From 527f2284a19547395997d4c959fa2c27a23a033b Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 20 Oct 2021 18:26:04 -0400 Subject: [PATCH 001/193] Fixed generate_mapping.py for authors --- scripts/generate_mapping.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index e84a2f1e5..f9642a3d7 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -233,9 +233,13 @@ def dir_path(string): sysprefs.append(rule_id) continue - full_baseline = '''title: "macOS 11 (Big Sur): Security Configuration - {}" + full_baseline = '''title: "macOS 12 (Monterey): Security Configuration - {}" description: | This guide describes the actions to take when securing a macOS 11 system against the {}. +authors: | + |=== + |Name|Organization + |=== profile:'''.format(other_header,other_header) if len(audit) != 0: From 773fb95280560bf4a5846e07ff6991d9c04a7f32 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 20 Oct 2021 18:27:15 -0400 Subject: [PATCH 002/193] Fixed generate_mapping.py for authors --- scripts/generate_mapping.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index f9642a3d7..d0ace2197 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -235,7 +235,7 @@ def dir_path(string): full_baseline = '''title: "macOS 12 (Monterey): Security Configuration - {}" description: | - This guide describes the actions to take when securing a macOS 11 system against the {}. + This guide describes the actions to take when securing a macOS 12 system against the {}. authors: | |=== |Name|Organization From 81e74fdce338de6ebd9a0e5b2b6afe84e4a11f89 Mon Sep 17 00:00:00 2001 
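Review bot: The new `full_baseline` literal hard-codes the OS name and version in `title: "macOS 12 (Monterey): Security Configuration - {}"` and again in the description line beneath it, so every release bump has to touch both strings by hand (the next commit in this series exists only to catch the second one), while VERSION.yaml, shown later in this series with `os: "12.0"` and `version: "Monterey Guidance, Revision 1"`, already carries that information for the rest of the tooling. Consider loading that file once and formatting both lines from it, or at minimum hoisting the string into a single module-level constant that the title and the description share. The added `authors:` table is emitted with a header row and no entries; a comment such as `# authors table is intentionally left empty; populated per organization` above the literal would make clear that this is deliberate. The enclosing function starts and ends outside the hunk.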
From: Allen Golbig Date: Fri, 22 Oct 2021 15:01:47 -0400 Subject: [PATCH 003/193] note about PAM --- rules/auth/auth_pam_login_smartcard_enforce.yaml | 2 ++ rules/auth/auth_pam_su_smartcard_enforce.yaml | 2 ++ rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 1aefc2a74..f407d8675 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 611767989..5199a699b 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml 
@@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index d17a669d2..4ed3ba997 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -5,6 +5,8 @@ discussion: | All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. + IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. + NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo From a455446ca2063537ee1f077f713bce1746c2a7db Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 15 Nov 2021 13:16:41 -0500 Subject: [PATCH 004/193] script rename and make file update --- SCAP/Makefile | 6 +++--- scripts/{yaml-to-oval.py => generate_oval.py} | 0 2 files changed, 3 insertions(+), 3 deletions(-) rename scripts/{yaml-to-oval.py => generate_oval.py} (100%) 
diff --git a/SCAP/Makefile b/SCAP/Makefile index ea01671fe..3a851c9ff 100644 --- a/SCAP/Makefile +++ b/SCAP/Makefile @@ -12,7 +12,7 @@ inputs: # generate the HTML checklist document ../scripts/generate_guidance.py -g ../baselines/all_rules.yaml 2>/dev/null # generate the related OVAL content - ../scripts/yaml-to-oval.py ../baselines/all_rules.yaml + ../scripts/generate_oval.py ../baselines/all_rules.yaml # outputs end up in ${DIR} tidy: @@ -36,7 +36,7 @@ XCCDF: -o:${DIR}/xccdf.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - benchmark-id-suffix=macOS_12.0 \ + benchmark-id-suffix=macOS_${OS} \ OVAL-URI=${DIR}/All_rules.xml \ include-CPE=1 # the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml' @@ -52,7 +52,7 @@ datastream: -o:${DIR}/datastream.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - datastream-id-suffix=macOS_12.0 \ + datastream-id-suffix=macOS_${OS} \ include-CPE=1 report: diff --git a/scripts/yaml-to-oval.py b/scripts/generate_oval.py similarity index 100% rename from scripts/yaml-to-oval.py rename to scripts/generate_oval.py From d86ef0f70553d2e98f761f7fae8ab867c45e1d99 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 15 Nov 2021 13:44:14 -0500 Subject: [PATCH 005/193] cpe added --- VERSION.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/VERSION.yaml b/VERSION.yaml index c553ee960..fdc260cb7 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,3 +1,4 @@ os: "12.0" version: "Monterey Guidance, Revision 1" +cpe: o:apple:macos:12.0 date: "2021-10-20" From 72f460adef74ce0ebe7cb4083ca01ee9c576aafc Mon Sep 17 00:00:00 2001 
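Review bot: `benchmark-id-suffix=macOS_${OS}` in the XCCDF hunk (and `datastream-id-suffix=macOS_${OS}` in the datastream hunk below it) silently degrades to the suffix `macOS_` when `./os.sh` prints nothing, because the result of `OS = $(shell ./os.sh)` (visible as context in the next commit) is never checked. A guard near the definition would fail the build instead of producing a mis-labelled benchmark: `ifeq ($(strip $(OS)),)` / `$(error os could not be read from ../VERSION.yaml)` / `endif`.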
From: Bob Gendler Date: Tue, 16 Nov 2021 10:32:26 -0500 Subject: [PATCH 006/193] generate_cpe script added to auto generate the cpe content using VERSION.yaml --- SCAP/Makefile | 5 +- SCAP/generate_cpe.sh | 89 +++++++++++++++++++++++++++++++++++ SCAP/macos-cpe-dictionary.xml | 3 +- SCAP/macos-cpe-oval.xml | 5 +- SCAP/os.sh | 2 +- 5 files changed, 99 insertions(+), 5 deletions(-) create mode 100755 SCAP/generate_cpe.sh diff --git a/SCAP/Makefile b/SCAP/Makefile index 3a851c9ff..4c405c4c7 100644 --- a/SCAP/Makefile +++ b/SCAP/Makefile @@ -6,7 +6,10 @@ DIR = ../build/All_rules VERSION = $(shell ./version.sh) OS = $(shell ./os.sh) -all: inputs tidy XCCDF datastream report beautify +all: generate_cpe inputs tidy XCCDF datastream report beautify + +generate_cpe: + ./generate_cpe.sh inputs: # generate the HTML checklist document diff --git a/SCAP/generate_cpe.sh b/SCAP/generate_cpe.sh new file mode 100755 index 000000000..e725b66e5 --- /dev/null +++ b/SCAP/generate_cpe.sh @@ -0,0 +1,89 @@ +#!/bin/bash + +OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') +CPE=$(/usr/bin/awk '/cpe/{print $2}' ../VERSION.yaml ) +CREATIONDATE=$(date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%Y-%m-%dT%TZ") + +/bin/cat > macos-cpe-oval.xml << EOO + + + + macOS Security Compliance Project + 5.11.2 + $CREATIONDATE + + + + + Apple macOS $OS is installed + + macOS + + + The operating system installed on the system is Apple macOS ($OS). + + + + + + + + + + + + + + + + + + + + + ProductVersion + /System/Library/CoreServices/SystemVersion.plist + 1 + + + + + macos + + + $OS + + + + +EOO + +/bin/cat > macos-cpe-dictionary.xml << EOCPE + + + + + + + + + + macOS Security Compliance Project + 2.3 + $CREATIONDATE + + + Apple macOS $OS + + This CPE Name represents macOS $OS + + oval:gov.nist.mscp.content.cpe.oval:def:1 + + + + +EOCPE \ No newline at end of file diff --git a/SCAP/macos-cpe-dictionary.xml b/SCAP/macos-cpe-dictionary.xml index b2477f7b5..2eb9c7b55 100644 
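Review bot: `CREATIONDATE` in the new generate_cpe.sh is built by re-parsing the local-time output of `date` with `-j -f "%a %b %d %T %Z %Y"` and appending a literal `Z`, so the timestamp written into both XML files claims UTC but carries local wall-clock time, and the `%a %b` parse depends on the current locale; `CREATIONDATE=$(date -u "+%Y-%m-%dT%TZ")` yields the intended value directly. The `CPE` variable is extracted with the pattern `/cpe/`, which matches any line containing that substring, and it does not appear to be used in either heredoc as rendered here (the XML markup looks stripped in this view, so it may be used inside an attribute); `'/^cpe: /{print $2}'` would pin it to the key. The script has no `set -e` and the heredocs interpolate `$OS` unchecked, so a missing or malformed ../VERSION.yaml leaves `$OS` empty and still overwrites macos-cpe-oval.xml and macos-cpe-dictionary.xml; a guard such as `[ -n "$OS" ] || { echo "os not found in ../VERSION.yaml" >&2; exit 1; }` after the extraction would stop the build instead.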
--- a/SCAP/macos-cpe-dictionary.xml +++ b/SCAP/macos-cpe-dictionary.xml @@ -9,7 +9,7 @@ macOS Security Compliance Project 2.3 - 2021-09-16T15:35:10Z + 2021-11-16T10:30:56Z Apple macOS 12.0 @@ -20,3 +20,4 @@ + diff --git a/SCAP/macos-cpe-oval.xml b/SCAP/macos-cpe-oval.xml index 2c5de92ab..03e1a5464 100644 --- a/SCAP/macos-cpe-oval.xml +++ b/SCAP/macos-cpe-oval.xml @@ -4,7 +4,7 @@ macOS Security Compliance Project 5.11.2 - 2021-09-16T15:35:10Z + 2021-11-16T10:30:56Z @@ -14,7 +14,7 @@ macOS - The operating system installed on the system is Apple macOS Big Sur (12.0). + The operating system installed on the system is Apple macOS (12.0). @@ -52,3 +52,4 @@ + diff --git a/SCAP/os.sh b/SCAP/os.sh index b9380191e..43e334119 100755 --- a/SCAP/os.sh +++ b/SCAP/os.sh @@ -1,5 +1,5 @@ #!/bin/bash -OS=$(/usr/bin/awk -F ": " '/os/{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') +OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') echo $OS \ No newline at end of file From a4a32fe5cd72e48a61c09cac38bc12150bc68305 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 18 Nov 2021 09:07:45 -0500 Subject: [PATCH 007/193] small fixes --- rules/os/os_sshd_fips_compliant.yaml | 2 +- scripts/generate_mapping.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index 4e48baaa6..373db873b 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml @@ -50,7 +50,7 @@ references: - IA-7 - SC-8(1) - SC-13 - - MF-4(6) + - MA-4(6) srg: - N/A disa_stig: diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index d0ace2197..9547da304 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py 
@@ -36,7 +36,7 @@ def dir_path(string): parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) - parser.add_argument("-f", "--framework", default="800-53r5", help="Specificy framework for the source. If no framework is specified, the default is 800-53r5.", action="store") + parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store") try: results = parser.parse_args() From c27c6e41390d2969baf68f6baa1846f157602859 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 18 Nov 2021 11:29:46 -0500 Subject: [PATCH 008/193] updated profile value check --- rules/auth/auth_smartcard_enforce.yaml | 8 ++++++-- rules/sysprefs/sysprefs_time_server_configure.yaml | 6 +++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index a0f8caf88..c9aa2dd9c 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -11,9 +11,13 @@ discussion: | NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'enforceSmartCard = 1' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('enforceSmartCard')) + EOS result: - integer: 1 + boolean: true fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 4a587580b..d28992ae1 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml 
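Review bot: The new check in auth_smartcard_enforce.yaml reads `enforceSmartCard` through `NSUserDefaults` with the `com.apple.security.smartcard` suite, which returns the effective value from whichever preference domain supplies it, whereas the removed `profiles -P` grep only counted installed profile payloads; a value written locally with `defaults` would now satisfy the rule without any profile enforcing it, so the unchanged fix text `This is implemented by a Configuration Profile.` no longer describes what the check proves. If profile enforcement is the requirement, the discussion should state that the check verifies the effective setting only, or the check should additionally confirm the value comes from the managed domain. When the key is absent the JXA call presumably prints nothing rather than `false`, so the comparison against `boolean: true` fails as intended, but a blank result is worth a sentence in the discussion so auditors do not read it as a scanner error. The same applies to the `timeServer` hunk in sysprefs_time_server_configure.yaml that follows.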
+++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -5,7 +5,11 @@ discussion: | This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk -F "= " '/timeServer/{print $2}' | /usr/bin/tr -d ';' | /usr/bin/tr -d '"' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ + .objectForKey('timeServer')) + EOS result: string: "time-a.nist.gov,time-b.nist.gov" fix: | From bdfc743574aa70a01d516fc43c0eb0a1e219be3d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 24 Nov 2021 12:05:13 -0500 Subject: [PATCH 009/193] updates for new way of checking profile results --- scripts/generate_guidance.py | 6 +++--- templates/adoc_rule.adoc | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 9c22b151c..a9ffa44c3 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -842,7 +842,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): if "integer" in result: result_value = result['integer'] elif "boolean" in result: - result_value = result['boolean'] + result_value = str(result['boolean']).lower() elif "string" in result: result_value = result['string'] else: @@ -856,7 +856,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then #echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" unset result_value - result_value=$({2}) + result_value=$({2}\n) # expected result {3} 
@@ -885,7 +885,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log" defaults write "$audit_plist" {0} -dict-add finding -bool NO fi - """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id), arch) + """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), str(result).lower(), result_value, ' '.join(log_reference_id), arch) check_function_string = check_function_string + zsh_check_text diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index bf9b2ef4f..3ac72580c 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc @@ -3,7 +3,7 @@ $rule_discussion To check the state of the system, run the following command(s): -[source,bash] +[source,bash,options="nowrap"] ---- $rule_check ---- From 2f4d7178218a970448a7d668a4cbb928ed95da08 Mon Sep 17 00:00:00 2001 
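Review bot: The `\n` added inside `result_value=$({2}\n)` reads like a stray escape because nothing says why the closing parenthesis has to move to its own line; a comment on the Python line above the template, `# a check may end in a heredoc terminator (EOS), which must stand alone, so the substitution is closed on the next line`, would preserve the intent. In the following hunk (`@@ -885`), `str(result).lower()` in the `.format(...)` call lowercases the repr of the whole `result` dict and feeds only the `# expected result {3}` comment; that is harmless, but a short note that it is display-only would keep a later reader from mistaking it for the comparison value. generate_script starts before and ends after these hunks.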
From: Bob Gendler Date: Wed, 24 Nov 2021 12:07:14 -0500 Subject: [PATCH 010/193] new method of checking profiles --- rules/auth/auth_smartcard_allow.yaml | 6 +++++- .../auth_smartcard_certificate_trust_enforce_high.yaml | 6 +++++- ...h_smartcard_certificate_trust_enforce_moderate.yaml | 6 +++++- rules/icloud/icloud_addressbook_disable.yaml | 6 +++++- rules/icloud/icloud_bookmarks_disable.yaml | 6 +++++- rules/icloud/icloud_drive_disable.yaml | 6 +++++- rules/icloud/icloud_keychain_disable.yaml | 6 +++++- rules/icloud/icloud_mail_disable.yaml | 6 +++++- rules/icloud/icloud_notes_disable.yaml | 6 +++++- rules/icloud/icloud_photos_disable.yaml | 6 +++++- rules/icloud/icloud_private_relay_disable.yaml | 6 +++++- rules/icloud/icloud_reminders_disable.yaml | 6 +++++- rules/icloud/icloud_sync_disable.yaml | 6 +++++- rules/os/os_airdrop_disable.yaml | 6 +++++- rules/os/os_bonjour_disable.yaml | 6 +++++- rules/os/os_camera_disable.yaml | 6 +++++- rules/os/os_config_data_install_enforce.yaml | 6 +++++- rules/os/os_firewall_log_enable.yaml | 6 +++++- rules/os/os_gatekeeper_rearm.yaml | 6 +++++- rules/os/os_handoff_disable.yaml | 6 +++++- rules/os/os_icloud_storage_prompt_disable.yaml | 6 +++++- rules/os/os_ir_support_disable.yaml | 6 +++++- rules/os/os_messages_app_disable.yaml | 6 +++++- rules/os/os_parental_controls_enable.yaml | 6 +++++- rules/os/os_password_autofill_disable.yaml | 6 +++++- rules/os/os_password_proximity_disable.yaml | 6 +++++- rules/os/os_password_sharing_disable.yaml | 6 +++++- rules/os/os_privacy_setup_prompt_disable.yaml | 6 +++++- rules/os/os_removable_media_disable.yaml | 6 +++++- rules/os/os_screensaver_loginwindow_enforce.yaml | 6 +++++- rules/os/os_siri_prompt_disable.yaml | 6 +++++- rules/os/os_touchid_prompt_disable.yaml | 6 +++++- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 6 +++++- rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 6 +++++- .../pwpolicy_account_lockout_timeout_enforce.yaml | 6 +++++- 
rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 6 +++++- .../sysprefs/sysprefs_apple_watch_unlock_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_automatic_login_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_bluetooth_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_content_caching_disable.yaml | 6 +++++- .../sysprefs_critical_update_install_enforce.yaml | 6 +++++- .../sysprefs/sysprefs_diagnostics_reports_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_find_my_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_firewall_enable.yaml | 6 +++++- .../sysprefs_firewall_stealth_mode_enable.yaml | 6 +++++- ...prefs_gatekeeper_identified_developers_allowed.yaml | 6 +++++- .../sysprefs_gatekeeper_override_disallow.yaml | 6 +++++- rules/sysprefs/sysprefs_guest_account_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_hot_corners_disable.yaml | 6 +++++- .../sysprefs_improve_siri_dictation_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 6 +++++- ...s_loginwindow_prompt_username_password_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 6 +++++- rules/sysprefs/sysprefs_password_hints_disable.yaml | 6 +++++- .../sysprefs_personalized_advertising_disable.yaml | 6 +++++- ...efs_screensaver_ask_for_password_delay_enforce.yaml | 6 +++++- .../sysprefs_screensaver_password_enforce.yaml | 6 +++++- .../sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_siri_disable.yaml | 6 +++++- rules/sysprefs/sysprefs_time_server_configure.yaml | 10 +++++----- rules/sysprefs/sysprefs_time_server_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_token_removal_enforce.yaml | 6 +++++- rules/sysprefs/sysprefs_touchid_unlock_disable.yaml | 6 +++++- 65 files changed, 325 insertions(+), 69 deletions(-) 
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 3db7d567f..d566dc5c4 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -7,7 +7,11 @@ discussion: | When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSmartCard = 1' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('allowSmartCard')) + EOS result: integer: 1 fix: | diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 2bd446bd2..4c79eca62 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -9,7 +9,11 @@ discussion: | NOTE: Before applying this setting, please see the smartcard supplemental guidance. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('checkCertificateTrust')) + EOS result: integer: 3 fix: | diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 7bc3074f3..d6d3a5121 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml 
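Review bot: The unchanged `result: integer: 1` under the new check in auth_smartcard_allow.yaml disagrees with the sibling auth_smartcard_enforce.yaml, which the earlier commit in this series switched to `boolean: true` when it moved the same `com.apple.security.smartcard` suite to the `NSUserDefaults` read; `allowSmartCard` is a boolean payload key, so the unwrapped value presumably prints as `true` rather than `1` and the generated comparison would never match. Change the expectation to `boolean: true`. The same `integer: 1` expectation for a boolean key recurs in this commit in os_bonjour_disable.yaml, os_config_data_install_enforce.yaml and os_icloud_storage_prompt_disable.yaml; the two certificate-trust rules, whose old awk already printed the raw value (expected `3` and `2`), are the only hunks here where leaving `result` alone is correct.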
@@ -9,7 +9,11 @@ discussion: | NOTE: Before applying this setting, please see the smartcard supplemental guidance. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/checkCertificateTrust/{print substr($3, 1, length($3)-1)}' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('checkCertificateTrust')) + EOS result: integer: 2 fix: | diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index fa467da3d..b990cdfd8 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudAddressBook = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudAddressBook')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 62a6f0614..11132839a 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml 
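Review bot: The unchanged `result: integer: 1` in icloud_addressbook_disable.yaml was the line count returned by the removed `grep -c 'allowCloudAddressBook = 0'`; the new check prints the key's value itself, which is `false`/`0` when the feature is disabled, so a compliant system now fails the rule. The expectation should become `boolean: false` (or `integer: 0` if the value is rendered numerically — confirm against the osascript output). Every hunk in this commit that replaced a `grep -c '... = 0'` has the same defect: icloud_bookmarks_disable, icloud_drive_disable, icloud_keychain_disable, icloud_mail_disable, icloud_notes_disable, icloud_photos_disable, icloud_private_relay_disable, icloud_reminders_disable, icloud_sync_disable, os_airdrop_disable, os_camera_disable and os_handoff_disable. Note also that `NSUserDefaults` returns the effective value whatever domain set it, so these rules now verify the setting rather than that it is profile-managed; the discussion text should say so.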
@@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudBookmarks = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudBookmarks')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index c99985d44..b54e2626c 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDocumentSync = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDocumentSync')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index fa648805a..9e1dc17d9 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml 
@@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudKeychainSync = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudKeychainSync')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 842a139fe..7a4058b7f 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudMail = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudMail')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index f09c04bd7..5784aab18 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml 
@@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudNotes = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudNotes')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 6e7735cc8..14083fa36 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPhotoLibrary = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPhotoLibrary')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index cc53ef6d2..d6042be03 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml 
@@ -5,7 +5,11 @@ discussion: | Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPrivateRelay = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPrivateRelay')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index fc59d0b4e..708e80ad8 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudReminders = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudReminders')) + EOS result: integer: 1 fix: | diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index c76df61d4..1ec224b29 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml 
@@ -5,7 +5,11 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDesktopAndDocuments = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDesktopAndDocuments')) + EOS result: integer: 1 fix: | diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 15c214d9f..f80aa3298 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -5,7 +5,11 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAirDrop')) + EOS result: integer: 1 fix: | diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index c6b2ad77f..0e13c5c7d 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -3,7 +3,11 @@ title: "Disable Bonjour Multicast" discussion: | Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'NoMulticastAdvertisements = 1' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ + .objectForKey('NoMulticastAdvertisements')) + EOS result: integer: 1 fix: | 
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 3fb18df08..790482b65 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -3,7 +3,11 @@ title: "Disable Camera" discussion: | macOS _MUST_ be configured to disable the camera. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCamera = 0' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCamera')) + EOS result: integer: 1 fix: | diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 87ac56322..22c53cf10 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -9,7 +9,11 @@ discussion: | NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ConfigDataInstall = 1' + /usr/bin/osascript -l JavaScript << EOS + ObjC.import('Foundation') + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('ConfigDataInstall')) + EOS result: integer: 1 fix: | diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 8901cd7fb..0c6f9a269 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml 
@@ -7,7 +7,11 @@ discussion: |
 NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(EnableLogging = 1|LoggingOption = detail)'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableLogging'))
+ EOS
 result:
 integer: 2
 fix: |
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 587219c49..80125cc81 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -3,7 +3,11 @@ title: "Enforce Gatekeeper 30 Day Automatic Rearm"
 discussion: |
 Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'GKAutoRearm = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
+ .objectForKey('com.apple.security'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 9edbb67ab..2d9ad1993 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
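Review bot: `result: integer: 2` can no longer be met by the os_firewall_log_enable check, which reads the single EnableLogging key and prints one value, whereas the removed grep counted two patterns (`EnableLogging = 1` and `LoggingOption = detail`); the detail-logging requirement is silently dropped. The same count/coverage mismatch is in the removable-media hunk (mount-controls, expects 2), diagnostics (AutoSubmit dropped, expects 2), Find My (allowFindMyDevice and allowFindMyFriends dropped, expects 3), hot corners (expects 4) and media sharing (legacySharingUIStatus and mediaSharingUIStatus dropped, expects 3). Either read each of the former keys and print a combined verdict, or lower `result:` to the single key's expected value and record in `discussion:` which settings the rule no longer verifies.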
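Review bot: `.objectForKey('com.apple.security')` on the com.apple.ManagedClient.preferences suite in the os_gatekeeper_rearm hunk presumably returns the whole managed-preference dictionary for that domain rather than the GKAutoRearm value the removed pattern matched, so its printed form will not equal `integer: 1`. The IR-controller (`com.apple.driver.AppleIRController`), Bluetooth (`com.apple.MCXBluetooth`) and hot-corners (`com.apple.dock`) hunks use the same construction. Extracting the specific key from the unwrapped dictionary inside the JXA, and setting `result:` to that key's expected value, would make these checks decidable.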
@@ -5,7 +5,11 @@ discussion: |
 Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowActivityContinuation = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowActivityContinuation'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index 977dca7c8..1a865dc20 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipiCloudStorageSetup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipiCloudStorageSetup'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index bcfd551a1..b1f8f13e2 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -7,7 +7,11 @@ discussion: |
 NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
+ .objectForKey('com.apple.driver.AppleIRController'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 4432efa8a..dd21f19be 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The Messages.app establishes a connection to Apple’s iCloud service, even when security controls to disable iCloud access have been put in place.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Messages.app"
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 666616890..a1e0543fb 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
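Review bot: the os_messages_app_disable check now only confirms that familyControlsEnabled is set and no longer verifies that `/Applications/Messages.app` is in the restricted application list, which is what the removed `grep -A 20 familyControlsEnabled | grep -c "/Applications/Messages.app"` tested; as written it duplicates os_parental_controls_enable. Read the key of the com.apple.applicationaccess.new domain that carries the restricted-application list (not shown in this hunk) and check it for the Messages.app path, or note in `discussion:` that the rule now checks only the enabling flag.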
@@ -7,7 +7,11 @@ discussion: |
 Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'familyControlsEnabled = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 2cb8a08e2..d0c9e2f84 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordAutoFill = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowPasswordAutoFill'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index ca225634a..7b61a9bb5 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordProximityRequests = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowPasswordProximityRequests'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index e96fe0e93..7263496a3 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordSharing = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowPasswordSharing'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index d5d669c4c..cc592d1b3 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipPrivacySetup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipPrivacySetup'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index 396ee8e50..8f8b010b7 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -10,7 +10,11 @@ discussion: |
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep 'harddisk-external' -A3 | /usr/bin/grep -Ec "eject|alert"
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
+ .objectForKey('mount-controls'))
+ EOS
 result:
 integer: 2
 fix: |
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index f704e3217..684333ae6 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -3,7 +3,11 @@ title: "Enforce Screen Saver at Login Window"
 discussion: |
 A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c loginWindowModulePath
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('loginWindowModulePath'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 5c6aaa366..0dac98248 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipSiriSetup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipSiriSetup'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index 1f9978a67..49f9577bb 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipTouchIDSetup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipTouchIDSetup'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index 9a44432c6..7f8994dac 100644
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -7,7 +7,11 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('maxPINAgeInDays'))
+ EOS
 result:
 integer: 60
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 164a84c5c..83297560a 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 3'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('maxFailedAttempts'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index bc92b833b..7aabceefc 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minutesUntilFailedLoginReset = 15'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('minutesUntilFailedLoginReset'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index b6bb32e26..f0346c55b 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -7,7 +7,11 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('minLength'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
index ce2a46928..58811f85b 100644
--- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
+++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
@@ -7,7 +7,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AirplayRecieverEnabled = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
+ .objectForKey('AirplayRecieverEnabled'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
index d51fdee97..61451bab3 100644
--- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAutoUnlock = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowAutoUnlock'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index 85d475f43..3571e81e3 100644
--- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.login.mcx.DisableAutoLoginClient" = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('com.apple.login.mcx.DisableAutoLoginClient'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index 775de6e35..7527da2e8 100644
--- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -10,7 +10,11 @@ discussion: |
 The 24-hour automatic logout may cause disruptions to an organization’s workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
+ .objectForKey('com.apple.autologout.AutoLogOutDelay'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index b993f4f95..998085f14 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -8,7 +8,11 @@ discussion: |
 Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableBluetooth = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
+ .objectForKey('com.apple.MCXBluetooth'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml
index 1d3504d3d..3e17c7292 100644
--- a/rules/sysprefs/sysprefs_content_caching_disable.yaml
+++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowContentCaching = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowContentCaching'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
index b1c1f6f61..9ae174426 100644
--- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
+++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
@@ -3,7 +3,11 @@ title: "Enforce Critical Security Updates to be Installed"
 discussion: |
 Ensure that security updates are installed as soon as they are available from Apple.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'CriticalUpdateInstall = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
+ .objectForKey('CriticalUpdateInstall'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index e90751a15..af5dfd73d 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowDiagnosticSubmission = 0|AutoSubmit = 0)'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowDiagnosticSubmission'))
+ EOS
 result:
 integer: 2
 fix: |
diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml
index 2d2d05c21..87341a370 100644
--- a/rules/sysprefs/sysprefs_find_my_disable.yaml
+++ b/rules/sysprefs/sysprefs_find_my_disable.yaml
@@ -7,7 +7,11 @@ discussion: |
 Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowFindMyDevice = 0|allowFindMyFriends = 0|DisableFMMiCloudSetting = 1)'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
+ .objectForKey('DisableFMMiCloudSetting'))
+ EOS
 result:
 integer: 3
 fix: |
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index 00c95fb6c..1f9144e04 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -5,7 +5,11 @@ discussion: |
 When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableFirewall = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableFirewall'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index a932e0716..a8271ad4b 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -10,7 +10,11 @@ discussion: |
 Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableStealthMode = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableStealthMode'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
index 76fddbaa2..4d3dbef5c 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
@@ -5,7 +5,11 @@ discussion: |
 Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
 check: |
- /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled"
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+ .objectForKey('AllowIdentifiedDevelopers'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
index 837510f9a..5079b601a 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
@@ -5,7 +5,11 @@ discussion: |
 If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableOverride = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
+ .objectForKey('DisableOverride'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml
index 4947d17aa..8cd5154d7 100644
--- a/rules/sysprefs/sysprefs_guest_account_disable.yaml
+++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml
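Review bot: replacing `spctl --status --verbose` with a read of the com.apple.systempolicy.control preference changes what sysprefs_gatekeeper_identified_developers_allowed audits: the old command reported Gatekeeper's effective assessment state, the new one reports a configured value, which can be present while assessment is off or overridden by an administrator. If the configured policy is the intended evidence, say so in `discussion:`; otherwise keep the effective-state query alongside the preference read.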
@@ -5,7 +5,11 @@ discussion: |
 Turning off guest access prevents anonymous users from accessing files.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableGuestAccount = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('DisableGuestAccount'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
index 5f223926e..5387d69cd 100644
--- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml
+++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
+ .objectForKey('com.apple.dock'))
+ EOS
 result:
 integer: 4
 fix: |
diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
index 6cc5180c7..7a0b5e26b 100644
--- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
+++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"Siri Data Sharing Opt-In Status" = 2;'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
+ .objectForKey('Siri Data Sharing Opt-In Status'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index 6626b3a6e..406fe253b 100644
--- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceInternetSharingOff = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('forceInternetSharingOff'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
index 04f430ee9..35f61ce85 100644
--- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else’s account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SHOWFULLNAME = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('SHOWFULLNAME'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index 85f1a8773..55b3d21b2 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -9,7 +9,11 @@ discussion: |
 NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 0)'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
+ .objectForKey('homeSharingUIStatus'))
+ EOS
 result:
 integer: 3
 fix: |
diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml
index 14c430814..13bfb56cd 100644
--- a/rules/sysprefs/sysprefs_password_hints_disable.yaml
+++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'RetriesUntilHint = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('RetriesUntilHint'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index 196c17afc..d6241a6b0 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\
+ .objectForKey('allowApplePersonalizedAdvertising'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index a5735af5d..b1b82363d 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 An unattended system with an excessive grace period is vulnerable to a malicious user.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'askForPasswordDelay = 5'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPasswordDelay'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index 00d502f27..4093d7eaa 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 The screen saver acts as a session lock and prevents unauthorized users from accessing the current user’s account.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'askForPassword = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPassword'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index c655a07ac..4792f1830 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('idleTime'))
+ EOS
 result:
 string: "Yes"
 fix: |
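Review bot: The screensaver-timeout hunk keeps `result: string: "Yes"` but the new check prints the raw idleTime value, so the rule cannot pass; it also drops the `<= 900` comparison, so once the result is corrected to a number any timeout stricter than 900 seconds would be reported as a failure. Piping the osascript output through the same comparison restores the original semantics with a one-line change to the first added line: `/usr/bin/osascript -l JavaScript << EOS | /usr/bin/awk '{ if ($1 <= 900) {print "Yes"} else {print "No"}}'` (the heredoc body and `EOS` stay as they are). The askForPasswordDelay and askForPassword hunks on this line have the count-versus-value mismatch already noted on the first hunk of this commit.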
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index 444312ac7..57119291c 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
@@ -5,7 +5,11 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"Ironwood Allowed" = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
+ .objectForKey('Ironwood Allowed'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml
index d28992ae1..d1898b2a9 100644
--- a/rules/sysprefs/sysprefs_time_server_configure.yaml
+++ b/rules/sysprefs/sysprefs_time_server_configure.yaml
@@ -5,11 +5,11 @@ discussion: |
 This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
- .objectForKey('timeServer'))
- EOS
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('timeServer'))
+ EOS
 result:
 string: "time-a.nist.gov,time-b.nist.gov"
 fix: |
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml
index acd264193..1e7406ebd 100644
--- a/rules/sysprefs/sysprefs_time_server_enforce.yaml
+++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml
@@ -5,7 +5,11 @@ discussion: |
 This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'TMAutomaticTimeOnlyEnabled = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
+ .objectForKey('com.apple.timed'))
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
index f78e670d7..cac50bd05 100644
--- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml
+++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
@@ -10,7 +10,11 @@ discussion: |
 Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'tokenRemovalAction = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
+ .objectForKey('tokenRemovalAction'))
+ EOS
 result:
 integer: 1
 fix:
diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
index 92fe3858c..6db63d74b 100644
--- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
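Review bot: The time-server hunk reads key 'com.apple.timed' from the 'com.apple.ManagedClient.preferences' suite, which appears to be the managed-payload container rather than the TMAutomaticTimeOnlyEnabled setting the removed grep matched; `ObjC.unwrap` of that object is unlikely to ever print `1`, so the rule fails on a compliant host, and a later patch in this series reverts the hunk for that reason. If the osascript form is kept, the read presumably belongs in the setting's own domain, `initWithSuiteName('com.apple.timed')\` / `.objectForKey('TMAutomaticTimeOnlyEnabled'))`, with `result` adjusted to whatever that prints (likely `true`); this needs confirming on a managed host. The tokenRemovalAction hunk on this line keeps `integer: 1`, which matches the removed pattern's value and looks right if the key is stored as an integer.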
@@ -7,7 +7,11 @@ discussion: |
 The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowFingerprintForUnlock = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ ObjC.import('Foundation')
+ ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowFingerprintForUnlock'))
+ EOS
 result:
 integer: 1
 fix: |
From 375c01d801b3cd9bdc1824d441a9c67942d86c85 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 20:24:55 -0500
Subject: [PATCH 011/193] revert to old check
---
 rules/os/os_gatekeeper_rearm.yaml | 6 +-----
 rules/os/os_ir_support_disable.yaml | 6 +-----
 rules/os/os_removable_media_disable.yaml | 6 +-----
 rules/sysprefs/sysprefs_hot_corners_disable.yaml | 6 +-----
 rules/sysprefs/sysprefs_time_server_enforce.yaml | 6 +-----
 5 files changed, 5 insertions(+), 25 deletions(-)
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 80125cc81..587219c49 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -3,11 +3,7 @@ title: "Enforce Gatekeeper 30 Day Automatic Rearm"
 discussion: |
 Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
- .objectForKey('com.apple.security'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'GKAutoRearm = 1'
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index b1f8f13e2..bcfd551a1 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
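Review bot: The reinstated `profiles -P -o stdout | grep -c 'GKAutoRearm = 1'` counts every line of the combined profile output containing that string, so a host where two profiles deliver the key prints `2` and fails the exact `integer: 1` match, while a same-named key in an unrelated payload domain would count as compliant. The same applies to the other revert hunks in this series (DeviceEnabled in os_ir_support_disable, the wvous-*-corner keys in sysprefs_hot_corners_disable, TMAutomaticTimeOnlyEnabled in sysprefs_time_server_enforce, DisableBluetooth in sysprefs_bluetooth_disable), and `DeviceEnabled = 0` is generic enough that the false-positive case is plausible. Scoping the match to its payload domain, as os_removable_media_disable does with `grep 'harddisk-external' -A3`, or reading the value from the domain-specific defaults suite as the non-reverted rules do, would tie the check to the setting actually being enforced. A short shell comment in `check` recording why the osascript form was reverted (e.g. `# profiles grep kept: ManagedClient.preferences read returned the payload, not the key`) would also spare the next person the same migration.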
@@ -7,11 +7,7 @@ discussion: |
 NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
- .objectForKey('com.apple.driver.AppleIRController'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0'
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index 8f8b010b7..396ee8e50 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -10,11 +10,7 @@ discussion: |
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
- .objectForKey('mount-controls'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep 'harddisk-external' -A3 | /usr/bin/grep -Ec "eject|alert"
 result:
 integer: 2
 fix: |
diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
index 5387d69cd..5f223926e 100644
--- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml
+++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
@@ -5,11 +5,7 @@ discussion: |
 The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
- .objectForKey('com.apple.dock'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0'
 result:
 integer: 4
 fix: |
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml
index 1e7406ebd..acd264193 100644
--- a/rules/sysprefs/sysprefs_time_server_enforce.yaml
+++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml
@@ -5,11 +5,7 @@ discussion: |
 This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
- .objectForKey('com.apple.timed'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'TMAutomaticTimeOnlyEnabled = 1'
 result:
 integer: 1
 fix: |
From 92c06b97ecc16b668219645f2201c763705189c1 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 20:56:34 -0500
Subject: [PATCH 012/193] revert to old check
---
 .../auth/auth_smartcard_certificate_trust_enforce_high.yaml | 2 +-
 rules/sysprefs/sysprefs_bluetooth_disable.yaml | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 4c79eca62..e54c8e709 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -14,7 +14,7 @@ check: |
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
 .objectForKey('checkCertificateTrust'))
 EOS
-result:
+result:
 integer: 3
 fix: |
 This is implemented by a Configuration Profile.
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index 998085f14..b993f4f95 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -8,11 +8,7 @@ discussion: |
 Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ManagedClient.preferences')\
- .objectForKey('com.apple.MCXBluetooth'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableBluetooth = 1'
 result:
 integer: 1
 fix: |
From f34fb10b6d5cec8917d44fb390bb7dfeae5ffb28 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:03:09 -0500
Subject: [PATCH 013/193] revert to old check
---
 rules/sysprefs/sysprefs_find_my_disable.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml
index 87341a370..2d2d05c21 100644
--- a/rules/sysprefs/sysprefs_find_my_disable.yaml
+++ b/rules/sysprefs/sysprefs_find_my_disable.yaml
@@ -7,11 +7,7 @@ discussion: |
 Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
- .objectForKey('DisableFMMiCloudSetting'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowFindMyDevice = 0|allowFindMyFriends = 0|DisableFMMiCloudSetting = 1)'
 result:
 integer: 3
 fix: |
From c0fb1303f130f4a29dec123a52b2ca7f94e995e7 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:04:26 -0500
Subject: [PATCH 014/193] revert to old check
---
 rules/os/os_messages_app_disable.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index dd21f19be..4432efa8a 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -5,11 +5,7 @@ discussion: |
 The Messages.app establishes a connection to Apple’s iCloud service, even when security controls to disable iCloud access have been put in place.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
- .objectForKey('familyControlsEnabled'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Messages.app"
 result:
 integer: 1
 fix: |
From 31d453d47ada2eaed35163e7737951a3a32ff1b1 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:06:16 -0500
Subject: [PATCH 015/193] revert to old check
---
 rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index 55b3d21b2..85f1a8773 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -9,11 +9,7 @@ discussion: |
 NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
- .objectForKey('homeSharingUIStatus'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 0)'
 result:
 integer: 3
 fix: |
From a2dfe874058307d7ff14b828285a6b68bfe2c37d Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:09:13 -0500
Subject: [PATCH 016/193] revert to old check
---
 rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index af5dfd73d..e90751a15 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -5,11 +5,7 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowDiagnosticSubmission'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowDiagnosticSubmission = 0|AutoSubmit = 0)'
 result:
 integer: 2
 fix: |
From 725338318487992f2f6f88216a8fdd97fadf8473 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:11:02 -0500
Subject: [PATCH 017/193] revert to old check
---
 rules/os/os_firewall_log_enable.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 0c6f9a269..8901cd7fb 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -7,11 +7,7 @@ discussion: |
 NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
- .objectForKey('EnableLogging'))
- EOS
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(EnableLogging = 1|LoggingOption = detail)'
 result:
 integer: 2
 fix: |
From 9e0e3c0c63d135e837271db513277979f289b976 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 24 Nov 2021 21:19:46 -0500
Subject: [PATCH 018/193] new result added
---
 rules/auth/auth_smartcard_allow.yaml | 2 +-
 rules/auth/auth_smartcard_enforce.yaml | 2 +-
 rules/icloud/icloud_addressbook_disable.yaml | 2 +-
 rules/icloud/icloud_bookmarks_disable.yaml | 2 +-
 rules/icloud/icloud_drive_disable.yaml | 2 +-
 rules/icloud/icloud_keychain_disable.yaml | 2 +-
 rules/icloud/icloud_mail_disable.yaml | 2 +-
 rules/icloud/icloud_notes_disable.yaml | 2 +-
 rules/icloud/icloud_photos_disable.yaml | 2 +-
 rules/icloud/icloud_private_relay_disable.yaml | 2 +-
 rules/icloud/icloud_reminders_disable.yaml | 2 +-
 rules/icloud/icloud_sync_disable.yaml | 2 +-
 rules/os/os_airdrop_disable.yaml | 2 +-
 rules/os/os_bonjour_disable.yaml | 2 +-
 rules/os/os_camera_disable.yaml | 2 +-
 rules/os/os_config_data_install_enforce.yaml | 2 +-
 rules/os/os_gatekeeper_enable.yaml | 2 +-
 rules/os/os_handoff_disable.yaml | 2 +-
 rules/os/os_icloud_storage_prompt_disable.yaml | 2 +-
 rules/os/os_parental_controls_enable.yaml | 2 +-
 rules/os/os_password_autofill_disable.yaml | 2 +-
 rules/os/os_password_proximity_disable.yaml | 2 +-
 rules/os/os_password_sharing_disable.yaml | 2 +-
 rules/os/os_privacy_setup_prompt_disable.yaml | 2 +-
 rules/os/os_screensaver_loginwindow_enforce.yaml | 2 +-
 rules/os/os_siri_prompt_disable.yaml | 2 +-
 rules/os/os_touchid_prompt_disable.yaml | 2 +-
 rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 2 +-
 rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 2 +-
 rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_automatic_login_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_content_caching_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_critical_update_install_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_firewall_enable.yaml | 2 +-
rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 2 +-
 rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml | 2 +-
 rules/sysprefs/sysprefs_guest_account_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_password_hints_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_personalized_advertising_disable.yaml | 2 +-
 .../sysprefs_screensaver_ask_for_password_delay_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_screensaver_password_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 2 +-
 rules/sysprefs/sysprefs_siri_disable.yaml | 2 +-
 rules/sysprefs/sysprefs_touchid_unlock_disable.yaml | 2 +-
 49 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index d566dc5c4..c3042d8a0 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -13,7 +13,7 @@ check: |
 .objectForKey('allowSmartCard'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index c9aa2dd9c..0e0439ce5 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -17,7 +17,7 @@ check: |
 .objectForKey('enforceSmartCard'))
 EOS
 result:
- boolean: true
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index b990cdfd8..6de159475 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudAddressBook'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 11132839a..de2333c37 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudBookmarks'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index b54e2626c..7716c8c71 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudDocumentSync'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 9e1dc17d9..55f18e5ca 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudKeychainSync'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index 7a4058b7f..6235aa27d 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudMail'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index 5784aab18..509bb890c 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudNotes'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 14083fa36..4961ce586 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudPhotoLibrary'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
index d6042be03..765396987 100644
--- a/rules/icloud/icloud_private_relay_disable.yaml
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudPrivateRelay'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index 708e80ad8..cad50dec0 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudReminders'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 1ec224b29..264152f0b 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowCloudDesktopAndDocuments'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index f80aa3298..1f04e0e4b 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowAirDrop'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 0e13c5c7d..62819c436 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -9,7 +9,7 @@ check: |
 .objectForKey('NoMulticastAdvertisements'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 790482b65..b9b7abecc 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -9,7 +9,7 @@ check: |
 .objectForKey('allowCamera'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 22c53cf10..22729abeb 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -15,7 +15,7 @@ check: |
 .objectForKey('ConfigDataInstall'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 2cad2a915..3b31c1611 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -9,7 +9,7 @@ discussion: |
 check: |
 /usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled"
 result:
- integer: 1
+ string: "true"
 fix: |
 [source,bash]
 ----
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 2d9ad1993..d66fc4310 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowActivityContinuation'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
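Review bot: The os_gatekeeper_enable hunk changes `result` to `string: "true"`, but its check is still `/usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled"`, which prints a line count rather than `true`, so this rule will now fail on every host. The other hunks in this commit switch the result because their checks print an `ObjC.unwrap` value, which does not apply here; this file should keep `  integer: 1`, or the check should be changed to something that actually prints a boolean. The remaining hunks on this line (os_bonjour_disable, os_camera_disable, os_config_data_install_enforce, os_handoff_disable) look consistent with their osascript checks, assuming the keys are delivered as booleans.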
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index 1a865dc20..c710534e7 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('SkipiCloudStorageSetup'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index a1e0543fb..fc8c3e2a5 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -13,7 +13,7 @@ check: |
 .objectForKey('familyControlsEnabled'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index d0c9e2f84..e822cd739 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowPasswordAutoFill'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index 7b61a9bb5..b2289c087 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowPasswordProximityRequests'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index 7263496a3..ca73c9aa4 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -11,7 +11,7 @@ check: | .objectForKey('allowPasswordSharing')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index cc592d1b3..30f621471 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('SkipPrivacySetup')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 684333ae6..3263ee1d9 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -9,7 +9,7 @@ check: | .objectForKey('loginWindowModulePath')) EOS result: - integer: 1 + string: "/System/Library/Screen Savers/Flurry.saver" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 0dac98248..1e2decd79 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('SkipSiriSetup')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 49f9577bb..20768589e 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('SkipTouchIDSetup')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 83297560a..e8dfbe6a1 100644 
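Review bot: os_screensaver_loginwindow_enforce now pins `loginWindowModulePath` to `"/System/Library/Screen Savers/Flurry.saver"`, while the rule only requires a default screen saver that shows no sensitive information. Any other approved saver, or a relocated bundle on a later release, would fail the rule while still meeting the stated requirement. If Flurry is the deliberate organisational default, say so where the rule is described, e.g. `NOTE: The check expects the Flurry screen saver; update the expected path if a different approved saver is deployed.`; otherwise the path is a better candidate for an organisation-defined value than a hard-coded result. The rule's discussion text is outside this hunk.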
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('maxFailedAttempts')) EOS result: - integer: 1 + integer: 3 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 7aabceefc..6c942814c 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('minutesUntilFailedLoginReset')) EOS result: - integer: 1 + integer: 15 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index f0346c55b..101a8ddf7 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -13,7 +13,7 @@ check: | .objectForKey('minLength')) EOS result: - integer: 1 + integer: 15 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index 58811f85b..5c600b700 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -13,7 +13,7 @@ check: | .objectForKey('AirplayRecieverEnabled')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index 61451bab3..8f4022122 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml 
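Review bot: The pwpolicy results introduced here (`maxFailedAttempts` 3, `minutesUntilFailedLoginReset` 15, `minLength` 15) are exact values, but each requirement is a bound: a profile setting two failed attempts, a 30-minute reset delay or a 16-character minimum is stricter, yet would be reported as non-compliant if the generated script compares the result for equality, which is what a bare `integer:` result implies. Either state in each rule that the baseline demands the exact value, or put the bound into the check so the output is a boolean, for example `ObjC.unwrap(...objectForKey('minLength')) >= 15` with `result: string: "true"`. The `check` lines carrying the suite name are outside these hunks.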
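Review bot: sysprefs_airplay_receiver_disable reads the key `AirplayRecieverEnabled`, with "Reciever" misspelled relative to ordinary English. If that spelling matches Apple's com.apple.applicationaccess payload key (I cannot verify it from here), a note such as `NOTE: The preference key is spelled AirplayRecieverEnabled to match Apple's payload; do not correct it.` in the rule's discussion would stop a later contributor from "fixing" it and silently breaking the check. If it does not match, the check reads a key that is never set and will always fail.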
@@ -11,7 +11,7 @@ check: | .objectForKey('allowAutoUnlock')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 3571e81e3..9a464d3ce 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('com.apple.login.mcx.DisableAutoLoginClient')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml index 7527da2e8..8b6e91d55 100644 --- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml +++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml @@ -16,7 +16,7 @@ check: | .objectForKey('com.apple.autologout.AutoLogOutDelay')) EOS result: - integer: 1 + integer: 86400 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 3e17c7292..cda1d9cde 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('allowContentCaching')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index 9ae174426..b8d0ce818 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml 
@@ -9,7 +9,7 @@ check: | .objectForKey('CriticalUpdateInstall')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 1f9144e04..8001fe201 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('EnableFirewall')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index a8271ad4b..8fa0547bd 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -16,7 +16,7 @@ check: | .objectForKey('EnableStealthMode')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index 5079b601a..b6773bf20 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('DisableOverride')) EOS result: - integer: 1 + string: "true" fix: | To implement the prescribed state with a Configuration Profile, create a configuration profile (com.apple.systempolicy.managed) with the following key DisableOverride set to true [source,xml] diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 8cd5154d7..e4e310b06 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml 
@@ -11,7 +11,7 @@ check: | .objectForKey('DisableGuestAccount')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 7a0b5e26b..0cd70ab49 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('Siri Data Sharing Opt-In Status')) EOS result: - integer: 1 + integer: 2 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 406fe253b..7bd47530a 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('forceInternetSharingOff')) EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 13bfb56cd..3c5381581 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -11,7 +11,7 @@ check: | .objectForKey('RetriesUntilHint')) EOS result: - integer: 1 + integer: 0 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index d6241a6b0..86fe16b43 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml 
@@ -11,7 +11,7 @@ check: |
 .objectForKey('allowApplePersonalizedAdvertising'))
 EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index b1b82363d..daa0d42d7 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('askForPasswordDelay'))
 EOS
 result:
- integer: 1
+ integer: 5
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index 4093d7eaa..48bb47bfa 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('askForPassword'))
 EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 4792f1830..205a20fbc 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -11,7 +11,7 @@ check: |
 .objectForKey('idleTime'))
 EOS
 result:
- string: "Yes"
+ integer: 900
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index 57119291c..169cc2836 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
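Review bot: sysprefs_screensaver_ask_for_password_delay_enforce now expects `askForPasswordDelay` to equal 5, but a shorter delay, down to 0 for an immediate prompt, is the stricter setting and would be flagged under an equality comparison; the same holds for `idleTime` 900 in the following hunk, where a shorter timeout is stricter. The move from `string: "Yes"` to a numeric result for idleTime is right, since the key holds a number of seconds. To accept stricter configurations, wrap the read in the bound, e.g. `ObjC.unwrap(...objectForKey('askForPasswordDelay')) <= 5` with `result: string: "true"`, or document that the exact value is required.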
@@ -11,7 +11,7 @@ check: | .objectForKey('Ironwood Allowed')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index 6db63d74b..67161464e 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml @@ -13,7 +13,7 @@ check: | .objectForKey('allowFingerprintForUnlock')) EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: From 0ffbd147719408ff7e47673c09d04ddbc81ddfa1 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Mon, 29 Nov 2021 15:26:24 -0500 Subject: [PATCH 019/193] cleaned up javascript --- rules/auth/auth_smartcard_allow.yaml | 5 ++--- .../auth/auth_smartcard_certificate_trust_enforce_high.yaml | 5 ++--- .../auth_smartcard_certificate_trust_enforce_moderate.yaml | 5 ++--- rules/auth/auth_smartcard_enforce.yaml | 5 ++--- rules/icloud/icloud_addressbook_disable.yaml | 5 ++--- rules/icloud/icloud_bookmarks_disable.yaml | 5 ++--- rules/icloud/icloud_drive_disable.yaml | 5 ++--- rules/icloud/icloud_keychain_disable.yaml | 5 ++--- rules/icloud/icloud_mail_disable.yaml | 5 ++--- rules/icloud/icloud_notes_disable.yaml | 5 ++--- rules/icloud/icloud_photos_disable.yaml | 5 ++--- rules/icloud/icloud_private_relay_disable.yaml | 5 ++--- rules/icloud/icloud_reminders_disable.yaml | 5 ++--- rules/icloud/icloud_sync_disable.yaml | 5 ++--- rules/os/os_airdrop_disable.yaml | 5 ++--- rules/os/os_bonjour_disable.yaml | 5 ++--- rules/os/os_camera_disable.yaml | 5 ++--- rules/os/os_config_data_install_enforce.yaml | 5 ++--- rules/os/os_handoff_disable.yaml | 5 ++--- rules/os/os_icloud_storage_prompt_disable.yaml | 5 ++--- rules/os/os_parental_controls_enable.yaml | 5 ++--- rules/os/os_password_autofill_disable.yaml | 5 ++--- rules/os/os_password_proximity_disable.yaml | 5 ++--- rules/os/os_password_sharing_disable.yaml | 5 ++--- rules/os/os_privacy_setup_prompt_disable.yaml | 5 ++--- rules/os/os_screensaver_loginwindow_enforce.yaml | 5 ++--- rules/os/os_siri_prompt_disable.yaml | 5 ++--- rules/os/os_touchid_prompt_disable.yaml | 5 ++--- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 5 ++--- rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml | 5 ++--- rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml | 5 ++--- rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_automatic_login_disable.yaml | 5 
++--- rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_content_caching_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_critical_update_install_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_firewall_enable.yaml | 5 ++--- rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 5 ++--- .../sysprefs_gatekeeper_identified_developers_allowed.yaml | 5 ++--- rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml | 5 ++--- rules/sysprefs/sysprefs_guest_account_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 5 ++--- ...ysprefs_loginwindow_prompt_username_password_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_password_hints_disable.yaml | 5 ++--- .../sysprefs/sysprefs_personalized_advertising_disable.yaml | 5 ++--- .../sysprefs_screensaver_ask_for_password_delay_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_screensaver_password_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_siri_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_time_server_configure.yaml | 5 ++--- rules/sysprefs/sysprefs_token_removal_enforce.yaml | 5 ++--- rules/sysprefs/sysprefs_touchid_unlock_disable.yaml | 5 ++--- 55 files changed, 110 insertions(+), 165 deletions(-) diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index c3042d8a0..e5b1c2391 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml 
@@ -8,9 +8,8 @@ discussion: |
 When enabled, the smartcard can be used for login, authorization, and screen saver unlocking.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
- .objectForKey('allowSmartCard'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
+ .objectForKey('allowSmartCard').js
 EOS
 result:
 string: "true"
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index e54c8e709..beb651fe5 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -10,9 +10,8 @@ discussion: |
 NOTE: Before applying this setting, please see the smartcard supplemental guidance.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
- .objectForKey('checkCertificateTrust'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
+ .objectForKey('checkCertificateTrust').js
 EOS
 result:
 integer: 3
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index d6d3a5121..decfd37fb 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
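Review bot: Replacing `ObjC.unwrap(...)` with `.js` keeps the same read path, so auth_smartcard_allow still reports the effective value of `allowSmartCard`, not whether a profile enforces it. As far as I know, NSUserDefaults initialised with a suite name also consults the user's own preference domain, so a user-level `defaults write com.apple.security.smartcard allowSmartCard -bool true` with no profile installed would satisfy `string: "true"`. For rules whose fix is a Configuration Profile, consider additionally confirming the key is present in the managed-preferences domain, or add `NOTE: This check verifies the effective value of the key, not that it is enforced by a profile.` to the discussion; the point applies to every NSUserDefaults-based hunk in this commit.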
@@ -10,9 +10,8 @@ discussion: | NOTE: Before applying this setting, please see the smartcard supplemental guidance. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ - .objectForKey('checkCertificateTrust')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('checkCertificateTrust').js EOS result: integer: 2 diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 0e0439ce5..0726a5d67 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -12,9 +12,8 @@ discussion: | NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ - .objectForKey('enforceSmartCard')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ + .objectForKey('enforceSmartCard').js EOS result: string: "true" diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 6de159475..22251e18f 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudAddressBook')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudAddressBook').js EOS result: string: "false" 
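Review bot: auth_smartcard_certificate_trust_enforce_moderate expects `checkCertificateTrust` to equal 2, so a host configured at the stricter level 3 (the value the `_high` rule in the previous hunk expects) is reported as failing the moderate rule under an equality comparison. If the two rules are meant to be mutually exclusive per baseline that is acceptable, but worth recording, e.g. `NOTE: A value of 3 (high) exceeds this requirement but is reported as a failure; select the _high rule for that setting.`, or the check could accept either value. The `_high` rule has the same exact-match shape.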
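Review bot: auth_smartcard_enforce reads only `enforceSmartCard`, while its own NOTE states that the setting has no effect unless `allowSmartCard` is also true, so a host with enforcement set but smart cards disallowed passes this rule while enforcement is inert. That dependency is presumably covered by auth_smartcard_allow being in the same baseline; making it explicit, e.g. `NOTE: This rule assumes auth_smartcard_allow is also applied; on its own a passing result does not prove smart card enforcement is active.`, would help anyone cherry-picking rules. The rest of the discussion text this would extend is outside the hunk.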
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index de2333c37..88af0a575 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudBookmarks')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudBookmarks').js EOS result: string: "false" diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 7716c8c71..c4deb1f86 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudDocumentSync')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDocumentSync').js EOS result: string: "false" diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 55f18e5ca..af3739123 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml 
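Review bot: In icloud_bookmarks_disable the new `.js` accessor is applied directly to whatever `objectForKey('allowCloudBookmarks')` returns, which on an unmanaged host where the key was never set is the nil proxy. I believe `ObjC.unwrap` on that proxy yielded `undefined`, which osascript prints as an empty result and the comparison treats as a finding; please confirm `$().js` behaves the same and does not throw, since a script error would make a missing profile look like a broken check instead of a failure. Running the check's heredoc on a machine without the profile settles it, and a one-line `NOTE:` in the discussion recording the unmanaged behaviour would save the next reviewer the same question.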
@@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudKeychainSync')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudKeychainSync').js EOS result: string: "false" diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 6235aa27d..cc4f8fd91 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudMail')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudMail').js EOS result: string: "false" diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 509bb890c..b14a71315 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml 
@@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudNotes')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudNotes').js EOS result: string: "false" diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 4961ce586..6df81556b 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudPhotoLibrary')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPhotoLibrary').js EOS result: string: "false" diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 765396987..b781a11d3 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml 
@@ -6,9 +6,8 @@ discussion: | Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudPrivateRelay')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudPrivateRelay').js EOS result: string: "false" diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index cad50dec0..a9dbfca42 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudReminders')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudReminders').js EOS result: string: "false" diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 264152f0b..5fe108d9e 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml 
@@ -6,9 +6,8 @@ discussion: | Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCloudDesktopAndDocuments')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCloudDesktopAndDocuments').js EOS result: string: "false" diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 1f04e0e4b..7cefa5561 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -6,9 +6,8 @@ discussion: AirDrop allows users to share and receive files from other nearby Apple devices. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowAirDrop')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAirDrop').js EOS result: string: "false" diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 62819c436..9c95cf9f1 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -4,9 +4,8 @@ discussion: | Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ - .objectForKey('NoMulticastAdvertisements')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ + .objectForKey('NoMulticastAdvertisements').js EOS result: string: "true" 
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index b9b7abecc..e3bec0822 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -4,9 +4,8 @@ discussion: | macOS _MUST_ be configured to disable the camera. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowCamera')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowCamera').js EOS result: string: "false" diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 22729abeb..4a42e0a8f 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -10,9 +10,8 @@ discussion: | NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ - .objectForKey('ConfigDataInstall')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('ConfigDataInstall').js EOS result: string: "true" diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index d66fc4310..b9e89f170 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml 
@@ -6,9 +6,8 @@ discussion: | Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowActivityContinuation')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowActivityContinuation').js EOS result: string: "false" diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index c710534e7..59553daca 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -6,9 +6,8 @@ discussion: | The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ - .objectForKey('SkipiCloudStorageSetup')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipiCloudStorageSetup').js EOS result: string: "true" diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index fc8c3e2a5..a7499374b 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml 
@@ -8,9 +8,8 @@ discussion: | Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ - .objectForKey('familyControlsEnabled')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ + .objectForKey('familyControlsEnabled').js EOS result: string: "true" diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index e822cd739..026eeb1ec 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -6,9 +6,8 @@ discussion: | macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | /usr/bin/osascript -l JavaScript << EOS - ObjC.import('Foundation') - ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowPasswordAutoFill')) + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowPasswordAutoFill').js EOS result: string: "false" diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index b2289c087..42a1d65e0 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml 
@@ -6,9 +6,8 @@ discussion: |
 The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowPasswordProximityRequests'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowPasswordProximityRequests').js
 EOS
 result:
 string: "false"
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index ca73c9aa4..af22501c1 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowPasswordSharing'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowPasswordSharing').js
 EOS
 result:
 string: "false"
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index 30f621471..9573a6e84 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
- .objectForKey('SkipPrivacySetup'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipPrivacySetup').js
 EOS
 result:
 string: "true"
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index 3263ee1d9..647c94a9f 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -4,9 +4,8 @@ discussion: |
 A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('loginWindowModulePath'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('loginWindowModulePath').js
 EOS
 result:
 string: "/System/Library/Screen Savers/Flurry.saver"
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 1e2decd79..219c78c84 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
- .objectForKey('SkipSiriSetup'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipSiriSetup').js
 EOS
 result:
 string: "true"
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index 20768589e..0e685d85e 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
- .objectForKey('SkipTouchIDSetup'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipTouchIDSetup').js
 EOS
 result:
 string: "true"
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index 7f8994dac..47f597d3b 100755
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -8,9 +8,8 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
- .objectForKey('maxPINAgeInDays'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('maxPINAgeInDays').js
 EOS
 result:
 integer: 60
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index e8dfbe6a1..47e495daf 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
- .objectForKey('maxFailedAttempts'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('maxFailedAttempts').js
 EOS
 result:
 integer: 3
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 6c942814c..01457494f 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
- .objectForKey('minutesUntilFailedLoginReset'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('minutesUntilFailedLoginReset').js
 EOS
 result:
 integer: 15
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 101a8ddf7..ea6ed2b20 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -8,9 +8,8 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
- .objectForKey('minLength'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('minLength').js
 EOS
 result:
 integer: 15
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
index 5c600b700..49bdfe634 100644
--- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
+++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
@@ -8,9 +8,8 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
- .objectForKey('AirplayRecieverEnabled'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
+ .objectForKey('AirplayRecieverEnabled').js
 EOS
 result:
 string: "false"
diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
index 8f4022122..fc391f712 100644
--- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowAutoUnlock'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowAutoUnlock').js
 EOS
 result:
 string: "false"
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index 9a464d3ce..c9cfbd317 100644
--- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
- .objectForKey('com.apple.login.mcx.DisableAutoLoginClient'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index 8b6e91d55..a372fb093 100644
--- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -11,9 +11,8 @@ discussion: |
 ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
- .objectForKey('com.apple.autologout.AutoLogOutDelay'))
+ $.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
+ .objectForKey('com.apple.autologout.AutoLogOutDelay').js
 EOS
 result:
 integer: 86400
diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml
index cda1d9cde..4bcc3d1a1 100644
--- a/rules/sysprefs/sysprefs_content_caching_disable.yaml
+++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowContentCaching'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowContentCaching').js
 EOS
 result:
 string: "false"
diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
index b8d0ce818..217f71c94 100644
--- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
+++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
@@ -4,9 +4,8 @@ discussion: |
 Ensure that security updates are installed as soon as they are available from Apple.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
- .objectForKey('CriticalUpdateInstall'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
+ .objectForKey('CriticalUpdateInstall').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index 8001fe201..f9e9bf71a 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -6,9 +6,8 @@ discussion: |
 When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
- .objectForKey('EnableFirewall'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableFirewall').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index 8fa0547bd..8274174b3 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -11,9 +11,8 @@ discussion: |
 ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
- .objectForKey('EnableStealthMode'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableStealthMode').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
index 4d3dbef5c..fce97c010 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
@@ -6,9 +6,8 @@ discussion: |
 Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
- .objectForKey('AllowIdentifiedDevelopers'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+ .objectForKey('AllowIdentifiedDevelopers').js
 EOS
 result:
 integer: 1
diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
index b6773bf20..8ce6b9f53 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
@@ -6,9 +6,8 @@ discussion: |
 If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
- .objectForKey('DisableOverride'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
+ .objectForKey('DisableOverride').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml
index e4e310b06..a62cdbab2 100644
--- a/rules/sysprefs/sysprefs_guest_account_disable.yaml
+++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Turning off guest access prevents anonymous users from accessing files.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
- .objectForKey('DisableGuestAccount'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('DisableGuestAccount').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
index 0cd70ab49..7ac4493ae 100644
--- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
+++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
- .objectForKey('Siri Data Sharing Opt-In Status'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
+ .objectForKey('Siri Data Sharing Opt-In Status').js
 EOS
 result:
 integer: 2
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index 7bd47530a..3f31c744f 100644
--- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
- .objectForKey('forceInternetSharingOff'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('forceInternetSharingOff').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
index 35f61ce85..07d10bca6 100644
--- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else’s account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
- .objectForKey('SHOWFULLNAME'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('SHOWFULLNAME').js
 EOS
 result:
 integer: 1
diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml
index 3c5381581..bcf0917b0 100644
--- a/rules/sysprefs/sysprefs_password_hints_disable.yaml
+++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
- .objectForKey('RetriesUntilHint'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('RetriesUntilHint').js
 EOS
 result:
 integer: 0
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index 86fe16b43..7c89af24e 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\
- .objectForKey('allowApplePersonalizedAdvertising'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\
+ .objectForKey('allowApplePersonalizedAdvertising').js
 EOS
 result:
 string: "false"
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index daa0d42d7..588a1c063 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 An unattended system with an excessive grace period is vulnerable to a malicious user.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('askForPasswordDelay'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPasswordDelay').js
 EOS
 result:
 integer: 5
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index 48bb47bfa..c0c578bd5 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 The screen saver acts as a session lock and prevents unauthorized users from accessing the current user’s account.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('askForPassword'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPassword').js
 EOS
 result:
 string: "true"
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 205a20fbc..4c3208cd0 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -6,9 +6,8 @@ discussion: |
 This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('idleTime'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('idleTime').js
 EOS
 result:
 integer: 900
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index 169cc2836..da40bf655 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
@@ -6,9 +6,8 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
- .objectForKey('Ironwood Allowed'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
+ .objectForKey('Ironwood Allowed').js
 EOS
 result:
 string: "false"
diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml
index d1898b2a9..accc02eb3 100644
--- a/rules/sysprefs/sysprefs_time_server_configure.yaml
+++ b/rules/sysprefs/sysprefs_time_server_configure.yaml
@@ -6,9 +6,8 @@ discussion: |
 This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
- .objectForKey('timeServer'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('timeServer').js
 EOS
 result:
 string: "time-a.nist.gov,time-b.nist.gov"
diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
index cac50bd05..703ffca84 100644
--- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml
+++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
@@ -11,9 +11,8 @@ discussion: |
 ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
- .objectForKey('tokenRemovalAction'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
+ .objectForKey('tokenRemovalAction').js
 EOS
 result:
 integer: 1
diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
index 67161464e..82d1cb92d 100644
--- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
@@ -8,9 +8,8 @@ discussion: |
 The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- ObjC.import('Foundation')
- ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
- .objectForKey('allowFingerprintForUnlock'))
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowFingerprintForUnlock').js
 EOS
 result:
 string: "false"
From 1f4d4bfe8059f7df2eb617ce8d624c156f317f44 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Fri, 3 Dec 2021 14:55:09 -0500
Subject: [PATCH 020/193] changed plist510 to 511 for com.apple.dock
---
 scripts/generate_oval.py | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py
index 4d5899ec0..fe793af90 100755
--- a/scripts/generate_oval.py
+++ b/scripts/generate_oval.py
@@ -227,51 +227,50 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) if payload_domain == "com.apple.dock": oval_object = oval_object + ''' - - lastUserName + /Library/Preferences/com.apple.loginwindow.plist - 1 - - - {} + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + /plist/dict/key[string()="{}"]/following-sibling::*[1]/text() 1 - - '''.format(x+1999,key,x,key,x) + + '''.format(x+1999,key,x,x,key) oval_variable = oval_variable + ''' /Library/Managed Preferences/ - + /com.apple.dock.plist '''.format(x,x+1999) else: oval_object = oval_object + ''' - + {} /Library/Managed Preferences/{}.plist 1 - + '''.format(rule_yaml['id'],x,key,payload_domain) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x += 1 From 995bd5b0db4a4f3e0c75fa436b1b780ce8793833 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 6 Dec 2021 14:22:20 -0500 Subject: [PATCH 021/193] converted plist510 to 511, xpath statements updated --- scripts/generate_oval.py | 198 ++++++++++++++++++++++----------------- 1 file changed, 114 insertions(+), 84 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index fe793af90..38f5c8b2f 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -243,10 +243,8 @@ def main(): - /plist/dict/key[string()="{}"]/following-sibling::*[1]/text() - 1 - - '''.format(x+1999,key,x,x,key) + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(x+1999,key,x,x,key) oval_variable = oval_variable + ''' 
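Review bot: The new XPath on the `+` line of the `@@ -243` hunk, `//*[contains(text(), "{}")]/following-sibling::*[1]/text()`, matches on a substring anywhere in the document rather than on the exact `key` element that the preceding `@@ -227` hunk had just introduced with `/plist/dict/key[string()="{}"]`. Two keys that are prefixes of one another in the same domain — this page's own rules use both `askForPassword` and `askForPasswordDelay` under `com.apple.screensaver` — can therefore resolve to the wrong sibling, and `//*` also descends into nested dicts, so an OVAL result may pass or fail on a value the rule never intended. I would keep the exact-match form, `//key[text()="{}"]/following-sibling::*[1]/text()`, and add a comment that `key` is dropped into a double-quoted XPath literal unescaped (repo-controlled today, but a key containing `"` would break the expression). The XML element tags appear to have been lost in this rendering, so only the XPath text and the `.format` argument lists are reviewable here; `main()` continues outside the hunk.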
@@ -260,11 +258,11 @@ def main(): else: oval_object = oval_object + ''' - {} /Library/Managed Preferences/{}.plist - 1 + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + - '''.format(rule_yaml['id'],x,key,payload_domain) + '''.format(rule_yaml['id'],x,payload_domain,key) oval_state = oval_state + ''' @@ -334,32 +332,37 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - {} - /Library/Managed Preferences/{}.plist - 1 - - '''.format(rule_yaml['id'],x,key,payload_type) + + /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) state_kind = "" if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) state_kind = "boolean" elif type(value) == int: state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) elif type(value) == str: state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x = x + 1 @@ -424,11 +427,10 @@ def main(): '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - lastUserName + /Library/Preferences/com.apple.loginwindow.plist - 1 - + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + boolean(plist/dict/array/string/text() = "{}") @@ -448,7 +450,7 @@ def main(): /Library/Managed Preferences/ - + /com.apple.systempreferences.plist '''.format(x,x+1999) 
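Review bot: In the `@@ -334` hunk the XPath is now only appended inside the `bool`/`int`/`str` branches, so a `value` of any other type read from the rule YAML (a list or float) yields an object with no XPath at all and `state_kind` left as `""`, where the removed lines appear to have always written the key. Add a terminal branch, `else: raise ValueError("unsupported result type for {}: {}".format(rule_yaml['id'], type(value).__name__))`, so a malformed rule fails generation instead of emitting an unusable OVAL object. The `int` and `str` branches append the identical XPath and only the boolean branch differs, so the two could share one assignment. `main()` begins and ends outside this hunk, and the element tags look stripped in this rendering.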
@@ -482,26 +484,25 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - {} + /Library/Managed Preferences/{}.plist - 1 - - '''.format(rule_yaml['id'],x,key,payload_type) + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + + '''.format(rule_yaml['id'],x,payload_type,key) oval_state = oval_state + ''' - - {} - + + {} + '''.format(rule_yaml['id'],x,state_kind,value) x += 1 continue @@ -664,10 +665,10 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) oval_test = oval_test + ''' - + - + '''.format(rule_yaml['id'],x,x,x) if rule_yaml['check'].split()[1] == "--getloggingmode": @@ -678,16 +679,16 @@ def main(): firewall_variable = "globalstate" oval_object = oval_object + ''' - - {} + /Library/Preferences/com.apple.alf.plist + //*[contains(text(), "{}")]/following-sibling::*[1]/text() 1 - '''.format(rule_yaml['id'],x,firewall_variable) + '''.format(rule_yaml['id'],x,firewall_variable) oval_state = oval_state + ''' - - 1 - '''.format(rule_yaml['id'],x) + + 1 + '''.format(rule_yaml['id'],x) x += 1 continue if "systemsetup" in command[3]: @@ -762,10 +763,10 @@ def main(): '''.format(rule_yaml['id']+"_"+str(abc),x) oval_test = oval_test + ''' - + - '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) + '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") 
@@ -801,27 +802,32 @@ def main(): oval_object = oval_object + ''' - - {} - - 1 - '''.format(rule_yaml['id']+"_"+str(abc),x,key,x) + + '''.format(rule_yaml['id']+"_"+str(abc),x,x) oval_datatype = "" try: int(value) oval_datatype = "int" + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) except: if value.lower() == "true" or value.lower == "false": oval_datatype = "boolean" - + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) else: oval_datatype = "string" + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) + + {} + '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) abc =+ 1 x = x+1 @@ -849,10 +855,10 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) oval_test = oval_test + ''' - + - '''.format(rule_yaml['id'],x,x,x) + '''.format(rule_yaml['id'],x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") @@ -866,7 +872,7 @@ def main(): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - # plist = rule_yaml['check'].split()[6] + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] @@ -877,13 +883,19 @@ def main(): oval:mscp:ste:{} - - {} - - 1 - - '''.format(x+1999,x+1999,rule_yaml['id'],x,key,x) - + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + except: + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' ^[^_\s].* 
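Review bot: The new `name(...)` boolean branch in the -801 hunk is only reached through the context condition `value.lower() == "true" or value.lower == "false"`, and `value.lower == "false"` compares the bound method to a string and is always false, so a value of `false` falls into the string branch with `oval_datatype = "string"`; the condition should read `if value.lower() in ("true", "false"):`. The bare `except:` around `int(value)` should be `except ValueError:`, and the context line `abc =+ 1` assigns 1 rather than incrementing (presumably `abc += 1` was meant), which is worth fixing while this loop is being reworked. In the -877 hunk, `try: rule_yaml['result']['boolean'] ... except:` uses a bare except as a key test; `if 'boolean' in rule_yaml['result']:` states the intent and does not mask a missing `result` section. The same try/except key test recurs in the -909 and -925 hunks on the next line. main() starts and ends outside these hunks.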
@@ -909,11 +921,19 @@ def main(): key = rule_yaml['check'].split()[check_length-1] oval_object = oval_object + ''' - - {} + - 1 - '''.format(rule_yaml['id'],x,key,x) + '''.format(rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + except: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_variable = oval_variable + ''' @@ -925,22 +945,33 @@ def main(): '''.format(x,plist,x+999) else: + if plist[-6:] != ".plist": plist = plist + ".plist" plist_key = rule_yaml['check'].split(" ")[3].rstrip() oval_object = oval_object + ''' - - {} - {} - 1 - '''.format(rule_yaml['id'],x,plist_key,plist) - + + {}'''.format(rule_yaml['id'],x,plist) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(plist_key) + except: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(plist_key) + + datatype = "" + plist_key = rule_yaml['check'].split(" ")[3].rstrip() for key in rule_yaml['result']: datatype = key if datatype == "integer": oval_datatype = "int" + else: oval_datatype = datatype @@ -952,9 +983,9 @@ def main(): value = rule_yaml['result'][datatype] oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'],x,oval_datatype,value) + + {} + '''.format(rule_yaml['id'],x,oval_datatype,value) oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) x = x+1 @@ -1497,10 +1528,10 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) oval_test = oval_test + ''' - + - + 
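Review bot: In the -925 hunk `plist_key = rule_yaml['check'].split(" ")[3].rstrip()` is assigned a second time, after `datatype = ""`, with exactly the expression used a few lines earlier in the same hunk; the duplicate should go. The added suffix check `if plist[-6:] != ".plist":` reads more clearly and cannot be thrown off by a shorter name as `if not plist.endswith(".plist"):`. main() starts and ends outside these hunks.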
@@ -1511,11 +1542,10 @@ def main(): oval_object = oval_object + ''' - - {} + /var/db/com.apple.xpc.launchd/disabled.plist - 1 - + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(rule_yaml['id'],x,domain,x+999,rule_yaml['id'],domain) @@ -1526,9 +1556,9 @@ def main(): else: status = "true" oval_state = oval_state + ''' - - {} - '''.format(rule_yaml['id'],x,status) + + {} + '''.format(rule_yaml['id'],x,status) else: oval_definition = oval_definition + ''' From 56b233a00c51e9a9131994c99709bd9bffd2adb7 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 7 Dec 2021 16:14:16 -0500 Subject: [PATCH 022/193] fixed xpath for booleans for managed prefs --- scripts/generate_oval.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 38f5c8b2f..dab1858dc 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -493,11 +493,16 @@ def main(): oval_object = oval_object + ''' - /Library/Managed Preferences/{}.plist - //*[contains(text(), "{}")]/following-sibling::*[1]/text() - - '''.format(rule_yaml['id'],x,payload_type,key) - + /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) + + if state_kind == "boolean": + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) + '''.format(key) + else: + oval_object = oval_object + ''' + //*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) oval_state = oval_state + ''' From 422b2055d178ad1607348dab4ed999250c1380b4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 7 Dec 2021 16:20:52 -0500 Subject: [PATCH 023/193] fixed xpath for reading disabled LaunchDaemons --- scripts/generate_oval.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index dab1858dc..e309526c7 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
@@ -1549,7 +1549,7 @@ def main(): oval_object = oval_object + ''' /var/db/com.apple.xpc.launchd/disabled.plist - //*[contains(text(), "{}")]/following-sibling::*[1]/text() + name(//*[contains(text(), "{}")]/following-sibling::*[1]) From badf9847a3342cfacd7d680b344807ce966cabc7 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 8 Dec 2021 11:30:34 -0500 Subject: [PATCH 024/193] beautified oval and lowercased file name --- SCAP/Makefile | 2 +- scripts/generate_oval.py | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/SCAP/Makefile b/SCAP/Makefile index 4c405c4c7..5e0a8dfdc 100644 --- a/SCAP/Makefile +++ b/SCAP/Makefile @@ -40,7 +40,7 @@ XCCDF: SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ benchmark-id-suffix=macOS_${OS} \ - OVAL-URI=${DIR}/All_rules.xml \ + OVAL-URI=${DIR}/all_rules.xml \ include-CPE=1 # the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml' # a gratuitous OCIL document is provided diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index e309526c7..40307e68d 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -9,6 +9,7 @@ import warnings from pathlib import Path from datetime import datetime +import shutil warnings.filterwarnings("ignore", category=DeprecationWarning) @@ -38,7 +39,7 @@ def main(): except OSError: print(f"Creation of the directory {build_path} failed") print('Profile YAML:', results.baseline.name) - print('Output path:', output) + print('Output path:', output.lower()) 
@@ -1600,10 +1601,21 @@ def main(): final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) # final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval) - oval_file = output + oval_file = output.lower() - with open(oval_file,'w') as rite: + with open(oval_file + "temp",'w') as rite: rite.write(final_oval) + cmd = shutil.which('xmllint') + if cmd == None: + try: + os.rename(oval_file + "temp", oval_file) + except: + print("Error writing Oval file.") + else: + cmd = cmd + " " + oval_file + "temp --format --output " + oval_file + os.popen(cmd).read() + if os.path.exists(oval_file): + os.remove(oval_file + "temp") if __name__ == "__main__": main() \ No newline at end of file From c109287254cc7a434aa89b0313757c4dcf928a82 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 8 Dec 2021 11:34:42 -0500 Subject: [PATCH 025/193] lxml no longer required --- requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index afa9bb39b..948a1cebc 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ pyyaml -lxml xlwt From bbc720e028d61b45135be847891d3e6e4cf37050 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 8 Dec 2021 15:11:00 -0500 Subject: [PATCH 026/193] multiple key check --- rules/sysprefs/sysprefs_find_my_disable.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 2d2d05c21..6d0afeea0 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml 
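Review bot: The xmllint invocation in the -1600 hunk is built as a shell string, `cmd + " " + oval_file + "temp --format --output " + oval_file`, and run through `os.popen(cmd).read()`, so an output path containing a space or shell metacharacters is split or interpreted by the shell and xmllint's exit status is discarded; `subprocess.run([cmd, temp_file, "--format", "--output", oval_file])` (with `import subprocess` next to the new `shutil` import) passes the path verbatim and exposes a failure. Because `os.path.exists(oval_file)` is also true whenever a file from an earlier build exists, a failed xmllint run leaves that stale file in place and silently deletes the fresh temp copy. `cmd == None` should be `cmd is None`, the bare `except:` around `os.rename` hides the actual OSError, and `oval_file + "temp"` would read better bound once to a local with a separator. main() starts outside this hunk.
```python
    oval_file = output.lower()
    temp_file = oval_file + ".tmp"
    with open(temp_file, 'w') as rite:
        rite.write(final_oval)
    xmllint = shutil.which('xmllint')
    if xmllint is None:
        # No formatter available: the unformatted document is the result.
        os.replace(temp_file, oval_file)
    else:
        # Argument list, not a shell string: the path reaches xmllint verbatim.
        result = subprocess.run([xmllint, temp_file, "--format", "--output", oval_file])
        if result.returncode != 0:
            print("xmllint failed; keeping the unformatted OVAL file.")
            os.replace(temp_file, oval_file)
        else:
            os.remove(temp_file)
```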
@@ -7,9 +7,18 @@ discussion: | Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowFindMyDevice = 0|allowFindMyFriends = 0|DisableFMMiCloudSetting = 1)' + /usr/bin/osascript -l JavaScript << EOS + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess').objectForKey('allowFindMyDevice')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess').objectForKey('allowFindMyFriends')) + let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed').objectForKey('DisableFMMiCloudSetting')) + if ( pref1 == false && pref2 == false && pref3 == true ) { + console.log("true") + } else { + console.log("false") + } + EOS result: - integer: 3 + string: "true" fix: | This is implemented by a Configuration Profile. references: From 17430477f2d76565b313a47eea8aaffffde1c898 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 8 Dec 2021 16:11:34 -0500 Subject: [PATCH 027/193] switched from console.log() to return() --- rules/sysprefs/sysprefs_find_my_disable.yaml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 6d0afeea0..ea56dcbc7 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml 
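Review bot: The new check in the -7 hunk feeds the JXA script through an unquoted here-document (`<< EOS`), so the shell performs parameter expansion on the body before osascript sees it; `$.NSUserDefaults` survives only because `$.` is not a valid parameter reference, and a future edit introducing `$name` or a backtick would be expanded silently. Quoting the delimiter, `<< 'EOS'`, passes the script verbatim and makes that intent explicit. The three `ObjC.unwrap(...)` expressions differ only in suite name and key, so a small local function taking both would shorten the check; a missing key presumably unwraps to `undefined`, which fails the `== false`/`== true` comparisons and reports `"false"`, which reads as the intended fail-closed behaviour but deserves a sentence in the rule's discussion.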
@@ -8,13 +8,18 @@ discussion: | Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | /usr/bin/osascript -l JavaScript << EOS - let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess').objectForKey('allowFindMyDevice')) - let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess').objectForKey('allowFindMyFriends')) - let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed').objectForKey('DisableFMMiCloudSetting')) - if ( pref1 == false && pref2 == false && pref3 == true ) { - console.log("true") - } else { - console.log("false") + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowFindMyDevice')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowFindMyFriends')) + let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\ + .objectForKey('DisableFMMiCloudSetting')) + if ( pref1 == false && pref2 == false && pref3 == true ) { + return("true") + } else { + return("false") + } } EOS result: From 53b4040f539c7c3b48ea56bbb6f2905070b008ad Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 9 Dec 2021 14:08:20 -0500 Subject: [PATCH 028/193] added file close() line 1610 --- scripts/generate_oval.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 40307e68d..4e8a7d545 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -10,6 +10,7 @@ from pathlib import Path from datetime import datetime import shutil +from time import sleep warnings.filterwarnings("ignore", category=DeprecationWarning) 
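Review bot: The trailing backslashes added in the -8 hunk (`...initWithSuiteName('com.apple.applicationaccess')\`) are not JavaScript line continuations; they only work because the here-document is unquoted and the shell removes backslash-newline before osascript parses the script. JavaScript already allows a member-access chain to break before a leading `.`, so dropping the backslashes and keeping `.objectForKey(...)` on its own line is valid on its own and no longer depends on shell processing. `return("true")` is `return "true"` with redundant parentheses; minor, but as written it looks like a function call.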
@@ -26,7 +27,7 @@ def main(): output_basename = os.path.basename(results.baseline.name) output_filename = os.path.splitext(output_basename)[0] - baseline_name = os.path.splitext(output_basename)[0].capitalize() + baseline_name = os.path.splitext(output_basename)[0] file_dir = os.path.dirname(os.path.abspath(__file__)) parent_dir = os.path.dirname(file_dir) @@ -39,7 +40,7 @@ def main(): except OSError: print(f"Creation of the directory {build_path} failed") print('Profile YAML:', results.baseline.name) - print('Output path:', output.lower()) + print('Output path:', output) @@ -1601,11 +1602,12 @@ def main(): final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) # final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval) - oval_file = output.lower() + oval_file = output with open(oval_file + "temp",'w') as rite: rite.write(final_oval) cmd = shutil.which('xmllint') + rite.close() if cmd == None: try: os.rename(oval_file + "temp", oval_file) @@ -1613,9 +1615,11 @@ def main(): print("Error writing Oval file.") else: cmd = cmd + " " + oval_file + "temp --format --output " + oval_file + os.popen(cmd).read() if os.path.exists(oval_file): os.remove(oval_file + "temp") + # print('removed') if __name__ == "__main__": main() \ No newline at end of file From 86ae8fbf59057b9f9c3e2c979dc9d6c1b767eaee Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 9 Dec 2021 14:09:51 -0500 Subject: [PATCH 029/193] removed commented out lines --- scripts/generate_oval.py | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 4e8a7d545..99aab6b23 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
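Review bot: The `rite.close()` added in the -1601 hunk sits after the `with open(...) as rite:` block, which has already closed and flushed the file on exit, so the call is a no-op; if the intent was to make sure the temp file is complete before xmllint reads it, the `with` block already guarantees that. The `from time import sleep` added in the -10 hunk on the previous line is not used anywhere in the visible hunks and should be dropped unless a later line needs it. `cmd = shutil.which('xmllint')` is evaluated inside the `with` block while the file is still open; moving it after the block keeps the block to the write alone. main() starts and ends outside these hunks.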
@@ -1438,12 +1438,7 @@ def main(): if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] - - # matches = re.findall(r'(?=\=")(?s)(.*)\."',rule_yaml['check']) - - # matches = str(matches).replace('="',"").replace("[","").replace("]","").replace("'","") - # matches = matches + "." - # matches = matches.replace(".","\.").replace(")","\)").replace("(","\(") + matches = text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") oval_definition = oval_definition + ''' @@ -1600,7 +1595,6 @@ def main(): total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n\n"+ oval_state +"\n\n\n" + oval_variable + "\n\n" final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) - # final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval) oval_file = output @@ -1619,7 +1613,6 @@ def main(): os.popen(cmd).read() if os.path.exists(oval_file): os.remove(oval_file + "temp") - # print('removed') if __name__ == "__main__": main() \ No newline at end of file From e43f0fdbc22680bd4c42aaf888fe03663482ca7a Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 16:01:35 -0500 Subject: [PATCH 030/193] initial cis macos lvl1 changes --- rules/os/os_config_data_install_enforce.yaml | 5 ++ ...prefs_critical_update_install_enforce.yaml | 5 ++ scripts/generate_guidance.py | 76 ++++++++++++++++--- templates/adoc_header.adoc | 2 + templates/adoc_rule.adoc | 10 +++ templates/adoc_rule_custom_refs.adoc | 10 +++ templates/adoc_rule_no_setting.adoc | 10 +++ 7 files changed, 106 insertions(+), 12 deletions(-) diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 87ac56322..d93e08688 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml 
@@ -30,6 +30,10 @@ references: - N/A 800-171r2: - N/A + cis_lvl1: + - 1.5 + cis_lvl2: + - N/A cisv8: - 10.1 - 10.2 @@ -40,6 +44,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index b1c1f6f61..b5d3ab6f1 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -23,6 +23,10 @@ references: - N/A 800-171r2: - N/A + cis_lvl1: + - 1.5 + cis_lvl2: + - N/A cisv8: - 7.3 - 7.4 @@ -33,6 +37,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 9c22b151c..49891631b 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -23,7 +23,7 @@ class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): + def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis_lvl1, cis_lvl2, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -36,6 +36,8 @@ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, n self.rule_800171 = nist_171 self.rule_disa_stig = disa_stig self.rule_srg = srg + self.rule_cis_lvl1 = cis_lvl1 + self.rule_cis_lvl2 = cis_lvl2 self.rule_cisv8 = cisv8 self.rule_custom_refs = custom_refs self.rule_result_value = result_value 
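Review bot: The new reference entries are unquoted scalars such as `cis_lvl1: - 1.5`, which YAML parses as the float 1.5 rather than the string "1.5"; that round-trips for this value, but a reference of the form `x.y0` (for example a hypothetical `2.10`) would be loaded as `2.1` and rendered wrongly in the guide and spreadsheet. Quoting the values, `- "1.5"`, keeps every reference a string, as the three-part ones like `2.4.11` already are. The same form is used in the other rule hunks of this patch and the following ones.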
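Review bot: Inserting `cis_lvl1, cis_lvl2` between `srg` and `cisv8` in the `__init__` signature of the -23 hunk shifts the positional meaning of every parameter after them, and the only visible caller (create_rules in the -1324 hunk) passes all twenty-one arguments positionally; any caller not touched by this patch would now bind its `cisv8` value to `cis_lvl1` without an error. Making the reference parameters keyword-only, or adding the new ones at the end with a default such as `['N/A']`, would make this and future additions safe. The class header is outside the hunk.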
@@ -57,6 +59,8 @@ def create_asciidoc(self, adoc_rule_template): rule_cci=self.rule_cci, rule_80053r5=self.rule_80053r5, rule_disa_stig=self.rule_disa_stig, + rule_cis_lvl1=self.rule_cis_lvl1, + rule_cis_lvl2=self.rule_cis_lvl2, rule_cisv8=self.rule_cisv8, rule_srg=self.rule_srg, rule_result=self.rule_result_value @@ -1142,9 +1146,11 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 9, "800-171", headers) sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) - sheet1.write(0, 12, "CIS Controls v8", headers) - sheet1.write(0, 13, "CCI", headers) - sheet1.write(0, 14, "Modifed Rule", headers) + sheet1.write(0, 12, "CIS Level 1", headers) + sheet1.write(0, 13, "CIS Level 2", headers) + sheet1.write(0, 14, "CIS Controls v8", headers) + sheet1.write(0, 15, "CCI", headers) + sheet1.write(0, 16, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) 
@@ -1221,22 +1227,34 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 11, disa_refs, topWrap) sheet1.col(11).width = 500 * 15 - cci = (str(rule.rule_cci)).strip('[]\'') - cci = cci.replace(", ", "\n").replace("\'", "") + cislvl1_refs = (str(rule.rule_cis_lvl1)).strip('[]\'') + cislvl1_refs = cislvl1_refs.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 12, cislvl1_refs, topWrap) + sheet1.col(12).width = 500 * 15 + + cislvl2_refs = (str(rule.rule_cis_lvl2)).strip('[]\'') + cislvl2_refs = cislvl2_refs.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 13, cislvl2_refs, topWrap) + sheet1.col(12).width = 500 * 15 cisv8_refs = (str(rule.rule_cisv8)).strip('[]\'') cisv8_refs = cisv8_refs.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 12, cisv8_refs, topWrap) + sheet1.write(counter, 14, cisv8_refs, topWrap) sheet1.col(12).width = 500 * 15 - sheet1.write(counter, 13, cci, topWrap) + cci = (str(rule.rule_cci)).strip('[]\'') + cci = cci.replace(", ", "\n").replace("\'", "") + + sheet1.write(counter, 15, cci, topWrap) sheet1.col(13).width = 400 * 15 customized = (str(rule.rule_customized)).strip('[]\'') customized = customized.replace(", ", "\n").replace("\'", "") - sheet1.write(counter, 14, customized, topWrap) + sheet1.write(counter, 16, customized, topWrap) sheet1.col(14).width = 400 * 15 if rule.rule_custom_refs != ['None']: @@ -1281,6 +1299,8 @@ def create_rules(baseline_yaml): 'cce', '800-53r5', '800-171r2', + 'cis_lvl1', + 'cis_lvl2', 'cisv8', 'srg', 'custom'] @@ -1324,6 +1344,8 @@ def create_rules(baseline_yaml): rule_yaml['references']['800-171r2'], rule_yaml['references']['disa_stig'], rule_yaml['references']['srg'], + rule_yaml['references']['cis_lvl1'], + rule_yaml['references']['cis_lvl2'], rule_yaml['references']['cisv8'], rule_yaml['references']['custom'], rule_yaml['tags'], 
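Review bot: The column-width assignments in the -1221 hunk no longer follow the column indexes: after writing CIS Level 2 to column 13 the code sets `sheet1.col(12).width`, after CIS Controls v8 in column 14 it sets `col(12)` again, after CCI in column 15 it sets `col(13)`, and after the modified flag in column 16 it sets `col(14)`, so columns 15 and 16 keep the default width while 12 is set three times. Each `sheet1.col(N).width` should use the same index as the `sheet1.write(counter, N, ...)` just above it. The four `str(list).strip('[]\'').replace(", ", "\n").replace("\'", "")` blocks differ only in the attribute; if these attributes are always lists, a helper such as `def _join_refs(refs): return "\n".join(str(r) for r in refs)` expresses the intent (one reference per line) without going through `repr`. generate_xls starts and ends outside this hunk.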
@@ -1552,7 +1574,17 @@ def main(): else: adoc_STIG_show=":show_STIG!:" - if "CIS" in baseline_yaml['title'].upper(): + if "LEVEL 1" in baseline_yaml['title'].upper(): + adoc_cis_lvl1_show=":show_cis_lvl1:" + else: + adoc_cis_lvl1_show=":show_cis_lvl1!:" + + if "LEVEL 2" in baseline_yaml['title'].upper(): + adoc_cis_lvl2_show=":show_cis_lvl2:" + else: + adoc_cis_lvl2_show=":show_cis_lvl2!:" + + if "CIS CONTROLS" in baseline_yaml['title'].upper(): adoc_cisv8_show=":show_cisv8:" else: adoc_cisv8_show=":show_cisv8!:" @@ -1573,6 +1605,8 @@ def main(): tag_attribute=adoc_tag_show, nist171_attribute=adoc_171_show, stig_attribute=adoc_STIG_show, + cislvl1_attribute=adoc_cis_lvl1_show, + cislvl2_attribute=adoc_cis_lvl2_show, cisv8_attribute=adoc_cisv8_show, version=version_yaml['version'], os_version=version_yaml['os'], @@ -1669,7 +1703,6 @@ def main(): except KeyError: nist_80053r5 = 'N/A' else: - #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_80053r5 = rule_yaml['references']['800-53r5'] try: @@ -1677,7 +1710,6 @@ def main(): except KeyError: nist_800171 = '- N/A' else: - #nist_80053r5 = ulify(rule_yaml['references']['800-53r5']) nist_800171 = ulify(rule_yaml['references']['800-171r2']) try: @@ -1687,6 +1719,20 @@ def main(): else: disa_stig = ulify(rule_yaml['references']['disa_stig']) + try: + rule_yaml['references']['cis_lvl1'] + except KeyError: + cis_lvl1 = '- N/A' + else: + cis_lvl1 = ulify(rule_yaml['references']['cis_lvl1']) + + try: + rule_yaml['references']['cis_lvl2'] + except KeyError: + cis_lvl2 = '- N/A' + else: + cis_lvl2 = ulify(rule_yaml['references']['cis_lvl2']) + try: rule_yaml['references']['cisv8'] except KeyError: @@ -1776,6 +1822,8 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cis_lvl1=cis_lvl1, + rule_cis_lvl2=cis_lvl2, rule_cisv8=cisv8, rule_cce=cce, rule_tags=tags, 
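Review bot: The -1552 hunk changes the CIS Controls detection from `"CIS" in title` to `"CIS CONTROLS" in title` and adds `"LEVEL 1"`/`"LEVEL 2"` substring tests, so which reference columns appear now depends on the exact wording of the baseline title; a title such as "CIS Benchmark Level 1" no longer enables `show_cisv8`, and "Level 1" anywhere in a non-CIS title enables the Level 1 attribute. Deriving the flags from the baseline's tags or an explicit key in the baseline YAML would be less brittle; if the title is the intended switch, a comment stating the expected forms (`# title is expected to contain "Level 1", "Level 2" or "CIS Controls"`) at least documents the contract. The cis_lvl1/cis_lvl2 `try/except KeyError/else` blocks in the -1687 hunk copy the existing ones verbatim; `rule_yaml['references'].get('cis_lvl1')` followed by one `ulify` call would replace four duplicated blocks. main() starts and ends outside these hunks.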
@@ -1792,6 +1840,8 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cis_lvl1=cis_lvl1, + rule_cis_lvl2=cis_lvl2, rule_cisv8=cisv8, rule_cce=cce, rule_custom_refs=custom_refs, @@ -1810,6 +1860,8 @@ def main(): rule_80053r5=nist_controls, rule_800171=nist_800171, rule_disa_stig=disa_stig, + rule_cis_lvl1=cis_lvl1, + rule_cis_lvl2=cis_lvl2, rule_cisv8=cisv8, rule_cce=cce, rule_tags=tags, diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc index 951cb8d0e..0ea1af58b 100644 --- a/templates/adoc_header.adoc +++ b/templates/adoc_header.adoc @@ -14,6 +14,8 @@ :nofooter: $nist171_attribute $stig_attribute +$cislvl1_attribute +$cislvl2_attribute $cisv8_attribute ifdef::backend-pdf[] = $profile_title diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc index bf9b2ef4f..ee4b31bfe 100644 --- a/templates/adoc_rule.adoc +++ b/templates/adoc_rule.adoc @@ -45,6 +45,16 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CIS_LVL1[] +!CIS Level 1 +!$rule_cis_lvl1 +endif::[] + +ifdef::show_CIS_LVL2[] +!CIS Level 2 +!$rule_cis_lvl2 +endif::[] + ifdef::show_CISv8[] !CIS Controls V8 !$rule_cisv8 diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index b0bbfef4b..cf9e56e1e 100644 --- a/templates/adoc_rule_custom_refs.adoc +++ b/templates/adoc_rule_custom_refs.adoc @@ -45,6 +45,16 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CIS_LVL1[] +!CIS Level 1 +!$rule_cis_lvl1 +endif::[] + +ifdef::show_CIS_LVL2[] +!CIS Level 2 +!$rule_cis_lvl2 +endif::[] + ifdef::show_CISv8[] !CIS Controls V8 !$rule_cisv8 diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index 44c950acf..d75d22d57 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc 
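Review bot: The attributes set in Python are `:show_cis_lvl1:` and `:show_cis_lvl2:`, but the guards added to adoc_rule and adoc_rule_custom_refs (and adoc_rule_no_setting on the next line) test `ifdef::show_CIS_LVL1[]` and `ifdef::show_CIS_LVL2[]`. The existing `:show_cisv8:`/`show_CISv8` pair suggests the processor normalises attribute-name case, but the new pairs should still use one spelling on both sides so the guards do not depend on that; renaming the template guards to `ifdef::show_cis_lvl1[]` / `ifdef::show_cis_lvl2[]` is the smaller change.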
@@ -31,6 +31,16 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] +ifdef::show_CIS_LVL1[] +!CIS Level 1 +!$rule_cis_lvl1 +endif::[] + +ifdef::show_CIS_LVL2[] +!CIS Level 2 +!$rule_cis_lvl2 +endif::[] + ifdef::show_CISv8[] !CIS Controls V8 !$rule_cisv8 From 0f1efdc156066c34747e0888f024c014a999e7ba Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 16:37:04 -0500 Subject: [PATCH 031/193] more cis rules --- rules/audit/audit_auditd_enabled.yaml | 5 +++++ rules/audit/audit_flags_aa_configure.yaml | 5 +++++ rules/audit/audit_flags_ad_configure.yaml | 5 +++++ rules/audit/audit_flags_ex_configure.yaml | 5 +++++ rules/audit/audit_flags_fm_configure.yaml | 5 +++++ rules/audit/audit_flags_fr_configure.yaml | 5 +++++ rules/audit/audit_flags_fw_configure.yaml | 5 +++++ rules/audit/audit_flags_lo_configure.yaml | 5 +++++ 8 files changed, 40 insertions(+) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 9fb99ced7..bbab0492c 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -61,6 +61,10 @@ references: - 3.3.1 - 3.3.2 - 3.3.7 + cis_lvl1: + - 3.1 + cis_lvl2: + - N/A cisv8: - 8.2 - 8.5 @@ -75,6 +79,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 9754e6406..0b77285db 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -37,6 +37,10 @@ references: 800-171r2: - 3.3.1 - 3.3.2 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -53,6 +57,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 0a22abc7b..b7b8afeb7 100644 --- a/rules/audit/audit_flags_ad_configure.yaml 
+++ b/rules/audit/audit_flags_ad_configure.yaml @@ -52,6 +52,10 @@ references: - 3.1.7 - 3.3.1 - 3.3.2 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -68,6 +72,7 @@ tags: - 800-53r5_low - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index d0a7d7876..12ed9e568 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -37,6 +37,10 @@ references: 800-171r2: - 3.3.1 - 3.3.2 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -53,6 +57,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 7bc34da8d..65963aeef 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -42,6 +42,10 @@ references: - N/A 800-171r2: - N/A + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -50,6 +54,7 @@ macOS: - "12.0" tags: - stig + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index a054a5b40..b0284a2bc 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -44,6 +44,10 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -60,6 +64,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index f638b8003..46233c5cf 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml 
@@ -43,6 +43,10 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -59,6 +63,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 34453690b..202dc3fd0 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -40,6 +40,10 @@ references: - 3.1.12 - 3.3.1 - 3.3.2 + cis_lvl1: + - N/A + cis_lvl2: + - 3.2 cisv8: - 3.14 - 8.2 @@ -56,6 +60,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false From 3d3c972becda2364bd15fbedd03b4265a4ac1feb Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 20:59:48 -0500 Subject: [PATCH 032/193] more cis rules --- rules/os/os_airdrop_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_content_caching_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_internet_sharing_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 5 +++++ rules/sysprefs/sysprefs_rae_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_screen_sharing_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_smbd_disable.yaml | 3 +++ rules/sysprefs/sysprefs_ssh_disable.yaml | 5 +++++ 10 files changed, 48 insertions(+) diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 15c214d9f..0c74a63eb 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -35,6 +35,10 @@ references: - 3.1.16 - 3.1.20 - 3.4.6 + cis_lvl1: + - 2.4.11 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -50,6 +54,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true 
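Review bot: In the os_airdrop_disable hunk the references block states `cis_lvl1: - 2.4.11` and `cis_lvl2: - N/A`, yet the tag added under `tags:` is `- cis_lvl2`; every other rule in this patch tags the level that carries the reference, so this looks like it should be `- cis_lvl1`. If the tags drive baseline membership, as their use elsewhere suggests, the mismatch would place the rule in the Level 2 baseline and omit it from Level 1.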
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index ce2a46928..462d1f97e 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -28,6 +28,10 @@ references: - N/A 800-171r2: - 3.4.6 + cis_lvl1: + - 2.4.13 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -37,6 +41,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 96ed99513..e8b112208 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -46,6 +46,10 @@ references: - 3.1.2 - 3.1.16 - 3.4.7 + cis_lvl1: + - 2.4.7 + cis_lvl2: + - N/A cisv8: - 3.3 - 4.1 @@ -61,6 +65,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 1d3504d3d..97fa49a83 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -27,6 +27,10 @@ references: - N/A 800-171r2: - 3.4.6 + cis_lvl1: + - N/A + cis_lvl2: + - 2.4.10 cisv8: - 4.1 - 4.8 @@ -41,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 6626b3a6e..d6105a5b5 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -28,6 +28,10 @@ references: 800-171r2: - 3.1.3 - 3.1.20 + cis_lvl1: + - 2.4.2 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 
@@ -42,6 +46,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index 85f1a8773..d7ae9081e 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -31,6 +31,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - N/A + cis_lvl2: + - 2.4.12 cisv8: - 4.1 - 4.8 @@ -44,6 +48,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 29fa870f4..46bd35c22 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -32,6 +32,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - 2.4.1 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -46,6 +50,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 6bf39667f..297a3b89a 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -32,6 +32,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - 2.4.3 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -46,6 +50,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 5608aef93..65b5f2f18 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -31,6 +31,8 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - 2.4.8 cisv8: - 4.1 - 4.8 
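Review bot: The sysprefs_smbd_disable.yaml references hunk adds only `cis_lvl1: - 2.4.8` and omits the `cis_lvl2:` / `- N/A` pair that every other rule touched by this commit carries; os_gatekeeper_enable.yaml in the following commit has the same omission. If the generator or a schema check iterates a fixed set of reference keys, the missing key becomes a lookup failure or a blank column rather than an explicit "not applicable"; keeping the shape uniform costs the two lines `  cis_lvl2:` and `  - N/A`.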
@@ -45,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 1cc04e9de..a75df3542 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -34,12 +34,17 @@ references: - 3.1.1 - 3.1.2 - 3.4.6 + cis_lvl1: + - 2.4.5 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 macOS: - "12.0" tags: + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false From 3fa6004385520c04f70022111560e386882dd590 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 21:26:11 -0500 Subject: [PATCH 033/193] more cis controls --- rules/icloud/icloud_sync_disable.yaml | 5 +++++ rules/os/os_gatekeeper_enable.yaml | 3 +++ rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 5 +++++ rules/sysprefs/sysprefs_filevault_enforce.yaml | 5 +++++ rules/sysprefs/sysprefs_firewall_enable.yaml | 5 +++++ rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 5 +++++ .../sysprefs/sysprefs_personalized_advertising_disable.yaml | 5 +++++ 7 files changed, 33 insertions(+) diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index c76df61d4..407aca460 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -33,6 +33,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cis_lvl1: + - N/A + cis_lvl2: + - 2.6.1.4 cisv8: - 4.1 - 4.8 @@ -48,6 +52,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 2cad2a915..2c105a015 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -37,6 +37,8 @@ references: - N/A 800-171r2: - 3.4.5 + cis_lvl1: + - 2.5.2.1 cisv8: - 10.1 - 10.2 
@@ -51,6 +53,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "high" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index e90751a15..45228096f 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -28,6 +28,10 @@ references: - N/A 800-171r2: - 3.1.20 + cis_lvl1: + - N/A + cis_lvl2: + - 2.5.5 cisv8: - 4.1 - 4.8 @@ -42,6 +46,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 29bbddd74..79ea6dbf9 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -29,6 +29,10 @@ references: - N/A 800-171r2: - 3.13.16 + cis_lvl1: + - 2.5.5.1 + cis_lvl2: + - N/A cisv8: - 3.6 - 3.11 @@ -41,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 00c95fb6c..707d7f5b9 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -41,6 +41,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cis_lvl1: + - 2.5.2.2 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.5 @@ -56,6 +60,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index a932e0716..2619bd126 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml 
@@ -37,6 +37,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cis_lvl1: + - 2.5.2.3 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.5 @@ -52,6 +56,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 196c17afc..4b7d71982 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -31,6 +31,10 @@ references: 800-171r2: - 3.1.20 - 3.4.6 + cis_lvl1: + - 2.5.6 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -45,6 +49,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: true mobileconfig_info: From 6c6b0a45202a3db7c432fd1d2cdd2f7ecc219d35 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 22:09:56 -0500 Subject: [PATCH 034/193] cis wifi menu --- rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/sysprefs/sysprefs_wifi_menu_enable.yaml diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml new file mode 100644 index 000000000..68c6be925 --- /dev/null +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -0,0 +1,39 @@ +id: sysprefs_wifi_menu_enable +title: "Enable Wifi Menu" +discussion: | + The WiFi menu _MUST_ be enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WiFi = 18' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 4.2 + cis_lvl2: + - N/A + cisv8: + - N/A +macOS: + - "12.0" +tags: + - cis_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.controlcenter: + WiFi: 18 \ No newline at end of file 
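Review bot: In the new sysprefs_wifi_menu_enable.yaml the check `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WiFi = 18'` matches any profile key named `WiFi` with value 18, not only one under `com.apple.controlcenter`, and with `result: integer: 1` it also fails when two installed profiles both set the key (count 2); this is the same pattern the other profile checks in this series use, so it is consistent, but the discussion should say that a single controlling profile is assumed. The `discussion` block gives the requirement only ("The WiFi menu _MUST_ be enabled") with no rationale, unlike the other rules in the tree; one sentence on why the menu-bar item matters would help whoever reads the generated guide. The spelling also differs between the title ("Wifi") and the discussion ("WiFi").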
From 9621b3d2838af265905753cea620c5846b3653d6 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 22:51:28 -0500 Subject: [PATCH 035/193] more cis --- rules/os/os_authenticated_root_enable.yaml | 4 ++++ rules/os/os_bonjour_disable.yaml | 5 +++++ rules/os/os_firewall_log_enable.yaml | 5 +++++ rules/os/os_home_folders_secure.yaml | 7 +++++++ rules/os/os_httpd_disable.yaml | 5 +++++ rules/os/os_nfsd_disable.yaml | 5 +++++ rules/os/os_root_disable.yaml | 5 +++++ rules/os/os_sip_enable.yaml | 4 ++++ rules/os/os_unlock_active_user_session_disable.yaml | 7 +++++++ rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 6 ++++++ rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 5 +++++ rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 5 +++++ rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml | 5 +++++ rules/sysprefs/sysprefs_automatic_login_disable.yaml | 7 +++++++ ...ysprefs_screensaver_ask_for_password_delay_enforce.yaml | 7 +++++++ .../sysprefs_system_wide_preferences_configure.yaml | 7 +++++++ 16 files changed, 89 insertions(+) diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 38269918c..1d39d8b7f 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -42,6 +42,10 @@ references: - 3.1.1 - 3.1.2 - 3.4.5 + cis_lvl1: + - 5.1.5 + cis_lvl2: + - N/A cisv8: - 3.3 macOS: diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index c6b2ad77f..1f9b306ad 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -25,6 +25,10 @@ references: - N/A 800-171r2: - 3.4.6 + cis_lvl1: + - N/A + cis_lvl2: + - 4.1 cisv8: - 4.1 - 4.8 @@ -39,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 8901cd7fb..e5d671665 100644 
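Review bot: The os_authenticated_root_enable.yaml hunk adds `cis_lvl1: - 5.1.5` under references but, per the diffstat (4 insertions), adds no `  - cis_lvl1` line under `tags:`, unlike every other rule in this commit; os_sip_enable.yaml later in the same commit has the same gap (references only). If the baseline is assembled from tags, both rules are silently absent from the CIS Level 1 baseline despite being mapped to it, and the later "minor edit" commit for pwpolicy_special_character_enforce shows that exactly this follow-up was needed elsewhere. The `tags:` sections of both files lie outside the hunks shown here.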
--- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -33,6 +33,10 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 + cis_lvl1: + - 3.6 + cis_lvl2: + - N/A cisv8: - 4.5 - 8.2 @@ -48,6 +52,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 3addf698b..02826fabe 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -32,6 +32,12 @@ references: - N/A 800-171r2: - 3.1.5 + cis_lvl1: + - 5.1.1 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -41,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 87e2c0630..9208682e2 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -30,6 +30,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - 4.4 + cis_lvl2: + - N/A cisv8: - 3.3 - 6.7 @@ -44,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 61f07e7ba..b615fe898 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -29,6 +29,10 @@ references: 800-171r2: - 3.1.1 - 3.1.2 + cis_lvl1: + - 4.5 + cis_lvl2: + - N/A cisv8: - 3.3 - 6.7 @@ -43,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 260f247ff..f497597b7 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -27,6 +27,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 5.6 + cis_lvl2: + - N/A cisv8: - 4.7 macOS: 
@@ -40,6 +44,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index 10461fb00..b3ea7700b 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -65,6 +65,10 @@ references: - 3.3.8 - 3.4.5 - 3.13.4 + cis_lvl1: + - 5.1.2 + cis_lvl2: + - N/A cisv8: - 2.6 - 3.3 diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index c9b1a60e8..07a13a5f7 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -33,6 +33,12 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 5.11 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -44,5 +50,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 2ba366f9f..3b6deca20 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -33,6 +33,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cis_lvl1: + - N/A + cis_lvl2: + - 5.2.3 + - 5.2.4 cisv8: - 5.2 macOS: @@ -46,6 +51,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 436937607..0f997771f 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -57,6 +57,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cis_lvl1: + - N/A + cis_lvl2: + - 5.2.6 cisv8: - 5.2 macOS: 
@@ -70,6 +74,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index b6bb32e26..58deefaab 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -33,6 +33,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cis_lvl1: + - 5.2.2 + cis_lvl2: + - N/A cisv8: - 5.2 macOS: @@ -46,6 +50,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 4590872ba..ccba47f4b 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -57,6 +57,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cis_lvl1: + - N/A + cis_lvl2: + - 5.2.6 cisv8: - 5.2 macOS: @@ -70,6 +74,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 85d475f43..a40468ac3 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -28,6 +28,12 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 5.7 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -39,6 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index a5735af5d..b198819c0 100644 
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -25,6 +25,12 @@ references: - N/A 800-171r2: - 3.1.10 + cis_lvl1: + - 5.8 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -34,6 +40,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 52f64c2f7..7f017c27b 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -33,6 +33,12 @@ references: 800-171r2: - 3.1.5 - 3.1.6 + cis_lvl1: + - 5.10 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -42,6 +48,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From 6ff39cd830f519a646e607943ac547f3eb40b662 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 15 Dec 2021 22:52:27 -0500 Subject: [PATCH 036/193] another cis --- rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 9d9923a2b..66c9dec95 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -35,6 +35,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 + cis_lvl1: + - N/A + cis_lvl2: + - 5.2.5 cisv8: - 5.2 macOS: From 766f8789ec0c716aaf9b9f92617733d77797b366 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 17 Dec 2021 12:23:48 -0500 Subject: [PATCH 037/193] minor edit --- rules/pwpolicy/pwpolicy_special_character_enforce.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 66c9dec95..f2f945b0c 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -52,6 +52,7 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true From 731c8d7c5be780bcd53453781a84771d8b618c63 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:15:35 -0500 Subject: [PATCH 038/193] sysprefs_softwareupdate_current --- .../sysprefs_softwareupdate_current.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/sysprefs/sysprefs_softwareupdate_current.yaml diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml new file mode 100644 index 000000000..2099517c8 --- /dev/null +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml 
@@ -0,0 +1,52 @@ +id: sysprefs_softwareupdate_current +title: "Ensure Software Update is Updated and Current" +discussion: | + Make sure Software Update is updated and current. + + NOTE: Automatic fix can cause unplanned restarts and may lose work. +check: | + softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s") + thirty_days_epoch=$(/bin/date -v -30d "+%s") + if [[ $softwareupdate_date_epoch -gt $thirty_days_epoch ]]; then + /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastUpdatesAvailable + else + /bin/echo "1" + fi +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/sbin/softwareupdate -i -a -R + ---- + NOTE - This will apply to the whole system +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 1.1 + cis_lvl2: + - N/A + cisv8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 97997173ea0471b570b757de1ad2b9e504e7abec Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:21:51 -0500 Subject: [PATCH 039/193] sysprefs_software_update_enforce added --- .../sysprefs_software_update_enforce.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/sysprefs/sysprefs_software_update_enforce.yaml diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml new file mode 100644 index 000000000..92764a5fc --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml 
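Review bot: The expected result in the new sysprefs_softwareupdate_current.yaml looks inverted: with `result: integer: 1` the check passes on a host whose recent scan reports exactly one pending update (`LastUpdatesAvailable` = 1) and fails on a fully patched host (0), while the stale-scan `else` branch echoes `1` and therefore also passes. Unless the repository treats this rule differently from the grep-count rules, the value should be `  integer: 0`, so that both "updates pending" and "no successful scan within 30 days" are reported as non-compliant. When `LastFullSuccessfulDate` is absent, `defaults read` fails, `date -j -f` gets an empty string and `$softwareupdate_date_epoch` is empty, which `[[ -gt ]]` evaluates as 0 and so takes the `else` branch; with the corrected expected value that case fails the check as intended, but the discussion should mention that a host that has never scanned is reported non-compliant rather than erroring.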
@@ -0,0 +1,41 @@ +id: sysprefs_software_update_enforce +title: "Enforce Software Update Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic update is enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticCheckEnabled = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-2(5) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 1.2 + cis_lvl2: + - N/A + cisv8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticCheckEnabled: true From 01995e0cfdbcda1d08c45966a44959049b0e28b5 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:23:35 -0500 Subject: [PATCH 040/193] sysprefs_software_update_download_enforce added --- ...refs_software_update_download_enforce.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/sysprefs/sysprefs_software_update_download_enforce.yaml diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml new file mode 100644 index 000000000..963c296e2 --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml 
@@ -0,0 +1,41 @@ +id: sysprefs_software_update_download_enforce +title: "Enforce Software Update Downloads Updates Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticDownload = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-2(5) + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 1.2 + cis_lvl2: + - N/A + cisv8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticDownload: true From 879df647968e69e1fa91f26ea6cf5e55bcad0213 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:24:49 -0500 Subject: [PATCH 041/193] updated references --- rules/sysprefs/sysprefs_software_update_download_enforce.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index 963c296e2..541d0d093 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -14,7 +14,7 @@ references: cci: - N/A 800-53r5: - - SI-2(5) + - N/A 800-53r4: - N/A srg: @@ -24,7 +24,7 @@ references: 800-171r2: - N/A cis_lvl1: - - 1.2 + - 1.3 cis_lvl2: - N/A cisv8: From 615faf4f41762a91f9cbea306c800487e396be9c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:27:23 -0500 Subject: [PATCH 042/193] sysprefs_software_update_app_update_enforce added --- ...fs_software_update_app_update_enforce.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml 
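Review bot: The "updated references" hunks change sysprefs_software_update_download_enforce.yaml from `- SI-2(5)` to `- N/A` under `800-53r5`, but the sibling sysprefs_software_update_enforce.yaml added two commits earlier keeps `- SI-2(5)` for the same control family, so the two auto-update rules now disagree on their 800-53r5 mapping. If the control was judged not to apply to automatic downloads, the same judgement presumably applies to automatic checking, or the commit message should say why the two differ; I cannot tell from the diff which mapping is intended. The `cis_lvl1` change from `- 1.2` to `- 1.3` is plausible given the sibling rule already carries 1.2.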
diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml new file mode 100644 index 000000000..cfde9f156 --- /dev/null +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml @@ -0,0 +1,41 @@ +id: sysprefs_software_update_app_update_enforce +title: "Enforce Software Update App Update Updates Automatically" +discussion: | + Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallAppUpdates = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 1.4 + cis_lvl2: + - N/A + cisv8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticallyInstallAppUpdates: true From 217601bb1feaa42f6e72934d5b768ec6718e568f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 27 Dec 2021 15:32:52 -0500 Subject: [PATCH 043/193] sysprefs_install_macos_updates_enforce added --- ...ysprefs_install_macos_updates_enforce.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml new file mode 100644 index 000000000..d794f4718 --- /dev/null +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml 
@@ -0,0 +1,41 @@ +id: sysprefs_install_macos_updates_enforce +title: "Enforce macOS Updates are Automatically Installed" +discussion: | + Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallMacOSUpdates = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 1.6 + cis_lvl2: + - N/A + cisv8: + - 7.3 + - 7.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.SoftwareUpdate: + AutomaticallyInstallMacOSUpdates: true From f41ba46d36ee1cef5605804d67a71ba932acf118 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 27 Dec 2021 22:04:38 -0500 Subject: [PATCH 044/193] added cis todo --- rules/cis_lvl1.txt | 68 +++++++++++++++++++ rules/cis_lvl2.txt | 43 ++++++++++++ rules/os/os_airdrop_disable.yaml | 2 +- .../sysprefs_screensaver_timeout_enforce.yaml | 13 ++-- 4 files changed, 121 insertions(+), 5 deletions(-) create mode 100644 rules/cis_lvl1.txt create mode 100644 rules/cis_lvl2.txt diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt new file mode 100644 index 000000000..228071c66 --- /dev/null +++ b/rules/cis_lvl1.txt 
@@ -0,0 +1,68 @@ +Recommendation # Title + Install Updates, Patches and Additional Security Software +1.1 Ensure All Apple-provided Software Is Current +1.2 Ensure Auto Update Is Enabled + System Preferences + Bluetooth +2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired +2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled + Date & Time +2.2.1 Ensure "Set time and date automatically" Is Enabled +2.2.2 Ensure time set is within appropriate limits + Desktop & Screen Saver +2.3.3 Audit Lock Screen and Start Screen Saver Tools + Sharing + +2.4.4 Ensure Printer Sharing Is Disabled +2.4.6 Ensure DVD or CD Sharing Is Disabled +2.4.9 Ensure Remote Management Is Disabled + Security & Privacy + Encryption +2.5.1.2 Ensure all user storage APFS volumes are encrypted +2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted + Firewall +2.5.6 Ensure Limit Ad Tracking Is Enabled + Apple ID + iCloud + Time Machine +2.7.2 Ensure Time Machine Volumes Are Encrypted +2.8 Ensure Wake for Network Access Is Disabled +2.9 Ensure Power Nap Is Disabled +2.10 Ensure Secure Keyboard Entry terminal.app is Enabled +2.11 Ensure EFI Version Is Valid and Checked Regularly +2.12 Audit Automatic Actions for Optical Media +2.13 Audit Siri Settings +2.14 Audit Sidecar Settings +2.15 Audit Touch ID and Wallet & Apple Pay Settings +2.16 Audit Notification System Preference Settings +2.17 Audit Passwords System Preference Setting + Logging and Auditing +3.1 Ensure Security Auditing Is Enabled +3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size +3.4 Ensure Security Auditing Retention Is Enabled +3.5 Ensure Access to Audit Records Is Controlled + File System Permissions and Access Controls +5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled +5.1.3 Ensure Apple Mobile File Integrity Is Enabled +5.1.4 Ensure Library Validation Is Enabled +5.1.5 Ensure Sealed System Volume (SSV) Is Enabled +5.1.6 Ensure Appropriate Permissions Are Enabled for 
System Wide Applications +5.1.7 Ensure No World Writable Files Exist in the System Folder + Password Management +5.2.1 Ensure Password Account Lockout Threshold Is Configured +5.2.7 Ensure Password Age Is Configured +5.2.8 Ensure Password History Is Configured +5.3 Ensure the Sudo Timeout Period Is Set to Zero +5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo +5.12 Ensure a Custom Message for the Login Screen Is Enabled +5.14 Ensure Users' Accounts Do Not Have a Password Hint + User Accounts and Environment + Accounts Preferences Action Items +6.1.1 Ensure Login Window Displays as Name and Password Is Enabled +6.1.2 Ensure Show Password Hints Is Disabled +6.1.3 Ensure Guest Account Is Disabled +6.1.4 Ensure Guest Access to Shared Folders Is Disabled +6.1.5 Ensure the Guest Home Folder Does Not Exist +6.2 Ensure Show All Filename Extensions Setting is Enabled +6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled + Appendix: Additional Considerations \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt new file mode 100644 index 000000000..70e2133e5 --- /dev/null +++ b/rules/cis_lvl2.txt 
@@ -0,0 +1,43 @@ +Recommendation # Title + Install Updates, Patches and Additional Security Software +1.7 Audit Computer Name + System Preferences + Bluetooth + Date & Time + Desktop & Screen Saver +2.3.2 Ensure Screen Saver Corners Are Secure + Sharing + Security & Privacy +2.5.3 Ensure Location Services Is Enabled +2.5.4 Audit Location Services Access +2.5.7 Audit Camera Privacy and Confidentiality + Encryption + Firewall + iCloud +2.6.1.1 Audit iCloud Configuration +2.6.1.2 Audit iCloud Keychain +2.6.1.3 Audit iCloud Drive + Apple ID +2.6.2 Audit App Store Password Settings + Time Machine +2.7.1 Ensure Backup Up Automatically is Enabled + Logging and Auditing +3.2 Ensure Security Auditing Flags Are Configured Per Local Organizational Requirements +3.7 Audit Software Inventory + Network Configurations +4.3 Audit Network Specific Locations +4.6 Audit Wi-Fi Settings + System Access, Authentication and Authorization + File System Permissions and Access Controls +5.1.8 Ensure No World Writable Files Exist in the Library Folder + Password Management +5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +5.5 Ensure login keychain is locked when the computer sleeps +5.9 Ensure system is set to hibernate +5.13 Ensure a Login Window Banner Exists +5.15 Ensure Fast User Switching Is Disabled + User Accounts and Environment + Accounts Preferences Action Items + Appendix: Additional Considerations +7.1 Extensible Firmware Interface (EFI) password +7.2 FileVault and Local Account Password Reset using AppleID \ No newline at end of file diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 0c74a63eb..3cdba7565 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -54,7 +54,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - cis_lvl2 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true 
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index c655a07ac..ea8ede545 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -1,11 +1,11 @@ id: sysprefs_screensaver_timeout_enforce title: "Enforce Screen Saver Timeout" discussion: | - The screen saver timeout _MUST_ be set to 15 minutes or a shorter length of time. + The screen saver timeout _MUST_ be set to 20 minutes or a shorter length of time. - This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity. + This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 900) {print "Yes"} else {print "No"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/egrep -o -e "idleTime\s=\s([^;]+)" | /usr/bin/awk '{ if ($3 <= 1200) {print "Yes"} else {print "No"}}' result: string: "Yes" fix: | @@ -26,6 +26,10 @@ references: - N/A 800-171r2: - 3.1.10 + cis_lvl1: + - 2.3.1 + cis_lvl2: + - N/A cisv8: - 4.3 macOS: @@ -38,9 +42,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - idleTime: 900 + idleTime: 1200 From 509c52c5289f5351093b972db152a71ca24cd2a0 Mon Sep 17 00:00:00 2001 
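Review bot: Raising the threshold from 15 to 20 minutes (`$3 <= 1200` in the check and `idleTime: 1200` in mobileconfig_info) relaxes this rule for every baseline that still tags it (800-53r4/r5, 800-171, cnssi-1253), not only for the new CIS mapping. A 900-second timeout already satisfies "20 minutes or a shorter length of time" as the discussion now phrases it, so the stricter value could be kept with no loss of CIS compliance; the tighter value is the one the non-CIS baselines were written against. If CIS genuinely needs a different value than the other baselines, that belongs in a per-baseline override rather than in the shared rule, though I cannot see from this diff whether such a mechanism exists.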
From: Allen Golbig Date: Mon, 27 Dec 2021 22:49:39 -0500 Subject: [PATCH 045/193] more cis controls --- rules/cis_lvl1.txt | 17 ----------------- rules/cis_lvl2.txt | 8 -------- .../os_policy_banner_loginwindow_enforce.yaml | 7 +++++++ .../sysprefs_guest_access_smb_disable.yaml | 5 +++++ .../sysprefs_guest_account_disable.yaml | 5 +++++ ...window_prompt_username_password_enforce.yaml | 7 +++++++ .../sysprefs_password_hints_disable.yaml | 7 +++++++ rules/sysprefs/sysprefs_power_nap_disable.yaml | 5 +++++ 8 files changed, 36 insertions(+), 25 deletions(-) diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 228071c66..5bd43751a 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -1,8 +1,4 @@ Recommendation # Title - Install Updates, Patches and Additional Security Software -1.1 Ensure All Apple-provided Software Is Current -1.2 Ensure Auto Update Is Enabled - System Preferences Bluetooth 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired 2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled @@ -12,7 +8,6 @@ Recommendation # Title Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools Sharing - 2.4.4 Ensure Printer Sharing Is Disabled 2.4.6 Ensure DVD or CD Sharing Is Disabled 2.4.9 Ensure Remote Management Is Disabled @@ -20,14 +15,9 @@ Recommendation # Title Encryption 2.5.1.2 Ensure all user storage APFS volumes are encrypted 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted - Firewall -2.5.6 Ensure Limit Ad Tracking Is Enabled - Apple ID - iCloud Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted 2.8 Ensure Wake for Network Access Is Disabled -2.9 Ensure Power Nap Is Disabled 2.10 Ensure Secure Keyboard Entry terminal.app is Enabled 2.11 Ensure EFI Version Is Valid and Checked Regularly 2.12 Audit Automatic Actions for Optical Media 
@@ -37,15 +27,12 @@ Recommendation # Title 2.16 Audit Notification System Preference Settings 2.17 Audit Passwords System Preference Setting Logging and Auditing -3.1 Ensure Security Auditing Is Enabled 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size 3.4 Ensure Security Auditing Retention Is Enabled 3.5 Ensure Access to Audit Records Is Controlled File System Permissions and Access Controls -5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled 5.1.3 Ensure Apple Mobile File Integrity Is Enabled 5.1.4 Ensure Library Validation Is Enabled -5.1.5 Ensure Sealed System Volume (SSV) Is Enabled 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder Password Management @@ -58,10 +45,6 @@ Recommendation # Title 5.14 Ensure Users' Accounts Do Not Have a Password Hint User Accounts and Environment Accounts Preferences Action Items -6.1.1 Ensure Login Window Displays as Name and Password Is Enabled -6.1.2 Ensure Show Password Hints Is Disabled -6.1.3 Ensure Guest Account Is Disabled -6.1.4 Ensure Guest Access to Shared Folders Is Disabled 6.1.5 Ensure the Guest Home Folder Does Not Exist 6.2 Ensure Show All Filename Extensions Setting is Enabled 6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 70e2133e5..689a3fd69 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,12 +1,6 @@ Recommendation # Title - Install Updates, Patches and Additional Security Software 1.7 Audit Computer Name - System Preferences - Bluetooth - Date & Time - Desktop & Screen Saver 2.3.2 Ensure Screen Saver Corners Are Secure - Sharing Security & Privacy 2.5.3 Ensure Location Services Is Enabled 2.5.4 Audit Location Services Access 
@@ -27,14 +21,12 @@ Recommendation # Title Network Configurations 4.3 Audit Network Specific Locations 4.6 Audit Wi-Fi Settings - System Access, Authentication and Authorization File System Permissions and Access Controls 5.1.8 Ensure No World Writable Files Exist in the Library Folder Password Management 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured 5.5 Ensure login keychain is locked when the computer sleeps 5.9 Ensure system is set to hibernate -5.13 Ensure a Login Window Banner Exists 5.15 Ensure Fast User Switching Is Disabled User Accounts and Environment Accounts Preferences Action Items diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index f09a80677..a83739375 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -45,6 +45,12 @@ references: - N/A 800-171r2: - 3.1.9 + cis_lvl1: + - N/A + cis_lvl2: + - 5.13 + cisv8: + - N/A macOS: - "12.0" tags: @@ -56,6 +62,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl2 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index daa3ae37b..024e5dd77 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -31,6 +31,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 6.1.4 + cis_lvl2: + - N/A cisv8: - 5.2 - 6.2 @@ -46,6 +50,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 4947d17aa..3803b2d6d 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml 
@@ -28,6 +28,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 6.1.3 + cis_lvl2: + - N/A cisv8: - 5.2 - 6.2 @@ -43,6 +47,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 severity: "high" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 04f430ee9..bbd80486d 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -26,6 +26,12 @@ references: 800-171r2: - 3.5.1 - 3.5.2 + cis_lvl1: + - 6.1.1 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -37,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 mobileconfig: true mobileconfig_info: com.apple.loginwindow: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 14c430814..f3b2db8e1 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -25,6 +25,12 @@ references: - N/A 800-171r2: - 3.5.11 + cis_lvl1: + - 6.1.1 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -36,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 3907329c6..34581e12b 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -39,6 +39,10 @@ references: - N/A 800-171r2: - 3.4.6 + cis_lvl1: + - 2.9 + cis_lvl2: + - N/A cisv8: - 4.1 - 4.8 @@ -53,6 +57,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file From e3eb92ac72a30e718663079084316a52b68d54a8 Mon Sep 17 00:00:00 2001 
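Review bot: sysprefs_password_hints_disable.yaml is given `cis_lvl1: - 6.1.1`, but the cis_lvl1.txt entry removed earlier in this patch lists password hints as `6.1.2 Ensure Show Password Hints Is Disabled`; 6.1.1 is the login-window name-and-password recommendation already assigned to sysprefs_loginwindow_prompt_username_password_enforce in the preceding hunk. Change the reference to `- 6.1.2` so the two rules do not both claim the same CIS recommendation.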
From: Allen Golbig Date: Mon, 27 Dec 2021 23:08:30 -0500 Subject: [PATCH 046/193] cis controls --- rules/cis_lvl1.txt | 5 +-- rules/cis_lvl2.txt | 1 - rules/os/os_sudoers_tty_configure.yaml | 7 ++++ .../sysprefs_bluetooth_menu_enable.yaml | 39 +++++++++++++++++ .../sysprefs_location_services_disable.yaml | 4 +- .../sysprefs_location_services_enable.yaml | 42 +++++++++++++++++++ 6 files changed, 90 insertions(+), 8 deletions(-) create mode 100644 rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml create mode 100644 rules/sysprefs/sysprefs_location_services_enable.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 5bd43751a..0f1b5e8f5 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -1,7 +1,6 @@ Recommendation # Title Bluetooth 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired -2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled Date & Time 2.2.1 Ensure "Set time and date automatically" Is Enabled 2.2.2 Ensure time set is within appropriate limits @@ -43,9 +42,7 @@ Recommendation # Title 5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo 5.12 Ensure a Custom Message for the Login Screen Is Enabled 5.14 Ensure Users' Accounts Do Not Have a Password Hint - User Accounts and Environment Accounts Preferences Action Items 6.1.5 Ensure the Guest Home Folder Does Not Exist 6.2 Ensure Show All Filename Extensions Setting is Enabled -6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled - Appendix: Additional Considerations \ No newline at end of file +6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 689a3fd69..5d2ebd3f0 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt 
@@ -2,7 +2,6 @@ Recommendation # Title 1.7 Audit Computer Name 2.3.2 Ensure Screen Saver Corners Are Secure Security & Privacy -2.5.3 Ensure Location Services Is Enabled 2.5.4 Audit Location Services Access 2.5.7 Audit Camera Privacy and Confidentiality Encryption diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 7687d4496..1e88ebe32 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -27,6 +27,12 @@ references: - N/A disa_stig: - N/A + cis_lvl1: + - 5.4 + cis_lvl2: + - N/A + cisv8: + - N/A macOS: - "12.0" tags: @@ -34,6 +40,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - cis_lvl1 severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml new file mode 100644 index 000000000..a03894b39 --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -0,0 +1,39 @@ +id: sysprefs_bluetooth_menu_enable +title: "Enable Bluetooth Menu" +discussion: | + The bluetooth menu _MUST_ be enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'Bluetooth = 18' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 2.1.2 + cis_lvl2: + - N/A + cisv8: + - N/A +macOS: + - "12.0" +tags: + - cis_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.controlcenter: + Bluetooth: 18 \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index d51307ebd..66ef5fcf5 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml 
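Review bot: The discussion of the new sysprefs_bluetooth_menu_enable rule only restates its title, while the other rules on this page follow the requirement with a reason (the screen-saver rule, for example, says what the setting ensures). A second paragraph such as `Showing Bluetooth status in the menu bar lets users see whether Bluetooth is on and turn it off when it is not needed.` would give the reader the rationale. The check also keys on the literal Control Center value `Bluetooth = 18` with nothing saying why 18 is the expected value; a short comment beside the payload would help the next maintainer.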
@@ -32,8 +32,7 @@ references: 800-171r2: - 3.4.6 cisv8: - - 4.1 - - 4.8 + - N/A macOS: - "12.0" tags: @@ -45,7 +44,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_location_services_enable.yaml b/rules/sysprefs/sysprefs_location_services_enable.yaml new file mode 100644 index 000000000..2001bb3d2 --- /dev/null +++ b/rules/sysprefs/sysprefs_location_services_enable.yaml @@ -0,0 +1,42 @@ +id: sysprefs_location_services_enable +title: "Enable Location Services" +discussion: | + Location Services _MUST_ be enabled. +check: | + /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled +result: + boolean: 1 +fix: | + [source,bash] + ---- + /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; /bin/launchctl kickstart -k system/com.apple.locationd + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - N/A + cis_lvl2: + - 2.5.3 + cisv8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: From 63a0ac8a3dc0628f2bd28d8c3de7149da9837cdc Mon Sep 17 00:00:00 2001 
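Review bot: The new sysprefs_location_services_enable rule expects `LocationServicesEnabled` to be 1 while sysprefs_location_services_disable, edited in the hunk just above, stays in the rule set, so the two rules are mutually exclusive and a baseline that picks up both can never fully pass. The rule should say so, e.g. the discussion gaining `NOTE: This rule conflicts with sysprefs_location_services_disable; a baseline should include only one of the two.` The check reads the plist under /var/db/locationd directly and the fix runs `launchctl kickstart -k system/com.apple.locationd`, both of which presumably need root; a sentence stating that the rule must run privileged would avoid confusing failures.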
From: Allen Golbig Date: Tue, 28 Dec 2021 08:50:09 -0500 Subject: [PATCH 047/193] additional cis controls --- includes/supported_payloads.yaml | 1 + rules/cis_lvl1.txt | 2 - rules/cis_lvl2.txt | 1 - .../os_terminal_secure_keyboard_enable.yaml | 40 ++++++++++++++++++ .../sysprefs_computer_name_audit.yaml | 42 +++++++++++++++++++ .../sysprefs_wake_network_access_disable.yaml | 41 ++++++++++++++++++ 6 files changed, 124 insertions(+), 3 deletions(-) create mode 100644 rules/os/os_terminal_secure_keyboard_enable.yaml create mode 100644 rules/sysprefs/sysprefs_computer_name_audit.yaml create mode 100644 rules/sysprefs/sysprefs_wake_network_access_disable.yaml diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index bb265e501..b951471bb 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -22,6 +22,7 @@ payloads_types: - com.apple.SubmitDiagInfo - com.apple.SystemConfiguration - com.apple.TCC.configuration-profile-policy + - com.apple.Terminal - com.apple.TextEdit - com.apple.TimeMachine - com.apple.airplay diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 0f1b5e8f5..1630ee0ad 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -16,8 +16,6 @@ Recommendation # Title 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted -2.8 Ensure Wake for Network Access Is Disabled -2.10 Ensure Secure Keyboard Entry terminal.app is Enabled 2.11 Ensure EFI Version Is Valid and Checked Regularly 2.12 Audit Automatic Actions for Optical Media 2.13 Audit Siri Settings diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 5d2ebd3f0..894d7ae2e 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,5 +1,4 @@ Recommendation # Title -1.7 Audit Computer Name 2.3.2 Ensure Screen Saver Corners Are Secure Security & Privacy 2.5.4 Audit Location Services Access 
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml new file mode 100644 index 000000000..d7b8d21aa --- /dev/null +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -0,0 +1,40 @@ +id: os_terminal_secure_keyboard_enable +title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" +discussion: | + Secure keyboard entry _MUST_ be enabled in Terminal.app. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SecureKeyboardEntry = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cci: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 2.10 + cis_lvl2: + - N/A + cisv8: + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.Terminal: + SecureKeyboardEntry: false diff --git a/rules/sysprefs/sysprefs_computer_name_audit.yaml b/rules/sysprefs/sysprefs_computer_name_audit.yaml new file mode 100644 index 000000000..9f0431fb6 --- /dev/null +++ b/rules/sysprefs/sysprefs_computer_name_audit.yaml @@ -0,0 +1,42 @@ +id: sysprefs_computer_name_audit +title: "Audit Computer Name" +discussion: | + The organization _MUST_ audit a systems computer name. +check: | + /usr/sbin/scutil --get ComputerName +result: + string: "an organizations approved computer name." +fix: | + Set the computer name back to an approved naming convention. + + [source,bash] + ---- + /usr/sbin/scutil --set ComputerName + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cis_lvl1: + - N/A + cis lvl2: + - 1.7 + cisv8: + - 1.1 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 + - manual +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
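Review bot: The generated profile contradicts the check: `mobileconfig_info` sets `SecureKeyboardEntry: false` while the check passes only on `SecureKeyboardEntry = 1`, so applying this rule's own profile makes the rule fail and leaves Terminal without secure keyboard entry. Change the payload line to `SecureKeyboardEntry: true`. The discussion would also benefit from the reason, e.g. `Secure keyboard entry prevents other applications from reading keystrokes typed into Terminal.`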
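Review bot: The references block in the new sysprefs_computer_name_audit rule spells the key `cis lvl2:` with a space, whereas every other rule in this series uses `cis_lvl2:`; the generator presumably looks for the underscore form, so the 1.7 mapping would be silently dropped. Change it to `cis_lvl2:`. The block also omits the `800-171r2:` key that the sibling rules carry, and the fix command `/usr/sbin/scutil --set ComputerName` is missing its name argument — a placeholder such as `<approved_name>` would make it obvious that the operator supplies it.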
diff --git a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml new file mode 100644 index 000000000..dea09e37d --- /dev/null +++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml @@ -0,0 +1,41 @@ +id: sysprefs_wake_network_access_disable +title: "Ensure Wake for Network Access Is Disabled" +discussion: | + Wake for network access _MUST_ be disabled. +check: | + /usr/bin/pmset -g custom | /usr/bin/awk '/womp/{print $2}' +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a womp 0 + ---- +references: + cce: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + cci: + - N/A + 800-171r2: + - N/A + cis_lvl1: + - 2.8 + cis_lvl2: + - N/A + cisv8: + - 4.8 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 371b8a12fc6c9451a6cfb0d42e84d05d54a7a656 Mon Sep 17 00:00:00 2001 
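Review bot: `pmset -g custom` prints a settings block per power source, so the filter `/womp/{print $2}` may emit one value per block rather than the single `0` that the `integer: 0` result expects, and a machine with womp disabled on every source could still fail an exact comparison. Summing the values keeps the output to one integer: `/usr/bin/pmset -g custom | /usr/bin/awk '/womp/ { sum+=$2 } END {print sum}'`. The discussion could also state the reason, e.g. `Wake for network access keeps the machine reachable while asleep, widening its exposure when unattended.`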
From: Allen Golbig Date: Tue, 28 Dec 2021 17:02:48 -0500 Subject: [PATCH 048/193] cis restructure begins --- rules/audit/audit_auditd_enabled.yaml | 13 ++++++------- rules/audit/audit_flags_aa_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_ad_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_ex_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_fm_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_fr_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_fw_configure.yaml | 15 +++++++-------- rules/audit/audit_flags_lo_configure.yaml | 15 +++++++-------- rules/audit/audit_retention_configure.yaml | 10 +++++++--- rules/icloud/icloud_addressbook_disable.yaml | 11 +++++++---- rules/icloud/icloud_appleid_prefpane_disable.yaml | 9 ++++++--- rules/icloud/icloud_bookmarks_disable.yaml | 11 +++++++---- rules/icloud/icloud_calendar_disable.yaml | 11 +++++++---- rules/icloud/icloud_drive_disable.yaml | 11 +++++++---- rules/icloud/icloud_keychain_disable.yaml | 11 +++++++---- rules/icloud/icloud_mail_disable.yaml | 11 +++++++---- rules/icloud/icloud_notes_disable.yaml | 11 +++++++---- rules/icloud/icloud_photos_disable.yaml | 11 +++++++---- rules/icloud/icloud_private_relay_disable.yaml | 11 +++++++---- rules/icloud/icloud_reminders_disable.yaml | 11 +++++++---- rules/icloud/icloud_sync_disable.yaml | 15 +++++++-------- rules/os/os_access_control_mobile_devices.yaml | 7 +++++-- rules/os/os_airdrop_disable.yaml | 15 +++++++-------- rules/os/os_appleid_prompt_disable.yaml | 9 ++++++--- rules/os/os_auth_peripherals.yaml | 9 ++++++--- rules/os/os_authenticated_root_enable.yaml | 11 +++++------ rules/os/os_bonjour_disable.yaml | 13 ++++++------- rules/os/os_calendar_app_disable.yaml | 9 ++++++--- rules/os/os_config_data_install_enforce.yaml | 15 +++++++-------- rules/os/os_directory_services_configured.yaml | 7 +++++-- rules/os/os_facetime_app_disable.yaml | 9 ++++++--- rules/os/os_filevault_autologin_disable.yaml | 9 ++++++--- 
rules/os/os_firewall_log_enable.yaml | 15 +++++++-------- rules/os/os_gatekeeper_enable.yaml | 13 +++++++------ .../sysprefs_airplay_receiver_disable.yaml | 12 ++++++------ 35 files changed, 230 insertions(+), 185 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index bbab0492c..ecdb6bdfb 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -61,13 +61,12 @@ references: - 3.3.1 - 3.3.2 - 3.3.7 - cis_lvl1: - - 3.1 - cis_lvl2: - - N/A - cisv8: - - 8.2 - - 8.5 + cis: + benchmark: + - 3.1 (level 1) + v8: + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 0b77285db..443542f6c 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -37,14 +37,13 @@ references: 800-171r2: - 3.3.1 - 3.3.2 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index b7b8afeb7..3ab025168 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -52,14 +52,13 @@ references: - 3.1.7 - 3.3.1 - 3.3.2 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 12ed9e568..ab8e8d31a 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -37,14 +37,13 @@ references: 800-171r2: - 3.3.1 - 3.3.2 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: 
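Review bot: The new `cis: benchmark:` list encodes the level as free text inside the reference value (`3.1 (level 1)`), so any script that needs the level has to parse it out of the string while the `tags:` list still carries the `cis_lvl1`/`cis_lvl2` form; the same shape is introduced in every `cis:` hunk from here through the os_gatekeeper_rearm hunk of the following commit. If the level is meant to be machine-readable, a structured form such as `benchmark: - 3.1: level 1` or separate `level_1:`/`level_2:` lists would avoid string parsing; if not, a comment in the first file explaining the convention would help. Either way the convention should be applied uniformly, which the later hunks do not yet do.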
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 65963aeef..914bde852 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -42,14 +42,13 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index b0284a2bc..d9eb95177 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -44,14 +44,13 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 46233c5cf..34d67b1a9 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -43,14 +43,13 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 202dc3fd0..8983a2e01 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -40,14 +40,13 @@ references: - 3.1.12 - 3.3.1 - 3.3.2 - cis_lvl1: - - N/A - cis_lvl2: - - 3.2 - cisv8: - - 3.14 - - 8.2 - - 8.5 + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 macOS: - "12.0" tags: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 0a39cd572..75d205a34 100644 --- a/rules/audit/audit_retention_configure.yaml 
+++ b/rules/audit/audit_retention_configure.yaml @@ -28,9 +28,12 @@ references: - N/A disa_stig: - N/A - cisv8: - - 8.3 - - 8.1 + cis: + benchmark: + - 3.4 (level 1) + v8: + - 8.3 + - 8.1 macOS: - "12.0" tags: @@ -42,6 +45,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - cis_lvl1 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index fa467da3d..a77d1ace0 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index 2aa1ca6ed..042519889 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -32,9 +32,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 62a6f0614..ae61759ee 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index c8c06ff30..743132c11 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: 
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index c99985d44..71b682689 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index fa648805a..b3361be76 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 842a139fe..2f22d2c2d 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index f09c04bd7..f913634be 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 6e7735cc8..e7ae6123c 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: 
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index cc53ef6d2..e5a8eb60d 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -33,10 +33,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index fc59d0b4e..43789dd30 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -34,10 +34,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + cisv8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 407aca460..2cecdb533 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -33,14 +33,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cis_lvl1: - - N/A - cis_lvl2: - - 2.6.1.4 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - 2.6.1.4 (level 2) + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 73e808f5d..43411adff 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -23,8 +23,11 @@ references: - N/A srg: - N/A - cisv8: - - 6.4 + cis: + benchmark: + - N/A + v8: + - 6.4 macOS: - "12.0" tags: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 3cdba7565..83ed1755b 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml 
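Review bot: icloud_reminders_disable.yaml nests the old key name `cisv8:` under the new `cis:` block, whereas every other file in this commit uses `v8:` (see icloud_private_relay_disable.yaml in the hunk just above), so a consumer reading `cis.v8` finds no v8 references for this rule. Change the line to `v8:`.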
@@ -35,14 +35,13 @@ references: - 3.1.16 - 3.1.20 - 3.4.6 - cis_lvl1: - - 2.4.11 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 - - 6.7 + cis: + benchmark: + - 2.4.11 (level 1) + v8: + - 4.1 + - 4.8 + - 6.7 macOS: - "12.0" tags: diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index eeb9bdb2d..cd25574e7 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -25,9 +25,12 @@ references: - N/A 800-171r2: - 3.1.20 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index b4ed22e3c..f9ba0b38c 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -21,9 +21,12 @@ references: - N/A 800-171r2: - 3.5.1 - - 3.5.2 - cisv8: - - 13.9 + - 3.5.2 + cis: + benchmark: + - N/A + v8: + - 13.9 macOS: - "12.0" tags: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index 1d39d8b7f..e3eafbc80 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -42,12 +42,11 @@ references: - 3.1.1 - 3.1.2 - 3.4.5 - cis_lvl1: - - 5.1.5 - cis_lvl2: - - N/A - cisv8: - - 3.3 + cis: + benchmark: + - 5.1.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 1f9b306ad..602de58c4 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -25,13 +25,12 @@ references: - N/A 800-171r2: - 3.4.6 - cis_lvl1: - - N/A - cis_lvl2: - - 4.1 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 4.1 (level 2) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 4b84c4101..50c996c5d 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml 
@@ -33,9 +33,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index d93e08688..a81997343 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -30,14 +30,13 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.5 - cis_lvl2: - - N/A - cisv8: - - 10.1 - - 10.2 - - 10.4 + cis: + benchmark: + - 1.5 (level 1) + v8: + - 10.1 + - 10.2 + - 10.4 macOS: - "12.0" tags: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 57f10e7cf..f276809b7 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -23,8 +23,11 @@ references: - N/A disa_stig: - N/A - cisv8: - - 6.7 + cis: + benchmark: + - N/A + v8: + - 6.7 macOS: - "12.0" tags: diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 2557d62c5..37252c115 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -31,9 +31,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 510645fe8..40ca9868f 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -32,9 +32,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cisv8: - - 3.3 - - 6.7 + cis: + benchmark: + - N/A + v8: + - 3.3 + - 6.7 macOS: - "12.0" tags: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index e5d671665..8acd72c82 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml 
@@ -33,14 +33,13 @@ references:
- 3.13.1
- 3.13.2
- 3.13.5
- cis_lvl1:
- - 3.6
- cis_lvl2:
- - N/A
- cisv8:
- - 4.5
- - 8.2
- - 8.5
+ cis:
+ benchmark:
+ - 3.6 (level 1)
+ v8:
+ - 4.5
+ - 8.2
+ - 8.5
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 2c105a015..a49677fe1 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -37,12 +37,13 @@ references:
- N/A
800-171r2:
- 3.4.5
- cis_lvl1:
- - 2.5.2.1
- cisv8:
- - 10.1
- - 10.2
- - 10.5
+ cis:
+ benchmark:
+ - 2.5.2.1 (level 1)
+ v8:
+ - 10.1
+ - 10.2
+ - 10.5
macOS:
- "12.0"
tags:
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
index 462d1f97e..acf084fcf 100644
--- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
+++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
@@ -29,12 +29,12 @@ references:
800-171r2:
- 3.4.6
cis_lvl1:
- - 2.4.13
- cis_lvl2:
- - N/A
- cisv8:
- - 4.1
- - 4.8
+ Benchmark:
+ - 2.4.13
+ - Level 1
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
From 90e05ed59fd3bcb81ecd8ce74123aa0dfe58d9f3 Mon Sep 17 00:00:00 2001
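Review bot: The sysprefs_airplay_receiver_disable.yaml hunk keeps `cis_lvl1:` as the parent key and nests a capitalised `Benchmark:` holding `- 2.4.13` and `- Level 1` as two separate list items, whereas every other file converted in this series uses `cis:` → `benchmark:` with the level folded into the entry. Anything that reads `references['cis']` will not find this rule's benchmark reference at all, and the free-standing `Level 1` item would be rendered as if it were a recommendation number. The new side should read `cis:` / `benchmark:` / `- 2.4.13 (level 1)` in place of the `cis_lvl1:`, `Benchmark:`, `- 2.4.13`, `- Level 1` lines. A later diffstat in this series lists the same file again, so this may already be corrected downstream.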
From: Allen Golbig Date: Tue, 28 Dec 2021 17:23:43 -0500 Subject: [PATCH 049/193] more cis
---
 rules/os/os_gatekeeper_rearm.yaml | 7 +++++-- rules/os/os_handoff_disable.yaml | 9 ++++++--- rules/os/os_hbss_installed.yaml | 13 ++++++++----- rules/os/os_home_folders_secure.yaml | 11 +++++------ rules/os/os_httpd_disable.yaml | 13 ++++++------- rules/os/os_icloud_storage_prompt_disable.yaml | 9 ++++++--- rules/os/os_internet_accounts_prefpane_disable.yaml | 9 ++++++--- rules/os/os_ir_support_disable.yaml | 11 +++++++---- rules/os/os_logical_access.yaml | 9 ++++++--- rules/os/os_mail_app_disable.yaml | 9 ++++++--- rules/os/os_malicious_code_prevention.yaml | 11 +++++++---- rules/os/os_mdm_require.yaml | 9 ++++++--- rules/os/os_messages_app_disable.yaml | 9 ++++++--- rules/os/os_mfa_network_access.yaml | 7 +++++-- rules/os/os_nfsd_disable.yaml | 13 ++++++------- rules/os/os_obscure_password.yaml | 7 +++++-- rules/os/os_parental_controls_enable.yaml | 7 +++++-- rules/os/os_password_autofill_disable.yaml | 9 ++++++--- rules/os/os_password_proximity_disable.yaml | 9 ++++++--- rules/os/os_password_sharing_disable.yaml | 9 ++++++--- rules/os/os_policy_banner_loginwindow_enforce.yaml | 11 +++++------ rules/os/os_privacy_setup_prompt_disable.yaml | 9 ++++++--- rules/os/os_root_disable.yaml | 11 +++++------ 23 files changed, 135 insertions(+), 86 deletions(-)
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 587219c49..0bf09d269 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -24,8 +24,11 @@ references:
- N/A
800-171r2:
- 3.4.5
- cisv8:
- - 10.5
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 10.5
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 9edbb67ab..357a4a11f 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -34,9 +34,12 @@ references:
- 3.1.2
- 3.1.20
- 3.4.6
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml
index c41f86ff1..3d7bac6db 100644
--- a/rules/os/os_hbss_installed.yaml
+++ b/rules/os/os_hbss_installed.yaml
@@ -22,11 +22,14 @@ references:
- N/A
disa_stig:
- N/A
- cisv8:
- - 10.1
- - 10.2
- - 10.6
- - 10.7
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 10.1
+ - 10.2
+ - 10.6
+ - 10.7
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 02826fabe..1a0fba375 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -32,12 +32,11 @@ references:
- N/A
800-171r2:
- 3.1.5
- cis_lvl1:
- - 5.1.1
- cis_lvl2:
- - N/A
- cisv8:
- - N/A
+ cis:
+ benchmark:
+ - 5.1.1 (level 1)
+ v8:
+ - N/A
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 9208682e2..305e6906b 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -30,13 +30,12 @@ references:
800-171r2:
- 3.1.1
- 3.1.2
- cis_lvl1:
- - 4.4
- cis_lvl2:
- - N/A
- cisv8:
- - 3.3
- - 6.7
+ cis:
+ benchmark:
+ - 4.4 (level 1)
+ v8:
+ - 3.3
+ - 6.7
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index 977dca7c8..78a939414 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -25,9 +25,12 @@ references:
- N/A
800-171r2:
- 3.1.20
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml
index 09f146c8b..9417c273a 100644
--- a/rules/os/os_internet_accounts_prefpane_disable.yaml
+++ b/rules/os/os_internet_accounts_prefpane_disable.yaml
@@ -31,9 +31,12 @@ references:
- N/A
800-171r2:
- 3.1.20
- cisv8:
- - 4.8
- - 15.2
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.8
+ - 15.2
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index bcfd551a1..85cc5be6a 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -32,10 +32,13 @@ references:
800-171r2:
- 3.1.16
- 3.4.6
- cisv8:
- - 4.1
- - 4.8
- - 12.6
+ cis:
+ benchmark:
+ - N/A
+ cisv8:
+ - 4.1
+ - 4.8
+ - 12.6
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index f0df30f59..ff115f6b5 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -26,9 +26,12 @@ references:
800-171r2:
- 3.1.1
- 3.1.2
- cisv8:
- - 3.3
- - 6.7
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 3.3
+ - 6.7
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index fe0579ad4..f8829586d 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -35,9 +35,12 @@ references:
800-171r2:
- 3.1.20
- 3.4.6
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index b2cf685ae..28d155065 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -45,10 +45,13 @@ references:
- N/A
srg:
- N/A
- cisv8:
- - 10.1
- - 10.2
- - 10.5
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 10.1
+ - 10.2
+ - 10.5
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 7d1920471..180c7a713 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -42,9 +42,12 @@ references:
800-171r2:
- 3.4.1
- 3.4.2
- cisv8:
- - 4.1
- - 5.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 5.1
macOS:
- "12.0"
tags:
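Review bot: In the os_ir_support_disable.yaml hunk the nested key is written `cisv8:` instead of `v8:`, unlike every other rule converted in this commit (os_logical_access.yaml, os_mail_app_disable.yaml and the rest use `v8:`). Consumers that key on `v8` — the spreadsheet writer later in this series matches `title == "v8"` — will silently drop controls 4.1, 4.8 and 12.6 for this one rule, and the AsciiDoc renderer will label the cell "CIS cisv8". Change the added line to `v8:`.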
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 4432efa8a..124c7f370 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -31,9 +31,12 @@ references:
800-171r2:
- 3.1.20
- 3.4.6
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index 931ee87a9..49f6b261f 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -20,8 +20,11 @@ references:
- N/A
srg:
- N/A
- cisv8:
- - 5.6
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 5.6
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index b615fe898..cc7280433 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -29,13 +29,12 @@ references:
800-171r2:
- 3.1.1
- 3.1.2
- cis_lvl1:
- - 4.5
- cis_lvl2:
- - N/A
- cisv8:
- - 3.3
- - 6.7
+ cis:
+ benchmark:
+ - 4.5 (level 1)
+ v8:
+ - 3.3
+ - 6.7
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 4fb9a5466..07c5386d2 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -29,8 +29,11 @@ references:
- 3.5.1
- 3.5.2
- 3.5.11
- cisv8:
- - 4.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 666616890..bc166b6f1 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -28,8 +28,11 @@ references:
- N/A
800-171r2:
- 3.4.7
- cisv8:
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 2cb8a08e2..ff330a6c4 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -35,9 +35,12 @@ references:
- 3.4.6
- 3.5.1
- 3.5.2
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index ca225634a..650ec69bb 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -31,9 +31,12 @@ references:
800-171r2:
- 3.5.1
- 3.5.2
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index e96fe0e93..87c62c257 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -28,9 +28,12 @@ references:
800-171r2:
- 3.5.1
- 3.5.2
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index a83739375..b976f2055 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -45,12 +45,11 @@ references:
- N/A
800-171r2:
- 3.1.9
- cis_lvl1:
- - N/A
- cis_lvl2:
- - 5.13
- cisv8:
- - N/A
+ cis:
+ benchmark:
+ - 5.13 (level 2)
+ v8:
+ - N/A
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index d5d669c4c..1441456ae 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -25,9 +25,12 @@ references:
- N/A
disa_stig:
- N/A
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml
index f497597b7..7b2f300e6 100644
--- a/rules/os/os_root_disable.yaml
+++ b/rules/os/os_root_disable.yaml
@@ -27,12 +27,11 @@ references:
800-171r2:
- 3.5.1
- 3.5.2
- cis_lvl1:
- - 5.6
- cis_lvl2:
- - N/A
- cisv8:
- - 4.7
+ cis:
+ benchmark:
+ - 5.6 (level 1)
+ v8:
+ - 4.7
macOS:
- "12.0"
tags:
From 3a86010c797bf84c262717af6f3635c85b8322f4 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Tue, 28 Dec 2021 18:31:18 -0500 Subject: [PATCH 050/193] CIS reference refactor
---
 scripts/generate_guidance.py | 126 +++++++++++++---------------------- templates/adoc_header.adoc | 4 +- templates/adoc_rule.adoc | 15 +---- 3 files changed, 49 insertions(+), 96 deletions(-)
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index 49891631b..80fdf8e15 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -23,7 +23,7 @@ class MacSecurityRule():
- def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis_lvl1, cis_lvl2, cisv8, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):
+ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):
self.rule_title = title
self.rule_id = rule_id
self.rule_severity = severity
@@ -36,9 +36,7 @@ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, n
self.rule_800171 = nist_171
self.rule_disa_stig = disa_stig
self.rule_srg = srg
- self.rule_cis_lvl1 = cis_lvl1
- self.rule_cis_lvl2 = cis_lvl2
- self.rule_cisv8 = cisv8
+ self.rule_cis = cis
self.rule_custom_refs = custom_refs
self.rule_result_value = result_value
self.rule_tags = tags
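Review bot: The new `cis` parameter of `MacSecurityRule.__init__` replaces three list-valued arguments with a single value of a different shape, and neither the signature nor the assignment records what that shape is; later code in this same commit iterates it with `.items()` yet still compares it against the list `['None']`. A one-line comment on the assignment would make the contract visible: `self.rule_cis = cis  # mapping from the rule YAML, e.g. {'benchmark': [...], 'v8': [...]}; legacy default is the list ['None']`. The `__init__` body starts and ends outside these hunks.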
@@ -59,9 +57,7 @@ def create_asciidoc(self, adoc_rule_template):
rule_cci=self.rule_cci,
rule_80053r5=self.rule_80053r5,
rule_disa_stig=self.rule_disa_stig,
- rule_cis_lvl1=self.rule_cis_lvl1,
- rule_cis_lvl2=self.rule_cis_lvl2,
- rule_cisv8=self.rule_cisv8,
+ rule_cis=self.rule_cis,
rule_srg=self.rule_srg,
rule_result=self.rule_result_value
)
@@ -1132,7 +1128,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
top = xlwt.easyxf("align: vert top")
headers = xlwt.easyxf("font: bold on")
counter = 1
- column_counter = 15
+ column_counter = 16
custom_ref_column = {}
sheet1.write(0, 0, "CCE", headers)
sheet1.write(0, 1, "Rule ID", headers)
@@ -1146,11 +1142,10 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(0, 9, "800-171", headers)
sheet1.write(0, 10, "SRG", headers)
sheet1.write(0, 11, "DISA STIG", headers)
- sheet1.write(0, 12, "CIS Level 1", headers)
- sheet1.write(0, 13, "CIS Level 2", headers)
- sheet1.write(0, 14, "CIS Controls v8", headers)
- sheet1.write(0, 15, "CCI", headers)
- sheet1.write(0, 16, "Modifed Rule", headers)
+ sheet1.write(0, 12, "CIS Benchmark", headers)
+ sheet1.write(0, 13, "CIS v8", headers)
+ sheet1.write(0, 14, "CCI", headers)
+ sheet1.write(0, 15, "Modifed Rule", headers)
sheet1.set_panes_frozen(True)
sheet1.set_horz_split_pos(1)
sheet1.set_vert_split_pos(2)
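Review bot: The renumbered header line `sheet1.write(0, 15, "Modifed Rule", headers)` carries the "Modifed" typo into the new column layout; since the line is rewritten anyway it should become `sheet1.write(0, 15, "Modified Rule", headers)`. The change to `column_counter = 16` moves the counter to one past the last fixed column, whereas the old value 15 appears to have overlapped the old fixed columns; how the counter is consumed is outside these hunks, so a comment such as `column_counter = 16  # first free column; must stay one past the last fixed header above` would keep the two in step. `generate_xls` begins before these hunks and continues after them.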
@@ -1227,34 +1222,28 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(counter, 11, disa_refs, topWrap)
sheet1.col(11).width = 500 * 15
- cislvl1_refs = (str(rule.rule_cis_lvl1)).strip('[]\'')
- cislvl1_refs = cislvl1_refs.replace(", ", "\n").replace("\'", "")
-
- sheet1.write(counter, 12, cislvl1_refs, topWrap)
- sheet1.col(12).width = 500 * 15
-
- cislvl2_refs = (str(rule.rule_cis_lvl2)).strip('[]\'')
- cislvl2_refs = cislvl2_refs.replace(", ", "\n").replace("\'", "")
-
- sheet1.write(counter, 13, cislvl2_refs, topWrap)
- sheet1.col(12).width = 500 * 15
-
- cisv8_refs = (str(rule.rule_cisv8)).strip('[]\'')
- cisv8_refs = cisv8_refs.replace(", ", "\n").replace("\'", "")
-
- sheet1.write(counter, 14, cisv8_refs, topWrap)
- sheet1.col(12).width = 500 * 15
+ cis = ""
+ if rule.rule_cis != ['None']:
+ for title, ref in rule.rule_cis.items():
+ if title == "benchmark":
+ sheet1.write(counter, 12, ref, topWrap)
+ sheet1.col(12).width = 500 * 15
+ if title == "v8":
+ cis = (str(ref).strip('[]\''))
+ cis = cis.replace(", ", "\n")
+ sheet1.write(counter, 13, cis, topWrap)
+ sheet1.col(13).width = 500 * 15
cci = (str(rule.rule_cci)).strip('[]\'')
cci = cci.replace(", ", "\n").replace("\'", "")
- sheet1.write(counter, 15, cci, topWrap)
+ sheet1.write(counter, 14, cci, topWrap)
sheet1.col(13).width = 400 * 15
customized = (str(rule.rule_customized)).strip('[]\'')
customized = customized.replace(", ", "\n").replace("\'", "")
- sheet1.write(counter, 16, customized, topWrap)
+ sheet1.write(counter, 15, customized, topWrap)
sheet1.col(14).width = 400 * 15
if rule.rule_custom_refs != ['None']:
@@ -1299,9 +1288,7 @@ def create_rules(baseline_yaml):
'cce',
'800-53r5',
'800-171r2',
- 'cis_lvl1',
- 'cis_lvl2',
- 'cisv8',
+ 'cis',
'srg',
'custom']
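Review bot: In the new `benchmark` branch `sheet1.write(counter, 12, ref, topWrap)` hands the YAML list itself to xlwt, whereas the `v8` branch (and the removed code) first flattens it with `str(ref).strip('[]\'')`; xlwt rejects non-scalar cell values, so the first rule with a benchmark reference will raise here. The `v8` branch also drops the old `.replace("\'", "")`, so a two-entry list is written as `4.1'` / `'4.8` with stray quotes around every entry but the first and last. Suggested: `bench = str(ref).strip('[]\'').replace(", ", "\n").replace("\'", "")` followed by `sheet1.write(counter, 12, bench, topWrap)`, and `cis = cis.replace(", ", "\n").replace("\'", "")` in the v8 branch. The width lines after the CCI and customized writes still address `col(13)` and `col(14)` while those values now go to columns 14 and 15. `generate_xls` begins and ends outside this hunk.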
@@ -1344,9 +1331,7 @@ def create_rules(baseline_yaml):
rule_yaml['references']['800-171r2'],
rule_yaml['references']['disa_stig'],
rule_yaml['references']['srg'],
- rule_yaml['references']['cis_lvl1'],
- rule_yaml['references']['cis_lvl2'],
- rule_yaml['references']['cisv8'],
+ rule_yaml['references']['cis'],
rule_yaml['references']['custom'],
rule_yaml['tags'],
rule_yaml['result'],
@@ -1443,6 +1428,19 @@ def parse_custom_references(reference):
string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
return string
+def parse_cis_references(reference):
+ string = "\n"
+ for item in reference:
+ if isinstance(reference[item], list):
+ string += "!CIS " + str(item) + "\n!\n"
+ string += "* "
+ for i in reference[item]:
+ string += str(i) + ", "
+ string = string[:-2] + "\n"
+ else:
+ string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
+ return string
+
def main():
@@ -1574,20 +1572,10 @@ def main():
else:
adoc_STIG_show=":show_STIG!:"
- if "LEVEL 1" in baseline_yaml['title'].upper():
- adoc_cis_lvl1_show=":show_cis_lvl1:"
+ if "CIS" in baseline_yaml['title'].upper():
+ adoc_cis_show=":show_cis:"
else:
- adoc_cis_lvl1_show=":show_cis_lvl1!:"
-
- if "LEVEL 2" in baseline_yaml['title'].upper():
- adoc_cis_lvl2_show=":show_cis_lvl2:"
- else:
- adoc_cis_lvl2_show=":show_cis_lvl2!:"
-
- if "CIS CONTROLS" in baseline_yaml['title'].upper():
- adoc_cisv8_show=":show_cisv8:"
- else:
- adoc_cisv8_show=":show_cisv8!:"
+ adoc_cis_show=":show_cis!:"
if "800" in baseline_yaml['title']:
adoc_171_show=":show_171:"
@@ -1605,9 +1593,7 @@ def main():
tag_attribute=adoc_tag_show,
nist171_attribute=adoc_171_show,
stig_attribute=adoc_STIG_show,
- cislvl1_attribute=adoc_cis_lvl1_show,
- cislvl2_attribute=adoc_cis_lvl2_show,
- cisv8_attribute=adoc_cisv8_show,
+ cis_attribute=adoc_cis_show,
version=version_yaml['version'],
os_version=version_yaml['os'],
release_date=version_yaml['date']
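Review bot: `parse_cis_references` is added without a docstring, and the AsciiDoc-table fragment it builds (a `!CIS <key>` header cell, an empty `!` cell, then a `* a, b` bullet line) is only understandable next to templates/adoc_rule.adoc. A docstring such as `"""Render a rule's 'cis' reference mapping as AsciiDoc table cells: a '!CIS <key>' header cell per key followed by one bulleted, comma-joined line of that key's values."""` would carry that context. The `else` branch is a verbatim copy of the line in `parse_custom_references` directly above; delegating to it, or folding both into one helper with a `prefix` argument, would avoid the two drifting apart. `def main()` starts at the end of this hunk and continues outside it.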
@@ -1720,25 +1706,11 @@ def main():
disa_stig = ulify(rule_yaml['references']['disa_stig'])
try:
- rule_yaml['references']['cis_lvl1']
- except KeyError:
- cis_lvl1 = '- N/A'
- else:
- cis_lvl1 = ulify(rule_yaml['references']['cis_lvl1'])
-
- try:
- rule_yaml['references']['cis_lvl2']
- except KeyError:
- cis_lvl2 = '- N/A'
- else:
- cis_lvl2 = ulify(rule_yaml['references']['cis_lvl2'])
-
- try:
- rule_yaml['references']['cisv8']
+ rule_yaml['references']['cis']
except KeyError:
- cisv8 = '- N/A'
+ cis = '- N/A'
else:
- cisv8 = ulify(rule_yaml['references']['cisv8'])
+ cis = parse_cis_references(rule_yaml['references']['cis'])
try:
rule_yaml['references']['srg']
@@ -1822,9 +1794,7 @@ def main():
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
- rule_cis_lvl1=cis_lvl1,
- rule_cis_lvl2=cis_lvl2,
- rule_cisv8=cisv8,
+ rule_cis=cis,
rule_cce=cce,
rule_tags=tags,
rule_srg=srg
@@ -1840,9 +1810,7 @@ def main():
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
- rule_cis_lvl1=cis_lvl1,
- rule_cis_lvl2=cis_lvl2,
- rule_cisv8=cisv8,
+ rule_cis=cis,
rule_cce=cce,
rule_custom_refs=custom_refs,
rule_tags=tags,
@@ -1860,9 +1828,7 @@ def main():
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
- rule_cis_lvl1=cis_lvl1,
- rule_cis_lvl2=cis_lvl2,
- rule_cisv8=cisv8,
+ rule_cis=cis,
rule_cce=cce,
rule_tags=tags,
rule_srg=srg,
diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc
index 0ea1af58b..417ea007c 100644
--- a/templates/adoc_header.adoc
+++ b/templates/adoc_header.adoc
@@ -14,9 +14,7 @@
:nofooter:
$nist171_attribute
$stig_attribute
-$cislvl1_attribute
-$cislvl2_attribute
-$cis_v8_attribute_placeholder_removed
+$cis_attribute
ifdef::backend-pdf[]
= $profile_title $version ($release_date)
diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc
index ee4b31bfe..be4d3508a 100644
--- a/templates/adoc_rule.adoc
+++ b/templates/adoc_rule.adoc
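Review bot: When a rule has no `cis` key the `except KeyError` branch still assigns the plain string `cis = '- N/A'`, but the `else` branch now assigns the output of `parse_cis_references`, which begins with an AsciiDoc cell marker (`!CIS ...`). The adoc_rule.adoc template in this same commit substitutes `$rule_cis` bare inside `ifdef::show_CIS[]`, so for such a rule `- N/A` lands in the table without a `!` cell and breaks the row; the old template supplied the `!CIS Level 1` cell itself, which is why the bare fallback used to work. Route the fallback through the same renderer, e.g. `cis = parse_cis_references({'benchmark': ['N/A'], 'v8': ['N/A']})`. `main()` begins and ends outside this hunk.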
@@ -45,19 +45,8 @@ ifdef::show_STIG[]
!$rule_disa_stig
endif::[]
-ifdef::show_CIS_LVL1[]
-!CIS Level 1
-!$rule_cis_lvl1
-endif::[]
-
-ifdef::show_CIS_LVL2[]
-!CIS Level 2
-!$rule_cis_lvl2
-endif::[]
-
-ifdef::show_CISv8[]
-!CIS Controls V8
-!$rule_cisv8
+ifdef::show_CIS[]
+$rule_cis
endif::[]
!CCE
From f1bbc9b521c5cee2059fdaaeb361b4dcc5c8866a Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Tue, 28 Dec 2021 20:31:48 -0500 Subject: [PATCH 051/193] more rework
---
 rules/os/os_secure_name_resolution.yaml | 7 +++++-- rules/os/os_sip_enable.yaml | 15 +++++++-------- rules/os/os_siri_prompt_disable.yaml | 9 ++++++--- rules/os/os_skip_unlock_with_watch_enable.yaml | 7 +++++-- rules/os/os_store_encrypted_passwords.yaml | 7 +++++-- rules/os/os_sudoers_tty_configure.yaml | 11 +++++------ rules/os/os_terminal_secure_keyboard_enable.yaml | 11 +++++------ rules/os/os_tftpd_disable.yaml | 11 +++++++---- rules/os/os_time_server_enabled.yaml | 7 +++++-- rules/os/os_touchid_prompt_disable.yaml | 7 +++++-- rules/os/os_unique_identification.yaml | 9 ++++++--- .../os/os_unlock_active_user_session_disable.yaml | 11 +++++------ rules/os/os_uucp_disable.yaml | 11 +++++++---- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 7 +++++-- .../pwpolicy_account_inactivity_enforce.yaml | 7 +++++-- .../pwpolicy_account_lockout_enforce.yaml | 7 +++++-- .../pwpolicy_account_lockout_timeout_enforce.yaml | 7 +++++-- .../pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 11 +++++------ 18 files changed, 98 insertions(+), 64 deletions(-)
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
index 1dcef83e2..1ed31bbe6 100644
--- a/rules/os/os_secure_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
@@ -24,8 +24,11 @@ references:
- N/A
srg:
- N/A
- cisv8:
- - 4.9
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.9
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index b3ea7700b..f9e58bd7a 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -65,14 +65,13 @@ references:
- 3.3.8
- 3.4.5
- 3.13.4
- cis_lvl1:
- - 5.1.2
- cis_lvl2:
- - N/A
- cisv8:
- - 2.6
- - 3.3
- - 10.5
+ cis:
+ benchmark:
+ - 5.1.2
+ v8:
+ - 2.6
+ - 3.3
+ - 10.5
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 5c6aaa366..0aa1a713d 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -31,9 +31,12 @@ references:
800-171r2:
- 3.1.20
- 3.4.6
- cisv8:
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index d94b7e591..8e72fd269 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -25,8 +25,11 @@ references:
- N/A
800-171r2:
- 3.1.20
- cisv8:
- - 4.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 54ad1cd76..d38693306 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -30,8 +30,11 @@ references:
- 3.5.8
- 3.5.9
- 3.5.10
- cisv8:
- - 3.11
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 3.11
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml
index 1e88ebe32..e28b50123 100644
--- a/rules/os/os_sudoers_tty_configure.yaml
+++ b/rules/os/os_sudoers_tty_configure.yaml
@@ -27,12 +27,11 @@ references:
- N/A
disa_stig:
- N/A
- cis_lvl1:
- - 5.4
- cis_lvl2:
- - N/A
- cisv8:
- - N/A
+ cis:
+ benchmark:
+ - 5.4 (level 1)
+ v8:
+ - 4.3
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml
index d7b8d21aa..4a6785237 100644
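Review bot: In the os_sip_enable.yaml hunk the converted benchmark entry is `- 5.1.2` with no `(level 1)` suffix, although the removed lines show it came from `cis_lvl1` and every other `benchmark` entry in this series carries the level in the string; with the separate keys gone, that suffix is now the only place the level is recorded, so it should be `- 5.1.2 (level 1)`. In the os_sudoers_tty_configure.yaml hunk the `v8` value changes from `N/A` to `4.3` while the commit message describes only a rework of the key layout; the same `N/A` → `4.3` change appears in os_unlock_active_user_session_disable.yaml further on. Both look deliberate, but a line in the commit message saying the mappings were re-checked against CIS v8 would stop a reader from treating them as conversion slips.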
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -23,12 +23,11 @@ references:
- N/A
800-171r2:
- N/A
- cis_lvl1:
- - 2.10
- cis_lvl2:
- - N/A
- cisv8:
- - 4.8
+ cis:
+ benchmark:
+ - 2.10 (level 1)
+ v8:
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 9a735f5b1..d4dc11356 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -35,10 +35,13 @@ references:
800-171r2:
- 3.1.1
- 3.1.2
- cisv8:
- - 3.3
- - 3.1
- - 5.2
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 3.3
+ - 3.1
+ - 5.2
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 9d41d2a5d..5b6d2b725 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -30,8 +30,11 @@ references:
- N/A
800-171r2:
- 3.3.7
- cisv8:
- - 8.4
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 8.4
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index 1f9978a67..4317fbcd1 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -26,8 +26,11 @@ references:
800-171r2:
- 3.4.1
- 3.4.2
- cisv8:
- - 4.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml
index 7c0f5e9e5..8e9c9c481 100644
--- a/rules/os/os_unique_identification.yaml
+++ b/rules/os/os_unique_identification.yaml
@@ -19,9 +19,12 @@ references:
- N/A
srg:
- N/A
- cisv8:
- - 5.1
- - 6.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 5.1
+ - 6.1
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index 07a13a5f7..37b6514df 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -33,12 +33,11 @@ references:
800-171r2:
- 3.5.1
- 3.5.2
- cis_lvl1:
- - 5.11
- cis_lvl2:
- - N/A
- cisv8:
- - N/A
+ cis:
+ benchmark:
+ - 5.11 (level 1)
+ v8:
+ - 4.3
macOS:
- "12.0"
tags:
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index 2ee40966f..115eee567 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -33,10 +33,13 @@ references:
800-171r2:
- 3.1.1
- 3.1.2
- cisv8:
- - 3.3
- - 4.1
- - 4.8
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 3.3
+ - 4.1
+ - 4.8
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index 9a44432c6..be1f15806 100644
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -33,8 +33,11 @@ references:
- 3.5.8
- 3.5.9
- 3.5.10
- cisv8:
- - 4.7
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.7
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index 678dae8d9..16d868ed5 100644
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -50,8 +50,11 @@ references:
800-171r2:
- 3.5.5
- 3.5.6
- cisv8:
- - 5.3
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 5.3
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 164a84c5c..428920c2e 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -25,8 +25,11 @@ references:
- N/A
800-171r2:
- 3.1.8
- cisv8:
- - 4.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index bc92b833b..8c8a65b96 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -25,8 +25,11 @@ references:
- N/A
800-171r2:
- 3.1.8
- cisv8:
- - 4.1
+ cis:
+ benchmark:
+ - N/A
+ v8:
+ - 4.1
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 3b6deca20..3f8a3da4f 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -33,12 +33,11 @@ references:
- 3.5.8
- 3.5.9
- 3.5.10
- cis_lvl1:
- - N/A
- cis_lvl2:
- - 5.2.3
- - 5.2.4
- cisv8:
+ cis:
+ benchmark:
+ - 5.2.3 (level 2)
+ - 5.2.4 (level 2)
+ v8:
- 5.2
macOS:
- "12.0"
From f2799e097b88757b33941c04a9a2b47192a3dd2f Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Wed, 29 Dec 2021 10:44:04 -0500 Subject: [PATCH 052/193] more cis
---
 .../audit_flags_fm_failed_configure.yaml | 2 +- rules/cis_lvl1.txt | 1 - .../pwpolicy_account_lockout_enforce.yaml | 2 +- ...pwpolicy_account_lockout_enforce_five.yaml | 43 +++++++++++++++++ .../pwpolicy_force_password_change.yaml | 5 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 7 ++- .../pwpolicy_history_enforce_fifteen.yaml | 48 +++++++++++++++++++ ...pwpolicy_lower_case_character_enforce.yaml | 11 ++--- .../pwpolicy_minimum_length_enforce.yaml | 9 ++-- .../pwpolicy_minimum_lifetime_enforce.yaml | 5 +- .../pwpolicy_simple_sequence_disable.yaml | 5 +- .../pwpolicy_special_character_enforce.yaml | 9 ++-- ...pwpolicy_upper_case_character_enforce.yaml | 9 ++-- .../sysprefs_airplay_receiver_disable.yaml | 12 ++--- .../sysprefs_automatic_login_disable.yaml | 9 ++-- .../sysprefs_computer_name_audit.yaml | 11 ++--- .../sysprefs_screensaver_timeout_enforce.yaml | 11 ++--- .../sysprefs_time_server_configure.yaml | 5 ++ .../sysprefs_time_server_enforce.yaml | 5 ++ 19 files changed, 157 insertions(+), 52 deletions(-) create mode 100644 rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml create mode 100644 rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index d5ffe8d97..b72a54e47 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -44,7 +44,7 @@ references:
- 3.3.2
- 3.3.8
macOS:
- - "10.15"
+ - "12.0"
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt
index 1630ee0ad..c1adf2299 100644
--- a/rules/cis_lvl1.txt
+++ b/rules/cis_lvl1.txt
@@ -33,7 +33,6 @@ Recommendation # Title
5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications
5.1.7 Ensure No World Writable Files Exist in the System Folder
Password Management
-5.2.1 Ensure Password Account Lockout Threshold Is Configured
5.2.7 Ensure Password Age Is Configured
5.2.8 Ensure Password History Is Configured
5.3 Ensure the Sudo Timeout Period Is Set to Zero
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 428920c2e..f7d233e26 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -29,7 +29,7 @@ references:
benchmark:
- N/A
v8:
- - 4.1
+ - 6.2
macOS:
- "12.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
new file mode 100644
index 000000000..04c3fcb2c
--- /dev/null
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
@@ -0,0 +1,43 @@ +id: pwpolicy_account_lockout_enforce_five +title: "Limit Consecutive Failed Login Attempts to Five" +discussion: | + The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of five. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after. + + This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 5' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-7 + 800-53r4: + - AC-7 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.8 + cis: + benchmark: + - 5.2.1 (level 1) + v8: + - 6.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.mobiledevice.passwordpolicy: + maxFailedAttempts: 5 diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index bff8b25c0..d8ed7bc29 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -36,7 +36,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: + cis: + benchmark: + - N/A + v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 09aac6670..6636553c7 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -32,8 +32,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: - - 5.2 + cis: + benchmark: + - N/A + v8: + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml new file mode 100644 index 000000000..ab498a3cf --- /dev/null 
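Review bot: The check in pwpolicy_account_lockout_enforce_five greps for the literal `maxFailedAttempts = 5`, so a profile that sets a stricter value (fewer attempts) fails the rule even though the discussion asks for "a maximum of five"; pwpolicy_history_enforce_fifteen in this same commit has the same mismatch, its discussion says "at least fifteen" while `result: integer: 15` demands exactly fifteen. If exact-value matching is intended for benchmark conformance, the discussion text should say so (for example `limit the number of failed login attempts to five`), otherwise the check needs a numeric comparison rather than a string match. The discussion also states the account is "locked for a period of time after", but the payload only sets `maxFailedAttempts: 5` with no lockout-duration key; if that duration is enforced by another rule, name it here, otherwise drop that sentence.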
+++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml @@ -0,0 +1,48 @@ +id: pwpolicy_history_enforce_fifteen +title: "Prohibit Password Reuse for a Minimum of Fifteen Generations" +discussion: | + The macOS _MUST_ be configured to enforce a password history of at least fifteen previous passwords when a password is created. + + This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. + + Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' +result: + integer: 15 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - IA-5(1) + 800-53r4: + - IA-5(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.5.7 + - 3.5.8 + - 3.5.9 + - 3.5.10 + cis: + benchmark: + - 5.2.8 (level 1) + v8: + - 5.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.mobiledevice.passwordpolicy: + pinHistory: 15 diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 0f997771f..17933e384 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -57,12 +57,11 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cis_lvl1: - - N/A - cis_lvl2: - - 5.2.6 - cisv8: - - 5.2 + cis: + benchmark: + - 5.2.6 (level 1) + v8: + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 58deefaab..cb205e0ce 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
@@ -33,11 +33,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cis_lvl1: - - 5.2.2 - cis_lvl2: - - N/A - cisv8: + cis: + benchmark: + - 5.2.2 (level 1) + v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 2ef25f10f..a59e4b9c2 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -54,7 +54,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: + cis: + benchmark: + - N/A + v8: - 4.7 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 3a41ce183..f4c38faaf 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -33,7 +33,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cisv8: + cis: + benchmark: + - N/A + v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index f2f945b0c..7411e0b23 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -35,11 +35,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cis_lvl1: - - N/A - cis_lvl2: - - 5.2.5 - cisv8: + cis: + benchmark: + - 5.2.5 (level 2) + v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index ccba47f4b..43d7f7dac 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -57,11 +57,10 @@ references: - 3.5.8 - 3.5.9 - 3.5.10 - cis_lvl1: - - N/A - cis_lvl2: - - 5.2.6 - cisv8: + cis: + benchmark: + - 5.2.6 (level 2) + v8: - 5.2 macOS: - "12.0" 
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index acf084fcf..d853392a8 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -28,13 +28,12 @@ references: - N/A 800-171r2: - 3.4.6 - cis_lvl1: - Benchmark: - - 2.4.13 - - Level 1 + cis: + benchmark: + - 2.4.13 (level 1) v8: - - 4.1 - - 4.8 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -42,6 +41,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index a40468ac3..ce7af3083 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -28,11 +28,10 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cis_lvl1: - - 5.7 - cis_lvl2: - - N/A - cisv8: + cis: + benchmark: + - 5.7 (level 1) + v8: - N/A macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_computer_name_audit.yaml b/rules/sysprefs/sysprefs_computer_name_audit.yaml index 9f0431fb6..2ec2cf555 100644 --- a/rules/sysprefs/sysprefs_computer_name_audit.yaml +++ b/rules/sysprefs/sysprefs_computer_name_audit.yaml @@ -26,12 +26,11 @@ references: - N/A srg: - N/A - cis_lvl1: - - N/A - cis lvl2: - - 1.7 - cisv8: - - 1.1 + cis: + benchmark: + - 1.7 (level 2) + v8: + - 1.1 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index ea8ede545..11bb3f8dc 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -26,12 +26,11 @@ references: - N/A 800-171r2: - 3.1.10 - cis_lvl1: - - 2.3.1 - cis_lvl2: - - N/A - cisv8: - - 4.3 + cis: + benchmark: + - 2.3.1 (level 1) + v8: + - 4.3 macOS: - "12.0" tags: 
diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 4a587580b..e9eb03789 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -27,6 +27,9 @@ references: - N/A 800-171r2: - 3.3.7 + cis: + benchmark: + - 2.2.1 (level 1) cisv8: - 8.4 macOS: @@ -39,6 +42,8 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index acd264193..ce62d00b8 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -27,6 +27,9 @@ references: - N/A 800-171r2: - 3.3.7 + cis: + benchmark: + - 2.2.1 (level 1) cisv8: - 8.4 macOS: @@ -39,6 +42,8 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true From 3d7512caa7cbd2591a3e7cc9f8fa28656522d56c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 29 Dec 2021 10:58:53 -0500 Subject: [PATCH 053/193] updated cis todo --- rules/audit/audit_flags_fm_failed_configure.yaml | 2 +- rules/cis_lvl1.txt | 3 --- rules/cis_lvl2.txt | 5 ----- 3 files changed, 1 insertion(+), 9 deletions(-) diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index b72a54e47..50663b705 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/rules/audit/audit_flags_fm_failed_configure.yaml 
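Review bot: In sysprefs_time_server_configure.yaml the new `cis:` block holds only `benchmark:`, while the existing `cisv8:` list stays a sibling key under `references:`; every other rule touched in this commit moved that list to `v8:` nested under `cis:`. The generator code changed later on this page iterates the keys of the `cis` mapping, so a `cisv8` list left outside it would presumably never reach the CIS columns — worth confirming. Indent the existing `cisv8:` list under `cis:` and rename the key to `v8:` so it reads `  v8:` / `    - 8.4` beneath `benchmark:`. The first hunk of sysprefs_time_server_enforce.yaml has the identical issue.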
@@ -1,7 +1,7 @@ id: audit_flags_fm_failed_configure title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index c1adf2299..99b040cf5 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -2,7 +2,6 @@ Recommendation # Title Bluetooth 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired Date & Time -2.2.1 Ensure "Set time and date automatically" Is Enabled 2.2.2 Ensure time set is within appropriate limits Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools @@ -33,8 +32,6 @@ Recommendation # Title 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder Password Management -5.2.7 Ensure Password Age Is Configured -5.2.8 Ensure Password History Is Configured 5.3 Ensure the Sudo Timeout Period Is Set to Zero 5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo 5.12 Ensure a Custom Message for the Login Screen Is Enabled diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 894d7ae2e..3825609aa 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -3,8 +3,6 @@ Recommendation # Title Security & Privacy 2.5.4 Audit Location Services Access 2.5.7 Audit Camera Privacy and Confidentiality - Encryption - Firewall iCloud 2.6.1.1 Audit iCloud Configuration 2.6.1.2 Audit iCloud Keychain 
@@ -14,7 +12,6 @@ Recommendation # Title Time Machine 2.7.1 Ensure Backup Up Automatically is Enabled Logging and Auditing -3.2 Ensure Security Auditing Flags Are Configured Per Local Organizational Requirements 3.7 Audit Software Inventory Network Configurations 4.3 Audit Network Specific Locations @@ -26,8 +23,6 @@ Recommendation # Title 5.5 Ensure login keychain is locked when the computer sleeps 5.9 Ensure system is set to hibernate 5.15 Ensure Fast User Switching Is Disabled - User Accounts and Environment - Accounts Preferences Action Items Appendix: Additional Considerations 7.1 Extensible Firmware Interface (EFI) password 7.2 FileVault and Local Account Password Reset using AppleID \ No newline at end of file From 3f5ed5770086b88feeb2386a928e88e56212f99e Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 29 Dec 2021 11:48:06 -0500 Subject: [PATCH 054/193] fixed cis tags --- rules/audit/audit_auditd_enabled.yaml | 1 + rules/audit/audit_retention_configure.yaml | 1 + rules/os/os_airdrop_disable.yaml | 1 + rules/os/os_authenticated_root_enable.yaml | 2 ++ rules/os/os_config_data_install_enforce.yaml | 1 + rules/os/os_firewall_log_enable.yaml | 1 + rules/os/os_gatekeeper_enable.yaml | 1 + rules/os/os_home_folders_secure.yaml | 1 + rules/os/os_httpd_disable.yaml | 1 + rules/os/os_nfsd_disable.yaml | 1 + rules/os/os_root_disable.yaml | 1 + rules/os/os_sudoers_tty_configure.yaml | 2 ++ rules/os/os_terminal_secure_keyboard_enable.yaml | 1 + rules/os/os_unlock_active_user_session_disable.yaml | 2 ++ rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml | 2 +- rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml | 1 + rules/sysprefs/sysprefs_automatic_login_disable.yaml | 4 +++- rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml | 1 + 18 files changed, 23 insertions(+), 2 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index ecdb6bdfb..dd4beb6c0 100644 --- a/rules/audit/audit_auditd_enabled.yaml 
+++ b/rules/audit/audit_auditd_enabled.yaml @@ -79,6 +79,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 75d205a34..94df46f47 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -46,6 +46,7 @@ tags: - 800-53r5_high - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 83ed1755b..f74d29753 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -54,6 +54,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index e3eafbc80..ce80e8b64 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -58,6 +58,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index a81997343..da5fc2324 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -44,6 +44,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 8acd72c82..26fc29411 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -52,6 +52,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: 
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index a49677fe1..ec011320d 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -55,6 +55,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "high" mobileconfig: true diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 1a0fba375..080469278 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 305e6906b..04f7af764 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -48,6 +48,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index cc7280433..ba4ebd584 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 7b2f300e6..c57e811db 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -44,6 +44,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index e28b50123..a5cb7fbb0 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -40,6 +40,8 @@ tags: - 800-53r5_high - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file 
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 4a6785237..fe133b463 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -32,6 +32,7 @@ macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 37b6514df..696ffc05f 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -50,5 +50,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 17933e384..d612d8bf4 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -59,7 +59,7 @@ references: - 3.5.10 cis: benchmark: - - 5.2.6 (level 1) + - 5.2.6 (level 2) v8: - 5.2 macOS: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index cb205e0ce..d9d0d3b99 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -50,6 +50,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index ce7af3083..dfc9a2c3b 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -32,7 +32,7 @@ references: benchmark: - 5.7 (level 1) v8: - - N/A + - 4.7 macOS: - "12.0" tags: 
@@ -45,6 +45,8 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 11bb3f8dc..6c4043b57 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -42,6 +42,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true From d327c56fb1d051170e5dba55c4a183c929278188 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 29 Dec 2021 14:30:50 -0500 Subject: [PATCH 055/193] sysprefs_printer_sharing_disable added --- rules/cis_lvl1.txt | 1 - .../sysprefs_printer_sharing_disable.yaml | 52 +++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 rules/sysprefs/sysprefs_printer_sharing_disable.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 99b040cf5..b147c38a0 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -6,7 +6,6 @@ Recommendation # Title Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools Sharing -2.4.4 Ensure Printer Sharing Is Disabled 2.4.6 Ensure DVD or CD Sharing Is Disabled 2.4.9 Ensure Remote Management Is Disabled Security & Privacy diff --git a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml new file mode 100644 index 000000000..fc449c8b4 --- /dev/null +++ b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml 
@@ -0,0 +1,52 @@ +id: sysprefs_printer_sharing_disable +title: "Disable Printer Sharing" +discussion: | + Printer Sharing _MUST_ be disabled. +check: | + /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" +result: + boolean: 1 +fix: | + [source,bash] + ---- + /usr/sbin/cupsctl --no-share-printers + /usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.4 (level 1) + cisv8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: + From c5480f36cb8f1566f01128b1d472ac4e19b2a075 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 29 Dec 2021 15:33:11 -0500 Subject: [PATCH 056/193] sysprefs_cd_dvd_sharing_disable --- rules/cis_lvl1.txt | 1 - .../sysprefs_cd_dvd_sharing_disable.yaml | 53 +++++++++++++++++++ 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index b147c38a0..2affd56a5 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -6,7 +6,6 @@ Recommendation # Title Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools Sharing -2.4.6 Ensure DVD or CD Sharing Is Disabled 2.4.9 Ensure Remote Management Is Disabled Security & Privacy Encryption diff --git a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml new file mode 100644 index 000000000..1052b4083 --- /dev/null +++ b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml 
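Review bot: The new sysprefs_printer_sharing_disable rule declares `result: boolean: 1` although its check ends in `/usr/bin/grep -c`, which emits a count; the sibling rules added in this series (CD/DVD sharing, remote management) use `integer: 1` for the same grep pattern, so this should be `integer: 1` unless the result matcher treats the two alike. In the fix, `awk` and `lpadmin` are invoked by bare name while the rest of the project (and the first command in this same block) uses absolute paths; `/usr/bin/awk` and `/usr/sbin/lpadmin` keep the remediation independent of the caller's PATH. The `fix:` block also leaves `mobileconfig_info:` with an empty trailing line where the other new rules end the same way, which is fine as long as the loader tolerates an empty mapping.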
@@ -0,0 +1,53 @@ +id: sysprefs_cd_dvd_sharing_disable +title: "Disable CD/DVD Sharing" +discussion: | + CD/DVD Sharing _MUST_ be disabled. +check: | + /usr/bin/pgrep -q ODSAgent; /bin/echo $? +result: + integer: 1 +fix: | + [source,bash] + ---- + /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.6 (level 1) + v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: + From 155037c4fa9d1313818099c5e8fa216f749580a6 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 29 Dec 2021 15:33:28 -0500 Subject: [PATCH 057/193] updated references --- rules/sysprefs/sysprefs_printer_sharing_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml index fc449c8b4..dcc3b588e 100644 --- a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 2.4.4 (level 1) - cisv8: + v8: - 4.1 - 4.8 macOS: From 6450e89ad0fb1bf59bf0e758a35fc55c0f70752c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 29 Dec 2021 15:33:55 -0500 Subject: [PATCH 058/193] updated references --- rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml index 1052b4083..4a5feff60 100644 --- a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml 
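Review bot: The check for sysprefs_cd_dvd_sharing_disable reports the exit status of `/usr/bin/pgrep -q ODSAgent` and expects 1, which is pgrep's "no match" status; pgrep also exits non-zero (2 or 3) on invalid options or internal errors, and more importantly the rule tests whether a process is currently running rather than whether the sharing setting is off. The other sharing rules added in this series query configuration (`cupsctl`, `mdmclient QuerySecurityInfo`), which is the more reliable signal. The fix only unloads the LaunchDaemon in the running session; whether that survives a reboot should be verified and, if it does not, the fix text should say so.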
@@ -43,7 +43,6 @@ tags: - 800-53r4_low - 800-53r4_moderate - 800-53r4_high - - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 From 5124874f9ce7d53c57cd821e9a0adf97aec4bc3f Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 29 Dec 2021 15:37:39 -0500 Subject: [PATCH 059/193] Adjusted templates for cisv8 --- scripts/generate_guidance.py | 6 +++--- templates/adoc_rule_custom_refs.adoc | 15 ++------------- templates/adoc_rule_no_setting.adoc | 15 ++------------- 3 files changed, 7 insertions(+), 29 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 80fdf8e15..f17a769c1 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -1225,10 +1225,10 @@ def generate_xls(baseline_name, build_path, baseline_yaml): cis = "" if rule.rule_cis != ['None']: for title, ref in rule.rule_cis.items(): - if title == "benchmark": + if title.lower() == "benchmark": sheet1.write(counter, 12, ref, topWrap) sheet1.col(12).width = 500 * 15 - if title == "v8": + if title.lower() == "v8": cis = (str(ref).strip('[]\'')) cis = cis.replace(", ", "\n") sheet1.write(counter, 13, cis, topWrap) @@ -1432,7 +1432,7 @@ def parse_cis_references(reference): string = "\n" for item in reference: if isinstance(reference[item], list): - string += "!CIS " + str(item) + "\n!\n" + string += "!CIS " + str(item).title() + "\n!\n" string += "* " for i in reference[item]: string += str(i) + ", " diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc index cf9e56e1e..ed23571eb 100644 --- a/templates/adoc_rule_custom_refs.adoc +++ b/templates/adoc_rule_custom_refs.adoc @@ -45,19 +45,8 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] -ifdef::show_CIS_LVL1[] -!CIS Level 1 -!$rule_cis_lvl1 -endif::[] - -ifdef::show_CIS_LVL2[] -!CIS Level 2 -!$rule_cis_lvl2 -endif::[] - -ifdef::show_CISv8[] -!CIS Controls V8 -!$rule_cisv8 +ifdef::show_CIS[] +$rule_cis endif::[] !CCE 
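Review bot: The comparison in `generate_xls` is now case-insensitive (`title.lower() == "benchmark"`), but a key matching neither branch is still dropped silently, while `parse_cis_references` renders whatever key it finds via `str(item).title()`; a rule that nests `cisv8:` under `cis:` (the printer-sharing rule added earlier in this series briefly did exactly that) would therefore show up as "CIS Cisv8" in the guide and be missing from the spreadsheet. Turning the second test into `elif title.lower() == "v8":` and adding `else: print("unknown CIS reference key: " + str(title))` (or the file's usual logging call, not visible here) makes the mismatch surface at build time. Both `generate_xls` and `parse_cis_references` begin outside these hunks. Pre-existing but worth aligning: the benchmark branch writes the `ref` list into the sheet as-is while the `v8` branch stringifies and joins it.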
diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc index d75d22d57..25661de26 100644 --- a/templates/adoc_rule_no_setting.adoc +++ b/templates/adoc_rule_no_setting.adoc @@ -31,19 +31,8 @@ ifdef::show_STIG[] !$rule_disa_stig endif::[] -ifdef::show_CIS_LVL1[] -!CIS Level 1 -!$rule_cis_lvl1 -endif::[] - -ifdef::show_CIS_LVL2[] -!CIS Level 2 -!$rule_cis_lvl2 -endif::[] - -ifdef::show_CISv8[] -!CIS Controls V8 -!$rule_cisv8 +ifdef::show_CIS[] +$rule_cis endif::[] ifdef::show_tags[] From da89a8740bb9fab77208df65d46a94f4026718f2 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 29 Dec 2021 16:09:05 -0500 Subject: [PATCH 060/193] sysprefs_remote_management_disable --- rules/cis_lvl1.txt | 2 - .../sysprefs_remote_management_disable.yaml | 51 +++++++++++++++++++ 2 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 rules/sysprefs/sysprefs_remote_management_disable.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 2affd56a5..c3e8cb2bc 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -5,8 +5,6 @@ Recommendation # Title 2.2.2 Ensure time set is within appropriate limits Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools - Sharing -2.4.9 Ensure Remote Management Is Disabled Security & Privacy Encryption 2.5.1.2 Ensure all user storage APFS volumes are encrypted diff --git a/rules/sysprefs/sysprefs_remote_management_disable.yaml b/rules/sysprefs/sysprefs_remote_management_disable.yaml new file mode 100644 index 000000000..a33e8eac3 --- /dev/null +++ b/rules/sysprefs/sysprefs_remote_management_disable.yaml 
@@ -0,0 +1,51 @@ +id: sysprefs_remote_management_disable +title: "Disable Remote Management" +discussion: | + Remote Management _MUST_ be disabled. +check: | + /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" +result: + integer: 1 +fix: | + [source,bash] + ---- + /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.4.3 (level 1) + v8: + - 4.1 + - 4.8 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 38f72207cf0bab17207d47f2f8d103e9198b8ef4 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 29 Dec 2021 17:02:33 -0500 Subject: [PATCH 061/193] fixed sysprefs_screen_sharing_disable --- .../sysprefs/sysprefs_screen_sharing_disable.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 297a3b89a..b7d29bb28 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -32,13 +32,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cis_lvl1: - - 2.4.3 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.3 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -51,6 +50,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false From babaa65f13c191d539f54132c8dc8c4cd1f35628 Mon Sep 17 00:00:00 2001 
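Review bot: The new sysprefs_remote_management_disable rule cites `benchmark: - 2.4.3 (level 1)`, yet the line this commit removes from rules/cis_lvl1.txt is `2.4.9 Ensure Remote Management Is Disabled`, and the next commit on this page assigns `2.4.3 (level 1)` to sysprefs_screen_sharing_disable, so two rules now map to one benchmark item; the reference here should presumably be `- 2.4.9 (level 1)`. Separately, the check greps the mdmclient output for the exact text `RemoteDesktopEnabled = 0`; if that key is absent when the service has never been enabled, the count is 0 and the rule fails on a compliant system — worth confirming against a fresh install.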
From: Allen Golbig Date: Wed, 29 Dec 2021 17:04:27 -0500 Subject: [PATCH 062/193] fixed sysprefs_bluetooth_menu_enable --- rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml index a03894b39..1e277bd0f 100644 --- a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -23,16 +23,18 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 2.1.2 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 2.1.2 (level 1) + v8: + - 4.8 + - 13.9 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.controlcenter: From de7495ca4f7c338bceba3ec03ce1c065a304ec29 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Thu, 30 Dec 2021 09:34:36 -0500 Subject: [PATCH 063/193] fixed cis refs/tags in yams --- .../sysprefs_bluetooth_sharing_disable.yaml | 16 ++++++++-------- .../sysprefs_content_caching_disable.yaml | 13 ++++++------- ...sysprefs_critical_update_install_enforce.yaml | 16 ++++++++-------- .../sysprefs_diagnostics_reports_disable.yaml | 13 ++++++------- rules/sysprefs/sysprefs_filevault_enforce.yaml | 14 +++++++------- rules/sysprefs/sysprefs_firewall_enable.yaml | 16 ++++++++-------- .../sysprefs_firewall_stealth_mode_enable.yaml | 16 ++++++++-------- .../sysprefs_guest_access_smb_disable.yaml | 16 ++++++++-------- .../sysprefs/sysprefs_guest_account_disable.yaml | 16 ++++++++-------- .../sysprefs_install_macos_updates_enforce.yaml | 14 +++++++------- .../sysprefs_internet_sharing_disable.yaml | 14 +++++++------- .../sysprefs_location_services_enable.yaml | 13 ++++++------- ...nwindow_prompt_username_password_enforce.yaml | 13 +++++++------ .../sysprefs_media_sharing_disabled.yaml | 13 ++++++------- .../sysprefs_password_hints_disable.yaml | 13 +++++++------ ...ysprefs_personalized_advertising_disable.yaml | 14 +++++++------- rules/sysprefs/sysprefs_power_nap_disable.yaml | 14 +++++++------- rules/sysprefs/sysprefs_rae_disable.yaml | 14 +++++++------- ...reensaver_ask_for_password_delay_enforce.yaml | 13 +++++++------ rules/sysprefs/sysprefs_smbd_disable.yaml | 12 +++++++----- ...prefs_software_update_app_update_enforce.yaml | 14 +++++++------- ...ysprefs_software_update_download_enforce.yaml | 14 +++++++------- .../sysprefs_software_update_enforce.yaml | 14 +++++++------- .../sysprefs_softwareupdate_current.yaml | 14 +++++++------- rules/sysprefs/sysprefs_ssh_disable.yaml | 14 +++++++------- ...sprefs_system_wide_preferences_configure.yaml | 13 +++++++------ .../sysprefs_wake_network_access_disable.yaml | 12 ++++++------ rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 14 ++++++++------ 28 files changed, 198 insertions(+), 194 deletions(-) 
diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index e8b112208..a8bc8ffc2 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -46,14 +46,13 @@ references: - 3.1.2 - 3.1.16 - 3.4.7 - cis_lvl1: - - 2.4.7 - cis_lvl2: - - N/A - cisv8: - - 3.3 - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.7 (level 1) + v8: + - 3.3 + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -66,6 +65,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 97fa49a83..e3d4d88cd 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -27,13 +27,12 @@ references: - N/A 800-171r2: - 3.4.6 - cis_lvl1: - - N/A - cis_lvl2: - - 2.4.10 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.10 (level 2) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index b5d3ab6f1..9cae895c3 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -23,14 +23,13 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.5 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 - - 7.7 + cis: + benchmark: + - 1.5 (level 1) + v8: + - 7.3 + - 7.4 + - 7.7 macOS: - "12.0" tags: @@ -38,6 +37,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 45228096f..739548b7a 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml 
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -28,13 +28,12 @@ references: - N/A 800-171r2: - 3.1.20 - cis_lvl1: - - N/A - cis_lvl2: - - 2.5.5 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.5.5 (level 2) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 79ea6dbf9..2f5db7b08 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -29,13 +29,12 @@ references: - N/A 800-171r2: - 3.13.16 - cis_lvl1: - - 2.5.5.1 - cis_lvl2: - - N/A - cisv8: - - 3.6 - - 3.11 + cis: + benchmark: + - 2.5.5.1 (level 1) + v8: + - 3.6 + - 3.11 macOS: - "12.0" tags: @@ -46,6 +45,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 707d7f5b9..4aa3acda1 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -41,14 +41,13 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 - cis_lvl1: - - 2.5.2.2 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.5 - - 13.1 + cis: + benchmark: + - 2.5.2.2 (level 1) + v8: + - 4.1 + - 4.5 + - 13.1 macOS: - "12.0" tags: @@ -61,6 +60,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 2619bd126..8a4c9b481 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -37,14 +37,13 @@ references: - 3.13.1 - 3.13.2 - 3.13.5 - cis_lvl1: - - 2.5.2.3 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.5 - - 4.8 + cis: + benchmark: + - 2.5.2.3 + v8: + - 4.1 + - 4.5 + - 4.8 macOS: - "12.0" tags: 
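Review bot: In the `references` hunk of rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml the new `cis.benchmark` entry is `- 2.5.2.3` with no `(level N)` suffix, while the other entries rewritten in this commit carry one (e.g. `- 2.5.2.2 (level 1)` in sysprefs_firewall_enable.yaml); the same omission is in the sysprefs_ssh_disable.yaml hunk (`- 2.4.5`). If the level suffix is what downstream tooling parses to decide which baseline a rule lands in, these two rules would be mis-filed even though both now carry the `cis_lvl2` tag. I would change them to `- 2.5.2.3 (level 1)` and `- 2.4.5 (level 1)`, matching the `cis_lvl1` tag both files keep.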
@@ -57,6 +56,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index 024e5dd77..489e7171b 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -31,14 +31,13 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cis_lvl1: - - 6.1.4 - cis_lvl2: - - N/A - cisv8: - - 5.2 - - 6.2 - - 6.8 + cis: + benchmark: + - 6.1.4 (level 1) + v8: + - 5.2 + - 6.2 + - 6.8 macOS: - "12.0" tags: @@ -51,6 +50,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 3803b2d6d..579fd3438 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -28,14 +28,13 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cis_lvl1: - - 6.1.3 - cis_lvl2: - - N/A - cisv8: - - 5.2 - - 6.2 - - 6.8 + cis: + benchmark: + - 6.1.3 (level 1) + v8: + - 5.2 + - 5.3 + - 6.8 macOS: - "12.0" tags: @@ -48,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "high" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml index d794f4718..5431ec753 100644 --- a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml @@ -23,17 +23,17 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.6 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 + cis: + benchmark: + - 1.6 (level 1) + v8: + - 7.3 + - 7.4 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index d6105a5b5..1856ffb96 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -28,13 +28,12 @@ references: 800-171r2: - 3.1.3 - 3.1.20 - cis_lvl1: - - 2.4.2 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.2 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -47,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: true diff --git a/rules/sysprefs/sysprefs_location_services_enable.yaml b/rules/sysprefs/sysprefs_location_services_enable.yaml index 2001bb3d2..6ab353f5c 100644 --- a/rules/sysprefs/sysprefs_location_services_enable.yaml +++ b/rules/sysprefs/sysprefs_location_services_enable.yaml @@ -26,13 +26,12 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - N/A - cis_lvl2: - - 2.5.3 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.5.3 (level 2) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index bbd80486d..49ae66fad 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -26,12 +26,11 @@ references: 800-171r2: - 3.5.1 - 3.5.2 - cis_lvl1: - - 6.1.1 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 6.1.1 (level 1) + v8: + - 4.1 macOS: - "12.0" tags: @@ -44,6 +43,8 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.loginwindow: diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index d7ae9081e..b50d6df1a 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml 
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -31,13 +31,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cis_lvl1: - - N/A - cis_lvl2: - - 2.4.12 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.12 (level 2) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index f3b2db8e1..7ccf6d39d 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -25,12 +25,11 @@ references: - N/A 800-171r2: - 3.5.11 - cis_lvl1: - - 6.1.1 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 6.1.2 (level 1) + v8: + - 4.1 macOS: - "12.0" tags: @@ -43,6 +42,8 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 4b7d71982..bc6400b10 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -31,13 +31,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cis_lvl1: - - 2.5.6 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.5.6 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -50,6 +49,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 34581e12b..ad6f90af7 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -39,13 +39,12 @@ references: - N/A 800-171r2: - 3.4.6 - cis_lvl1: - - 2.9 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.9 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: 
@@ -58,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 46bd35c22..f899eb696 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -32,13 +32,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cis_lvl1: - - 2.4.1 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.1 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -51,6 +50,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index b198819c0..4253a850b 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -25,12 +25,11 @@ references: - N/A 800-171r2: - 3.1.10 - cis_lvl1: - - 5.8 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 5.8 (level 1) + v8: + - 4.7 macOS: - "12.0" tags: @@ -41,6 +40,8 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 65b5f2f18..d4f9ad2a8 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -31,11 +31,12 @@ references: 800-171r2: - 3.1.1 - 3.1.2 - cis_lvl1: - - 2.4.8 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.8 (level 1) + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: @@ -48,6 +49,7 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false 
diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml index cfde9f156..edb6e8584 100644 --- a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml @@ -23,17 +23,17 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.4 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 + cis: + benchmark: + - 1.4 (level 1) + v8: + - 7.3 + - 7.4 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index 541d0d093..5691d7cd1 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -23,17 +23,17 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.3 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 + cis: + benchmark: + - 1.3 (level 1) + v8: + - 7.3 + - 7.4 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml index 92764a5fc..0bac9e49d 100644 --- a/rules/sysprefs/sysprefs_software_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml @@ -23,17 +23,17 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.2 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 + cis: + benchmark: + - 1.2 (level 1) + v8: + - 7.3 + - 7.4 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml index 2099517c8..0afffc370 100644 --- a/rules/sysprefs/sysprefs_softwareupdate_current.yaml +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml 
@@ -35,17 +35,17 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 1.1 - cis_lvl2: - - N/A - cisv8: - - 7.3 - - 7.4 + cis: + benchmark: + - 1.1 (level 1) + v8: + - 7.3 + - 7.4 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index a75df3542..7ca29da1a 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -34,17 +34,17 @@ references: - 3.1.1 - 3.1.2 - 3.4.6 - cis_lvl1: - - 2.4.5 - cis_lvl2: - - N/A - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - 2.4.5 + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 7f017c27b..66845835d 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -33,12 +33,11 @@ references: 800-171r2: - 3.1.5 - 3.1.6 - cis_lvl1: - - 5.10 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 5.10 (level 1) + v8: + - 4.1 macOS: - "12.0" tags: @@ -49,6 +48,8 @@ tags: - 800-171 - cnssi-1253 - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml index dea09e37d..3ff01d0c5 100644 --- a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml +++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml 
@@ -26,16 +26,16 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 2.8 - cis_lvl2: - - N/A - cisv8: - - 4.8 + cis: + benchmark: + - 2.8 (level 1) + v8: + - 4.8 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml index 68c6be925..c016e63f5 100644 --- a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -23,16 +23,18 @@ references: - N/A 800-171r2: - N/A - cis_lvl1: - - 4.2 - cis_lvl2: - - N/A - cisv8: - - N/A + cis: + benchmark: + - 4.2 (level 1) + v8: + - 4.8 + - 12.6 macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.controlcenter: From cbac9a6c557126a8e950390dcfa478d138a3509d Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 30 Dec 2021 09:46:21 -0500 Subject: [PATCH 064/193] sysprefs_fast_users_switching_disable --- ...sysprefs_fast_users_switching_disable.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/sysprefs/sysprefs_fast_users_switching_disable.yaml diff --git a/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml b/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml new file mode 100644 index 000000000..7098dff2a --- /dev/null +++ b/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml 
@@ -0,0 +1,41 @@ +id: sysprefs_fast_user_switching_disable +title: "Ensure Fast User Switching Is Disabled" +discussion: | + Fast user switching _MUST_ be disabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'MultipleSessionEnabled = 0' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + disa_stig: + - N/A + srg: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.15 (level 2) + v8: + - 4.1 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + .GlobalPreferences: + MultipleSessionEnabled: true + + From e3a493afac2ff4e8c971157907b4a7a1de1f9f2c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 30 Dec 2021 13:45:01 -0500 Subject: [PATCH 065/193] added/fixed cis controls --- rules/audit/audit_acls_files_configure.yaml | 10 ++++++++-- rules/audit/audit_acls_folders_configure.yaml | 8 ++++++++ rules/audit/audit_files_group_configure.yaml | 8 ++++++++ rules/audit/audit_files_mode_configure.yaml | 8 ++++++++ rules/audit/audit_files_owner_configure.yaml | 8 ++++++++ rules/audit/audit_folder_group_configure.yaml | 8 ++++++++ rules/audit/audit_folder_owner_configure.yaml | 8 ++++++++ rules/audit/audit_folders_mode_configure.yaml | 8 ++++++++ rules/audit/audit_retention_configure.yaml | 4 +--- rules/cis_lvl1.txt | 7 +------ rules/cis_lvl2.txt | 2 -- 11 files changed, 66 insertions(+), 13 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0211cd2b2..95537ba92 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -20,17 +20,20 @@ references: - CCI-000162 - CCI-001314 800-53r5: - - SI-11 - AU-9 800-53r4: - AU-9 - - SI-11 srg: - N/A disa_stig: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: 
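Review bot: The `mobileconfig_info` payload at the end of rules/sysprefs/sysprefs_fast_users_switching_disable.yaml sets `MultipleSessionEnabled: true`, which is the opposite of what the title, the `check` (`grep -c 'MultipleSessionEnabled = 0'`) and `result: integer: 1` require; a profile generated from this rule would enable fast user switching and the rule would then report non-compliant against its own profile. The key should read `MultipleSessionEnabled: false`. Separately, the file is named `sysprefs_fast_users_switching_disable.yaml` but declares `id: sysprefs_fast_user_switching_disable` (users vs. user); if the generator keys rules by file name, the id/file mismatch will break lookups, so one of the two should be renamed to match.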
@@ -42,6 +45,9 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index ef58e7306..5f2b279b3 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -28,6 +28,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -39,6 +44,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 128b45999..dd87741bf 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -30,6 +30,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index d55950494..571d06a48 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -26,6 +26,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -37,6 +42,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 0bdcfcd1d..d1df0d51b 100644 --- a/rules/audit/audit_files_owner_configure.yaml 
+++ b/rules/audit/audit_files_owner_configure.yaml @@ -30,6 +30,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index d0aefb04a..65b0ae1f0 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -30,6 +30,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index afbc5db8e..be161d4ec 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -30,6 +30,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: @@ -41,6 +46,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 07e3bb467..eea02cbe1 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -30,6 +30,11 @@ references: - N/A 800-171r2: - 3.3.8 + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: 
@@ -41,6 +46,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 94df46f47..f8d1f26a7 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -30,7 +30,7 @@ references: - N/A cis: benchmark: - - 3.4 (level 1) + - N/A v8: - 8.3 - 8.1 @@ -45,8 +45,6 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 - - cis_lvl1 - - cis_lvl2 - cisv8 severity: "medium" mobileconfig: false diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index c3e8cb2bc..0b5d01439 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -20,19 +20,14 @@ Recommendation # Title 2.17 Audit Passwords System Preference Setting Logging and Auditing 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size -3.4 Ensure Security Auditing Retention Is Enabled -3.5 Ensure Access to Audit Records Is Controlled File System Permissions and Access Controls 5.1.3 Ensure Apple Mobile File Integrity Is Enabled 5.1.4 Ensure Library Validation Is Enabled 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder Password Management -5.3 Ensure the Sudo Timeout Period Is Set to Zero -5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo 5.12 Ensure a Custom Message for the Login Screen Is Enabled 5.14 Ensure Users' Accounts Do Not Have a Password Hint Accounts Preferences Action Items 6.1.5 Ensure the Guest Home Folder Does Not Exist -6.2 Ensure Show All Filename Extensions Setting is Enabled -6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled \ No newline at end of file +6.2 Ensure Show All Filename Extensions Setting is Enabled \ No newline at end of file 
diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 3825609aa..4ba769c1e 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -19,10 +19,8 @@ Recommendation # Title File System Permissions and Access Controls 5.1.8 Ensure No World Writable Files Exist in the Library Folder Password Management -5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured 5.5 Ensure login keychain is locked when the computer sleeps 5.9 Ensure system is set to hibernate -5.15 Ensure Fast User Switching Is Disabled Appendix: Additional Considerations 7.1 Extensible Firmware Interface (EFI) password 7.2 FileVault and Local Account Password Reset using AppleID \ No newline at end of file From db9de60f2adfafcba9f97b12eaa3c739538cec4b Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 30 Dec 2021 13:45:48 -0500 Subject: [PATCH 066/193] fixes #108 --- rules/os/os_sudoers_tty_configure.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index a5cb7fbb0..e238c08f1 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml 
@@ -5,13 +5,13 @@ discussion: | This rule ensures that the "sudo" command will prompt for the administrator’s password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. check: | - /usr/bin/grep -Ec "^Defaults tty_tickets" /etc/sudoers + /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+\!tty_tickets" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs result: - integer: 1 + integer: 0 fix: | [source,bash] ---- - /bin/cp /etc/sudoers /etc/sudoers.bk; /bin/echo "Defaults tty_tickets" >> /etc/sudoers + /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/!tty_tickets/d' '{}' \; ---- references: cce: @@ -42,6 +42,5 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 -severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file From b5b2466caaa53e7468dadd1c9e0e74d6750cd4b0 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 30 Dec 2021 13:46:45 -0500 Subject: [PATCH 067/193] sysprefs_fast_users_switching_disable --- rules/sysprefs/sysprefs_fast_users_switching_disable.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml b/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml index 7098dff2a..f7a29e96e 100644 --- a/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml +++ b/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml @@ -33,6 +33,7 @@ macOS: tags: - cis_lvl2 - cisv8 + - cis_manual mobileconfig: true mobileconfig_info: .GlobalPreferences: From 43f52a8f299b1ce206b5f37deef5d62af9774362 Mon Sep 17 00:00:00 2001 
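Review bot: The new `fix` in rules/os/os_sudoers_tty_configure.yaml rewrites /etc/sudoers and every file under /etc/sudoers.d in place with `sed -i ''` and never validates the result; a malformed sudoers file makes sudo refuse to run at all, so the edit should be followed by `/usr/sbin/visudo -c` (the previous fix at least kept a `.bk` copy). Deleting the whole line with `/!tty_tickets/d` also drops any other options on a combined `Defaults` line; `sed -i '' 's/!tty_tickets/tty_tickets/'` keeps them and still satisfies the new check. The `check` regex `^Defaults\s+\!tty_tickets` only sees `!tty_tickets` when it is the first option after `Defaults`, so a line like `Defaults env_reset,!tty_tickets` would pass the check while still disabling tty tickets. The same unvalidated in-place sed edit appears in the new fix blocks of rules/os/os_sudo_timeout_configure.yaml (PATCH 071) and rules/os/os_sudoers_timestamp_type_configure.yaml (PATCH 072).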
From: Allen Golbig
Date: Thu, 30 Dec 2021 13:47:23 -0500
Subject: [PATCH 068/193] added cis rules for audit_control
---
.../audit/audit_control_group_configure.yaml | 41 +++++++++++++++++++
rules/audit/audit_control_mode_configure.yaml | 41 +++++++++++++++++++
.../audit/audit_control_owner_configure.yaml | 41 +++++++++++++++++++
3 files changed, 123 insertions(+)
create mode 100644 rules/audit/audit_control_group_configure.yaml
create mode 100644 rules/audit/audit_control_mode_configure.yaml
create mode 100644 rules/audit/audit_control_owner_configure.yaml
diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml
new file mode 100644
index 000000000..8ca43ca2b
--- /dev/null
+++ b/rules/audit/audit_control_group_configure.yaml
@@ -0,0 +1,41 @@
+id: audit_control_group_configure
+title: "Configure Audit_Control Group to Wheel"
+discussion: |
+ /etc/security/audit_control _MUST_ have the group set to wheel.
+check: |
+ /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/chgrp wheel /etc/security/audit_control
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AU-9
+ 800-53r4:
+ - AU-9
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 3.5 (level 1)
+ v8:
+ - 3.3
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml
new file mode 100644
index 000000000..ff5b225c1
--- /dev/null
+++ b/rules/audit/audit_control_mode_configure.yaml
@@ -0,0 +1,41 @@
+id: audit_control_mode_configure
+title: "Configure Audit_Control Owner to Mode 440 or Less Permissive"
+discussion: |
+ /etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel.
+check: |
+ /bin/ls -l /etc/security/audit_control | awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ //bin/chmod 440 /etc/security/audit_control
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AU-9
+ 800-53r4:
+ - AU-9
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 3.5 (level 1)
+ v8:
+ - 3.3
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml
new file mode 100644
index 000000000..1af95825f
--- /dev/null
+++ b/rules/audit/audit_control_owner_configure.yaml
@@ -0,0 +1,41 @@
+id: audit_control_owner_configure
+title: "Configure Audit_Control Owner to Root"
+discussion: |
+ /etc/security/audit_control _MUST_ have the owner set to root.
+check: |
+ /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'
+result:
+ integer: 0
+fix: |
+ [source,bash]
+ ----
+ /usr/sbin/chown root /etc/security/audit_control
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AU-9
+ 800-53r4:
+ - AU-9
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - 3.5 (level 1)
+ v8:
+ - 3.3
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
From 34193a1fe5a1fb036703f6dff7dabb0223f03902 Mon Sep 17 00:00:00 2001
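Review bot: The `fix` in rules/audit/audit_control_mode_configure.yaml runs `//bin/chmod 440 /etc/security/audit_control`; the doubled leading slash is a typo for `/bin/chmod`. The `check` only accepts the exact permission string `-r--r-----`, so a file at mode 400, which the title's "440 or Less Permissive" explicitly allows, is reported as non-compliant; `/usr/bin/awk '!/^-[r-]--[r-]------/{print $1}'` accepts 440 and anything stricter, and also restores the absolute `/usr/bin/awk` path that the rest of the rule's commands use. The title reads "Configure Audit_Control Owner to Mode 440 ..." although this rule is about the mode, not the owner (the sibling audit_control_owner_configure.yaml covers that), so "Owner" should be "Mode".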
From: Allen Golbig
Date: Thu, 30 Dec 2021 13:47:56 -0500
Subject: [PATCH 069/193] cis audit retention
---
.../audit_retention_configure_sixty_days.yaml | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 rules/audit/audit_retention_configure_sixty_days.yaml
diff --git a/rules/audit/audit_retention_configure_sixty_days.yaml b/rules/audit/audit_retention_configure_sixty_days.yaml
new file mode 100644
index 000000000..c7dcce952
--- /dev/null
+++ b/rules/audit/audit_retention_configure_sixty_days.yaml
@@ -0,0 +1,45 @@
+id: audit_retention_configure_sixty_days
+title: "Configure Audit Retention to a Minimum of Sixty Days or One Gigabyte"
+discussion: |
+ The audit service _MUST_ be configured to require records be kept for sixty days or longer before deletion, unless the system uses a central audit record storage facility.
+
+ When "expire-after" is set to "60d", the audit service will not delete audit logs until the log data is at least sixty days old.
+check: |
+ /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
+result:
+ string: 60d or 1G
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d or 1G/' /etc/security/audit_control; /usr/sbin/audit -s
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AU-11
+ - AU-4
+ 800-53r4:
+ - AU-4
+ - AU-11
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 3.4 (level 1)
+ v8:
+ - 8.3
+ - 8.1
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
From 040035275866778fefdfc0f54d8a7d953ab22480 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 30 Dec 2021 13:48:24 -0500
Subject: [PATCH 070/193] added safari safe downloads control
---
...os_safari_open_safe_downloads_disable.yaml | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 rules/os/os_safari_open_safe_downloads_disable.yaml
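Review bot: The `check` in rules/audit/audit_retention_configure_sixty_days.yaml uses the unanchored awk pattern `/expire-after/`, so a commented-out `#expire-after:...` line is printed and compared as well, and the `result` is an exact string match on `60d or 1G`, so a stricter setting such as `90d or 1G` is reported as non-compliant. Anchoring the pattern, `/usr/bin/awk -F: '/^expire-after/{print $2}' /etc/security/audit_control`, removes the comment false positive; whether stricter values should also pass is a policy call that the discussion should state either way. Worth one more sentence in the discussion: as I read audit_control(5), an `OR` expression expires trails when either condition is met, so on a busy host the 1G size cap can remove records younger than sixty days, which the current text ("will not delete audit logs until the log data is at least sixty days old") does not mention.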
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml
new file mode 100644
index 000000000..c5960d2e8
--- /dev/null
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -0,0 +1,36 @@
+id: os_safari_open_safe_downloads_disable
+title: "Disable Automatic Opening of Safe Files in Safari"
+discussion: |
+ Open "safe" files after downloading _MUST_ be disabled in Safari.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ disa_stig:
+ - N/A
+ srg:
+ - N/A
+ cis:
+ benchmark:
+ - 6.3 (level 1)
+ v8:
+ - 9
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: true
+mobileconfig_info:
+ com.apple.Safari:
+ AutoOpenSafeDownloads: false
From b015913744f87e6c7fe6de6384251373c1a297cd Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 30 Dec 2021 13:48:57 -0500
Subject: [PATCH 071/193] cis sudo timeout
---
rules/os/os_sudo_timeout_configure.yaml | 44 +++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 rules/os/os_sudo_timeout_configure.yaml
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
new file mode 100644
index 000000000..f1ec63169
--- /dev/null
+++ b/rules/os/os_sudo_timeout_configure.yaml
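Review bot: The new rule rules/os/os_safari_open_safe_downloads_disable.yaml has no `result:` block after `check`, unlike every other rule on this page (the fast-user-switching rule added in PATCH 064 puts `result:` / `integer: 1` right after its `grep -c` check); without an expected value the compliance tooling has nothing to compare the `grep -c` output against. Add `result:` with `integer: 1` beneath it. The `800-171r2:` reference key that the sibling rules carry is also absent here; if the generators iterate over a fixed key set, it may need to be present as `- N/A`.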
@@ -0,0 +1,44 @@
+id: os_sudo_timeout_configure
+title: "Configure Sudo Timeout Period to Zero"
+discussion: |
+ The file /etc/sudoers _MUST_ include a timestamp_timout of zero.
+check: |
+ /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
+ /bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 5.3 (level 1)
+ v8:
+ - 4.3
+macOS:
+ - "12.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - cnssi-1253
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
From 82614ec45f38bb544fef164f3e4c4f4db120286c Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Thu, 30 Dec 2021 13:49:20 -0500
Subject: [PATCH 072/193] cis sudoers timestamp_type
---
 .../os_sudoers_timestamp_type_configure.yaml | 46 +++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules/os/os_sudoers_timestamp_type_configure.yaml
diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml
new file mode 100644
index 000000000..9f63fb069
--- /dev/null
+++ b/rules/os/os_sudoers_timestamp_type_configure.yaml
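Review bot: The fix rewrites every file matched by `/etc/sudoers*` with `sed -i ''` and then appends to `/etc/sudoers.d/mscp` without validating the result; a sudoers file that no longer parses disables sudo for every administrator on the host, so the fix should end with `/usr/sbin/visudo -cf /etc/sudoers && /usr/sbin/visudo -cf /etc/sudoers.d/mscp` and restore the originals when that fails. The same unvalidated in-place edit appears in the `os_sudoers_timestamp_type_configure` fix in the next patch. `/timestamp_timeout/d` also deletes comment lines that merely mention the option, and the appended `Defaults` line only takes effect if `/etc/sudoers` contains `#includedir /etc/sudoers.d` (presumably true on a stock macOS install, but the rule does not verify it). Minor: `timestamp_timout` in the discussion is misspelled.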
@@ -0,0 +1,46 @@ +id: os_sudoers_timestamp_type_configure +title: "Configure Sudoers Timestamp Type" +discussion: | + The file /etc/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid. + + This rule ensures that the "sudo" command will prompt for the administrator’s password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. +check: | + /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E '(^Defaults\s+timestamp_type=global|^Defaults\s+timestamp_type=ppid)' '{}' \; | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d' '{}' \; + ---- +references: + cce: + - CCE-91015-8 + cci: + - CCI-000366 + 800-53r5: + - CM-5(1) + - IA-11 + 800-53r4: + - IA-11 + srg: + - N/A + disa_stig: + - N/A + cis: + benchmark: + - 5.4 (level 1) + v8: + - 4.3 +macOS: + - "12.0" +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From b008cbf473fa829166cad5e7695703bcc2c44b62 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 30 Dec 2021 14:24:52 -0500 Subject: [PATCH 073/193] fix for static defined files in permissions checks --- scripts/generate_oval.py | 51 +++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 99aab6b23..7512f69f4 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
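Review bot: The check regex `^Defaults\s+timestamp_type=global` / `=ppid` only matches the exact `Defaults<ws>timestamp_type=<value>` form; sudoers also accepts spaces around `=` (`timestamp_type = global`), comma-separated option lists (`Defaults env_reset,timestamp_type=global`) and scoped variants (`Defaults:admin`, `Defaults@host`), each of which sets the insecure type while leaving the count at 0. A pattern along the lines of `^Defaults[^#]*timestamp_type\s*=\s*(global|ppid)` closes most of these gaps, and reading the effective value with `/usr/bin/sudo -V | /usr/bin/grep 'Type of authentication timestamp record'` (confirm the exact wording on the macOS sudo build) would avoid file parsing altogether. The fix's `sed -i ''` without a `visudo -cf` validation is the same issue raised on the sudo-timeout rule.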
@@ -1116,32 +1116,39 @@ def main(): continue s = rule_yaml['check'] + config_file = '' + + if "grep" in s.split()[3]: + + grep_search = re.search('\((.*?)\)', s).group(1) - grep_search = re.search('\((.*?)\)', s).group(1) - - substring = grep_search.split("|")[0] - regex = re.search('\'(.*?)\'', substring).group(1) - - try: - regex = re.search('/(.*?)/', regex).group(1) - except: - regex = regex + substring = grep_search.split("|")[0] + regex = re.search('\'(.*?)\'', substring).group(1) + try: + regex = re.search('/(.*?)/', regex).group(1) + except: + regex = regex + + config_file = substring = grep_search.split("|")[0].split()[-1] - config_file = substring = grep_search.split("|")[0].split()[-1] - oval_object = oval_object + ''' - - {} - {}:\s*(.*)$ - 1 - - '''.format(rule_yaml['id'], x+999, config_file, regex) - - oval_variable = oval_variable + ''' - - - '''.format(x,rule_yaml['id'],x+999) + + oval_object = oval_object + ''' + + {} + {}:\s*(.*)$ + 1 + + '''.format(rule_yaml['id'], x+999, config_file, regex) + + oval_variable = oval_variable + ''' + + + '''.format(x,rule_yaml['id'],x+999) + else: + config_file = s.split()[3] + s = rule_yaml['fix'] fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] From 99003f6ade202da5a2db9fdb1698f4f07b644f91 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 30 Dec 2021 14:27:14 -0500 Subject: [PATCH 074/193] hot_corners, fixes PR #98 --- .../sysprefs/sysprefs_hot_corners_secure.yaml | 50 +++++++++++++++++++ scripts/generate_guidance.py | 2 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 rules/sysprefs/sysprefs_hot_corners_secure.yaml diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml new file mode 100644 index 000000000..92539369c --- /dev/null +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml 
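Review bot: `s.split()[3]` and the chained `re.search(...).group(1)` calls assume every `check` string has at least four tokens and contains the `(...)` and `'...'` fragments; a rule without them raises IndexError or AttributeError and aborts the whole generation run instead of being skipped like the `No relevant oval test` paths elsewhere in `main()`. The `try: regex = re.search('/(.*?)/', regex).group(1) / except: regex = regex` block is a bare except implementing a no-op, which also swallows KeyboardInterrupt; write it as `m = re.search(r'/(.*?)/', regex)` followed by `if m: regex = m.group(1)`. `config_file` is interpolated unescaped into the generated `pattern` text, so a path containing regex metacharacters (every path has `.`) matches more than the intended file — `re.escape(config_file)` there would be safer. `main()` continues outside the hunk.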
@@ -0,0 +1,50 @@ +id: sysprefs_hot_corners_secure +title: "Secure Hot Corners" +discussion: | + Hot corners _MUST_ be secured. + + The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. +check: | + bl_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)" + tl_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)" + tr_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)" + br_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)" + + if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then + echo "0" + fi +result: + integer: 0 +fix: | + sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null + sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null + sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null + sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-11(1) + 800-53r4: + - AC-11(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.3.2 (level 2) + v8: + - 4.3 +macOS: + - "12.0" 
+tags: + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index f17a769c1..47fef582f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -581,7 +581,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # get the currently logged in user CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}') -CURR_USER_UID=$(/usr/bin/id -u $CURR_USER) +CURR_USER_UID=$(/usr/bin/id -u $CURRENT_USER) # get system architecture arch=$(/usr/bin/arch) From 6a9c975ca62992fef6a5db0125e9babe6395b1ee Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 30 Dec 2021 15:08:09 -0500 Subject: [PATCH 075/193] More CIS rules --- rules/cis_lvl2.txt | 2 - .../sysprefs_computer_name_audit.yaml | 3 +- ...sysprefs_fast_user_switching_disable.yaml} | 0 .../sysprefs/sysprefs_hot_corners_secure.yaml | 19 +++++----- .../sysprefs_location_services_audit.yaml | 38 +++++++++++++++++++ 5 files changed, 49 insertions(+), 13 deletions(-) rename rules/sysprefs/{sysprefs_fast_users_switching_disable.yaml => sysprefs_fast_user_switching_disable.yaml} (100%) create mode 100644 rules/sysprefs/sysprefs_location_services_audit.yaml diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 4ba769c1e..758da82e1 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,7 +1,5 @@ Recommendation # Title -2.3.2 Ensure Screen Saver Corners Are Secure Security & Privacy -2.5.4 Audit Location Services Access 2.5.7 Audit Camera Privacy and Confidentiality iCloud 2.6.1.1 Audit iCloud Configuration diff --git a/rules/sysprefs/sysprefs_computer_name_audit.yaml b/rules/sysprefs/sysprefs_computer_name_audit.yaml index 2ec2cf555..d5fc92bb1 100644 --- a/rules/sysprefs/sysprefs_computer_name_audit.yaml +++ b/rules/sysprefs/sysprefs_computer_name_audit.yaml 
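Review bot: The hot-corners check passes vacuously when `CURRENT_USER` is empty: each `defaults read /Users/""/Library/...` fails, `2>/dev/null` hides it, all four variables are empty, and the `!= "6"` comparisons still print `0`, so a host with no console user (or a mis-resolved one) is reported compliant. Wrap the reads in `if [[ -n "$CURRENT_USER" ]]; then … fi` so a missing user produces no output and fails closed against `integer: 0`. `hot comers` in the discussion is a typo for `hot corners`.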
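Review bot: `CURR_USER_UID=$(/usr/bin/id -u $CURRENT_USER)` in the generated shell template is still unquoted, so when `CURRENT_USER` is empty `id -u` runs with no argument and returns the invoking user's uid — 0 when the compliance script runs under sudo — which silently redirects user-scoped operations at root. Quote it, `CURR_USER_UID=$(/usr/bin/id -u "$CURRENT_USER")`, and precede it with a guard such as `[[ -z "$CURRENT_USER" ]] && CURR_USER_UID=""` so downstream checks see an explicit empty value; the `scutil` line above it presumes a console user is present, which is not true at the login window. `generate_script` continues outside the hunk.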
@@ -5,7 +5,7 @@ discussion: | check: | /usr/sbin/scutil --get ComputerName result: - string: "an organizations approved computer name." + string: "an organization's approved computer name." fix: | Set the computer name back to an approved naming convention. @@ -36,6 +36,7 @@ macOS: tags: - cis_lvl2 - cisv8 + - cis_manual - manual mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_fast_users_switching_disable.yaml b/rules/sysprefs/sysprefs_fast_user_switching_disable.yaml similarity index 100% rename from rules/sysprefs/sysprefs_fast_users_switching_disable.yaml rename to rules/sysprefs/sysprefs_fast_user_switching_disable.yaml diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml index 92539369c..497a034e3 100644 --- a/rules/sysprefs/sysprefs_hot_corners_secure.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml 
@@ -5,21 +5,21 @@ discussion: | The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. check: | - bl_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)" - tl_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)" - tr_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)" - br_corner="$(defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)" + bl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)" + tl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)" + tr_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)" + br_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)" - if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then + if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then echo "0" fi result: integer: 0 fix: | - sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null - sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock 
wvous-tl-corner 2>/dev/null - sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null - sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null references: cce: - N/A @@ -45,6 +45,5 @@ macOS: tags: - cis_lvl2 - cisv8 -severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_location_services_audit.yaml b/rules/sysprefs/sysprefs_location_services_audit.yaml new file mode 100644 index 000000000..3c649512f --- /dev/null +++ b/rules/sysprefs/sysprefs_location_services_audit.yaml 
@@ -0,0 +1,38 @@
+id: sysprefs_location_services_audit
+title: "Audit Location Services"
+discussion: |
+ The organization _MUST_ audit which applications have access to location services.
+check: |
+ sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }'
+result:
+ string: "a list containing approved applications."
+fix: |
+ Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ disa_stig:
+ - N/A
+ srg:
+ - N/A
+ cis:
+ benchmark:
+ - 2.5.4 (level 2)
+ v8:
+ - 2.3
+ - 4.1
+macOS:
+ - "12.0"
+tags:
+ - cis_lvl2
+ - cisv8
+ - cis_manual
+ - manual
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
From 2f24dab104672ce7b9d6d9c554bfe9191780b5da Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Fri, 31 Dec 2021 10:46:17 -0500
Subject: [PATCH 076/193] os_time_offset_limit_configure
---
 rules/os/os_time_offset_limit_configure.yaml | 44 ++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 rules/os/os_time_offset_limit_configure.yaml
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml
new file mode 100644
index 000000000..652c9bfbf
--- /dev/null
+++ b/rules/os/os_time_offset_limit_configure.yaml
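Review bot: The check calls `grep`, `awk` and `sudo` by bare name while every other rule in this series pins absolute binaries, which matters for a compliance script that deliberately avoids PATH lookups; change it to `/usr/bin/sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | /usr/bin/grep Dict | /usr/bin/awk '(NR>1) { print $1 }'`. The leading `sudo` is redundant if the generated script already runs as root, as the `sudo -u "$CURRENT_USER"` fixes elsewhere assume. The `fix` text has `System Prefrences` for `System Preferences`.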
@@ -0,0 +1,44 @@ +id: os_time_limit_configure +title: "Ensure time set within " +discussion: | + The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. + + NOTE: The time synchronization daemon is enabled by default on macOS. +check: | + /usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}' +result: + string: "Yes" +fix: | + [source,bash] + ---- + /usr/bin/sntp -Ss $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.2.2 (level 1) + v8: + - 8.4 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: From df6047469016961c25834a73f6769542595a1d7d Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 31 Dec 2021 13:50:52 -0500 Subject: [PATCH 077/193] fixed id --- rules/cis_lvl1.txt | 2 -- rules/os/os_time_offset_limit_configure.yaml | 9 +++------ 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 0b5d01439..8119a65cd 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -1,8 +1,6 @@ Recommendation # Title Bluetooth 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired - Date & Time -2.2.2 Ensure time set is within appropriate limits Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools Security & Privacy diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 652c9bfbf..6994f7b34 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml 
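Review bot: The check's verdict depends on a live NTP exchange: if `systemsetup -getnetworktimeserver` yields no server or `sntp` cannot reach it, the unquoted `$(...)` expands to nothing, awk prints neither `Yes` nor `No`, and the rule fails for a connectivity reason that is indistinguishable from a real clock drift. Quote the substitution, print a distinct marker when the server string is empty, and explain in `discussion` that `270` is the four-minute-thirty-second limit in seconds so the magic number is traceable. The `fix` (`sntp -Ss`) steps the system clock from a single unauthenticated response, which is a stronger action than most fixes in this catalogue and deserves a sentence in the discussion.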
@@ -1,9 +1,7 @@ -id: os_time_limit_configure -title: "Ensure time set within " +id: os_time_offset_limit_configure +title: "Ensure Time Offset Within Limits" discussion: | - The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. - - NOTE: The time synchronization daemon is enabled by default on macOS. + The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds. check: | /usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}' result: @@ -39,6 +37,5 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 -severity: "medium" mobileconfig: false mobileconfig_info: From e0262861cc6124640c7e86029121e1c89b8905e3 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 31 Dec 2021 16:52:15 -0500 Subject: [PATCH 078/193] os_show_filename_extensions_enable --- .../os_show_filename_extensions_enable.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/os/os_show_filename_extensions_enable.yaml diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml new file mode 100644 index 000000000..6150e4696 --- /dev/null +++ b/rules/os/os_show_filename_extensions_enable.yaml 
@@ -0,0 +1,41 @@ +id: os_show_filename_extensions_enable +title: "Enable Show All Filename Extensions" +discussion: | + Show all filename extensions _MUST_ be enabled in the Finder. +check: | + /usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions 2>/dev/null +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.2 (level 1) + v8: + - 2.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 36fdb8422853a1069c9e2414a1acdb1303892330 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 31 Dec 2021 21:08:44 -0500 Subject: [PATCH 079/193] updates to launchctl test, pmset test --- scripts/generate_oval.py | 68 ++++++++++++++++++++++++++++++++++------ 1 file changed, 58 insertions(+), 10 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 7512f69f4..33e386817 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
@@ -646,9 +646,16 @@ def main(): oval_object = oval_object + ''' - /Library/Preferences/com.apple.PowerManagement.plist - boolean(plist/dict[key="AC Power"]/dict[key="DarkWakeBackgroundTasks"]/integer/text() = "0") - '''.format(rule_yaml['id'],x) + /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'],x) + pmset_key = str() + if "powernap" in rule_yaml['check']: + pmset_key = "DarkWakeBackgroundTasks" + if "womp" in rule_yaml['check']: + pmset_key = "Wake On LAN" + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format(pmset_key,rule_yaml['fix'].split("----")[1].replace("\n","")[-1]) oval_state = oval_state + ''' @@ -996,7 +1003,7 @@ def main(): oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) x = x+1 - + continue if "security" in command[3]: if rule_yaml['check'].split()[1] == "authorizationdb": check = rule_yaml['check'].split("|") @@ -1440,7 +1447,7 @@ def main(): '''.format(x,rule_yaml['id'],awk_file.rstrip(), awk_search) x += 1 continue - if "grep" in command[3]: + if "grep" in command[3] and not "pgrep" in command[3]: if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: @@ -1480,6 +1487,9 @@ def main(): else: s = rule_yaml['check'] + print(rule_yaml['id']) + print(s) + try: grep_search = re.search('"(.*?)"', s).group(1) @@ -1519,9 +1529,9 @@ def main(): x += 1 continue - if "launchctl" in command[2]: + if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: - if "disable" in command[2] and "=> true" in rule_yaml['check']: + if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']: oval_definition = oval_definition + ''' 
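Review bot: `pmset_key` stays an empty string when the check mentions neither `powernap` nor `womp`, and the code then emits an XPath with `dict[key=""]` that can never match instead of reporting the unsupported rule; add an `else:` that prints `rule_yaml['id'] + " - unknown pmset key"`, increments `x` and `continue`s like the other skip paths. The expected value is `rule_yaml['fix'].split("----")[1].replace("\n","")[-1]`, the last character of the fix block, which silently breaks for any fix whose command does not end in the digit; assuming the fixes are of the form `pmset -a <key> <0|1>`, `re.search(r'pmset -a \w+ (\d)', rule_yaml['fix'])` makes that assumption explicit and fails loudly otherwise. `main()` continues outside the hunk.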
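Review bot: `if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']:` mixes `and` and `or` without parentheses; Python binds `and` tighter, so this is `(disable and => true) or unload -w`, which may be intended but is not readable at a glance — write `if ("disable" in command[2] and "=> true" in rule_yaml['check']) or "unload -w" in rule_yaml['fix']:`. Two hunks earlier, `not "pgrep" in command[3]` should be the idiomatic `"pgrep" not in command[3]`. `main()` continues outside the hunk.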
@@ -1546,9 +1556,13 @@ def main(): '''.format(rule_yaml['id'],x,x,x,x+999,rule_yaml['id'],x+999) - s = command[5].split()[2] - domain = re.search('"(.*?)"', s).group(1) - + domain = str() + if "launchctl" not in rule_yaml['check']: + domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") + + else: + s = command[5].split()[2] + domain = re.search('"(.*?)"', s).group(1) oval_object = oval_object + ''' @@ -1568,6 +1582,40 @@ def main(): {} '''.format(rule_yaml['id'],x,status) + + elif "launchctl unload" in rule_yaml['fix']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) + + oval_test = oval_test + ''' + + + '''.format(x,rule_yaml['id'],x) + + domain = str() + + if "launchctl" not in rule_yaml['check']: + domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") + + else: + s = command[5].split()[2] + domain = re.search('"(.*?)"', s).group(1) + + oval_object = oval_object + ''' + + + '''.format(x, rule_yaml['id'],domain) + else: oval_definition = oval_definition + ''' From a9b5b19f200117def3237668b19145efb938911c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 31 Dec 2021 21:16:57 -0500 Subject: [PATCH 080/193] no longer generates states and variables when not needed --- scripts/generate_oval.py | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 33e386817..a92be786b 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
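Review bot: `domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","")` derives the launchd label from fixed token and path-component positions in free-form fix text, so a fix that starts with `sudo`, uses a different path depth, or quotes the plist path yields the wrong domain or an IndexError — and a wrong domain makes the OVAL test a non-existent service, which then reads as "disabled". The identical `domain = str() … re.search('"(.*?)"', s).group(1)` block is pasted into both the `unload -w` branch and the new `launchctl unload` branch; factor it into one helper that matches the plist by name, e.g. `re.search(r'/([^/\s]+)\.plist', rule_yaml['fix'])` (assuming every unload fix references the plist by path — worth confirming across the rules), and call it from both. `main()` continues outside the hunk.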
@@ -71,11 +71,11 @@ def main(): macOS Security Compliance Project '''.format(date_time_string) - oval_definition = "" - oval_test = "" - oval_object = "" - oval_state = "" - oval_variable = "" + oval_definition = str() + oval_test = str() + oval_object = str() + oval_state = str() + oval_variable = str() print() for sections in profile_yaml['profile']: for profile_rule in sections['rules']: @@ -1646,9 +1646,14 @@ def main(): x += 1 continue + total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n" + if oval_state != "": + total_oval = total_oval + "\n" + oval_state + "\n\n" + if oval_variable != "": + total_oval = total_oval + "\n\n" + oval_variable + "\n\n" + + total_oval = total_oval + "\n" - - total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n\n"+ oval_state +"\n\n\n" + oval_variable + "\n\n" final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) oval_file = output From 3ce7f67f1e89b7033c0530cdf1582c86aa60933f Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 3 Jan 2022 11:15:31 -0500 Subject: [PATCH 081/193] updated check and result --- rules/os/os_show_filename_extensions_enable.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 6150e4696..8074f7fa6 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml 
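Review bot: Replacing `""` with `str()` for the five accumulators is a stylistic regression — the empty literal is the idiomatic form and is what the new `!= ""` comparisons in the second hunk use, so initialisation and test now read differently; prefer `oval_definition = ""` and `if oval_state:`. The unchanged context line `final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', ...)` places the global `(?s)` flag mid-pattern, which has been deprecated since Python 3.6 and is rejected outright by `re` from Python 3.11; move it to the front of the pattern or pass `flags=re.S`. `main()` continues outside the hunk.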
@@ -2,10 +2,19 @@ id: os_show_filename_extensions_enable title: "Enable Show All Filename Extensions" discussion: | Show all filename extensions _MUST_ be enabled in the Finder. + + [NOTE] + ==== + The check and fix are for the currently logged in user. To get the currently logged in user, run the following. + [source,bash] + ---- + CURRENT_USER=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) + ---- + ==== check: | - /usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions 2>/dev/null + /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null result: - integer: 1 + boolean: 1 fix: | [source,bash] ---- From 32c35dc672f48e511c5a515da8ab24695c23808a Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 3 Jan 2022 14:57:26 -0500 Subject: [PATCH 082/193] added source,bash --- rules/sysprefs/sysprefs_hot_corners_secure.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml index 497a034e3..a46209bac 100644 --- a/rules/sysprefs/sysprefs_hot_corners_secure.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml @@ -16,10 +16,13 @@ check: | result: integer: 0 fix: | + [source,bash] + ---- /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null + ---- references: cce: - N/A 
From abc836a6f8ca024e04fc7d78c7d9a77d09d90114 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 3 Jan 2022 14:58:15 -0500 Subject: [PATCH 083/193] added rule specific oval. modified permissions check for specific file --- scripts/generate_oval.py | 210 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 194 insertions(+), 16 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index a92be786b..da07ef939 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -515,6 +515,11 @@ def main(): continue else: command = rule_yaml['check'].split("/") + if "sntp" in rule_yaml['check']: + x += 1 + print(rule_yaml['id'] + " - No relevant oval test") + continue + if "SPStorageDataType" in rule_yaml['check']: x += 1 print(rule_yaml['id'] + " - No relevant oval test") 
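Review bot: The `sntp` skip duplicates the `SPStorageDataType` block directly below it, and the same `x += 1` / print / `continue` triple recurs for every unsupported check type in `main()`; collect the markers in one tuple and test once, `if any(m in rule_yaml['check'] for m in ("sntp", "SPStorageDataType")):`, so the next unsupported check is a one-token addition rather than another five-line copy. `main()` continues outside the hunk.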
@@ -854,7 +859,125 @@ def main(): if "defaults" in rule_yaml['check']: + if rule_yaml['id'] == "sysprefs_hot_corners_secure": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x,rule_yaml['id'],x+5000,rule_yaml['id'],x+5001,rule_yaml['id'],x+5002) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x,x,x) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5000,x+5000,x+5000) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5001,x+5001,x+5001) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'],x+5002,x+5002,x+5002) + + plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") + check_length = len(rule_yaml['check'].split()) + key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + .* + oval:mscp:ste:{} + + + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5000,x) + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5001,x) + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + oval_object = oval_object + ''' + + + 
'''.format(rule_yaml['id'],x+5002,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + + oval_state = oval_state + ''' + + ^[^_\s].* + 0 + 0 + /usr/bin/false + '''.format(x+1999) + after_user = plist.split('"')[2] + oval_variable = oval_variable + ''' + + + + {} + .plist + + '''.format(x,x+1999,after_user,x+999) + + check_if = rule_yaml['check'].split("\n")[5] + modifier = 0 + for n in check_if.split(): + + if n.replace('"',"").isdigit(): + if modifier >= 4999: + modifier = modifier + 1 + oval_state = oval_state + ''' + {} + '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) + if modifier == 0: + modifier = 4999 + + + + continue + + oval_definition = oval_definition + ''' @@ -928,11 +1051,12 @@ def main(): '''.format(x,x+1999,plist,x+999) + else: check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split()[check_length-1] + key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] oval_object = oval_object + ''' 
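Review bot: `if rule_yaml['id'] == "sysprefs_hot_corners_secure":` hard-wires one rule file into the generator and then parses that rule's `check` by line number (`split("\n")[0]` … `[3]`, `[5]`) and by quote position (`plist.split('"')[2]`), so any edit to the YAML — a reordered corner, an extra line, a quoting change — silently produces a wrong OVAL object rather than an error. The four near-identical object/key blocks for `x`, `x+5000`, `x+5001`, `x+5002` should be one loop over the `defaults read` lines of the check, and the branch should key on a property of the check (four `wvous-*-corner` reads) rather than on the rule id. The `modifier` bookkeeping in the `check_if` loop (`4999` then `+ 1`) also needs a comment explaining the 5000-based object numbering. `main()` continues outside the hunk.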
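Review bot: `key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1]` indexes the shortened token list with a length computed on the unchanged line above it (`check_length = len(rule_yaml['check'].split())`), so for every check that ends in ` 2>/dev/null` the index is one past the end and raises IndexError. Use `split()[-1]`, as the `$CURRENT_USER` branch in the next hunk already does, and drop `check_length`. `main()` continues outside the hunk.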
@@ -958,12 +1082,54 @@ def main(): '''.format(x,plist,x+999) + elif "$CURRENT_USER" in rule_yaml['check']: + + + check_length = len(rule_yaml['check'].split()) + key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] + + oval_object = oval_object + ''' + + .* + oval:mscp:ste:{} + + + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + + try: + rule_yaml['result']['boolean'] + oval_object = oval_object + ''' + name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + except: + + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) + oval_state = oval_state + ''' + + ^[^_\s].* + 0 + 0 + /usr/bin/false + '''.format(x+1999) + + oval_variable = oval_variable + ''' + + + + /Library/Preferences/{}. + plist + + '''.format(x,x+1999,plist,x+999) + else: if plist[-6:] != ".plist": plist = plist + ".plist" - plist_key = rule_yaml['check'].split(" ")[3].rstrip() + plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() oval_object = oval_object + ''' {}'''.format(rule_yaml['id'],x,plist) @@ -1123,10 +1289,10 @@ def main(): continue s = rule_yaml['check'] - config_file = '' - + config_file = str() + oval_variable_need = bool() if "grep" in s.split()[3]: - + oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) substring = grep_search.split("|")[0] @@ -1138,7 +1304,7 @@ def main(): regex = regex config_file = substring = grep_search.split("|")[0].split()[-1] - + oval_object = oval_object + ''' @@ -1153,8 +1319,11 @@ def main(): '''.format(x,rule_yaml['id'],x+999) + else: - config_file = s.split()[3] + oval_variable_need = False + config_file = s.split()[2] + s = rule_yaml['fix'] 
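Review bot: `try: rule_yaml['result']['boolean'] … except:` uses a bare except to probe for a key, which also swallows the `TypeError` raised when `result` is absent or null and any unrelated failure; replace it with `if isinstance(rule_yaml.get('result'), dict) and 'boolean' in rule_yaml['result']:`. The new `$CURRENT_USER` branch also duplicates the state and variable templates of the branch above it with only the plist path differing, a candidate for one small helper taking the path as a parameter. `main()` continues outside the hunk.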
@@ -1189,12 +1358,20 @@ def main(): behavior = "" filename = '' - oval_object = oval_object + ''' - - {} - - {} - '''.format(rule_yaml['id'],x,behavior,x,filename) + if oval_variable_need == True: + oval_object = oval_object + ''' + + {} + + {} + '''.format(rule_yaml['id'],x,behavior,x,filename) + else: + oval_object = oval_object + ''' + + {} + {} + + '''.format(rule_yaml['id'],x,behavior,config_file) state_test = "" if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: state_test = ''' @@ -1238,6 +1415,7 @@ def main(): true true''' elif perms[0] == "4": + state_test = ''' true false @@ -1279,6 +1457,7 @@ def main(): true true''' elif perms[1] == "4": + state_test = state_test + ''' true false @@ -1300,6 +1479,7 @@ def main(): true''' if perms[2] == "0": + state_test = state_test + ''' false false @@ -1487,8 +1667,6 @@ def main(): else: s = rule_yaml['check'] - print(rule_yaml['id']) - print(s) try: @@ -1592,7 +1770,7 @@ def main(): {} - + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) From 69582067e44a527132d729d6220ddc1176ac1701 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 5 Jan 2022 14:56:31 -0500 Subject: [PATCH 084/193] 3 cis rules --- rules/audit/audit_control_acls_configure.yaml | 41 ++++++++++++++ rules/cis_lvl1.txt | 5 +- rules/os/os_efi_integrity_validated.yaml | 35 ++++++++++++ .../sysprefs_bluetooth_unpaired_disable.yaml | 53 +++++++++++++++++++ 4 files changed, 130 insertions(+), 4 deletions(-) create mode 100644 rules/audit/audit_control_acls_configure.yaml create mode 100644 rules/os/os_efi_integrity_validated.yaml create mode 100644 rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml new file mode 100644 index 000000000..afc00bf41 --- /dev/null +++ b/rules/audit/audit_control_acls_configure.yaml 
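Review bot: `if oval_variable_need == True:` compares a flag to a literal; write `if oval_variable_need:`, and initialise it in the `@@ -1123` hunk of this patch as `oval_variable_need = False` rather than `bool()` so the default reads as what it is. In the new `else` branch `config_file`, taken straight from rule text by token position, is placed into the generated object without any shape check, so a malformed rule yields an object with an empty or relative path instead of a generation-time error; `if not config_file.startswith('/'): raise ValueError(rule_yaml['id'])` before the template would surface it. `main()` continues outside the hunk.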
@@ -0,0 +1,41 @@ +id: audit_control_acls_configure +title: "Configure Audit_Control to Not Contain Access Control Lists" +discussion: | + /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). +check: | + /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/chmod -N /etc/security/audit_control + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AU-9 + 800-53r4: + - AU-9 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.5 (level 1) + v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 8119a65cd..c747cf892 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -1,6 +1,4 @@ Recommendation # Title - Bluetooth -2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired Desktop & Screen Saver 2.3.3 Audit Lock Screen and Start Screen Saver Tools Security & Privacy @@ -9,7 +7,6 @@ Recommendation # Title 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted -2.11 Ensure EFI Version Is Valid and Checked Regularly 2.12 Audit Automatic Actions for Optical Media 2.13 Audit Siri Settings 2.14 Audit Sidecar Settings @@ -28,4 +25,4 @@ Recommendation # Title 5.14 Ensure Users' Accounts Do Not Have a Password Hint Accounts Preferences Action Items 6.1.5 Ensure the Guest Home Folder Does Not Exist -6.2 Ensure Show All Filename Extensions Setting is Enabled \ No newline at end of file +6.2 Ensure Show All Filename Extensions Setting is Enabled \ No newline at end of file diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml new file mode 100644 index 000000000..3b51b4a72 --- /dev/null +++ b/rules/os/os_efi_integrity_validated.yaml 
@@ -0,0 +1,35 @@ +id: os_efi_integrity_validated +title: "Ensure Extensible Firmware Interface Version is Valid" +discussion: | + The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. +check: | + if /usr/sbin/ioreg -w 0 -c AppleSEPManager | grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi +result: + integer: 1 +fix: | + Install a known good version of macOS. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + + 800-53r4: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.11 (level 1) + v8: + - 2.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml new file mode 100644 index 000000000..e024716e1 --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml 
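Review bot: The `check:` line calls `grep -q` by bare name while every other command in this rule set (including `/usr/bin/grep -c` later on the same line) uses an absolute path; a PATH-dependent command in a compliance check can resolve to a different binary, so it should be `/usr/bin/grep -q AppleSEPManager`. The `references:` block also carries a stray empty line after `800-53r5:` and omits the `srg:` and `disa_stig:` keys the sibling rules list, which is worth aligning if the generators expect them.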
@@ -0,0 +1,53 @@ +id: sysprefs_bluetooth_unpaired_disable +title: "Disable Bluetooth When No Devices are Paired" +discussion: | + Bluetooth _MUST_ be disabled when no devices are paired. +check: | + isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -cm1 'Connected: Yes') + if [[ "$isPaired" != 1 ]]; then + powerState=$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState) + /bin/echo "$powerState" + else + /bin/echo "0" + fi +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 + /usr/bin/killall -HUP bluetoothd + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-18 + - SC-8 + - AC-18(3) + 800-53r4: + - AC-18(3) + - SC-8 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.1.1 (level 1) + v8: + - 4.8 + - 12.6 + - 13.9 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 5edb19a612228a5cce41296553fa92de8b86f27c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Sat, 8 Jan 2022 21:57:12 -0500 Subject: [PATCH 085/193] install.log rules --- rules/cis_lvl1.txt | 2 - .../os_install_log_retention_configure.yaml | 44 +++++++++++++++++++ ...l_log_retention_no_max_size_configure.yaml | 42 ++++++++++++++++++ 3 files changed, 86 insertions(+), 2 deletions(-) create mode 100644 rules/os/os_install_log_retention_configure.yaml create mode 100644 rules/os/os_install_log_retention_no_max_size_configure.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index c747cf892..3a2eb264d 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt 
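Review bot: The check counts `Connected: Yes` in the `system_profiler` output, but the title and discussion are about paired devices; a device that is paired but not currently connected would presumably not be counted, so the rule would then require Bluetooth off on a host that has legitimate pairings — this depends on the exact `SPBluetoothDataType` output and should be confirmed. If "paired" is the intent, matching on a pairing attribute rather than connection state would be more faithful. Separately, `defaults read ... ControllerPowerState` prints nothing on stdout when the key is absent, leaving `$powerState` empty so the `integer: 0` comparison cannot match; decide which value an absent key should map to and make it explicit, e.g. `powerState=$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)` followed by an explicit default.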
@@ -13,8 +13,6 @@ Recommendation # Title 2.15 Audit Touch ID and Wallet & Apple Pay Settings 2.16 Audit Notification System Preference Settings 2.17 Audit Passwords System Preference Setting - Logging and Auditing -3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size File System Permissions and Access Controls 5.1.3 Ensure Apple Mobile File Integrity Is Enabled 5.1.4 Ensure Library Validation Is Enabled diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml new file mode 100644 index 000000000..64f2c4b15 --- /dev/null +++ b/rules/os/os_install_log_retention_configure.yaml @@ -0,0 +1,44 @@ +id: os_install_log_retention_configure +title: "Configure Install.log Retention to 365 Days or More" +discussion: | + The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. +check: | + +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M ttl=365/g" + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AU-11 + - AU-4 + 800-53r4: + - AU-11 + - AU-4 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.3 (level 1) + v8: + - 8.1 + - 8.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_install_log_retention_no_max_size_configure.yaml b/rules/os/os_install_log_retention_no_max_size_configure.yaml new file mode 100644 index 000000000..157eecd82 --- /dev/null +++ b/rules/os/os_install_log_retention_no_max_size_configure.yaml 
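Review bot: The `fix:` `sed -i.bak "s/.../g"` in os_install_log_retention_configure.yaml has no file operand, so as written it reads standard input instead of editing the ASL configuration; the path being edited must follow the expression, e.g. `... ttl=365/g" <asl-config-file>` with the real path substituted. The `check:` block is empty while `result:` expects `integer: 1`, so the rule cannot be evaluated as committed. The replacement also writes `file_max=50M`, which does not obviously square with the companion rule that requires no maximum size.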
@@ -0,0 +1,42 @@ +id: os_install_log_retention_no_max_size_configure +title: "Configure Install.log Retention to Not Contain a Maximum File Size" +discussion: | + The install log retention _MUST_ be configured to not contain a maximum file size. +check: | + +result: + integer: 0 +fix: | + [source,bash] + ---- + sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M ttl=365/g" + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - SI-11 + 800-53r4: + - SI-11 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.3 (level 1) + v8: + - 8.1 + - 8.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From be7a9d5c1e9504bf812ac3b8552dd6a9ce8eb861 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 10 Jan 2022 11:34:18 -0500 Subject: [PATCH 086/193] install log done --- rules/cis_lvl1.txt | 3 +- .../os_install_log_retention_configure.yaml | 6 +-- ...l_log_retention_no_max_size_configure.yaml | 42 ------------------- 3 files changed, 4 insertions(+), 47 deletions(-) delete mode 100644 rules/os/os_install_log_retention_no_max_size_configure.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 3a2eb264d..c80febc93 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -22,5 +22,4 @@ Recommendation # Title 5.12 Ensure a Custom Message for the Login Screen Is Enabled 5.14 Ensure Users' Accounts Do Not Have a Password Hint Accounts Preferences Action Items -6.1.5 Ensure the Guest Home Folder Does Not Exist -6.2 Ensure Show All Filename Extensions Setting is Enabled \ No newline at end of file +6.1.5 Ensure the Guest Home Folder Does Not Exist \ No newline at end of file 
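Review bot: The `fix:` substitution writes `file_max=50M` into the install.log line, which contradicts this rule's own title "Not Contain a Maximum File Size", and again has no file operand after the sed expression. `sed` is also invoked by bare name here while the sibling rule uses `/usr/bin/sed`. As with the sibling, `check:` is empty, so the `integer: 0` result can never be produced.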
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 64f2c4b15..5158f4b63 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml @@ -3,13 +3,13 @@ title: "Configure Install.log Retention to 365 Days or More" discussion: | The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. check: | - + /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count==1 && ttl="True" && max != "True") { print "Yes" } else { print "No" }}' result: - integer: 1 + string: Yes fix: | [source,bash] ---- - /usr/bin/sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M ttl=365/g" + /usr/bin/sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" ---- references: cce: diff --git a/rules/os/os_install_log_retention_no_max_size_configure.yaml b/rules/os/os_install_log_retention_no_max_size_configure.yaml deleted file mode 100644 index 157eecd82..000000000 --- a/rules/os/os_install_log_retention_no_max_size_configure.yaml +++ /dev/null 
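Review bot: In the new `check:` awk program, `ttl="True"` inside the END condition is an assignment, not a comparison, so it is always truthy and the 365-day requirement is never actually enforced; it should read `if (count==1 && ttl=="True" && max != "True")`. The field loop `for (i=1;i<=NR;i++)` bounds on the record number rather than the field count, so it should be `for (i=1;i<=NF;i++)`. The fix's `sed -i.bak` expression still has no file operand, and it continues to write `file_max=50M` while the check fails whenever a `MAX` field is present — worth confirming that `size_only` makes those two consistent.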
@@ -1,42 +0,0 @@ -id: os_install_log_retention_no_max_size_configure -title: "Configure Install.log Retention to Not Contain a Maximum File Size" -discussion: | - The install log retention _MUST_ be configured to not contain a maximum file size. -check: | - -result: - integer: 0 -fix: | - [source,bash] - ---- - sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M ttl=365/g" - ---- -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - SI-11 - 800-53r4: - - SI-11 - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - 3.3 (level 1) - v8: - - 8.1 - - 8.3 -macOS: - - "12.0" -tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 -mobileconfig: false -mobileconfig_info: \ No newline at end of file From 1f67cd4ab9b3493b24b95356948d1a3786a7f4fa Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 10 Jan 2022 16:46:15 -0500 Subject: [PATCH 087/193] added audit_flags for cis --- rules/audit/audit_flags_aa_configure.yaml | 9 ---- rules/audit/audit_flags_ad_configure.yaml | 9 ---- rules/audit/audit_flags_configure.yaml | 51 +++++++++++++++++++++++ rules/audit/audit_flags_ex_configure.yaml | 9 ---- rules/audit/audit_flags_fd_configure.yaml | 5 --- rules/audit/audit_flags_fm_configure.yaml | 9 ---- rules/audit/audit_flags_fr_configure.yaml | 9 ---- rules/audit/audit_flags_fw_configure.yaml | 9 ---- rules/audit/audit_flags_lo_configure.yaml | 9 ---- 9 files changed, 51 insertions(+), 68 deletions(-) create mode 100644 rules/audit/audit_flags_configure.yaml diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 443542f6c..72fd9af2a 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -37,13 +37,6 @@ references: 800-171r2: - 3.3.1 - 3.3.2 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: 
@@ -56,8 +49,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 3ab025168..ebb56f290 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -52,13 +52,6 @@ references: - 3.1.7 - 3.3.1 - 3.3.2 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -71,8 +64,6 @@ tags: - 800-53r5_low - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml new file mode 100644 index 000000000..99790ba3f --- /dev/null +++ b/rules/audit/audit_flags_configure.yaml @@ -0,0 +1,51 @@ +id: audit_flags_configure +title: "Configure Audit Flags" +discussion: | + The auditing system _MUST_ be configured with at least the minimal flags of fm, ad, -ex, aa, -fr, lo, and -fw. +check: | + /usr/bin/sed -n 's/^flags://p' test_file | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw' +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control; /usr/sbin/audit -s + ---- + + NOTE: NOTE: This fix will replace the contents of the flags: line in `/etc/security/audit_control`, if you have customized the flags, your changes may be overwritten. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - AC-2(12) + - AU-12 + - AU-2 + - MA-4(1) + - CM-5(1) + 800-53r4: + - AU-2 + - AU-12 + - MA-4(1) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 3.2 (level 2) + v8: + - 3.14 + - 8.2 + - 8.5 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
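Review bot: The `check:` in audit_flags_configure.yaml reads `test_file` instead of the audit configuration, which looks like a leftover from local testing and means the rule always evaluates the wrong file: `/usr/bin/sed -n 's/^flags://p' /etc/security/audit_control | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw'`. The `fix:` runs `sed` without `-i`, so the substitution is printed to stdout and the file is left untouched before `audit -s` reloads it; `/usr/bin/sed -i.bak 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control; /usr/sbin/audit -s`. The grep also only matches that exact flag order, so a line containing all seven flags in another order is reported as failing, and the note text reads `NOTE: NOTE:`.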
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index ab8e8d31a..690e3e94d 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -37,13 +37,6 @@ references: 800-171r2: - 3.3.1 - 3.3.2 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -56,7 +49,5 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 742ae0a43..d5e805589 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -42,10 +42,6 @@ references: - N/A 800-171r2: - N/A - cisv8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -53,7 +49,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 914bde852..0036ba865 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -42,19 +42,10 @@ references: - N/A 800-171r2: - N/A - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: - stig - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index d9eb95177..546dad7fd 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -44,13 +44,6 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: 
@@ -63,8 +56,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 34d67b1a9..2f11dbd80 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -43,13 +43,6 @@ references: - 3.3.1 - 3.3.2 - 3.3.8 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -62,8 +55,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 8983a2e01..33e594d90 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -40,13 +40,6 @@ references: - 3.1.12 - 3.3.1 - 3.3.2 - cis: - benchmark: - - 3.2 (level 2) - v8: - - 3.14 - - 8.2 - - 8.5 macOS: - "12.0" tags: @@ -59,8 +52,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cis_lvl2 - - cisv8 severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From 59de65ef72ee012006c0cafec575e5c7b80ea0a3 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 12 Jan 2022 11:51:10 -0500 Subject: [PATCH 088/193] created cis manual supplemental --- rules/audit/audit_control_mode_configure.yaml | 2 +- rules/cis_lvl2.txt | 1 + .../supplemental/supplemental_cis_manual.yaml | 33 +++++++++++++++ .../sysprefs_computer_name_audit.yaml | 42 ------------------- 4 files changed, 35 insertions(+), 43 deletions(-) create mode 100644 rules/supplemental/supplemental_cis_manual.yaml delete mode 100644 rules/sysprefs/sysprefs_computer_name_audit.yaml diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index ff5b225c1..bb3fdf539 100644 
--- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -9,7 +9,7 @@ result: fix: | [source,bash] ---- - //bin/chmod 440 /etc/security/audit_control + /bin/chmod 440 /etc/security/audit_control ---- references: cce: diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 758da82e1..02565abc1 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,4 +1,5 @@ Recommendation # Title +1.7 Audit Computer Name Security & Privacy 2.5.7 Audit Camera Privacy and Confidentiality iCloud diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml new file mode 100644 index 000000000..6831050a9 --- /dev/null +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -0,0 +1,33 @@ +id: supplemental_cis_manual +title: "CIS Manual Controls" +discussion: | + + [cols="15%h, 85%a"] + |=== + + |Section + |Install Updates, Patches and Additional Security Software + + |Control + |1.7 Audit Computer Name + + |=== +check: | +fix: | +references: + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A +macOS: + - "12.0" +tags: + - supplemental +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_computer_name_audit.yaml b/rules/sysprefs/sysprefs_computer_name_audit.yaml deleted file mode 100644 index d5fc92bb1..000000000 --- a/rules/sysprefs/sysprefs_computer_name_audit.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: sysprefs_computer_name_audit -title: "Audit Computer Name" -discussion: | - The organization _MUST_ audit a systems computer name. -check: | - /usr/sbin/scutil --get ComputerName -result: - string: "an organization's approved computer name." -fix: | - Set the computer name back to an approved naming convention. - - [source,bash] - ---- - /usr/sbin/scutil --set ComputerName - ---- -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - disa_stig: - - N/A - srg: - - N/A - cis: - benchmark: - - 1.7 (level 2) - v8: - - 1.1 -macOS: - - "12.0" -tags: - - cis_lvl2 - - cisv8 - - cis_manual - - manual -mobileconfig: false -mobileconfig_info: \ No newline at end of file From 49586c05353c6cf8b373230bc94df334c20f8b64 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 12 Jan 2022 12:09:48 -0500 Subject: [PATCH 089/193] updated cis manual --- .../supplemental/supplemental_cis_manual.yaml | 35 +++++++++++++++- .../sysprefs_fast_user_switching_disable.yaml | 42 ------------------- 2 files changed, 33 insertions(+), 44 deletions(-) delete mode 100644 rules/sysprefs/sysprefs_fast_user_switching_disable.yaml diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 6831050a9..5059ba0dc 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -1,16 +1,47 @@ id: supplemental_cis_manual title: "CIS Manual Controls" discussion: | - + List of CIS controls that are manual checks. + [cols="15%h, 85%a"] |=== |Section |Install Updates, Patches and Additional Security Software - |Control + |Controls |1.7 Audit Computer Name + |Section + |System Preferences + + |Controls + |2.3.3 Audit Lock Screen and Start Screen Saver Tools, 2.5.1.2 Ensure all user storage APFS volumes are encrypted, 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted, 2.5.4 Audit Location Services Access, 2.5.7 Audit Camera Privacy and Confidentiality, 2.6.1.1 Audit iCloud Configuration, 2.6.1.2 Audit iCloud Keychain, 2.6.1.3 Audit iCloud Drive, 2.6.2 Audit App Store Password Settings, 2.12 Audit Automatic Actions for Optical Media, 2.13 Audit Siri Settings, 2.14 Audit Sidecar Settings, 2.15 Audit Touch ID and Wallet & Apple Pay Settings, 2.16 Audit Notification System Preference Settings, 2.17 Audit Passwords System Preference Setting + + |Section + |Logging and Auditing + + |Controls + |3.7 Audit Software Inventory + + |Section + |Network Configurations + + |Controls + |4.3 Audit Network Specific Locations, 4.6 Audit Wi-Fi Settings + + |Section + |System Access, Authentication and Authorization + + |Controls + |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured, 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured, 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured, 5.5 Ensure login keychain is locked when the computer sleeps, 5.15 Ensure Fast User Switching Is Disabled + + |Section + |Appendix: Additional Considerations + + |Controls + |7.1 Extensible Firmware Interface (EFI) password, 7.2 FileVault and Local Account Password Reset using AppleID + |=== check: | fix: | 
diff --git a/rules/sysprefs/sysprefs_fast_user_switching_disable.yaml b/rules/sysprefs/sysprefs_fast_user_switching_disable.yaml deleted file mode 100644 index f7a29e96e..000000000 --- a/rules/sysprefs/sysprefs_fast_user_switching_disable.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: sysprefs_fast_user_switching_disable -title: "Ensure Fast User Switching Is Disabled" -discussion: | - Fast user switching _MUST_ be disabled. -check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'MultipleSessionEnabled = 0' -result: - integer: 1 -fix: | - This is implemented by a Configuration Profile. -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - disa_stig: - - N/A - srg: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - - 5.15 (level 2) - v8: - - 4.1 -macOS: - - "12.0" -tags: - - cis_lvl2 - - cisv8 - - cis_manual -mobileconfig: true -mobileconfig_info: - .GlobalPreferences: - MultipleSessionEnabled: true - - From 3405ff05b2540bc1028599dc3203dc8ef562bf12 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 12 Jan 2022 12:14:52 -0500 Subject: [PATCH 090/193] fixed formatting --- .../supplemental/supplemental_cis_manual.yaml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 5059ba0dc..9bd3c7b7b 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
@@ -11,37 +11,51 @@ discussion: | |Controls |1.7 Audit Computer Name - + |=== + + [cols="15%h, 85%a"] + |=== |Section |System Preferences |Controls |2.3.3 Audit Lock Screen and Start Screen Saver Tools, 2.5.1.2 Ensure all user storage APFS volumes are encrypted, 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted, 2.5.4 Audit Location Services Access, 2.5.7 Audit Camera Privacy and Confidentiality, 2.6.1.1 Audit iCloud Configuration, 2.6.1.2 Audit iCloud Keychain, 2.6.1.3 Audit iCloud Drive, 2.6.2 Audit App Store Password Settings, 2.12 Audit Automatic Actions for Optical Media, 2.13 Audit Siri Settings, 2.14 Audit Sidecar Settings, 2.15 Audit Touch ID and Wallet & Apple Pay Settings, 2.16 Audit Notification System Preference Settings, 2.17 Audit Passwords System Preference Setting + |=== + [cols="15%h, 85%a"] + |=== |Section |Logging and Auditing |Controls |3.7 Audit Software Inventory + |=== + [cols="15%h, 85%a"] + |=== |Section |Network Configurations |Controls |4.3 Audit Network Specific Locations, 4.6 Audit Wi-Fi Settings + |=== + [cols="15%h, 85%a"] + |=== |Section |System Access, Authentication and Authorization |Controls |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured, 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured, 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured, 5.5 Ensure login keychain is locked when the computer sleeps, 5.15 Ensure Fast User Switching Is Disabled + |=== + [cols="15%h, 85%a"] + |=== |Section |Appendix: Additional Considerations |Controls |7.1 Extensible Firmware Interface (EFI) password, 7.2 FileVault and Local Account Password Reset using AppleID - |=== check: | fix: | From d59d3c473319a6ef19b1c6691bbb3fa657af0bb7 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Wed, 12 Jan 2022 12:17:26 -0500 Subject: [PATCH 091/193] removed manual from tasks --- rules/cis_lvl1.txt | 14 +------------- rules/cis_lvl2.txt | 20 +------------------- 2 files changed, 2 insertions(+), 32 deletions(-) diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index c80febc93..2ee1d3b73 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -1,18 +1,6 @@ Recommendation # Title - Desktop & Screen Saver -2.3.3 Audit Lock Screen and Start Screen Saver Tools - Security & Privacy - Encryption -2.5.1.2 Ensure all user storage APFS volumes are encrypted -2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted - Time Machine +Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted -2.12 Audit Automatic Actions for Optical Media -2.13 Audit Siri Settings -2.14 Audit Sidecar Settings -2.15 Audit Touch ID and Wallet & Apple Pay Settings -2.16 Audit Notification System Preference Settings -2.17 Audit Passwords System Preference Setting File System Permissions and Access Controls 5.1.3 Ensure Apple Mobile File Integrity Is Enabled 5.1.4 Ensure Library Validation Is Enabled diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 02565abc1..48f249142 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt 
@@ -1,25 +1,7 @@ Recommendation # Title -1.7 Audit Computer Name - Security & Privacy -2.5.7 Audit Camera Privacy and Confidentiality - iCloud -2.6.1.1 Audit iCloud Configuration -2.6.1.2 Audit iCloud Keychain -2.6.1.3 Audit iCloud Drive - Apple ID -2.6.2 Audit App Store Password Settings Time Machine 2.7.1 Ensure Backup Up Automatically is Enabled - Logging and Auditing -3.7 Audit Software Inventory - Network Configurations -4.3 Audit Network Specific Locations -4.6 Audit Wi-Fi Settings File System Permissions and Access Controls 5.1.8 Ensure No World Writable Files Exist in the Library Folder Password Management -5.5 Ensure login keychain is locked when the computer sleeps -5.9 Ensure system is set to hibernate - Appendix: Additional Considerations -7.1 Extensible Firmware Interface (EFI) password -7.2 FileVault and Local Account Password Reset using AppleID \ No newline at end of file +5.9 Ensure system is set to hibernate \ No newline at end of file From ce6040e7cec3e37f287dd8caaed08b8eb6ae1fc8 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 12 Jan 2022 15:08:58 -0500 Subject: [PATCH 092/193] added cis rules --- includes/supported_payloads.yaml | 1 + rules/cis_lvl1.txt | 7 +-- rules/cis_lvl2.txt | 2 - rules/os/os_guest_folder_removed.yaml | 38 ++++++++++++++++ rules/os/os_library_validation_enabled.yaml | 44 +++++++++++++++++++ rules/os/os_mobile_file_integrity_enable.yaml | 42 ++++++++++++++++++ ...fs_loginwindow_loginwindowtext_enable.yaml | 37 ++++++++++++++++ .../sysprefs_time_machine_auto_backup.yaml | 38 ++++++++++++++++ 8 files changed, 201 insertions(+), 8 deletions(-) create mode 100644 rules/os/os_guest_folder_removed.yaml create mode 100644 rules/os/os_library_validation_enabled.yaml create mode 100644 rules/os/os_mobile_file_integrity_enable.yaml create mode 100644 rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml create mode 100644 rules/sysprefs/sysprefs_time_machine_auto_backup.yaml 
diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index b951471bb..bd82a51f4 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -87,6 +87,7 @@ payloads_types: - com.apple.security.FDERecoveryRedirect - com.apple.security.certificatetransparency - com.apple.security.firewall + - com.apple.security.libraryvalidation - com.apple.security.pem - com.apple.security.pkcs1 - com.apple.security.pkcs12 diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 2ee1d3b73..b77d37cb1 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -2,12 +2,7 @@ Recommendation # Title Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted File System Permissions and Access Controls -5.1.3 Ensure Apple Mobile File Integrity Is Enabled -5.1.4 Ensure Library Validation Is Enabled 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder Password Management -5.12 Ensure a Custom Message for the Login Screen Is Enabled -5.14 Ensure Users' Accounts Do Not Have a Password Hint - Accounts Preferences Action Items -6.1.5 Ensure the Guest Home Folder Does Not Exist \ No newline at end of file +5.14 Ensure Users' Accounts Do Not Have a Password Hint \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 48f249142..6ffc69fad 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,6 +1,4 @@ Recommendation # Title - Time Machine -2.7.1 Ensure Backup Up Automatically is Enabled File System Permissions and Access Controls 5.1.8 Ensure No World Writable Files Exist in the Library Folder Password Management diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml new file mode 100644 index 000000000..dd99fdef6 --- /dev/null +++ b/rules/os/os_guest_folder_removed.yaml 
@@ -0,0 +1,38 @@ +id: os_guest_folder_removed +title: "Remove Guest Folder if Present"" +discussion: + The guest folder _MUST_ be deleted if present. +check: | + /bin/ls /Users/ | /usr/bin/grep -c "Guest" +result: + integer: 0 +fix: | + [source,bash] + ---- + /bin/rm -Rf /Users/Guest + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.1.5 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml new file mode 100644 index 000000000..67cd82f01 --- /dev/null +++ b/rules/os/os_library_validation_enabled.yaml @@ -0,0 +1,44 @@ +id: os_library_validation_enabled +title: "Enable Library Validation" +discussion: + Library validation _MUST_ be enabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableLibraryValidation = 0' +result: + integer: 1 +fix: | + [source,bash] + ---- + This is implemented by a Configuration Profile. + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.4 (level 1) + v8: + - 2.3 + - 2.6 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: true +mobileconfig_info: + com.apple.security.libraryvalidation: + DisableLibraryValidation: false \ No newline at end of file diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml new file mode 100644 index 000000000..b66df95c6 --- /dev/null +++ b/rules/os/os_mobile_file_integrity_enable.yaml 
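Review bot: `title: "Remove Guest Folder if Present""` has a doubled closing quote, which makes os_guest_folder_removed.yaml invalid YAML; it should be `title: "Remove Guest Folder if Present"`. `discussion:` is also written without the `|` block indicator the other rules use, and the `cis:` block omits the `v8:` list the sibling rules carry. The `/bin/ls /Users/ | /usr/bin/grep -c "Guest"` check counts any home folder whose name contains "Guest"; `/usr/bin/grep -cx "Guest"` is the exact match the discussion describes.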
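Review bot: The `check:` in os_library_validation_enabled.yaml greps for `'DisableLibraryValidation = 0'` without `-c`, so it prints the matching line rather than a count and the `integer: 1` result can never match; use `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableLibraryValidation = 0'`. The `fix:` also wraps the prose "This is implemented by a Configuration Profile." in a `[source,bash]` block, unlike the sibling rules where that sentence stands alone.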
@@ -0,0 +1,42 @@ +id: os_mobile_file_integrity_enable +title: "Enable Apple Mobile File Integrity" +discussion: + Mobile file integrity _MUST_ be ebabled. +check: | + /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/sbin/nvram boot-args="" + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.3 (level 1) + v8: + - 2.3 + - 2.6 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml new file mode 100644 index 000000000..5adda5a17 --- /dev/null +++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml @@ -0,0 +1,37 @@ +id: sysprefs_loginwindow_loginwindowtext_enable +title: "Configure Login Window to Show A Custom Message" +discussion: | + The login window _MUST_ be configured to show a custom access warning message. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'LoginwindowText' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 6.1.1 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 +mobileconfig: true +mobileconfig_info: + com.apple.loginwindow: + LoginwindowText: "Approved message goes here" diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml new file mode 100644 index 000000000..36169852e --- /dev/null +++ b/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml 
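Review bot: The fix `/usr/sbin/nvram boot-args=""` clears every boot argument, not only the `amfi_get_out_of_my_way=1` token the check looks for, so any other deliberately configured argument is lost when the rule is remediated; the discussion should state this, or the fix should rewrite boot-args with just that token removed. The check is a literal substring match, which the discussion could mention so readers know what the count does and does not cover. `ebabled` in the discussion is a typo for `enabled`.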
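Review bot: The check `/usr/bin/grep -c 'LoginwindowText'` passes as soon as the key exists, including with the placeholder `"Approved message goes here"` shipped in `mobileconfig_info`, so a deployment that forgets to replace the sample text is still reported compliant. A sentence in the discussion telling administrators to replace the placeholder before generating the profile would help, since nothing in the check enforces it.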
@@ -0,0 +1,38 @@ +id: sysprefs_time_machine_auto_backup_enable +title: "Configure Time Machine for Automatic Backups" +discussion: | + Automatic backups _MUST_ be enabled when using Time Machine. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoBackup = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.7.2 (level 2) + v8: + - 11.2 +macOS: + - "12.0" +tags: + - cis_lvl2 +mobileconfig: true +mobileconfig_info: + com.apple.TimeMachine: + AutoBackup: true \ No newline at end of file From 3b5640c76d3644c5309dcaf0e38960f3b70043d5 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 13 Jan 2022 10:19:27 -0500 Subject: [PATCH 093/193] password hint remove --- rules/cis_lvl1.txt | 4 +-- rules/os/os_password_hint_remove.yaml | 39 +++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 rules/os/os_password_hint_remove.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index b77d37cb1..9bb4065d7 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt @@ -3,6 +3,4 @@ Time Machine 2.7.2 Ensure Time Machine Volumes Are Encrypted File System Permissions and Access Controls 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications -5.1.7 Ensure No World Writable Files Exist in the System Folder - Password Management -5.14 Ensure Users' Accounts Do Not Have a Password Hint \ No newline at end of file +5.1.7 Ensure No World Writable Files Exist in the System Folder \ No newline at end of file diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml new file mode 100644 index 000000000..6077fe0ba --- /dev/null +++ b/rules/os/os_password_hint_remove.yaml 
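Review bot: `id: sysprefs_time_machine_auto_backup_enable` does not match the file name `sysprefs_time_machine_auto_backup.yaml`, while every other rule in this commit keeps the id equal to the file stem. The CIS reference `2.7.2 (level 2)` also disagrees with `rules/cis_lvl1.txt` earlier in this same commit, which lists 2.7.2 as "Ensure Time Machine Volumes Are Encrypted", and the lvl2 list removes `2.7.1 Ensure Backup Up Automatically is Enabled`, so 2.7.1 appears to be the intended number here.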
@@ -0,0 +1,39 @@ +id: os_password_hint_remove +title: "Remove Password Hint From User Accounts" +discussion: | + User accounts _MUST_ not contain password hints. +check: | + /usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + /usr/bin/dscl . -delete /Users/$u hint + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - IA-6 + 800-53r4: + - IA-6 + 800-171r2: + - 3.5.11 + cis: + benchmark: + - 5.14 (level 1) + v8: + - 5.2 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From 7937b70b142c54723d7c635c387a4efd46b526da Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 13 Jan 2022 10:54:50 -0500 Subject: [PATCH 094/193] CIS supplemental update, fix guest_folder --- rules/os/os_guest_folder_removed.yaml | 4 +-- .../supplemental/supplemental_cis_manual.yaml | 28 ++++++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index dd99fdef6..4cd6eac80 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -1,6 +1,6 @@ id: os_guest_folder_removed -title: "Remove Guest Folder if Present"" -discussion: +title: "Remove Guest Folder if Present" +discussion: | The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest" diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index 9bd3c7b7b..d335598d1 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml 
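Review bot: The check counts hints on every record returned by `/usr/bin/dscl . -list /Users hint`, but the fix loop only deletes hints for accounts whose `UniqueID` is above 500, so a hint on a lower-numbered account leaves the rule failing after remediation; either filter the check the same way or drop the UID filter in the fix. `/Users/$u` in the delete should also be quoted, `/usr/bin/dscl . -delete "/Users/$u" hint`, to match the quoting used elsewhere in this series.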
@@ -19,7 +19,21 @@ discussion: | |System Preferences |Controls - |2.3.3 Audit Lock Screen and Start Screen Saver Tools, 2.5.1.2 Ensure all user storage APFS volumes are encrypted, 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted, 2.5.4 Audit Location Services Access, 2.5.7 Audit Camera Privacy and Confidentiality, 2.6.1.1 Audit iCloud Configuration, 2.6.1.2 Audit iCloud Keychain, 2.6.1.3 Audit iCloud Drive, 2.6.2 Audit App Store Password Settings, 2.12 Audit Automatic Actions for Optical Media, 2.13 Audit Siri Settings, 2.14 Audit Sidecar Settings, 2.15 Audit Touch ID and Wallet & Apple Pay Settings, 2.16 Audit Notification System Preference Settings, 2.17 Audit Passwords System Preference Setting + |2.3.3 Audit Lock Screen and Start Screen Saver Tools + + 2.5.1.2 Ensure all user storage APFS volumes are encrypted + + 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted + + 2.5.4 Audit Location Services Access + + 2.5.7 Audit Camera Privacy and Confidentiality + + 2.6.1.1 Audit iCloud Configuration + + 2.6.1.2 Audit iCloud Keychain + + 2.6.1.3 Audit iCloud Drive + + 2.6.2 Audit App Store Password Settings + + 2.12 Audit Automatic Actions for Optical Media + + 2.13 Audit Siri Settings + + 2.14 Audit Sidecar Settings + + 2.15 Audit Touch ID and Wallet & Apple Pay Settings + + 2.16 Audit Notification System Preference Settings + + 2.17 Audit Passwords System Preference Setting + |=== [cols="15%h, 85%a"] @@ -37,7 +51,8 @@ discussion: | |Network Configurations |Controls - |4.3 Audit Network Specific Locations, 4.6 Audit Wi-Fi Settings + |4.3 Audit Network Specific Locations + + 4.6 Audit Wi-Fi Settings + |=== [cols="15%h, 85%a"] 
@@ -46,7 +61,11 @@ discussion: | |System Access, Authentication and Authorization |Controls - |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured, 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured, 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured, 5.5 Ensure login keychain is locked when the computer sleeps, 5.15 Ensure Fast User Switching Is Disabled + |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured + + 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + + 5.5 Ensure login keychain is locked when the computer sleeps + + 5.15 Ensure Fast User Switching Is Disabled + |=== [cols="15%h, 85%a"] @@ -55,7 +74,8 @@ discussion: | |Appendix: Additional Considerations |Controls - |7.1 Extensible Firmware Interface (EFI) password, 7.2 FileVault and Local Account Password Reset using AppleID + |7.1 Extensible Firmware Interface (EFI) password + + 7.2 FileVault and Local Account Password Reset using AppleID + |=== check: | fix: | From 7f9a170562a05759b6554f49804d9a4348bbc7ff Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 14 Jan 2022 11:45:45 -0500 Subject: [PATCH 095/193] time machine encrypted --- rules/cis_lvl1.txt | 2 - rules/os/os_guest_folder_removed.yaml | 2 +- ...refs_time_machine_auto_backup_enable.yaml} | 3 +- ...refs_time_machine_encrypted_configure.yaml | 59 +++++++++++++++++++ 4 files changed, 62 insertions(+), 4 deletions(-) rename rules/sysprefs/{sysprefs_time_machine_auto_backup.yaml => sysprefs_time_machine_auto_backup_enable.yaml} (95%) create mode 100644 rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt index 9bb4065d7..dfd94ae5d 100644 --- a/rules/cis_lvl1.txt +++ b/rules/cis_lvl1.txt 
@@ -1,6 +1,4 @@ Recommendation # Title -Time Machine -2.7.2 Ensure Time Machine Volumes Are Encrypted File System Permissions and Access Controls 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications 5.1.7 Ensure No World Writable Files Exist in the System Folder \ No newline at end of file diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index dd99fdef6..d344a46e1 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -1,5 +1,5 @@ id: os_guest_folder_removed -title: "Remove Guest Folder if Present"" +title: "Remove Guest Folder if Present" discussion: The guest folder _MUST_ be deleted if present. check: | diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml similarity index 95% rename from rules/sysprefs/sysprefs_time_machine_auto_backup.yaml rename to rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml index 36169852e..72dbf7d7c 100644 --- a/rules/sysprefs/sysprefs_time_machine_auto_backup.yaml +++ b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml @@ -25,13 +25,14 @@ references: - N/A cis: benchmark: - - 2.7.2 (level 2) + - 2.7.1 (level 2) v8: - 11.2 macOS: - "12.0" tags: - cis_lvl2 + - cisv8 mobileconfig: true mobileconfig_info: com.apple.TimeMachine: diff --git a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml new file mode 100644 index 000000000..59e38a287 --- /dev/null +++ b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml 
@@ -0,0 +1,59 @@ +id: sysprefs_time_machine_encrypted_configure +title: "Ensure Time Machine Volumes are Encrypted" +discussion: | + Time Machine volumes _MUST_ be encrypted. +check: | + tmdestination=$(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Name/{print $2}') + if [[ "$tmdestination" = "" ]]; then + echo "1" + else + tmVolMounted=$(/usr/sbin/diskutil info "${tmdestination}" 2>&1 | /usr/bin/awk '/Mounted/{print $2}') + tmVolEncrypted=$(/usr/sbin/diskutil info "${tmdestination}" 2>&1 | /usr/bin/awk '/FileVault/{print $2}') + + if [[ "$tmVolMounted" = "Yes" && "$tmVolEncrypted" = "Yes" ]]; then + echo "1" + else + if [[ "$tmVolMounted" = "" ]]; then + echo "1" + else + echo "0" + fi + fi + fi +result: + integer: 1 +fix: | + . Go to System Preferences -> Time Machine + . Click *Select Disk* + . Select existing Backup Disk under *Available Disks* + . Click *Encrypt Backups* + . Click *Use Disk* +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 2.7.2 (level 2) + v8: + - 3.6 + - 3.11 + - 11.2 +macOS: + - "12.0" +tags: + - cis_lvl2 + - cisv8 +mobileconfig: false +mobileconfig_info: \ No newline at end of file From de83bae731fbcd2df5a1492f8f03dd51c0ba7991 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 14 Jan 2022 15:34:12 -0500 Subject: [PATCH 096/193] time_machine_encrypted --- ...refs_time_machine_encrypted_configure.yaml | 28 +++++++------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml index 59e38a287..3de3db6af 100644 --- a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml +++ b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml 
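Review bot: A destination that is not mounted, or one `diskutil info` cannot describe, leaves `tmVolMounted` empty and the check echoes `1`, so an unencrypted backup volume passes whenever it is simply unplugged at audit time; the discussion should state that limitation. With more than one destination, `$tmdestination` holds all the names joined by newlines and the quoted `"${tmdestination}"` is passed to `diskutil` as a single argument, which fails and is then treated as a pass by the same branch. The whole check script is inside this hunk.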
@@ -3,25 +3,17 @@ title: "Ensure Time Machine Volumes are Encrypted"
 discussion: |
 Time Machine volumes _MUST_ be encrypted.
 check: |
- tmdestination=$(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Name/{print $2}')
- if [[ "$tmdestination" = "" ]]; then
- echo "1"
- else
- tmVolMounted=$(/usr/sbin/diskutil info "${tmdestination}" 2>&1 | /usr/bin/awk '/Mounted/{print $2}')
- tmVolEncrypted=$(/usr/sbin/diskutil info "${tmdestination}" 2>&1 | /usr/bin/awk '/FileVault/{print $2}')
-
- if [[ "$tmVolMounted" = "Yes" && "$tmVolEncrypted" = "Yes" ]]; then
- echo "1"
- else
- if [[ "$tmVolMounted" = "" ]]; then
- echo "1"
- else
- echo "0"
- fi
- fi
- fi
+ error_count=0
+ for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do
+ tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}')
+ tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}')
+ if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then
+ ((error_count++))
+ fi
+ done
+ echo "$error_count"
 result:
- integer: 1
+ integer: 0
 fix: |
 . Go to System Preferences -> Time Machine
 . Click *Select Disk*
From 0ffbdb795062f45e1476f437e6b5ab488696c7ad Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 19 Jan 2022 20:33:36 -0500 Subject: [PATCH 097/193] fixed tag --- rules/os/os_efi_integrity_validated.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml
index 3b51b4a72..8f030c7ce 100644
--- a/rules/os/os_efi_integrity_validated.yaml
+++ b/rules/os/os_efi_integrity_validated.yaml
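Review bot: `for tm in $(/usr/bin/tmutil destinationinfo ...)` word-splits destination names, so a name containing a space (a constructed `Backups of Mac`, say) is looked up as separate words, each `diskutil info` fails quietly, `tmMounted` stays empty and the volume is counted as compliant. Reading the names line by line avoids that: `while IFS= read -r tm; do` in place of the `for` line, and `done < <(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Name/{print $2}')` in place of `done`. The rewrite also keeps the behaviour that an unmounted destination adds nothing to `error_count`, which deserves a sentence in the discussion.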
@@ -3,7 +3,7 @@ title: "Ensure Extensible Firmware Interface Version is Valid" discussion: | The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. check: | - if /usr/sbin/ioreg -w 0 -c AppleSEPManager | grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi + if /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi result: integer: 1 fix: | @@ -15,7 +15,6 @@ references: - N/A 800-53r5: - N/A - 800-53r4: - N/A 800-171r2: @@ -31,5 +30,6 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 + - i386 mobileconfig: false mobileconfig_info: \ No newline at end of file From a63a07cf3e08aa793159a07be98bb51fd9f600d2 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 19 Jan 2022 20:34:00 -0500 Subject: [PATCH 098/193] fixed rule --- rules/os/os_guest_folder_removed.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index b6cb4f78b..4cd6eac80 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -1,10 +1,6 @@ id: os_guest_folder_removed title: "Remove Guest Folder if Present" -<<<<<<< HEAD -discussion: -======= discussion: | ->>>>>>> 7937b70b142c54723d7c635c387a4efd46b526da The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest" From 53263dccd0cfc114253088048b506a63105411da Mon Sep 17 00:00:00 2001 
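Review bot: The second hunk of rules/os/os_efi_integrity_validated.yaml appears to delete the `800-53r4:` key while keeping its `- N/A` entry, which then attaches to `800-53r5:` as a duplicate and drops `800-53r4` from the references; the commit message says only a tag was fixed, so this looks accidental and the key should be restored. The `i386` tag added in the last hunk is consistent with the check, which echoes `1` without running eficheck whenever `AppleSEPManager` is present.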
From: Allen Golbig Date: Wed, 19 Jan 2022 20:41:16 -0500 Subject: [PATCH 099/193] new check for bt --- rules/os/os_hibernate_mode_enable.yaml | 40 +++++++++++++++++++ .../sysprefs_bluetooth_unpaired_disable.yaml | 8 ++-- 2 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 rules/os/os_hibernate_mode_enable.yaml diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml new file mode 100644 index 000000000..e829e8739 --- /dev/null +++ b/rules/os/os_hibernate_mode_enable.yaml @@ -0,0 +1,40 @@ +id: os_hibernate_mode_enable +title: "Enable Hibernate Mode" +discussion: | + Hibernate mode _MUST_ be enabled. + + NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. +check: | + +result: + integer: 1 +fix: | + [source,bash] + ---- + + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + -5.9 (level 2) +macOS: + - "12.0" +tags: + - cis_lvl2 + - i386 +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml index e024716e1..237156d0e 100644 --- a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml 
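Review bot: `check:` and the `fix:` source block are empty, so the rule can be neither evaluated nor remediated and `result: integer: 1` has nothing to compare against. In `benchmark:` the entry `-5.9 (level 2)` lacks the space after the dash, so YAML reads it as a scalar string instead of a list item; write `- 5.9 (level 2)` as the other rules do.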
@@ -3,9 +3,9 @@ title: "Disable Bluetooth When No Devices are Paired" discussion: | Bluetooth _MUST_ be disabled when no devices are paired. check: | - isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -cm1 'Connected: Yes') - if [[ "$isPaired" != 1 ]]; then - powerState=$(/usr/bin/defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState) + isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -c 'Connected: Yes') + if [[ "$isPaired" = "0" ]]; then + powerState=$(system_profiler SPBluetoothDataType 2>/dev/null | grep -c 'State: On') /bin/echo "$powerState" else /bin/echo "0" @@ -15,7 +15,7 @@ result: fix: | [source,bash] ---- - /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 + /usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.BTServer.plist defaultPoweredState off /usr/bin/killall -HUP bluetoothd ---- references: From b7d058ba741b5e62670b03ffcb1e9559f5ad15b2 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Wed, 19 Jan 2022 20:45:48 -0500 Subject: [PATCH 100/193] fixed paths --- rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml index 237156d0e..cda9619af 100644 --- a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml 
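Review bot: The check now reads `State: On` from `system_profiler SPBluetoothDataType`, while the fix writes `defaultPoweredState` into `/private/var/root/Library/Preferences/com.apple.BTServer.plist`; nothing in the hunk shows that the key written is what the profiler reports, so the pairing should be verified on a test machine and recorded in the discussion. `grep -c 'State: On'` counts every matching line in the report rather than the controller line alone, so `powerState` could exceed the expected value (the result block is outside this hunk); the `-cm1` form the old check used for the paired count, `/usr/bin/grep -cm1 'State: On'`, bounds it. The unqualified `grep` and `system_profiler` paths here are corrected in the following commit.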
@@ -3,9 +3,9 @@ title: "Disable Bluetooth When No Devices are Paired"
 discussion: |
 Bluetooth _MUST_ be disabled when no devices are paired.
 check: |
- isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | grep -c 'Connected: Yes')
+ isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'Connected: Yes')
 if [[ "$isPaired" = "0" ]]; then
- powerState=$(system_profiler SPBluetoothDataType 2>/dev/null | grep -c 'State: On')
+ powerState=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'State: On')
 /bin/echo "$powerState"
 else
 /bin/echo "0"
From 1e97b0a6c83382bd86e44bf2489fda045217a29f Mon Sep 17 00:00:00 2001 From: John Mahlman Date: Thu, 20 Jan 2022 11:43:32 -0500 Subject: [PATCH 101/193] Final checks for CIS Monterey (#113) * Adding remaining CIS checks. * Clean up yaml files. * Clean up yaml files one more time. * Something broke with VSCode, fixed setting. * LAST ONE --- rules/cis_lvl1.txt | 4 +- rules/cis_lvl2.txt | 4 +- ..._hibernate_mode_DestroyFVKeyOnStandby.yaml | 37 ++++++++++++++++ rules/os/os_hibernate_mode_enable.yaml | 40 ++++++++++++++---- rules/os/os_system_wide_applications.yml | 40 ++++++++++++++++++ rules/os/os_world_writable_library_folder.yml | 42 +++++++++++++++++++ rules/os/os_world_writable_system_folder.yml | 40 ++++++++++++++++++ 7 files changed, 193 insertions(+), 14 deletions(-) create mode 100644 rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml create mode 100644 rules/os/os_system_wide_applications.yml create mode 100644 rules/os/os_world_writable_library_folder.yml create mode 100644 rules/os/os_world_writable_system_folder.yml
diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt
index dfd94ae5d..6dc9870ad 100644
--- a/rules/cis_lvl1.txt
+++ b/rules/cis_lvl1.txt
@@ -1,4 +1,2 @@ Recommendation # Title - File System Permissions and Access Controls -5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications -5.1.7 Ensure No World Writable Files Exist in the System Folder \ No newline at end of file + File System Permissions and Access Controls \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt index 6ffc69fad..308aaecd3 100644 --- a/rules/cis_lvl2.txt +++ b/rules/cis_lvl2.txt @@ -1,5 +1,3 @@ Recommendation # Title File System Permissions and Access Controls -5.1.8 Ensure No World Writable Files Exist in the Library Folder - Password Management -5.9 Ensure system is set to hibernate \ No newline at end of file + Password Management \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml b/rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml new file mode 100644 index 000000000..ee19c5e3a --- /dev/null +++ b/rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml @@ -0,0 +1,37 @@ +id: os_hibernate_mode_DestroyFVKeyOnStandby +title: "Enable Hibernate Mode:DestroyFVKeyOnStandby" +discussion: | + Destroy FV key on hibernate _MUST_ be enabled. + +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DestroyFVKeyOnStandby = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + -5.9 (level 2) +macOS: + - "12.0" +tags: + - cis_lvl2 +mobileconfig: false +mobileconfig_info: + com.apple.MCX: + DestroyFVKeyOnStandby: true diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml index e829e8739..63eacfc98 100644 --- a/rules/os/os_hibernate_mode_enable.yaml +++ b/rules/os/os_hibernate_mode_enable.yaml 
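Review bot: `mobileconfig: false` contradicts the populated `mobileconfig_info` block (`com.apple.MCX` / `DestroyFVKeyOnStandby: true`) and the fix text "This is implemented by a Configuration Profile."; the other profile-delivered rules in this series set `mobileconfig: true`, so the generator will presumably not emit a profile for this rule. The benchmark entry `-5.9 (level 2)` again lacks the space after the dash and is read as a scalar rather than a list item; the same malformed entries appear in os_system_wide_applications.yml, os_world_writable_library_folder.yml and os_world_writable_system_folder.yml in this commit.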
@@ -2,17 +2,41 @@ id: os_hibernate_mode_enable title: "Enable Hibernate Mode" discussion: | Hibernate mode _MUST_ be enabled. + Hibernation writes FileVault keys to disk and requires FileVault to be unlocked prior to the OS being available. + + Mac systems should be set to hibernate after sleeping for a risk-acceptable time period. The default value for "standbydelay" is three hours (10800 seconds). This value is likely appropriate for most desktops. + If Mac desktops are deployed in unmonitored, less physically secure areas with confidential data this value might be adjusted. The desktop or would have to retain power so that the running OS or physical RAM could be attacked however. + MacBooks should also be set to a hibernate mode that removes power from the RAM. This will stop the possibility of cold boot attacks on the system. NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. check: | - -result: - integer: 1 + error_count=0 + hibernateStandbyLowValue=$(/usr/bin/pmset -g | grep standbydelaylow 2>&1 | awk '{print $2}') + hibernateStandbyHighValue=$(/usr/bin/pmset -g | grep standbydelayhigh 2>&1 | awk '{print $2}') + hibernateStandbyThreshValue=$(/usr/bin/pmset -g | grep highstandbythreshold 2>&1 | awk '{print $2}') + hibernateMode=$(/usr/bin/pmset -b -g | grep hibernatemode 2>&1 | awk '{print $2}') + macType=$(/usr/sbin/system_profiler SPHardwareDataType 2>&1 | grep -c MacBook) + if [[ "$macType" -ge 0 ]]; then + if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then + ((error_count++)) + fi + if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 fix: | - [source,bash] - ---- - - ---- + [source,bash] + ---- + pmset -a 
standbydelayhigh 600 + pmset -a standbydelaylow 600 + pmset -a highstandbythreshold 90 + ---- references: cce: - N/A @@ -37,4 +61,4 @@ tags: - cis_lvl2 - i386 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/rules/os/os_system_wide_applications.yml b/rules/os/os_system_wide_applications.yml new file mode 100644 index 000000000..0a557d17e --- /dev/null +++ b/rules/os/os_system_wide_applications.yml @@ -0,0 +1,40 @@ +id: os_system_wide_applications +title: "Ensure Appropriate Permissions Are Enabled for System Wide Applications" +discussion: | + Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions. +check: | + /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | wc -l | xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do + chmod -R o-w "$apps" + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + -5.1.6 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl2 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_world_writable_library_folder.yml b/rules/os/os_world_writable_library_folder.yml new file mode 100644 index 000000000..7d576c7d4 --- /dev/null +++ b/rules/os/os_world_writable_library_folder.yml 
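Review bot: `if [[ "$macType" -ge 0 ]]` is always true because `grep -c` never yields a negative number, so the MacBook gate the discussion describes is a no-op and the standby thresholds are enforced on desktops as well; `-gt 0` is presumably what was meant. `hibernateMode` is assigned but never tested, so the rule never verifies that hibernate mode actually removes power from RAM, which is the property the discussion argues for. The `2>&1` redirects sit on `grep` rather than `pmset`, so a `pmset` failure is not captured. The same lines survive as context in the PATCH 102 hunk on this file later on this page.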
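Review bot: `tags:` lists only `cis_lvl2` although the CIS reference is `5.1.6 (level 1)`; elsewhere in this series a level-1 control carries both `cis_lvl1` and `cis_lvl2`, so the level-1 baseline will presumably omit this rule. The same mismatch is in os_world_writable_library_folder.yml (5.1.8, level 1) and os_world_writable_system_folder.yml (5.1.7, level 1) in this commit. The fix sets `IFS=$'\n'` for the loop and never restores it, which changes word splitting for anything run afterwards in the same shell; a `while IFS= read -r apps; do … done < <(/usr/bin/find …)` loop scopes it to the read.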
@@ -0,0 +1,42 @@ +id: os_world_writable_library_folder +title: "Ensure No World Writable Files Exist in the Library Folder" +discussion: | + Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set. + + NOTE: SOme vendors (ex: Adobe, Jamf, VMware) are known to create world-wriatable folders to the System Library folder, you may need to add more exclusions to this check and fix to match your environment. +check: | + /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | grep -v Caches | grep -v /Preferences/Audio/Data | wc -l | xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for libPermissions in $( find /System/Volumes/Data/Library -type d -perm -2 | grep -v Caches | grep -v /Preferences/Audio/Data ); do + chmod -R o-w "$libPermissions" + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + -5.1.8 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl2 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_world_writable_system_folder.yml b/rules/os/os_world_writable_system_folder.yml new file mode 100644 index 000000000..f86c8746a --- /dev/null +++ b/rules/os/os_world_writable_system_folder.yml 
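Review bot: `grep -v Caches` and `grep -v /Preferences/Audio/Data` filter the `find -ls` output on a substring anywhere in the line, so any directory whose path merely contains `Caches` is excluded, not just the two folders the discussion documents; `find` can express the exclusion exactly, e.g. `-not -path '/System/Volumes/Data/Library/Caches/*'`, and the same applies to the fix loop. The discussion has two typos, `SOme` and `world-wriatable`, and the NOTE sentence runs on and should be split after `folder`.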
@@ -0,0 +1,40 @@ +id: os_world_writable_system_folder +title: "Ensure No World Writable Files Exist in the System Folder" +discussion: | + Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the "Drop Box" folder that is part of Apple's default user template. +check: | + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | grep -v "Drop Box" | wc -l | xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for sysPermissions in $( find /System/Volumes/Data/System -type d -perm -2 | grep -v "Drop Box" ); do + chmod -R o-w "$sysPermissions" + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + -5.1.7 (level 1) +macOS: + - "12.0" +tags: + - cis_lvl2 +mobileconfig: false +mobileconfig_info: From b6b8d830ebad401120ad45c93c5ae54b2221a4a1 Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Thu, 20 Jan 2022 12:11:04 -0500 Subject: [PATCH 102/193] Cleaned up PR --- rules/cis_lvl1.txt | 2 - rules/cis_lvl2.txt | 3 -- ...te_mode_destroyfvkeyonstandby_enable.yaml} | 8 ++-- rules/os/os_hibernate_mode_enable.yaml | 22 ++++----- ...os_system_wide_applications_configure.yml} | 13 +++--- rules/os/os_world_writable_library_folder.yml | 42 ----------------- ...orld_writable_library_folder_configure.yml | 45 +++++++++++++++++++ ...orld_writable_system_folder_configure.yml} | 19 ++++---- 8 files changed, 77 insertions(+), 77 deletions(-) delete mode 100644 rules/cis_lvl1.txt delete mode 100644 rules/cis_lvl2.txt rename rules/os/{os_hibernate_mode_DestroyFVKeyOnStandby.yaml => os_hibernate_mode_destroyfvkeyonstandby_enable.yaml} (74%) rename rules/os/{os_system_wide_applications.yml => os_system_wide_applications_configure.yml} (68%) delete mode 100644 rules/os/os_world_writable_library_folder.yml create mode 100644 rules/os/os_world_writable_library_folder_configure.yml rename rules/os/{os_world_writable_system_folder.yml => os_world_writable_system_folder_configure.yml} (50%) diff --git a/rules/cis_lvl1.txt b/rules/cis_lvl1.txt deleted file mode 100644 index 6dc9870ad..000000000 --- a/rules/cis_lvl1.txt +++ /dev/null @@ -1,2 +0,0 @@ -Recommendation # Title - File System Permissions and Access Controls \ No newline at end of file diff --git a/rules/cis_lvl2.txt b/rules/cis_lvl2.txt deleted file mode 100644 index 308aaecd3..000000000 --- a/rules/cis_lvl2.txt +++ /dev/null @@ -1,3 +0,0 @@ -Recommendation # Title - File System Permissions and Access Controls - Password Management \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml similarity index 74% rename from rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml rename to rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index ee19c5e3a..40ab9a94e 100644 
--- a/rules/os/os_hibernate_mode_DestroyFVKeyOnStandby.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -1,8 +1,7 @@ -id: os_hibernate_mode_DestroyFVKeyOnStandby -title: "Enable Hibernate Mode:DestroyFVKeyOnStandby" +id: os_hibernate_mode_destroyfvkeyonstandby_enable +title: "Enable DestroyFVKeyOnStandby on Hibernate" discussion: | - Destroy FV key on hibernate _MUST_ be enabled. - + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DestroyFVKeyOnStandby = 1' result: @@ -30,6 +29,7 @@ references: macOS: - "12.0" tags: + - cis_lvl1 - cis_lvl2 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml index 63eacfc98..dde7b038d 100644 --- a/rules/os/os_hibernate_mode_enable.yaml +++ b/rules/os/os_hibernate_mode_enable.yaml 
@@ -2,20 +2,15 @@ id: os_hibernate_mode_enable title: "Enable Hibernate Mode" discussion: | Hibernate mode _MUST_ be enabled. - Hibernation writes FileVault keys to disk and requires FileVault to be unlocked prior to the OS being available. - - Mac systems should be set to hibernate after sleeping for a risk-acceptable time period. The default value for "standbydelay" is three hours (10800 seconds). This value is likely appropriate for most desktops. - If Mac desktops are deployed in unmonitored, less physically secure areas with confidential data this value might be adjusted. The desktop or would have to retain power so that the running OS or physical RAM could be attacked however. - MacBooks should also be set to a hibernate mode that removes power from the RAM. This will stop the possibility of cold boot attacks on the system. NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. check: | error_count=0 - hibernateStandbyLowValue=$(/usr/bin/pmset -g | grep standbydelaylow 2>&1 | awk '{print $2}') - hibernateStandbyHighValue=$(/usr/bin/pmset -g | grep standbydelayhigh 2>&1 | awk '{print $2}') - hibernateStandbyThreshValue=$(/usr/bin/pmset -g | grep highstandbythreshold 2>&1 | awk '{print $2}') - hibernateMode=$(/usr/bin/pmset -b -g | grep hibernatemode 2>&1 | awk '{print $2}') - macType=$(/usr/sbin/system_profiler SPHardwareDataType 2>&1 | grep -c MacBook) + hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') + hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') + hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') + macType=$(/usr/sbin/system_profiler SPHardwareDataType 2>&1 | /usr/bin/grep -c MacBook) if [[ 
"$macType" -ge 0 ]]; then if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then ((error_count++)) @@ -33,9 +28,9 @@ result: fix: | [source,bash] ---- - pmset -a standbydelayhigh 600 - pmset -a standbydelaylow 600 - pmset -a highstandbythreshold 90 + /usr/bin/pmset -a standbydelayhigh 600 + /usr/bin/pmset -a standbydelaylow 600 + /usr/bin/pmset -a highstandbythreshold 90 ---- references: cce: @@ -58,6 +53,7 @@ references: macOS: - "12.0" tags: + - cis_lvl1 - cis_lvl2 - i386 mobileconfig: false diff --git a/rules/os/os_system_wide_applications.yml b/rules/os/os_system_wide_applications_configure.yml similarity index 68% rename from rules/os/os_system_wide_applications.yml rename to rules/os/os_system_wide_applications_configure.yml index 0a557d17e..e02f8e963 100644 --- a/rules/os/os_system_wide_applications.yml +++ b/rules/os/os_system_wide_applications_configure.yml @@ -1,9 +1,9 @@ id: os_system_wide_applications title: "Ensure Appropriate Permissions Are Enabled for System Wide Applications" discussion: | - Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions. + Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable. check: | - /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | wc -l | xargs + /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | @@ -11,7 +11,7 @@ fix: | ---- IFS=$'\n' for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do - chmod -R o-w "$apps" + /bin/chmod -R o-w "$apps" done ---- references: 
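Review bot: `if [[ "$macType" -ge 0 ]]; then` on the context line right after the rewritten `macType=` assignment is always true, because `grep -c` prints a non-negative count, so whatever that branch is meant to gate for MacBooks presumably runs on every Mac; the test should be `if [[ "$macType" -gt 0 ]]; then`. The condition is pre-existing, but this hunk rewrites the line that produces `macType`, so it is the natural place to fix it. The `if`/`fi` block of the check continues outside the hunk. The removed discussion paragraphs were the only place that explained why desktops and laptops get different standby handling; a single sentence in `discussion:` stating that rationale would keep the 600-second thresholds understandable.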
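Review bot: The first context line of the `os_system_wide_applications` hunk still reads `id: os_system_wide_applications` although the file is renamed to `os_system_wide_applications_configure.yml`; the other renames in this commit (`os_hibernate_mode_destroyfvkeyonstandby_enable`, `os_world_writable_system_folder_configure`) update the id to match the filename, so this one should become `id: os_system_wide_applications_configure`. Tooling that keys rules by id and baselines that list rules by id will otherwise disagree with the filename.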
@@ -31,10 +31,13 @@ references: - N/A cis: benchmark: - -5.1.6 (level 1) + - 5.1.6 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: - - cis_lvl2 + - cis_lvl1 + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_world_writable_library_folder.yml b/rules/os/os_world_writable_library_folder.yml deleted file mode 100644 index 7d576c7d4..000000000 --- a/rules/os/os_world_writable_library_folder.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: os_world_writable_library_folder -title: "Ensure No World Writable Files Exist in the Library Folder" -discussion: | - Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set. - - NOTE: SOme vendors (ex: Adobe, Jamf, VMware) are known to create world-wriatable folders to the System Library folder, you may need to add more exclusions to this check and fix to match your environment. -check: | - /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | grep -v Caches | grep -v /Preferences/Audio/Data | wc -l | xargs -result: - integer: 0 -fix: | - [source,bash] - ---- - IFS=$'\n' - for libPermissions in $( find /System/Volumes/Data/Library -type d -perm -2 | grep -v Caches | grep -v /Preferences/Audio/Data ); do - chmod -R o-w "$libPermissions" - done - ---- -references: - cce: - - N/A - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r2: - - N/A - cis: - benchmark: - -5.1.8 (level 1) -macOS: - - "12.0" -tags: - - cis_lvl2 -mobileconfig: false -mobileconfig_info: diff --git a/rules/os/os_world_writable_library_folder_configure.yml b/rules/os/os_world_writable_library_folder_configure.yml new file mode 100644 index 000000000..d2d57cbef --- /dev/null +++ b/rules/os/os_world_writable_library_folder_configure.yml 
@@ -0,0 +1,45 @@ +id: os_world_writable_library_folder_configure +title: "Ensure No World Writable Files Exist in the Library Folder" +discussion: | + Folders in /System/Volumes/Data/Library _MUST_ not be world-writable. + + NOTE: Some vendors are known to create world-wriatable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. +check: | + /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs +result: + integer: 0 +fix: | + [source,bash] + ---- + IFS=$'\n' + for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do + /bin/chmod -R o-w "$libPermissions" + done + ---- +references: + cce: + - N/A + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - N/A + cis: + benchmark: + - 5.1.8 (level 1) + v8: + - 3.3 +macOS: + - "12.0" +tags: + - cis_lvl1 + - cisv8 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_world_writable_system_folder.yml b/rules/os/os_world_writable_system_folder_configure.yml similarity index 50% rename from rules/os/os_world_writable_system_folder.yml rename to rules/os/os_world_writable_system_folder_configure.yml index f86c8746a..1b8367942 100644 --- a/rules/os/os_world_writable_system_folder.yml +++ b/rules/os/os_world_writable_system_folder_configure.yml 
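Review bot: The title `Ensure No World Writable Files Exist in the Library Folder` does not match the check, which passes `-type d` to find and therefore only examines directories; either the title should say folders (as `discussion:` already does) or the check should drop `-type d`. The same mismatch is in `os_world_writable_system_folder_configure.yml` in the next hunk. Note also that `/usr/bin/grep -v Caches` runs on the `-ls` listing, so any line containing that substring anywhere is silently excluded from the count, while the fix's `/bin/chmod -R o-w` recurses into everything below a matched directory, which is broader than what the check examined; a sentence in `discussion:` describing that asymmetry would help operators interpreting a failing result.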
@@ -1,17 +1,17 @@ -id: os_world_writable_system_folder +id: os_world_writable_system_folder_configure title: "Ensure No World Writable Files Exist in the System Folder" discussion: | - Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the "Drop Box" folder that is part of Apple's default user template. + Folders in /System/Volumes/Data/System _MUST_ not be world-writable. check: | - /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | grep -v "Drop Box" | wc -l | xargs + /usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for sysPermissions in $( find /System/Volumes/Data/System -type d -perm -2 | grep -v "Drop Box" ); do - chmod -R o-w "$sysPermissions" + for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "Drop Box" ); do + /bin/chmod -R o-w "$sysPermissions" done ---- references: @@ -31,10 +31,13 @@ references: - N/A cis: benchmark: - -5.1.7 (level 1) + - 5.1.7 (level 1) + v8: + - 3.3 macOS: - "12.0" tags: - - cis_lvl2 + - cis_lvl1 + - cisv8 mobileconfig: false -mobileconfig_info: +mobileconfig_info: \ No newline at end of file From 7a0b9d5de5af9e92bb5a2afd99ece7d63188dc6f Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 20 Jan 2022 13:47:01 -0500 Subject: [PATCH 103/193] fixed references --- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 40ab9a94e..3850552c9 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml 
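Review bot: The last line of the second hunk replaces `mobileconfig_info:` with the same text minus its trailing newline (`\ No newline at end of file`), which looks accidental and differs from every sibling rule file in this commit; restore the final newline. The removed discussion sentence was the only documentation of why `"Drop Box"` is filtered out of both the check and the fix; consider keeping a short note such as `NOTE: The check excludes the "Drop Box" folder that is part of Apple's default user template.` so the exclusion is not mistaken for an oversight.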
@@ -25,7 +25,7 @@ references:
 - N/A
 cis:
 benchmark:
- -5.9 (level 2)
+ - 5.9 (level 2)
 macOS:
 - "12.0"
 tags:
diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml
index dde7b038d..7d6f130ca 100644
--- a/rules/os/os_hibernate_mode_enable.yaml
+++ b/rules/os/os_hibernate_mode_enable.yaml
@@ -49,7 +49,7 @@ references:
 - N/A
 cis:
 benchmark:
- -5.9 (level 2)
+ - 5.9 (level 2)
 macOS:
 - "12.0"
 tags:
From edee3c2cd77d7ff7ad173f60aeafd27fd0c7db8e Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 20 Jan 2022 13:58:19 -0500 Subject: [PATCH 104/193] added lvl 1 & 2 baselines --- baselines/cis_lvl1.yaml | 104 ++++++++++++++++++++++++++++++++++ baselines/cis_lvl2.yaml | 122 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 226 insertions(+) create mode 100644 baselines/cis_lvl1.yaml create mode 100644 baselines/cis_lvl2.yaml
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
new file mode 100644
index 000000000..1f71237cb
--- /dev/null
+++ b/baselines/cis_lvl1.yaml
@@ -0,0 +1,104 @@ +title: "macOS 12.0: Security Configuration - CIS Benchmarks" +description: | + This guide describes the actions to take when securing a macOS 12.0 system against the CIS Benchmarks (Level 1) +authors: | + The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) + |=== + |Edward Byrd|Center for Internet Security + |Ron Colvin|Center for Internet Security + |=== +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure_sixty_days + - section: "macos" + rules: + - os_airdrop_disable + - os_authenticated_root_enable + - os_config_data_install_enforce + - os_efi_integrity_validated + - os_firewall_log_enable + - os_gatekeeper_enable + - os_guest_folder_removed + - os_hibernate_mode_destroyfvkeyonstandby_enable + - os_hibernate_mode_enable + - os_home_folders_secure + - os_httpd_disable + - os_install_log_retention_configure + - os_library_validation_enabled + - os_mobile_file_integrity_enable + - os_nfsd_disable + - os_password_hint_remove + - os_root_disable + - os_safari_open_safe_downloads_disable + - os_show_filename_extensions_enable + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_sudoers_tty_configure + - os_terminal_secure_keyboard_enable + - os_time_offset_limit_configure + - os_unlock_active_user_session_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_lockout_enforce_five + - pwpolicy_history_enforce_fifteen + - pwpolicy_minimum_length_enforce + - section: "systempreferences" + rules: + - 
sysprefs_airplay_receiver_disable + - sysprefs_automatic_login_disable + - sysprefs_bluetooth_menu_enable + - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable + - sysprefs_critical_update_install_enforce + - sysprefs_filevault_enforce + - sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_guest_access_smb_disable + - sysprefs_guest_account_disable + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_sharing_disable + - sysprefs_loginwindow_loginwindowtext_enable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_password_hints_disable + - sysprefs_personalized_advertising_disable + - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable + - sysprefs_rae_disable + - sysprefs_remote_management_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_screensaver_timeout_enforce + - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current + - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_wake_network_access_disable + - sysprefs_wifi_menu_enable + - section: "Supplemental" + rules: + - supplemental_cis_manual + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml new file mode 100644 index 000000000..3d815919c --- /dev/null +++ b/baselines/cis_lvl2.yaml 
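Review bot: The `macos` section of this baseline omits `os_system_wide_applications`, `os_world_writable_library_folder_configure` and `os_world_writable_system_folder_configure`, although [PATCH 102] earlier in this series tags all three `cis_lvl1`; if the tag is meant to be the source of truth this list should include them, and the same omission appears in `cis_lvl2.yaml` in the next file. The `title:` is identical to the Level 2 baseline (`macOS 12.0: Security Configuration - CIS Benchmarks`), so the two generated guides can only be told apart by their description; putting the level in the title, e.g. `title: "macOS 12.0: Security Configuration - CIS Benchmarks (Level 1)"`, avoids that.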
@@ -0,0 +1,122 @@ +title: "macOS 12.0: Security Configuration - CIS Benchmarks" +description: | + This guide describes the actions to take when securing a macOS 12.0 system against the CIS Benchmarks (Level 1 and 2) +authors: | + The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) + |=== + |Edward Byrd|Center for Internet Security + |Ron Colvin|Center for Internet Security + |=== +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure_sixty_days + - section: "macos" + rules: + - os_airdrop_disable + - os_authenticated_root_enable + - os_bonjour_disable + - os_config_data_install_enforce + - os_efi_integrity_validated + - os_firewall_log_enable + - os_gatekeeper_enable + - os_guest_folder_removed + - os_hibernate_mode_destroyfvkeyonstandby_enable + - os_hibernate_mode_enable + - os_home_folders_secure + - os_httpd_disable + - os_install_log_retention_configure + - os_library_validation_enabled + - os_mobile_file_integrity_enable + - os_nfsd_disable + - os_password_hint_remove + - os_policy_banner_loginwindow_enforce + - os_root_disable + - os_safari_open_safe_downloads_disable + - os_show_filename_extensions_enable + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_sudoers_tty_configure + - os_terminal_secure_keyboard_enable + - os_time_offset_limit_configure + - os_unlock_active_user_session_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_lockout_enforce_five + - pwpolicy_alpha_numeric_enforce + - 
pwpolicy_history_enforce_fifteen + - pwpolicy_lower_case_character_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_special_character_enforce + - pwpolicy_upper_case_character_enforce + - section: "icloud" + rules: + - icloud_sync_disable + - section: "systempreferences" + rules: + - sysprefs_airplay_receiver_disable + - sysprefs_automatic_login_disable + - sysprefs_bluetooth_menu_enable + - sysprefs_bluetooth_sharing_disable + - sysprefs_bluetooth_unpaired_disable + - sysprefs_cd_dvd_sharing_disable + - sysprefs_content_caching_disable + - sysprefs_critical_update_install_enforce + - sysprefs_diagnostics_reports_disable + - sysprefs_filevault_enforce + - sysprefs_firewall_enable + - sysprefs_firewall_stealth_mode_enable + - sysprefs_guest_access_smb_disable + - sysprefs_guest_account_disable + - sysprefs_hot_corners_secure + - sysprefs_install_macos_updates_enforce + - sysprefs_internet_sharing_disable + - sysprefs_location_services_audit + - sysprefs_location_services_enable + - sysprefs_loginwindow_loginwindowtext_enable + - sysprefs_loginwindow_prompt_username_password_enforce + - sysprefs_media_sharing_disabled + - sysprefs_password_hints_disable + - sysprefs_personalized_advertising_disable + - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable + - sysprefs_rae_disable + - sysprefs_remote_management_disable + - sysprefs_screen_sharing_disable + - sysprefs_screensaver_ask_for_password_delay_enforce + - sysprefs_screensaver_timeout_enforce + - sysprefs_smbd_disable + - sysprefs_software_update_app_update_enforce + - sysprefs_software_update_download_enforce + - sysprefs_software_update_enforce + - sysprefs_softwareupdate_current + - sysprefs_ssh_disable + - sysprefs_system_wide_preferences_configure + - sysprefs_time_machine_auto_backup_enable + - sysprefs_time_machine_encrypted_configure + - sysprefs_time_server_configure + - sysprefs_time_server_enforce + - sysprefs_wake_network_access_disable + - sysprefs_wifi_menu_enable + - section: 
"Supplemental" + rules: + - supplemental_cis_manual + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard From b91037994a745c5868867b26d295bdfc6af80b91 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 20 Jan 2022 14:42:50 -0500 Subject: [PATCH 105/193] fixed typo --- rules/os/os_world_writable_library_folder_configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_world_writable_library_folder_configure.yml b/rules/os/os_world_writable_library_folder_configure.yml index d2d57cbef..5838fcd81 100644 --- a/rules/os/os_world_writable_library_folder_configure.yml +++ b/rules/os/os_world_writable_library_folder_configure.yml @@ -3,7 +3,7 @@ title: "Ensure No World Writable Files Exist in the Library Folder" discussion: | Folders in /System/Volumes/Data/Library _MUST_ not be world-writable. - NOTE: Some vendors are known to create world-wriatable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. + NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. check: | /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs result: From 3da63675bc08bdd834fb982071884c188fb0584e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 26 Jan 2022 11:06:00 -0500 Subject: [PATCH 106/193] fixed mobileconfig from false to true --- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 3850552c9..ba402f319 100644 
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -31,7 +31,7 @@ macOS:
 tags:
 - cis_lvl1
 - cis_lvl2
-mobileconfig: false
+mobileconfig: true
 mobileconfig_info:
 com.apple.MCX:
 DestroyFVKeyOnStandby: true
From f4f3c80be5bdbd38e8c25880f3449c3e92b81b9c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 26 Jan 2022 11:22:11 -0500 Subject: [PATCH 107/193] added info on unsupported checks --- scripts/generate_oval.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py
index da07ef939..286553217 100755
--- a/scripts/generate_oval.py
+++ b/scripts/generate_oval.py
@@ -87,14 +87,22 @@ def main():
 rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
 if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']:
 continue
+ if "time_machine" in rule_yaml['id'] and "encrypted" in rule_yaml['id']:
+ print(rule_yaml['id'] + " - Manual Check Required")
+ continue
+ if "bluetooth" in rule_yaml['id'] and "unpaired" in rule_yaml['id']:
+ print(rule_yaml['id'] + " - Manual Check Required")
+ continue
 if rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']:
 print(rule_yaml['id'] + " - Manual Check")
 continue
 if "manual" in rule_yaml['tags']:
 print(rule_yaml['id'] + " - Manual Check")
 continue
-
- if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check']:
+ if "eficheck" in rule_yaml['check']:
+ print(rule_yaml['id'] + " - eficheck - no relevant oval")
+ continue
+ if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check'] or "aslmanager" in rule_yaml['check']:
 print(rule_yaml['id'] + " - Manual Check Required")
 continue
 if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']:
From efb8b9b863fd3d7a3a38b016a41190192a616d7e Mon Sep 17 00:00:00 2001
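Review bot: The two new `rule_yaml['id']` substring tests (`"time_machine" ... "encrypted"`, `"bluetooth" ... "unpaired"`) hard-code rule identity into the generator, while the existing `if "manual" in rule_yaml['tags']` branch a few lines below already provides a data-driven way to mark a rule as needing a manual check; adding `manual` to those two rules' `tags:` would make the special cases unnecessary and stop this function growing a new `if` per rule. If the generator must stay in control, a module-level tuple of ids tested with `if rule_yaml['id'] in MANUAL_CHECK_IDS:` (name constructed) keeps the list in one place. The `eficheck` branch likewise matches `rule_yaml['check']` by substring, which is fine, but a comment such as `# eficheck output has no OVAL equivalent` would tell readers why it is skipped. main() continues outside the hunk.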
From: Bob Gendler Date: Thu, 27 Jan 2022 09:26:47 -0500 Subject: [PATCH 108/193] added oval generation for hibernate --- scripts/generate_oval.py | 115 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 114 insertions(+), 1 deletion(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 286553217..8c22b9c2d 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
@@ -636,6 +636,119 @@ def main(): print(rule_yaml['id'] + " - No relevant oval test") x += 1 continue + + + if "pmset" in command[3] and "standby" in rule_yaml['check']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) + + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x,x) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) + + oval_test = oval_test + ''' + + + + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) + + + standbydelayhigh = str() + standbydelaylow = str() + highstandbythreshold = str() + + for line in rule_yaml['fix'].split("----")[1].split("\n"): + if line == "": + continue + if "standbydelayhigh" in line: + standbydelayhigh = line.split(" ")[-1].rstrip() + if "standbydelaylow" in line: + standbydelaylow = line.split(" ")[-1].rstrip() + if "highstandbythreshold" in line: + highstandbythreshold = line.split(" ")[-1].rstrip() + + oval_object = oval_object + ''' + + SPHardwareDataType + + //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() + '''.format("hardware UUID",x+999) + + oval_variable = oval_variable + ''' + + + /Library/Preferences/com.apple.PowerManagement. 
+ + .plist + + '''.format(x,x+999) + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("High Standby Delay",standbydelayhigh) + + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("Standby Delay",standbydelaylow) + + oval_object = oval_object + ''' + + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) + + oval_object = oval_object + ''' + boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") + '''.format("Standby Battery Threshold",highstandbythreshold) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_standbydelayhigh",x) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_standbydelaylow",x+877) + + oval_state = oval_state + ''' + + true + '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888) + + x += 1 + continue + + + if "pmset" in command[3]: oval_definition = oval_definition + ''' @@ -656,7 +769,7 @@ def main(): '''.format(rule_yaml['id'],x,x,x) - + oval_object = oval_object + ''' /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'],x) From 3779e086c8a19caa56140678aecf9560738ecaf4 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 27 Jan 2022 11:43:20 -0500 Subject: [PATCH 109/193] added folder check --- scripts/generate_oval.py | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 8c22b9c2d..41b80c586 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
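Review bot: The three standby tests reuse the per-rule counter with fixed offsets (`x`, `x+877`, `x+888`, and `x+999` for the UUID object), so if `x` is the running id counter that `x += 1` advances once per rule, the rule processed 877 rules later will emit the same test id as this rule's `_standbydelaylow` test and the OVAL document will contain duplicate ids. Advancing one counter per emitted object (or reserving the ids here with `x += 4` instead of `x += 1`) avoids the collision. The generated objects also only inspect `plist/dict[key="AC Power"]`, whereas the rule's fix applies `pmset -a` to every power source; if battery-profile values are meant to be verified too, that is not covered here. Much of the template text in this hunk appears to have been stripped in rendering, so the XML itself could not be reviewed, and the enclosing main() continues outside the hunk.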
@@ -96,6 +96,9 @@ def main(): if rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']: print(rule_yaml['id'] + " - Manual Check") continue + if "hint" in rule_yaml['check'] and "dscl" in rule_yaml['check']: + print(rule_yaml['id'] + " - no relevant oval") + continue if "manual" in rule_yaml['tags']: print(rule_yaml['id'] + " - Manual Check") continue @@ -1371,12 +1374,42 @@ def main(): '''.format(rule_yaml['id'],x,key) x += 1 continue + if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) + oval_test = oval_test + ''' + + + '''.format(x,rule_yaml['id'],x) + + path = rule_yaml['fix'].split("----")[1].split(" ")[-1] + + oval_object = oval_object + ''' + + {} + + '''.format(x,rule_yaml['id'],path.rstrip()) + + continue + + if "ls" in command[2] or "stat" in command[3].split()[0]: if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: oval_definition = oval_definition + ''' - + {} @@ -1413,6 +1446,7 @@ def main(): config_file = str() oval_variable_need = bool() if "grep" in s.split()[3]: + print(s.split()[3]) oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) From 9e8fd4a2749e60d9800af90987b31be4f2345c76 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 27 Jan 2022 12:05:08 -0500 Subject: [PATCH 110/193] added note about rules with find --- scripts/generate_oval.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 41b80c586..fc1cfbe18 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
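Review bot: The new `/bin/rm`/`/bin/ls` branch in the second hunk ends with a bare `continue` and never increments `x`, unlike the branch immediately above it (`x += 1` then `continue`), so the next rule processed will emit a definition, test and object with the same id number as this one; add `x += 1` before the `continue`. The third hunk adds `print(s.split()[3])`, which looks like a leftover debugging print and should be removed. `path = rule_yaml['fix'].split("----")[1].split(" ")[-1]` assumes the target path is the last whitespace-separated token of the whole fix block, which silently picks the wrong string if the fix ever gains a trailing comment or a second command; a comment stating that assumption, or parsing the `/bin/rm` line specifically, would make it less brittle. main() continues outside these hunks.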
@@ -111,6 +111,9 @@ def main(): if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") continue + if "find" in rule_yaml['check'].split(" ")[0]: + print(rule_yaml['id'] + " - no relevant oval") + continue if "os_home_folders_secure" in rule_file: oval_definition = oval_definition + ''' From aa260790b9b730658cea8bcb362d478fb2d11927 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 3 Feb 2022 15:54:20 -0500 Subject: [PATCH 111/193] migrated to new checks --- rules/audit/audit_auditd_enabled.yaml | 2 +- rules/icloud/icloud_calendar_disable.yaml | 13 ++++++++----- rules/os/os_appleid_prompt_disable.yaml | 7 +++++-- rules/os/os_calendar_app_disable.yaml | 15 ++++++++++++++- rules/os/os_facetime_app_disable.yaml | 15 ++++++++++++++- rules/os/os_filevault_autologin_disable.yaml | 7 +++++-- rules/os/os_firewall_log_enable.yaml | 16 ++++++++++++++-- rules/os/os_gatekeeper_rearm.yaml | 7 +++++-- rules/os/os_ir_support_disable.yaml | 7 +++++-- rules/os/os_mail_app_disable.yaml | 15 ++++++++++++++- rules/os/os_messages_app_disable.yaml | 15 ++++++++++++++- rules/os/os_removable_media_disable.yaml | 7 +++++-- rules/os/os_skip_unlock_with_watch_enable.yaml | 7 +++++-- .../os/os_user_app_installation_prohibit.yaml | 15 ++++++++++++++- .../pwpolicy_alpha_numeric_enforce.yaml | 7 +++++-- rules/pwpolicy/pwpolicy_history_enforce.yaml | 5 ++++- .../pwpolicy_simple_sequence_disable.yaml | 7 +++++-- .../pwpolicy_special_character_enforce.yaml | 5 ++++- rules/sysprefs/sysprefs_bluetooth_disable.yaml | 7 +++++-- .../sysprefs_diagnostics_reports_disable.yaml | 16 ++++++++++++++-- .../sysprefs_media_sharing_disabled.yaml | 18 ++++++++++++++++-- .../sysprefs/sysprefs_time_server_enforce.yaml | 7 +++++-- 22 files changed, 181 insertions(+), 39 deletions(-) diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 9fb99ced7..009a0e74a 100644 
--- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -5,7 +5,7 @@ discussion: | Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. - The content required to be captured in an audit record varies based on the impact level of an organization’s system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. + The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index c8c06ff30..b28ecd19b 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml 
@@ -1,13 +1,16 @@
 id: icloud_calendar_disable
 title: "Disable the iCloud Calendar Services"
 discussion: |
- The macOS built-in Calendar.app connection to Apple’s iCloud service _MUST_ be disabled.
+ The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled.
- Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.
-check:
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudCalendar = 0'
+ Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowCloudCalendar').js
+ EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index eeb9bdb2d..895a0280d 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -5,9 +5,12 @@ discussion: |
 macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipCloudSetup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipCloudSetup').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index 4b84c4101..c2191caf2 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -8,7 +8,20 @@ discussion: |
 Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check:
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Calendar.app"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('pathBlackList').js
+ for ( let app in pathlist ) {
+ if ( ObjC.unwrap(pathlist[app]) == "/Applications/Calendar.app" && pref1 == true ){
+ return("true")
+ }
+ }
+ return("false")
+ }
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 2557d62c5..a6dd32b79 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
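Review bot: In the os_calendar_app_disable hunk the new multi-line JXA script is placed under the unchanged plain `check:` key rather than a block scalar, so YAML reads the indented lines as one folded plain scalar and the `<< EOS` heredoc no longer has its `EOS` terminator on a line of its own; the icloud_calendar_disable hunk in this same commit makes exactly the `-check:` / `+check: |` correction, and this file needs it too. Separately, the script now returns the strings "true"/"false" while the context lines still read `result:` / `integer: 1`, so the expected value can never match the new output. The os_facetime_app_disable, os_mail_app_disable, os_messages_app_disable and os_user_app_installation_prohibit hunks carry the same stale `integer: 1`; each should read `result:` / `string: "true"` as the other converted rules in this commit do.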
@@ -5,7 +5,20 @@ discussion: |
 The FaceTime.app establishes a connection to Apple’s iCloud service, even when security controls have been put in place to disable iCloud access.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/FaceTime.app"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('pathBlackList').js
+ for ( let app in pathlist ) {
+ if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
+ return("true")
+ }
+ }
+ return("false")
+ }
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 510645fe8..b2885f91b 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -7,9 +7,12 @@ discussion: |
 NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableFDEAutoLogin = 1'
+ osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('DisableFDEAutoLogin').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 8901cd7fb..ecfa09c57 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
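Review bot: The os_filevault_autologin_disable hunk starts its check with a bare `osascript -l JavaScript << EOS`, whereas the removed line and the other converted checks in this series (icloud_calendar_disable, os_appleid_prompt_disable, os_facetime_app_disable) call tools by absolute path. A compliance check that resolves its interpreter through `PATH` reports whatever `osascript` the invoking environment finds first rather than the system one, so the line should read `/usr/bin/osascript -l JavaScript << EOS`. The same unqualified invocation appears in the os_firewall_log_enable, os_gatekeeper_rearm, os_ir_support_disable, sysprefs_bluetooth_disable, sysprefs_diagnostics_reports_disable, sysprefs_media_sharing_disabled and sysprefs_time_server_enforce hunks.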
@@ -7,9 +7,21 @@ discussion: |
 NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(EnableLogging = 1|LoggingOption = detail)'
+ osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('EnableLogging').js
+ let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
+ .objectForKey('LoggingOption').js
+ if ( pref1 == true && pref2 == "detail" ){
+ return("true")
+ } else {
+ return("false")
+ }
+ }
+ EOS
 result:
- integer: 2
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 587219c49..9e5cdcefa 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -3,9 +3,12 @@ title: "Enforce Gatekeeper 30 Day Automatic Rearm"
 discussion: |
 Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'GKAutoRearm = 1'
+ osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\
+ .objectForKey('GKAutoRearm').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index bcfd551a1..19176c887 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -7,9 +7,12 @@ discussion: |
 NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DeviceEnabled = 0'
+ osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.driver.AppleIRController')\
+ .objectForKey('DeviceEnabled').js
+ EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index fe0579ad4..3c920523f 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -10,7 +10,20 @@ discussion: |
 Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Mail.app"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('pathBlackList').js
+ for ( let app in pathlist ) {
+ if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
+ return("true")
+ }
+ }
+ return("false")
+ }
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 4432efa8a..222b2b3af 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -5,7 +5,20 @@ discussion: |
 The Messages.app establishes a connection to Apple’s iCloud service, even when security controls to disable iCloud access have been put in place.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Messages.app"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('pathBlackList').js
+ for ( let app in pathlist ) {
+ if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){
+ return("true")
+ }
+ }
+ return("false")
+ }
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index 396ee8e50..be394b20a 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -10,9 +10,12 @@ discussion: |
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep 'harddisk-external' -A3 | /usr/bin/grep -Ec "eject|alert"
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
+ .objectForKey('mount-controls').js
+ EOS
 result:
- integer: 2
+ string: "harddisk-external:deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index d94b7e591..48e664e8f 100644
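Review bot: In the os_removable_media_disable hunk the expected `string: "harddisk-external:deny"` does not look like the literal output of `.objectForKey('mount-controls').js`; the removed grep treated `mount-controls` as a nested structure (it searched three lines below the `harddisk-external` key for `eject|alert`), and the new check prints the whole object, whose rendered form presumably differs from a bare `key:value` pair. Unless the project's result matching is a substring test, this rule would report a failure on a correctly configured host; the expected string should be confirmed against the actual check output on a managed system, or the script should return an explicit "true"/"false" the way the os_firewall_log_enable check in this commit does. Note too that the removed check accepted either `eject` or `alert`, while the new expectation only admits `deny`, a narrowing that the commit message does not mention.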
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -5,9 +5,12 @@ discussion: |
 Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipUnlockWithWatch = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
+ .objectForKey('SkipUnlockWithWatch').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
index 7e8ff2f78..34d384fa0 100644
--- a/rules/os/os_user_app_installation_prohibit.yaml
+++ b/rules/os/os_user_app_installation_prohibit.yaml
@@ -5,7 +5,20 @@ discussion: |
 Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.
 check: |
- /usr/bin/profiles -P -o stdout-xml | /usr/bin/sed -n '/pathBlackList/,/key/p' | /usr/bin/grep -c "/Users/"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('familyControlsEnabled'))
+ let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
+ .objectForKey('pathBlackList').js
+ for ( let app in pathlist ) {
+ if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
+ return("true")
+ }
+ }
+ return("false")
+ }
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 2ba366f9f..1a9c3bef5 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -7,9 +7,12 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;"
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('requireAlphanumeric').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 09aac6670..3a023bb40 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -9,7 +9,10 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('pinHistory').js
+ EOS
 result:
 integer: 5
 fix: |
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index 3a41ce183..165fd2a85 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -7,9 +7,12 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('allowSimple').js
+ EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 9d9923a2b..f197c0b92 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -9,7 +9,10 @@ discussion: |
 NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
+ .objectForKey('minComplexChars').js
+ EOS
 result:
 integer: 1
 fix: |
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index b993f4f95..28f7912b9 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -8,9 +8,12 @@ discussion: |
 Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableBluetooth = 1'
+ osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
+ .objectForKey('DisableBluetooth').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index e90751a15..178fb2474 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -5,9 +5,21 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowDiagnosticSubmission = 0|AutoSubmit = 0)'
+ osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
+ .objectForKey('AutoSubmit').js
+ let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowDiagnosticSubmission').js
+ if ( pref1 == false && pref2 == false ){
+ return("true")
+ } else {
+ return("false")
+ }
+ }
+ EOS
 result:
- integer: 2
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index 85f1a8773..1384adc31 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -9,9 +9,23 @@ discussion: |
 NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 0)'
+ osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
+ .objectForKey('homeSharingUIStatus'))
+ let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
+ .objectForKey('legacySharingUIStatus'))
+ let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
+ .objectForKey('mediaSharingUIStatus'))
+ if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
+ EOS
 result:
- integer: 3
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml
index acd264193..7d4301471 100644
--- a/rules/sysprefs/sysprefs_time_server_enforce.yaml
+++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml
@@ -5,9 +5,12 @@ discussion: |
 This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'TMAutomaticTimeOnlyEnabled = 1'
+ osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\
+ .objectForKey('TMAutomaticTimeOnlyEnabled').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
From 74ed58cd2758ec6d901324414356caf3e10ae858 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 3 Feb 2022 16:29:53 -0500
Subject: [PATCH 112/193] fixed key value, jxa check
---
 rules/os/os_terminal_secure_keyboard_enable.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml
index fe133b463..cc9bd3845 100644
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -3,9 +3,12 @@ title: "Ensure Secure Keyboard Entry Terminal.app is Enabled"
 discussion: |
 Secure keyboard entry _MUST_ be enabled in Terminal.app.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SecureKeyboardEntry = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\
+ .objectForKey('SecureKeyboardEntry').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
@@ -37,4 +40,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
 com.apple.Terminal:
- SecureKeyboardEntry: false
+ SecureKeyboardEntry: true
From ec5f1f9cf039d74e540ac09b22802b996988f63c Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 3 Feb 2022 16:30:05 -0500
Subject: [PATCH 113/193] converted to jxa checks
---
 .../os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 7 +++++--
 rules/os/os_library_validation_enabled.yaml | 7 +++++--
 rules/sysprefs/sysprefs_software_update_enforce.yaml | 7 +++++--
 .../sysprefs/sysprefs_time_machine_auto_backup_enable.yaml | 7 +++++--
 4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index ba402f319..8ac79f732 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -3,9 +3,12 @@ title: "Enable DestroyFVKeyOnStandby on Hibernate"
 discussion: |
 DestroyFVKeyOnStandby on hibernate _MUST_ be enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DestroyFVKeyOnStandby = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
+ .objectForKey('DestroyFVKeyOnStandby').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 67cd82f01..1037715b6 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -3,9 +3,12 @@ title: "Enable Library Validation"
 discussion: Library validation _MUST_ be enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep 'DisableLibraryValidation = 0'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.libraryvalidation')\
+ .objectForKey('DisableLibraryValidation').js
+ EOS
 result:
- integer: 1
+ string: "false"
 fix: |
 [source,bash]
 ----
diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml
index 0bac9e49d..64dffcec7 100644
--- a/rules/sysprefs/sysprefs_software_update_enforce.yaml
+++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml
@@ -3,9 +3,12 @@ title: "Enforce Software Update Automatically"
 discussion: |
 Software Update _MUST_ be configured to enforce automatic update is enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticCheckEnabled = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
+ .objectForKey('AutomaticCheckEnabled').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml
index 72dbf7d7c..6cd1f558e 100644
--- a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml
+++ b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml
@@ -3,9 +3,12 @@ title: "Configure Time Machine for Automatic Backups"
 discussion: |
 Automatic backups _MUST_ be enabled when using Time Machine.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoBackup = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\
+ .objectForKey('AutoBackup').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
From a1e46ef003361f8feb50f0a920d04a7019856b1f Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Thu, 3 Feb 2022 17:27:49 -0500
Subject: [PATCH 114/193] result added
---
 rules/os/os_safari_open_safe_downloads_disable.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml
index c5960d2e8..d9ce5e3fc 100644
--- a/rules/os/os_safari_open_safe_downloads_disable.yaml
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -4,6 +4,8 @@ discussion: |
 Open "safe" files after downloading _MUST_ be disabled in Safari.
 check: |
 /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0'
+result:
+ integer: 1
 fix: |
 This is implemented by a Configuration Profile.
 references:
From 74e7200aa8894cfe80205e5e29c8ba7a0bbd8119 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski Date: Fri, 4 Feb 2022 17:02:36 -0500 Subject: [PATCH 115/193] Initial STIG to YAML --- baselines/all_rules.yaml | 2 +- baselines/cisv8.yaml | 2 +- rules/os/os_ess_installed.yaml | 37 ++++++++++++++++ rules/os/os_hbss_installed.yaml | 37 ---------------- rules/stig/APPL-12-000001.yml | 23 ++++++++++ rules/stig/APPL-12-000002.yml | 22 ++++++++++ rules/stig/APPL-12-000003.yml | 22 ++++++++++ rules/stig/APPL-12-000004.yml | 29 +++++++++++++ rules/stig/APPL-12-000005.yml | 32 ++++++++++++++ rules/stig/APPL-12-000006.yml | 25 +++++++++++ rules/stig/APPL-12-000007.yml | 23 ++++++++++ rules/stig/APPL-12-000011.yml | 64 +++++++++++++++++++++++++++ rules/stig/APPL-12-000012.yml | 70 ++++++++++++++++++++++++++++++ rules/stig/APPL-12-000014.yml | 45 +++++++++++++++++++ rules/stig/APPL-12-000015.yml | 23 ++++++++++ rules/stig/APPL-12-000016.yml | 20 +++++++++ rules/stig/APPL-12-000022.yml | 22 ++++++++++ rules/stig/APPL-12-000023.yml | 52 ++++++++++++++++++++++ rules/stig/APPL-12-000024.yml | 38 +++++++++++++++++ rules/stig/APPL-12-000025.yml | 60 ++++++++++++++++++++++++++ rules/stig/APPL-12-000030.yml | 33 ++++++++++++++ rules/stig/APPL-12-000031.yml | 28 ++++++++++++ rules/stig/APPL-12-000032.yml | 35 +++++++++++++++ rules/stig/APPL-12-000033.yml | 24 +++++++++++ rules/stig/APPL-12-000051.yml | 29 +++++++++++++ rules/stig/APPL-12-000052.yml | 29 +++++++++++++ rules/stig/APPL-12-000053.yml | 28 ++++++++++++ rules/stig/APPL-12-000054.yml | 60 ++++++++++++++++++++++++++ rules/stig/APPL-12-000055.yml | 60 ++++++++++++++++++++++++++ rules/stig/APPL-12-000056.yml | 59 +++++++++++++++++++++++++ rules/stig/APPL-12-001001.yml | 76 +++++++++++++++++++++++++++++++++ rules/stig/APPL-12-001002.yml | 44 +++++++++++++++++++ rules/stig/APPL-12-001003.yml | 74 ++++++++++++++++++++++++++++++++ rules/stig/APPL-12-001010.yml | 39 +++++++++++++++++ rules/stig/APPL-12-001012.yml | 29 +++++++++++++ rules/stig/APPL-12-001013.yml | 26 +++++++++++ rules/stig/APPL-12-001014.yml | 
29 +++++++++++++ rules/stig/APPL-12-001015.yml | 26 +++++++++++ rules/stig/APPL-12-001016.yml | 31 ++++++++++++++ rules/stig/APPL-12-001017.yml | 35 +++++++++++++++ rules/stig/APPL-12-001020.yml | 53 +++++++++++++++++++++++ rules/stig/APPL-12-001029.yml | 34 +++++++++++++++ rules/stig/APPL-12-001030.yml | 37 ++++++++++++++++ rules/stig/APPL-12-001031.yml | 32 ++++++++++++++ rules/stig/APPL-12-001044.yml | 44 +++++++++++++++++++ rules/stig/APPL-12-001060.yml | 47 ++++++++++++++++++++ rules/stig/APPL-12-001100.yml | 26 +++++++++++ rules/stig/APPL-12-002001.yml | 28 ++++++++++++ rules/stig/APPL-12-002003.yml | 29 +++++++++++++ rules/stig/APPL-12-002004.yml | 33 ++++++++++++++ rules/stig/APPL-12-002005.yml | 31 ++++++++++++++ rules/stig/APPL-12-002006.yml | 35 +++++++++++++++ rules/stig/APPL-12-002007.yml | 31 ++++++++++++++ rules/stig/APPL-12-002008.yml | 37 ++++++++++++++++ rules/stig/APPL-12-002009.yml | 33 ++++++++++++++ rules/stig/APPL-12-002012.yml | 31 ++++++++++++++ rules/stig/APPL-12-002013.yml | 31 ++++++++++++++ rules/stig/APPL-12-002014.yml | 31 ++++++++++++++ rules/stig/APPL-12-002015.yml | 31 ++++++++++++++ rules/stig/APPL-12-002016.yml | 31 ++++++++++++++ rules/stig/APPL-12-002017.yml | 36 ++++++++++++++++ rules/stig/APPL-12-002020.yml | 32 ++++++++++++++ rules/stig/APPL-12-002021.yml | 47 ++++++++++++++++++++ rules/stig/APPL-12-002022.yml | 35 +++++++++++++++ rules/stig/APPL-12-002031.yml | 31 ++++++++++++++ rules/stig/APPL-12-002032.yml | 34 +++++++++++++++ rules/stig/APPL-12-002035.yml | 32 ++++++++++++++ rules/stig/APPL-12-002036.yml | 32 ++++++++++++++ rules/stig/APPL-12-002037.yml | 32 ++++++++++++++ rules/stig/APPL-12-002038.yml | 29 +++++++++++++ rules/stig/APPL-12-002039.yml | 30 +++++++++++++ rules/stig/APPL-12-002040.yml | 30 +++++++++++++ rules/stig/APPL-12-002041.yml | 31 ++++++++++++++ rules/stig/APPL-12-002042.yml | 30 +++++++++++++ rules/stig/APPL-12-002043.yml | 30 +++++++++++++ rules/stig/APPL-12-002050.yml | 28 ++++++++++++ 
rules/stig/APPL-12-002051.yml | 34 +++++++++++++++ rules/stig/APPL-12-002052.yml | 34 +++++++++++++++ rules/stig/APPL-12-002053.yml | 33 ++++++++++++++ rules/stig/APPL-12-002060.yml | 28 ++++++++++++ rules/stig/APPL-12-002062.yml | 53 +++++++++++++++++++++++ rules/stig/APPL-12-002063.yml | 39 +++++++++++++++++ rules/stig/APPL-12-002064.yml | 27 ++++++++++++ rules/stig/APPL-12-002066.yml | 20 +++++++++ rules/stig/APPL-12-002068.yml | 40 +++++++++++++++++ rules/stig/APPL-12-002069.yml | 31 ++++++++++++++ rules/stig/APPL-12-002070.yml | 41 ++++++++++++++++++ rules/stig/APPL-12-003001.yml | 40 +++++++++++++++++ rules/stig/APPL-12-003007.yml | 26 +++++++++++ rules/stig/APPL-12-003008.yml | 25 +++++++++++ rules/stig/APPL-12-003009.yml | 22 ++++++++++ rules/stig/APPL-12-003010.yml | 23 ++++++++++ rules/stig/APPL-12-003011.yml | 31 ++++++++++++++ rules/stig/APPL-12-003012.yml | 19 +++++++++ rules/stig/APPL-12-003013.yml | 30 +++++++++++++ rules/stig/APPL-12-003020.yml | 36 ++++++++++++++++ rules/stig/APPL-12-003050.yml | 41 ++++++++++++++++++ rules/stig/APPL-12-003051.yml | 54 +++++++++++++++++++++++ rules/stig/APPL-12-003052.yml | 53 +++++++++++++++++++++++ rules/stig/APPL-12-004001.yml | 29 +++++++++++++ rules/stig/APPL-12-004002.yml | 30 +++++++++++++ rules/stig/APPL-12-004021.yml | 31 ++++++++++++++ rules/stig/APPL-12-005001.yml | 64 +++++++++++++++++++++++++++ rules/stig/APPL-12-005020.yml | 43 +++++++++++++++++++ rules/stig/APPL-12-005050.yml | 22 ++++++++++ rules/stig/APPL-12-005051.yml | 31 ++++++++++++++ rules/stig/APPL-12-005052.yml | 23 ++++++++++ rules/stig/APPL-12-005053.yml | 25 +++++++++++ rules/stig/APPL-12-005054.yml | 32 ++++++++++++++ rules/stig/APPL-12-005055.yml | 32 ++++++++++++++ rules/stig/APPL-12-005056.yml | 33 ++++++++++++++ rules/stig/APPL-12-005058.yml | 33 ++++++++++++++ rules/stig/APPL-12-005060.yml | 33 ++++++++++++++ rules/stig/APPL-12-005061.yml | 33 ++++++++++++++ 114 files changed, 3881 insertions(+), 39 deletions(-) create mode 100644 
rules/os/os_ess_installed.yaml delete mode 100644 rules/os/os_hbss_installed.yaml create mode 100644 rules/stig/APPL-12-000001.yml create mode 100644 rules/stig/APPL-12-000002.yml create mode 100644 rules/stig/APPL-12-000003.yml create mode 100644 rules/stig/APPL-12-000004.yml create mode 100644 rules/stig/APPL-12-000005.yml create mode 100644 rules/stig/APPL-12-000006.yml create mode 100644 rules/stig/APPL-12-000007.yml create mode 100644 rules/stig/APPL-12-000011.yml create mode 100644 rules/stig/APPL-12-000012.yml create mode 100644 rules/stig/APPL-12-000014.yml create mode 100644 rules/stig/APPL-12-000015.yml create mode 100644 rules/stig/APPL-12-000016.yml create mode 100644 rules/stig/APPL-12-000022.yml create mode 100644 rules/stig/APPL-12-000023.yml create mode 100644 rules/stig/APPL-12-000024.yml create mode 100644 rules/stig/APPL-12-000025.yml create mode 100644 rules/stig/APPL-12-000030.yml create mode 100644 rules/stig/APPL-12-000031.yml create mode 100644 rules/stig/APPL-12-000032.yml create mode 100644 rules/stig/APPL-12-000033.yml create mode 100644 rules/stig/APPL-12-000051.yml create mode 100644 rules/stig/APPL-12-000052.yml create mode 100644 rules/stig/APPL-12-000053.yml create mode 100644 rules/stig/APPL-12-000054.yml create mode 100644 rules/stig/APPL-12-000055.yml create mode 100644 rules/stig/APPL-12-000056.yml create mode 100644 rules/stig/APPL-12-001001.yml create mode 100644 rules/stig/APPL-12-001002.yml create mode 100644 rules/stig/APPL-12-001003.yml create mode 100644 rules/stig/APPL-12-001010.yml create mode 100644 rules/stig/APPL-12-001012.yml create mode 100644 rules/stig/APPL-12-001013.yml create mode 100644 rules/stig/APPL-12-001014.yml create mode 100644 rules/stig/APPL-12-001015.yml create mode 100644 rules/stig/APPL-12-001016.yml create mode 100644 rules/stig/APPL-12-001017.yml create mode 100644 rules/stig/APPL-12-001020.yml create mode 100644 rules/stig/APPL-12-001029.yml create mode 100644 rules/stig/APPL-12-001030.yml create 
mode 100644 rules/stig/APPL-12-001031.yml create mode 100644 rules/stig/APPL-12-001044.yml create mode 100644 rules/stig/APPL-12-001060.yml create mode 100644 rules/stig/APPL-12-001100.yml create mode 100644 rules/stig/APPL-12-002001.yml create mode 100644 rules/stig/APPL-12-002003.yml create mode 100644 rules/stig/APPL-12-002004.yml create mode 100644 rules/stig/APPL-12-002005.yml create mode 100644 rules/stig/APPL-12-002006.yml create mode 100644 rules/stig/APPL-12-002007.yml create mode 100644 rules/stig/APPL-12-002008.yml create mode 100644 rules/stig/APPL-12-002009.yml create mode 100644 rules/stig/APPL-12-002012.yml create mode 100644 rules/stig/APPL-12-002013.yml create mode 100644 rules/stig/APPL-12-002014.yml create mode 100644 rules/stig/APPL-12-002015.yml create mode 100644 rules/stig/APPL-12-002016.yml create mode 100644 rules/stig/APPL-12-002017.yml create mode 100644 rules/stig/APPL-12-002020.yml create mode 100644 rules/stig/APPL-12-002021.yml create mode 100644 rules/stig/APPL-12-002022.yml create mode 100644 rules/stig/APPL-12-002031.yml create mode 100644 rules/stig/APPL-12-002032.yml create mode 100644 rules/stig/APPL-12-002035.yml create mode 100644 rules/stig/APPL-12-002036.yml create mode 100644 rules/stig/APPL-12-002037.yml create mode 100644 rules/stig/APPL-12-002038.yml create mode 100644 rules/stig/APPL-12-002039.yml create mode 100644 rules/stig/APPL-12-002040.yml create mode 100644 rules/stig/APPL-12-002041.yml create mode 100644 rules/stig/APPL-12-002042.yml create mode 100644 rules/stig/APPL-12-002043.yml create mode 100644 rules/stig/APPL-12-002050.yml create mode 100644 rules/stig/APPL-12-002051.yml create mode 100644 rules/stig/APPL-12-002052.yml create mode 100644 rules/stig/APPL-12-002053.yml create mode 100644 rules/stig/APPL-12-002060.yml create mode 100644 rules/stig/APPL-12-002062.yml create mode 100644 rules/stig/APPL-12-002063.yml create mode 100644 rules/stig/APPL-12-002064.yml create mode 100644 
rules/stig/APPL-12-002066.yml create mode 100644 rules/stig/APPL-12-002068.yml create mode 100644 rules/stig/APPL-12-002069.yml create mode 100644 rules/stig/APPL-12-002070.yml create mode 100644 rules/stig/APPL-12-003001.yml create mode 100644 rules/stig/APPL-12-003007.yml create mode 100644 rules/stig/APPL-12-003008.yml create mode 100644 rules/stig/APPL-12-003009.yml create mode 100644 rules/stig/APPL-12-003010.yml create mode 100644 rules/stig/APPL-12-003011.yml create mode 100644 rules/stig/APPL-12-003012.yml create mode 100644 rules/stig/APPL-12-003013.yml create mode 100644 rules/stig/APPL-12-003020.yml create mode 100644 rules/stig/APPL-12-003050.yml create mode 100644 rules/stig/APPL-12-003051.yml create mode 100644 rules/stig/APPL-12-003052.yml create mode 100644 rules/stig/APPL-12-004001.yml create mode 100644 rules/stig/APPL-12-004002.yml create mode 100644 rules/stig/APPL-12-004021.yml create mode 100644 rules/stig/APPL-12-005001.yml create mode 100644 rules/stig/APPL-12-005020.yml create mode 100644 rules/stig/APPL-12-005050.yml create mode 100644 rules/stig/APPL-12-005051.yml create mode 100644 rules/stig/APPL-12-005052.yml create mode 100644 rules/stig/APPL-12-005053.yml create mode 100644 rules/stig/APPL-12-005054.yml create mode 100644 rules/stig/APPL-12-005055.yml create mode 100644 rules/stig/APPL-12-005056.yml create mode 100644 rules/stig/APPL-12-005058.yml create mode 100644 rules/stig/APPL-12-005060.yml create mode 100644 rules/stig/APPL-12-005061.yml
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index a7bd21359..9a272623b 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -72,7 +72,7 @@ profile:
 - os_gatekeeper_enable
 - os_gatekeeper_rearm
 - os_handoff_disable
- - os_hbss_installed
+ - os_ess_installed
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
index 913dee532..cbe30f90f 100644
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -45,7 +45,7 @@ profile:
 - os_gatekeeper_enable
 - os_gatekeeper_rearm
 - os_handoff_disable
- - os_hbss_installed
+ - os_ess_installed
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
 - os_internet_accounts_prefpane_disable
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
new file mode 100644
index 000000000..57384efc4
--- /dev/null
+++ b/rules/os/os_ess_installed.yaml
@@ -0,0 +1,37 @@
+id: os_ess_installed
+title: "Must Use ESS"
+discussion: |
+ The approved ESS solution _MUST_ be installed and configured to run.
+
+ The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET.
+check: |
+ Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system.
+ If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding.
+fix: |
+ Install the approved ESS solution onto the system.
+references:
+ cce:
+ - CCE-90930-9
+ cci:
+ - CCI-001233
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - SI-2(2)
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cisv8:
+ - 10.1
+ - 10.2
+ - 10.6
+ - 10.7
+macOS:
+ - "12.0"
+tags:
+ - manual
+ - cisv8
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml
deleted file mode 100644
index c41f86ff1..000000000
--- a/rules/os/os_hbss_installed.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: os_hbss_installed
-title: "Must Use HBSS"
-discussion: |
- The approved HBSS solution _MUST_ be installed and configured to run.
-
- The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNET.
-check: |
- Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved HBSS solution is loaded on the system.
- If the installed components of the HBSS solution are not at the DoD approved minimal versions, this is a finding.
-fix: |
- Install the approved HBSS solution onto the system.
-references:
- cce:
- - CCE-90930-9
- cci:
- - CCI-001233
- 800-53r5:
- - N/A
- 800-53r4:
- - SI-2(2)
- srg:
- - N/A
- disa_stig:
- - N/A
- cisv8:
- - 10.1
- - 10.2
- - 10.6
- - 10.7
-macOS:
- - "12.0"
-tags:
- - manual
- - cisv8
-severity: "medium"
-mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/rules/stig/APPL-12-000001.yml b/rules/stig/APPL-12-000001.yml
new file mode 100644
index 000000000..1d0510db1
--- /dev/null
+++ b/rules/stig/APPL-12-000001.yml
@@ -0,0 +1,23 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to prevent Apple Watch from terminating
+ a session lock.
+discussion: Users must be prompted to enter their passwords when unlocking the screen
+ saver. The screen saver acts as a session lock and prevents unauthorized users from
+ accessing the current user's account.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock"
+result: '[''allowAutoUnlock = 0;'', '''', ''If there is no result or "allowAutoUnlock"
+ is not set to "0", this is a finding.'']'
+fix: "This setting is enforced using the \u201CRestrictions Policy\" configuration\
+ \ profile."
+references:
+ srg:
+ - SRG-OS-000028-GPOS-00009
+ disa_stig:
+ - APPL-12-000001
+ cci:
+ - CCI-000056
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000002.yml b/rules/stig/APPL-12-000002.yml
new file mode 100644
index 000000000..ae379dc2b
--- /dev/null
+++ b/rules/stig/APPL-12-000002.yml
@@ -0,0 +1,22 @@
+rule_id: MSCP RULE
+title: The macOS system must retain the session lock until the user reestablishes
+ access using established identification and authentication procedures.
+discussion: Users must be prompted to enter their passwords when unlocking the screen
+ saver. The screen saver acts as a session lock and prevents unauthorized users from
+ accessing the current user's account.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPassword
+result: '[''If there is no result, or if "askForPassword" is not set to "1", this
+ is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000028-GPOS-00009
+ disa_stig:
+ - APPL-12-000002
+ cci:
+ - CCI-000056
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000003.yml b/rules/stig/APPL-12-000003.yml
new file mode 100644
index 000000000..abc7c0faf
--- /dev/null
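Review bot: The `result:` value in this file is a stringified Python list (`'[''allowAutoUnlock = 0;'', '''', ''If there is no result ...'']'`) rather than the result text itself, so anything that renders the rule will print list brackets and doubled quotes; it looks like the importer wrote `str(list)` into the field, and the same artifact is present in every rules/stig/APPL-12-*.yml hunk of this commit. `rule_id: MSCP RULE` is likewise an unfilled placeholder in all of these files. In this file's `fix:` the opening quote is `\u201C` while the closing one is `\"`, so the rendered text has mismatched quotes; `fix: This setting is enforced using the "Restrictions Policy" configuration profile.` would match the sibling rules.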
+++ b/rules/stig/APPL-12-000003.yml
@@ -0,0 +1,22 @@
+rule_id: MSCP RULE
+title: The macOS system must initiate the session lock no more than five seconds after
+ a screen saver is started.
+discussion: A screen saver must be enabled and set to require a password to unlock.
+ An excessive grace period impacts the ability for a session to be truly locked,
+ requiring authentication to unlock.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay
+result: '[''If there is no result, or if "askForPasswordDelay" is not set to "5.0"
+ or less, this is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000028-GPOS-00009
+ disa_stig:
+ - APPL-12-000003
+ cci:
+ - CCI-000056
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000004.yml b/rules/stig/APPL-12-000004.yml
new file mode 100644
index 000000000..4a77ae137
--- /dev/null
+++ b/rules/stig/APPL-12-000004.yml
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must initiate a session lock after a 15-minute period of inactivity.
+discussion: 'A screen saver must be enabled and set to require a password to unlock.
+ The timeout should be set to 15 minutes of inactivity. This mitigates the risk that
+ a user might forget to manually lock the screen before stepping away from the computer.
+
+
+ A session time-out lock is a temporary action taken when a user stops work and moves
+ away from the immediate physical vicinity of the information system but does not
+ log out because of the temporary nature of the absence. Rather than relying on the
+ user to manually lock their operating system session prior to vacating the vicinity,
+ operating systems need to be able to identify when a user''s session has idled and
+ take action to initiate the session lock.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowIdleTime
+result: '[''If there is no result, or if "loginWindowIdleTime" is not set to "900"
+ seconds or less, this is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000029-GPOS-00010
+ disa_stig:
+ - APPL-12-000004
+ cci:
+ - CCI-000057
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000005.yml b/rules/stig/APPL-12-000005.yml
new file mode 100644
index 000000000..8a8c0310a
--- /dev/null
+++ b/rules/stig/APPL-12-000005.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to lock the user session when a smart token
+ is removed.
+discussion: 'A session lock is a temporary action taken when a user stops work and
+ moves away from the immediate physical vicinity of the information system but does
+ not want to log out because of the temporary nature of the absence.
+
+
+ The session lock is implemented at the point where session activity can be determined.
+ Rather than be forced to wait for a period of time to expire before the user session
+ can be locked, operating systems need to provide users with the ability to manually
+ invoke a session lock so users may secure their session should they need to temporarily
+ vacate the immediate physical vicinity.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction
+ = 1;"
+result: '[''If there is no result, this is a finding.'']'
+fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\
+ \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\
+ \ provided with the STIG should be consulted to ensure continued access to the operating\
+ \ system."
+references:
+ srg:
+ - SRG-OS-000030-GPOS-00011
+ disa_stig:
+ - APPL-12-000005
+ cci:
+ - CCI-000058
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000006.yml b/rules/stig/APPL-12-000006.yml
new file mode 100644
index 000000000..9161e7d0b
--- /dev/null
+++ b/rules/stig/APPL-12-000006.yml
@@ -0,0 +1,25 @@
+rule_id: MSCP RULE
+title: The macOS system must conceal, via the session lock, information previously
+ visible on the display with a publicly viewable image.
+discussion: A default screen saver must be configured for all users, as the screen
+ saver will act as a session time-out lock for the system and must conceal the contents
+ of the screen from unauthorized users. The screen saver must not display any sensitive
+ information or reveal the contents of the locked session screen. Publicly viewable
+ images can include static or dynamic images such as patterns used with screen savers,
+ photographic images, solid colors, a clock, a battery life indicator, or a blank
+ screen.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowModulePath
+result: '[''If there is no result or defined "modulePath", this is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000031-GPOS-00012
+ disa_stig:
+ - APPL-12-000006
+ cci:
+ - CCI-000060
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-000007.yml b/rules/stig/APPL-12-000007.yml
new file mode 100644
index 000000000..3a73aa693
--- /dev/null
+++ b/rules/stig/APPL-12-000007.yml
@@ -0,0 +1,23 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable hot corners.
+discussion: Although hot corners can be used to initiate a session lock or launch
+ useful applications, they can also be configured to disable an automatic session
+ lock from initiating. Such a configuration introduces the risk that a user might
+ forget to manually lock the screen before stepping away from the computer.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep wvous
+result: '[''If the return is null, or does not equal:'', ''"wvous-bl-corner = 0'',
+ ''wvous-br-corner = 0;'', ''wvous-tl-corner = 0;'', ''wvous-tr-corner = 0;" '',
+ ''this is a finding.'']'
+fix: This setting is enforced using the "Custom Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000031-GPOS-00012
+ disa_stig:
+ - APPL-12-000007
+ cci:
+ - CCI-000060
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000011.yml b/rules/stig/APPL-12-000011.yml
new file mode 100644
index 000000000..6d2ff9d23
--- /dev/null
+++ b/rules/stig/APPL-12-000011.yml
@@ -0,0 +1,64 @@
+rule_id: MSCP RULE
+title: The macOS system must disable the SSHD service.
+discussion: "Without confidentiality and integrity protection mechanisms, unauthorized\
+ \ individuals may gain access to sensitive information via a remote access session.\n\
+ \nRemote access is access to DoD non-public information systems by an authorized\
+ \ user (or an information system) communicating through an external, non-organization-controlled\
+ \ network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\
+ \nEncryption provides a means to secure the remote connection to prevent unauthorized\
+ \ access to the data traversing the remote access connection (e.g., Remote Desktop\
+ \ Protocol [RDP]), thereby providing a degree of confidentiality. The encryption\
+ \ strength of a mechanism is selected based on the security categorization of the\
+ \ information.\n\nPrivileged access contains control and configuration information\
+ \ and is particularly sensitive, so additional protections are necessary. This is\
+ \ maintained by using cryptographic mechanisms, such as a hash function or digital\
+ \ signature, to protect integrity. \n\nNonlocal maintenance and diagnostic activities\
+ \ are those activities conducted by individuals communicating through a network,\
+ \ either an external network (e.g., the Internet) or an internal network. \n\n\
+ Use of weak or untested encryption algorithms undermines the purposes of using encryption\
+ \ to protect data. The operating system must implement cryptographic modules adhering\
+ \ to the higher standards approved by the federal government since this provides\
+ \ assurance they have been tested and validated.\n\nThe implementation of OpenSSH\
+ \ that is included with macOS does not utilize a FIPS 140-2 validated cryptographic\
+ \ module.\n\n"
+check: /bin/launchctl print-disabled system | grep sshd
+result: '[''If the results do not show "com.openssh.sshd => true", this is a finding.'']'
+fix: 'Disable the "SSHD" service by using the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.openssh.sshd
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000250-GPOS-00093
+ - SRG-OS-000033-GPOS-00014
+ - SRG-OS-000319-GPOS-00164
+ - SRG-OS-000393-GPOS-00173
+ - SRG-OS-000394-GPOS-00174
+ - SRG-OS-000112-GPOS-00057
+ - SRG-OS-000113-GPOS-00058
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SRG-OS-000425-GPOS-00189
+ - SRG-OS-000426-GPOS-00190
+ disa_stig:
+ - APPL-12-000011
+ cci:
+ - CCI-000068
+ - CCI-001453
+ - CCI-001941
+ - CCI-001942
+ - CCI-001967
+ - CCI-002418
+ - CCI-002420
+ - CCI-002421
+ - CCI-002422
+ - CCI-002890
+ - CCI-003123
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000012.yml b/rules/stig/APPL-12-000012.yml
new file mode 100644
index 000000000..a7effd866
--- /dev/null
+++ b/rules/stig/APPL-12-000012.yml
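Review bot: The `check:` line `/bin/launchctl print-disabled system | grep sshd` uses a bare `grep` where every other check in this commit spells `/usr/bin/grep`, and APPL-12-000014 likewise uses bare `sudo systemsetup ...` in its check and result text; a check that may run under a minimal or hardened `PATH` should keep the absolute-path convention, `check: /bin/launchctl print-disabled system | /usr/bin/grep sshd`. The `discussion:` string also ends in `\n\n`, which the other discussions in this commit do not carry and which will appear as trailing blank lines in generated output.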
@@ -0,0 +1,70 @@
+rule_id: MSCP RULE
+title: The macOS system must automatically remove or disable temporary and emergency
+ user accounts after 72 hours.
+discussion: 'If temporary user accounts remain active when no longer needed or for
+ an excessive period, these accounts may be targeted by attackers to gain unauthorized
+ access. To mitigate this risk, automated termination of all temporary accounts must
+ be set upon account creation.
+
+
+ Temporary accounts are established as part of normal account activation procedures
+ when there is a need for short-term accounts without the demand for immediacy in
+ account activation.
+
+
+ If temporary accounts are used, the operating system must be configured to automatically
+ terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+
+ Emergency administrator accounts are privileged accounts established in response
+ to crisis situations where the need for rapid account activation is required. Therefore,
+ emergency account activation may bypass normal account authorization processes.
+ If these accounts are automatically disabled, system maintenance during emergencies
+ may not be possible, thus adversely affecting system availability.
+
+
+ Emergency administrator accounts are different from infrequently used accounts (i.e.,
+ local logon accounts used by system administrators when network or normal logon/access
+ is not available). Infrequently used accounts also remain available and are not
+ subject to automatic termination dates. However, an emergency administrator account
+ is normally a different account created for use by vendors or system maintainers.
+
+
+ To address access requirements, many operating systems may be integrated with enterprise-level
+ authentication/access mechanisms that meet or exceed access control policy requirements.
+
+
+ '
+check: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2
+result: '[''If there is no output, and password policy is not controlled by a directory
+ service, this is a finding.'', '''', ''Otherwise, look for the line "policyCategoryAuthentication".'',
+ '''', ''In the array that follows, there should be a section that contains
+ a check that allows users to log in if "policyAttributeCurrentTime" is
+ less than the result of adding "policyAttributeCreationTime" to 72 hours (259299
+ seconds). The check might use a variable defined in its "policyParameters" section.'',
+ '''', ''If the check does not exist or if the check adds too great an amount of
+ time to "policyAttributeCreationTime", this is a finding.'']'
+fix: "This setting may be enforced using local policy or by a directory service.\n\
+ \nTo set local policy to disable a temporary or emergency user, create a plain text\
+ \ file containing the following:\n\n \n policyCategoryAuthentication\n\
+ \ \n \n policyContent\n policyAttributeCurrentTime\
+ \ < policyAttributeCreationTime+259299\n policyIdentifier\n\
+ \ Disable Tmp Accounts \n \n \n\
+ \ \n\nAfter saving the file and exiting to the command prompt, run the\
+ \ following command to load the new policy file, substituting the correct user name\
+ \ in place of \"username\" and the path to the file in place of \"/path/to/file\"\
+ .\n\n/usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file"
+references:
+ srg:
+ - SRG-OS-000002-GPOS-00002
+ - SRG-OS-000123-GPOS-00064
+ disa_stig:
+ - APPL-12-000012
+ cci:
+ - CCI-001682
+ - CCI-000016
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000014.yml b/rules/stig/APPL-12-000014.yml
new file mode 100644
index 000000000..3aa9d5fcd
--- /dev/null
+++ b/rules/stig/APPL-12-000014.yml
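Review bot: The 72-hour threshold is written as 259299 seconds in both the `result:` text and the `policyAttributeCurrentTime < policyAttributeCreationTime+259299` line of the `fix:`, but 72 hours is 259200 seconds (72 × 3600), so the policy as given keeps a temporary account alive 99 seconds longer than the rule states and a checker that compares against the stated 72 hours will disagree with the fix. The plist in the `fix:` also appears to have lost its element markup — `policyCategoryAuthentication`, `policyContent` and `policyIdentifier` stand alone separated by `\n \n`, which is what stripping tags during import would leave behind — so the file as shown is unlikely to load via `pwpolicy ... setaccountpolicies`; the markup should be restored from the source STIG before this rule is published.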
@@ -0,0 +1,45 @@
+rule_id: MSCP RULE
+title: The macOS system must, for networked systems, compare internal information
+ system clocks at least every 24 hours with a server that is synchronized to one
+ of the redundant United States Naval Observatory (USNO) time servers or a time server
+ designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning
+ System (GPS).
+discussion: "Inaccurate time stamps make it more difficult to correlate events and\
+ \ can lead to an inaccurate analysis. Determining the correct time a particular\
+ \ event occurred on a system is critical when conducting forensic analysis and investigating\
+ \ system events. Sources outside of the configured acceptable allowance (drift)\
+ \ may be inaccurate.\n\nSynchronizing internal information system clocks provides\
+ \ uniformity of time stamps for information systems with multiple system clocks\
+ \ and systems connected over a network. \n\nOrganizations should consider endpoints\
+ \ that may not have regular access to the authoritative time server (e.g., mobile,\
+ \ teleworking, and tactical endpoints).\n\n"
+check: sudo systemsetup -getusingnetworktime
+result: '[''If the following in not returned, this is a finding:'', ''Network Time:
+ On'', '''', ''To verify that an authorized Time Server is configured, run the following
+ command:'', '' sudo systemsetup -getnetworktimeserver'', '''', ''Only approved time
+ servers should be configured for use.'', '''', ''If no server is configured, or
+ if an unapproved time server is in use, this is a finding.'']'
+fix: 'To enable the TIMED service, run the following command:
+
+
+ /usr/bin/sudo systemsetup -setusingnetworktime on
+
+
+ To configure a time server, use the following command:
+
+
+ /usr/bin/sudo systemsetup -setnetworktimeserver "server"'
+references:
+ srg:
+ - SRG-OS-000355-GPOS-00143
+ - SRG-OS-000356-GPOS-00144
+ disa_stig:
+ - APPL-12-000014
+ cci:
+ - CCI-002046
+ - CCI-001891
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000015.yml b/rules/stig/APPL-12-000015.yml
new file mode 100644
index 000000000..3aa1a066d
--- /dev/null
+++ b/rules/stig/APPL-12-000015.yml
@@ -0,0 +1,23 @@
+rule_id: MSCP RULE
+title: The macOS system must utilize an ESS solution and implement all DoD required
+ modules.
+discussion: The macOS system must employ automated mechanisms to determine the state
+ of system components. The DoD requires the installation and use of an approved HBSS
+ solution to be implemented on the operating system. For additional information,
+ reference all applicable HBSS OPORDs and FRAGOs on SIPRNET.
+check: Unable to parse the check text
+result: Unable to parse the check text
+fix: Install an approved ESS solution onto the system and ensure that all components
+ are at least updated to their DoD approved minimal versions.
+references:
+ srg:
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - APPL-12-000015
+ cci:
+ - CCI-001233
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000016.yml b/rules/stig/APPL-12-000016.yml
new file mode 100644
index 000000000..5b53fc18e
--- /dev/null
+++ b/rules/stig/APPL-12-000016.yml
@@ -0,0 +1,20 @@
+rule_id: MSCP RULE
+title: The macOS system must be integrated into a directory services infrastructure.
+discussion: Distinct user account databases on each separate system cause problems
+ with username and password policy enforcement. Most approved directory services
+ infrastructure solutions allow centralized management of users and passwords.
+check: /usr/bin/dscl localhost -list . | /usr/bin/grep "Active Directory"
+result: '[''If no results are returned, this is a finding.'']'
+fix: Integrate the system into an existing directory services infrastructure.
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-000016
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: high
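Review bot: `check: Unable to parse the check text` and `result: Unable to parse the check text` in APPL-12-000015.yml are the importer's failure message committed as the rule's content, so this rule ships with no check at all; APPL-12-000022.yml in this commit carries the same two lines. The `discussion:` here still reads "approved HBSS solution" and "HBSS OPORDs" while the title and `fix:` were updated to ESS, and rules/os/os_ess_installed.yaml in this same commit already holds the ESS wording that could be reused.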
diff --git a/rules/stig/APPL-12-000022.yml b/rules/stig/APPL-12-000022.yml
new file mode 100644
index 000000000..efb9363ce
--- /dev/null
+++ b/rules/stig/APPL-12-000022.yml
@@ -0,0 +1,22 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce the limit of three consecutive invalid logon
+ attempts by a user before the user account is locked.
+discussion: By limiting the number of failed logon attempts, the risk of unauthorized
+ system access via user password guessing, otherwise known as brute forcing, is reduced.
+ Limits are imposed by locking the account.
+check: Unable to parse the check text
+result: Unable to parse the check text
+fix: This setting may be enforced using the "Passcode Policy" configuration profile
+ or by a directory service.
+references:
+ srg:
+ - SRG-OS-000329-GPOS-00128
+ disa_stig:
+ - APPL-12-000022
+ cci:
+ - CCI-002238
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000023.yml b/rules/stig/APPL-12-000023.yml
new file mode 100644
index 000000000..a6ca54eb0
--- /dev/null
+++ b/rules/stig/APPL-12-000023.yml
@@ -0,0 +1,52 @@
+rule_id: MSCP RULE
+title: The macOS system must display the Standard Mandatory DoD Notice and Consent
+ Banner before granting remote access to the operating system.
+discussion: 'Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification verbiage
+ used is consistent with applicable federal laws, Executive Orders, directives, policies,
+ regulations, standards, and guidance.
+
+
+ System use notifications are required only for access via logon interfaces with
+ human users and are not required when such human interfaces do not exist.
+
+
+ The banner must be formatted in accordance with DTM-08-060.'
+check: '# more /etc/banner'
+result: '[''The command should return the following text:'', ''"You are accessing
+ a U.S. Government (USG) Information System (IS) that is provided for USG-authorized
+ use only.'', '''', ''By using this IS (which includes any device attached to this
+ IS), you consent to the following conditions:'', '''', ''-The USG routinely intercepts
+ and monitors communications on this IS for purposes including, but not limited to,
+ penetration testing, COMSEC monitoring, network operations and defense, personnel
+ misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.'',
+ '''', ''-At any time, the USG may inspect and seize data stored on this IS.'', '''',
+ ''-Communications using, or data stored on, this IS are not private, are subject
+ to routine monitoring, interception, and search, and may be disclosed or used for
+ any USG-authorized purpose.'', '''', ''-This IS includes security measures (e.g.,
+ authentication and access controls) to protect USG interests--not for your personal
+ benefit or privacy.'', '''', ''-Notwithstanding the above, using this IS does not
+ constitute consent to PM, LE or CI investigative searching or monitoring of the
+ content of privileged communications, or work product, related to personal representation
+ or services by attorneys, psychotherapists, or clergy, and their assistants. Such
+ communications and work product are private and confidential. See User Agreement
+ for details."'', '''', ''If the operating system does not display a graphical logon
+ banner or the banner does not match the Standard Mandatory DoD Notice and Consent
+ Banner, this is a finding.'', '''', ''If the text in the "/etc/banner" file does
+ not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.'']'
+fix: 'Create a text file containing the required DoD text.
+
+
+ Name the file "banner" and place it in "/etc/".'
+references:
+ srg:
+ - SRG-OS-000023-GPOS-00006
+ disa_stig:
+ - APPL-12-000023
+ cci:
+ - CCI-000048
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000024.yml b/rules/stig/APPL-12-000024.yml
new file mode 100644
index 000000000..b5e6fbb9c
--- /dev/null
+++ b/rules/stig/APPL-12-000024.yml
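Review bot: The `check:` value `'# more /etc/banner'` keeps the shell-prompt `#` and invokes a pager, so if the tooling ever executes this string the way it does the other checks the line is a comment and `more` would block waiting for a terminal; the sibling rules use a bare absolute-path command, e.g. `check: /bin/cat /etc/banner`. APPL-12-000024.yml has the same leading `# ` in both its `check:` and the `sed` command in its `fix:`.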
@@ -0,0 +1,38 @@
+rule_id: MSCP RULE
+title: The macOS system must display the Standard Mandatory DoD Notice and Consent
+ Banner before granting access to the system via SSH.
+discussion: 'Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification verbiage
+ used is consistent with applicable federal laws, Executive Orders, directives, policies,
+ regulations, standards, and guidance.
+
+
+ System use notifications are required only for access via logon interfaces with
+ human users and are not required when such human interfaces do not exist.
+
+
+ The banner must be formatted in accordance with DTM-08-060.
+
+
+ '
+check: '# /usr/bin/grep Banner /etc/ssh/sshd_config'
+result: '[''Banner /etc/banner'', '''', ''If the sshd Banner configuration option
+ does not point to "/etc/banner", this is a finding.'']'
+fix: 'For systems that allow remote access through SSH run the following command:
+
+
+ # /usr/bin/sudo /usr/bin/sed -i.bak ''s/^#Banner.*/Banner \/etc\/banner/'' /etc/ssh/sshd_config'
+references:
+ srg:
+ - SRG-OS-000023-GPOS-00006
+ - SRG-OS-000024-GPOS-00007
+ disa_stig:
+ - APPL-12-000024
+ cci:
+ - CCI-000048
+ - CCI-000050
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000025.yml b/rules/stig/APPL-12-000025.yml
new file mode 100644
index 000000000..2663e51e6
--- /dev/null
+++ b/rules/stig/APPL-12-000025.yml
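Review bot: The check `# /usr/bin/grep Banner /etc/ssh/sshd_config` is unanchored, so the stock commented-out `#Banner none` line matches and the rule can pass on a host that shows no banner at all; anchoring it as `/usr/bin/grep '^Banner' /etc/ssh/sshd_config` makes the expected `Banner /etc/banner` line the only way to pass. The fix's `sed 's/^#Banner.*/Banner \/etc\/banner/'` only rewrites a commented line, so on a config with no `#Banner` line, or with an active `Banner none`, it is a silent no-op; the grep-then-replace-or-append pattern used by the Ciphers rule later in this series is more robust. Nothing here restarts sshd after the edit, and a macOS 12 sshd_config may also pull in `/etc/ssh/sshd_config.d/*` (confirm on a stock install), which neither the check nor the fix looks at.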
@@ -0,0 +1,60 @@ +rule_id: MSCP RULE +title: The macOS system must be configured so that any connection to the system must + display the Standard Mandatory DoD Notice and Consent Banner before granting GUI + access to the system. +discussion: 'Display of a standardized and approved use notification before granting + access to the operating system ensures privacy and security notification verbiage + used is consistent with applicable federal laws, Executive Orders, directives, policies, + regulations, standards, and guidance. + + + System use notifications are required only for access via logon interfaces with + human users and are not required when such human interfaces do not exist. + + + The banner must be formatted in accordance with DTM-08-060. + + + ' +check: /bin/ls -l /Library/Security/PolicyBanner.rtf* +result: '[''If neither "PolicyBanner.rtf" nor "PolicyBanner.rtfd" exists, this is + a finding. '', '''', ''The banner text of the document MUST read:'', '''', ''"You + are accessing a U.S. Government (USG) Information System (IS) that is provided for + USG-authorized use only. 
By using this IS (which includes any device attached to + this IS), you consent to the following conditions:'', ''-The USG routinely intercepts + and monitors communications on this IS for purposes including, but not limited to, + penetration testing, COMSEC monitoring, network operations and defense, personnel + misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.'', + ''-At any time, the USG may inspect and seize data stored on this IS.'', ''-Communications + using, or data stored on, this IS are not private, are subject to routine monitoring, + interception, and search, and may be disclosed or used for any USG authorized purpose.'', + ''-This IS includes security measures (e.g., authentication and access controls) + to protect USG interests--not for your personal benefit or privacy.'', ''-Notwithstanding + the above, using this IS does not constitute consent to PM, LE or CI investigative + searching or monitoring of the content of privileged communications, or work product, + related to personal representation or services by attorneys, psychotherapists, or + clergy, and their assistants. Such communications and work product are private and + confidential. See User Agreement for details."'', '''', ''If the text is not worded + exactly this way, this is a finding.'']' +fix: Create an RTF file containing the required text. Name the file "PolicyBanner.rtf" + or "PolicyBanner.rtfd" and place it in "/Library/Security/". +references: + srg: + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000024-GPOS-00007 + - SRG-OS-000228-GPOS-00088 + disa_stig: + - APPL-12-000025 + cci: + - CCI-000048 + - CCI-000050 + - CCI-001384 + - CCI-001385 + - CCI-001386 + - CCI-001387 + - CCI-001388 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-000030.yml b/rules/stig/APPL-12-000030.yml new file mode 100644 index 000000000..8b5788f19 --- /dev/null +++ b/rules/stig/APPL-12-000030.yml 
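Review bot: The check `/bin/ls -l /Library/Security/PolicyBanner.rtf*` only proves that a file exists, yet the result demands a word-for-word text match, so the actual comparison is left entirely to the assessor; the glob also matches unrelated names such as `PolicyBanner.rtf.bak`. A text dump the assessor can diff against the required wording would close that gap, e.g. `/usr/bin/textutil -convert txt -stdout /Library/Security/PolicyBanner.rtf` (for an `.rtfd` bundle, typically the `TXT.rtf` inside it). The fix gives no command and no ownership or permission guidance for the banner file, unlike the other rules in this batch.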
@@ -0,0 +1,33 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured so that log files must not contain access
+ control lists (ACLs).
+discussion: 'The audit service must be configured to create log files with the correct
+ permissions to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and users. If log files are set to be readable and
+ writable only by root or administrative users with sudo, the risk is mitigated.
+
+
+ '
+check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'') | /usr/bin/grep -v current'
+result: '[''In the output from the above commands, ACLs will be listed under any file
+ that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").'',
+ '''', ''If any such line exists, this is a finding.'']'
+fix: 'For any log file that contains ACLs, run the following command:
+
+
+ /usr/bin/sudo chmod -N [audit log file]'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-12-000030
+ cci:
+ - CCI-001314
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000031.yml b/rules/stig/APPL-12-000031.yml
new file mode 100644
index 000000000..b0fdfa347
--- /dev/null
+++ b/rules/stig/APPL-12-000031.yml
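Review bot: The example ACL entry in the result, `0: group:admin allow list,readattr,reaadextattr,readsecurity`, misspells the `readextattr` permission; assessors match this text against real `ls -le` output, so it should read `list,readattr,readextattr,readsecurity`. The check leaves the pass/fail decision to eyeballing the listing; on the `ls -le` format I would expect (ACL entries as indented `N: ...` lines under each file) appending `| /usr/bin/grep -Ec '^ *[0-9]+: '` turns it into a count where anything other than 0 is a finding, but confirm the format on a host before relying on it. The `$(...)` holding the `dir:` value is unquoted, so a directory path containing spaces would split into several arguments.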
@@ -0,0 +1,28 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured so that log folders must not contain access
+ control lists (ACLs).
+discussion: The audit service must be configured to create log folders with the correct
+ permissions to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and users. If log folders are set to be readable
+ and writable only by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'')'
+result: '[''In the output from the above commands, ACLs will be listed under any folder
+ that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").'',
+ '''', ''If any such line exists, this is a finding.'']'
+fix: 'For any log folder that contains ACLs, run the following command:
+
+
+ /usr/bin/sudo chmod -N [audit log folder]'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-000031
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000032.yml b/rules/stig/APPL-12-000032.yml
new file mode 100644
index 000000000..4ec6db9bc
--- /dev/null
+++ b/rules/stig/APPL-12-000032.yml
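Review bot: `awk` is the only unqualified command in the check (`| awk -F: '{print $2}'`) while `sudo`, `grep` and `ls` are absolute; a rule run under sudo should not depend on the caller's PATH, so it should be `/usr/bin/awk`. The same `reaadextattr` typo as in the log-file rule is repeated in the example output and should be `readextattr`. The wording 'any such line' refers to the indented `N: ...` ACL entries that `ls -lde` prints beneath the folder's own line; saying so explicitly stops an assessor from reading the folder's permission line itself as an ACL.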
@@ -0,0 +1,35 @@ +rule_id: MSCP RULE +title: The macOS system must be configured with dedicated user accounts to decrypt + the hard disk upon startup. +discussion: When "FileVault" and Multifactor Authentication are configured on the + operating system, a dedicated user must be configured to ensure that the implemented + Multifactor Authentication rules are enforced. If a dedicated user is not configured + to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor + Authentication rules during initial startup and first login. +check: $ sudo fdesetup list +result: "['fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A', '', 'If any unauthorized\ + \ users are listed, this is a finding.', '', 'Verify that the shell for authorized\ + \ FileVault users is set to \u201C/usr/bin/false\u201D, which prevents console logins:',\ + \ '', '$ sudo dscl . read /Users/ UserShell', '', 'UserShell: /usr/bin/false',\ + \ '', 'If the FileVault users\\' shell is not set to \"/usr/bin/false\", this is\ + \ a finding.']" +fix: "Note: In previous versions of macOS, this setting was implemented differently.\ + \ Systems that used the previous method should prepare the system for the new method\ + \ by creating a new unlock user, verifying its ability to unlock FileVault after\ + \ reboot, then deleting the old FileVault unlock user. \n\n\nDisable the login ability\ + \ of the newly created user account:\n\n$ sudo /usr/bin/dscl . change /Users/\ + \ UserShell /usr/bin/false\n\nRemove all FileVault login\ + \ access from each user account defined on the system that is not a designated FileVault\ + \ user:\n\n$ sudo fdesetup remove -user " +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-000032 + cci: + - CCI-002143 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-000033.yml b/rules/stig/APPL-12-000033.yml new file mode 100644 index 000000000..c685ece74 --- /dev/null +++ b/rules/stig/APPL-12-000033.yml 
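Review bot: The username placeholder is missing from every command in this hunk — `dscl . read /Users/ UserShell`, `dscl . change /Users/ UserShell /usr/bin/false` and `fdesetup remove -user ` all stop where a `<username>` token should be, presumably stripped as markup during conversion — so neither the check nor the fix is runnable as written. The placeholder needs restoring, e.g. `$ sudo /usr/bin/dscl . read /Users/<username> UserShell`, before this rule is consumed. Separately, `dscl . change` expects the current value followed by the new one, so even with the name restored the fix line is one argument short; `dscl . create /Users/<username> UserShell /usr/bin/false` sets the shell unconditionally and is what the fix intends.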
@@ -0,0 +1,24 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable password forwarding for FileVault2.
+discussion: When "FileVault" and Multifactor Authentication are configured on the
+ operating system, a dedicated user must be configured to ensure that the implemented
+ Multifactor Authentication rules are enforced. If a dedicated user is not configured
+ to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor
+ Authentication rules during initial startup and first login.
+check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
+ "DisableFDEAutoLogin"'
+result: '[''DisableFDEAutologin = 1;'', '''', ''If "DisableFDEAutologin" is not set
+ to a value of "1", this is a finding.'']'
+fix: This setting is enforced using the "Smart Card" configuration profile.
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-000033
+ cci:
+ - CCI-002143
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000051.yml b/rules/stig/APPL-12-000051.yml
new file mode 100644
index 000000000..e93c6c60e
--- /dev/null
+++ b/rules/stig/APPL-12-000051.yml
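Review bot: The check greps for `DisableFDEAutoLogin` (capital L) but the expected result is `DisableFDEAutologin = 1;` (lower-case l); grep is case-sensitive, so whichever spelling system_profiler actually prints, one side is wrong and the check either never matches or tells the assessor to look for a string that cannot appear. Use `/usr/bin/grep -i "DisableFDEAutoLogin"` or align both to the key exactly as it appears in the profile. The discussion is copied verbatim from APPL-12-000032 (dedicated FileVault unlock user) and never mentions the auto-login this rule disables; a sentence such as `If FileVault auto-login is not disabled, the password used to unlock the disk also logs the user into the desktop, bypassing any multifactor requirement at the login window.` would describe the actual control.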
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with the SSH daemon ClientAliveInterval
+ option set to 900 or less.
+discussion: SSH should be configured to log users out after a 15-minute interval of
+ inactivity and to wait only 30 seconds before timing out logon attempts. Terminating
+ an idle session within a short time period reduces the window of opportunity for
+ unauthorized personnel to take control of a management session enabled on the console
+ or console port that has been left unattended. In addition, quickly terminating
+ an idle session or an incomplete logon attempt will also free up resources committed
+ by the managed network element.
+check: /usr/bin/grep ^ClientAliveInterval /etc/ssh/sshd_config
+result: '[''If the setting is not "900" or less, this is a finding.'']'
+fix: 'To ensure that "ClientAliveInterval" is set correctly, run the following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*ClientAliveInterval.*/ClientAliveInterval
+ 900/'' /etc/ssh/sshd_config'
+references:
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - APPL-12-000051
+ cci:
+ - CCI-001133
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000052.yml b/rules/stig/APPL-12-000052.yml
new file mode 100644
index 000000000..61f257e11
--- /dev/null
+++ b/rules/stig/APPL-12-000052.yml
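Review bot: The pass condition `900 or less` accepts `ClientAliveInterval 0`, which in sshd means client-alive probes are never sent and the timeout this rule exists for is disabled; the result should read `If the setting is not "900" or less, or is "0", this is a finding.`. Note also that ClientAliveInterval/CountMax detect unresponsive clients rather than idle users — a client that still answers the probes is never dropped — so the 15-minute inactivity wording in the discussion overstates what the setting does. The fix `sed` is a silent no-op if no `ClientAliveInterval` line exists, and nothing restarts sshd afterwards.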
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with the SSH daemon ClientAliveCountMax
+ option set to 0.
+discussion: SSH should be configured with an Active Client Alive Maximum Count of
+ 0. Terminating an idle session within a short time period reduces the window of
+ opportunity for unauthorized personnel to take control of a management session enabled
+ on the console or console port that has been left unattended. In addition, quickly
+ terminating an idle session or an incomplete logon attempt will also free up resources
+ committed by the managed network element.
+check: /usr/bin/grep ^ClientAliveCountMax /etc/ssh/sshd_config
+result: '[''If the setting is not "ClientAliveCountMax 0", this is a finding.'']'
+fix: 'To ensure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax"
+ is set, run the following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*ClientAliveCountMax.*/ClientAliveCountMax
+ 0/'' /etc/ssh/sshd_config'
+references:
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - APPL-12-000052
+ cci:
+ - CCI-001133
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000053.yml b/rules/stig/APPL-12-000053.yml
new file mode 100644
index 000000000..9fb55cd15
--- /dev/null
+++ b/rules/stig/APPL-12-000053.yml
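Review bot: `ClientAliveCountMax 0` is very likely the wrong value for macOS 12: OpenSSH 8.2 changed `ClientAliveCountMax=0` to disable connection termination entirely (it previously dropped the session after the first unanswered probe), and macOS 12 ships an OpenSSH newer than that — please confirm with `ssh -V` on a target. If that holds, the combination this rule and APPL-12-000051 mandate never terminates a session, the opposite of the stated intent; `ClientAliveCountMax 1` with `ClientAliveInterval 900` drops an unresponsive session after roughly 15 minutes. The title, the result text and the fix's `sed` replacement (`ClientAliveCountMax 0`) would all need to change together.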
@@ -0,0 +1,28 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with the SSH daemon LoginGraceTime set
+ to 30 or less.
+discussion: SSH should be configured to log users out after a 15-minute interval of
+ inactivity and to wait only 30 seconds before timing out logon attempts. Terminating
+ an idle session within a short time period reduces the window of opportunity for
+ unauthorized personnel to take control of a management session enabled on the console
+ or console port that has been left unattended. In addition, quickly terminating
+ an idle session or an incomplete logon attempt will also free up resources committed
+ by the managed network element.
+check: /usr/bin/grep ^LoginGraceTime /etc/ssh/sshd_config
+result: '[''If the value is not set to "30" or less, this is a finding.'']'
+fix: 'To ensure that "LoginGraceTime" is configured correctly, run the following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*LoginGraceTime.*/LoginGraceTime 30/'' /etc/ssh/sshd_config'
+references:
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - APPL-12-000053
+ cci:
+ - CCI-001133
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-000054.yml b/rules/stig/APPL-12-000054.yml
new file mode 100644
index 000000000..4f133de3f
--- /dev/null
+++ b/rules/stig/APPL-12-000054.yml
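Review bot: As with ClientAliveInterval, `30 or less` accepts `LoginGraceTime 0`, which removes the limit instead of tightening it; the result should exclude zero explicitly, e.g. `If the value is not set to "30" or less, or is "0", this is a finding.`. The discussion is duplicated verbatim from APPL-12-000051 and is mostly about 15-minute idle sessions; only the clause `wait only 30 seconds before timing out logon attempts` applies here, so trimming it to that keeps the rationale honest. The `sed` fix does not restart sshd, so the new grace time applies only to connections accepted after the next restart.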
@@ -0,0 +1,60 @@ +rule_id: MSCP RULE +title: The macOS system must implement approved ciphers to protect the confidentiality + of SSH connections. +discussion: 'Unapproved mechanisms for authentication to the cryptographic module + are not verified, and therefore cannot be relied upon to provide confidentiality + or integrity, resulting in the compromise of DoD data. + + + Operating systems using encryption are required to use FIPS-compliant mechanisms + for authenticating to cryptographic modules. + + + The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 + validated cryptographic module. While the listed ciphers are FIPS 140-2 approved + algorithms, the module implementing them has not been validated. + + + By specifying a cipher list with the order of ciphers being in a "strongest to weakest" + orientation, the system will automatically attempt to use the strongest cipher for + securing SSH connections. + + + ' +check: '' +result: '['''', ''Ciphers aes256-ctr,aes192-ctr,aes128-ctr'', '''', ''If any ciphers + other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs + from the example above, or the "Ciphers" keyword is missing, this is a finding.'']' +fix: 'Configure SSH to use secure cryptographic algorithms. + + + To ensure that "Ciphers" set correctly, run the following command: + + + /usr/bin/sudo /usr/bin/grep -q ''^Ciphers'' /etc/ssh/sshd_config && /usr/bin/sudo + /usr/bin/sed -i.bak ''s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/'' /etc/ssh/sshd_config + || /usr/bin/sudo /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nCiphers + aes256-ctr,aes192-ctr,aes128-ctr''$''\n'' /etc/ssh/sshd_config + + + The SSH service must be restarted for changes to take effect.' 
+references: + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000054 + cci: + - CCI-000803 + - CCI-000068 + - CCI-003123 + - CCI-002890 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-000055.yml b/rules/stig/APPL-12-000055.yml new file mode 100644 index 000000000..e1eddc4c9 --- /dev/null +++ b/rules/stig/APPL-12-000055.yml 
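Review bot: `check: ''` is empty, so no command backs the expected result `Ciphers aes256-ctr,aes192-ctr,aes128-ctr`; the other SSH rules use a bare grep, and `/usr/bin/grep '^Ciphers' /etc/ssh/sshd_config` is the matching check here. The fix's fallback branch appends only after a line matching `Ciphers and keying` — a comment in Apple's stock sshd_config — so on a config where that comment was removed the fix changes nothing while still exiting 0; appending with `$a` (end of file) is safer. The `grep -q ... && sed ... || sed` chain also runs the append branch if the first sed fails, which would leave two `Ciphers` lines, the first of which sshd honours.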
@@ -0,0 +1,60 @@ +rule_id: MSCP RULE +title: The macOS system must use only Message Authentication Codes (MACs) employing + FIPS 140-2 validated cryptographic hash algorithms. +discussion: 'Unapproved mechanisms for authentication to the cryptographic module + are not verified, and therefore cannot be relied upon to provide confidentiality + or integrity, resulting in the compromise of DoD data. + + + Operating systems using encryption are required to use FIPS-compliant mechanisms + for authenticating to cryptographic modules. + + + The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 + validated cryptographic module. While the listed MACs are FIPS 140-2 approved algorithms, + the module implementing them has not been validated. + + + By specifying a Keyed-Hash Message Authentication Code list with the order of hashes + being in a "strongest to weakest" orientation, the system will automatically attempt + to use the strongest hash for securing SSH connections. + + + ' +check: '' +result: '['''', ''MACs hmac-sha2-512,hmac-sha2-256'', '''', ''If any hashes other + than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the + example above, or the "MACs" keyword is missing, this is a finding.'']' +fix: 'Configure SSH to use secure Keyed-Hash Message Authentication Codes. + + + To ensure that "MACs" set correctly, run the following command: + + + /usr/bin/sudo /usr/bin/grep -q ''^MACs'' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed + -i.bak ''s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/'' /etc/ssh/sshd_config || /usr/bin/sudo + /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nMACs hmac-sha2-512,hmac-sha2-256''$''\n'' + /etc/ssh/sshd_config + + + The SSH service must be restarted for changes to take effect.' 
+references: + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000055 + cci: + - CCI-000068 + - CCI-000803 + - CCI-003123 + - CCI-002890 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-000056.yml b/rules/stig/APPL-12-000056.yml new file mode 100644 index 000000000..ee27d2cf4 --- /dev/null +++ b/rules/stig/APPL-12-000056.yml 
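Review bot: The fix's replace branch writes `MACs hmac-sha2-256,hmac-sha2-512`, while the expected result and the fix's own append branch write `MACs hmac-sha2-512,hmac-sha2-256`; since the result states that a differing order "is a finding", applying this fix on a host that already has a `MACs` line produces a finding. The replacement should be `s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/`. `check: ''` is empty here as well; `/usr/bin/grep '^MACs' /etc/ssh/sshd_config` is the obvious check.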
@@ -0,0 +1,59 @@ +rule_id: MSCP RULE +title: The macOS system must implement an approved Key Exchange Algorithm. +discussion: 'Unapproved mechanisms for authentication to the cryptographic module + are not verified, and therefore cannot be relied upon to provide confidentiality + or integrity, resulting in the compromise of DoD data. + + + Operating systems using encryption are required to use FIPS-compliant mechanisms + for authenticating to cryptographic modules. + + + The implementation of OpenSSH that is included with macOS does not utilize a FIPS + 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are + FIPS 140-2 approved, the module implementing them has not been validated. + + + By specifying a Key Exchange Algorithm list with the order of hashes being in a + "strongest to weakest" orientation, the system will automatically attempt to use + the strongest Key Exchange Algorithm for securing SSH connections. + + + ' +check: '' +result: '['''', ''KexAlgorithms diffie-hellman-group-exchange-sha256'', '''', ''If + any algorithm other than "diffie-hellman-group-exchange-sha256" is listed or the + "KexAlgorithms" keyword is missing, this is a finding.'']' +fix: 'Configure SSH to use a secure Key Exchange Algorithm. + + + To ensure that "KexAlgorithms" set correctly, run the following command: + + + /usr/bin/sudo /usr/bin/grep -q ''^KexAlgorithms'' /etc/ssh/sshd_config && /usr/bin/sudo + /usr/bin/sed -i.bak ''s/^KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/'' + /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nKexAlgorithms + diffie-hellman-group-exchange-sha256''$''\n'' /etc/ssh/sshd_config + + + The SSH service must be restarted for changes to take effect.' 
+references: + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000056 + cci: + - CCI-000803 + - CCI-000068 + - CCI-002890 + - CCI-003123 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-001001.yml b/rules/stig/APPL-12-001001.yml new file mode 100644 index 000000000..53f59425f --- /dev/null +++ b/rules/stig/APPL-12-001001.yml 
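Review bot: `check: ''` is empty in this rule too, so nothing backs the expected result `KexAlgorithms diffie-hellman-group-exchange-sha256`; `/usr/bin/grep '^KexAlgorithms' /etc/ssh/sshd_config` matches the other SSH rules. The fix's append branch only fires after a line matching `Ciphers and keying`, a comment in Apple's stock sshd_config, and the `&& ... ||` chain exits 0 even when neither branch changed the file; re-running the grep after the edit, or appending with `$a` at end of file, gives a verifiable outcome. The discussion says "order of hashes" although only a single key-exchange method is allowed here, which reads as a copy-over from the MACs rule.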
@@ -0,0 +1,76 @@ +rule_id: MSCP RULE +title: The macOS system must generate audit records for all account creations, modifications, + disabling, and termination events; privileged activities or other system-level access; + all kernel module load, unload, and restart actions; all program initiations; and + organizationally defined events for all non-local maintenance and diagnostic sessions. +discussion: 'Without generating audit records that are specific to the security and + mission needs of the organization, it would be difficult to establish, correlate, + and investigate the events relating to an incident or identify those responsible + for one. Audit records can be generated from various components within the information + system (e.g., module or policy filter). If events associated with nonlocal administrative + access or diagnostic sessions are not logged, a major tool for assessing and investigating + attacks would not be available. + + + This requirement addresses auditing-related issues associated with maintenance tools + used specifically for diagnostic and repair actions on organizational information + systems. + + + Nonlocal maintenance and diagnostic activities are those activities conducted by + individuals communicating through a network, either an external network (e.g., the + internet) or an internal network. Local maintenance and diagnostic activities are + those activities carried out by individuals physically present at the information + system or information system component and not communicating across a network connection. + + + This requirement applies to hardware/software diagnostic test equipment or tools. + This requirement does not cover hardware/software components that may support information + system maintenance, yet are a part of the system, for example, the software implementing + "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring + port of an Ethernet switch. 
+ + + ' +check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control +result: '[''Administrative and Privileged access, including administrative use of + the command line tools "kextload" and "kextunload" and changes to configuration + settings are logged by way of the "ad" flag.'', '''', ''If "ad" is not listed in + the result of the check, this is a finding.'']' +fix: 'To ensure the appropriate flags are enabled for auditing, run the following + command: + + + /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,ad/'' /etc/security/audit_control; + /usr/bin/sudo /usr/sbin/audit -s + + + A text editor may also be used to implement the required updates to the "/etc/security/audit_control" + file.' +references: + srg: + - SRG-OS-000004-GPOS-00004 + - SRG-OS-000239-GPOS-00089 + - SRG-OS-000240-GPOS-00090 + - SRG-OS-000241-GPOS-00091 + - SRG-OS-000327-GPOS-00127 + - SRG-OS-000392-GPOS-00172 + - SRG-OS-000471-GPOS-00215 + - SRG-OS-000471-GPOS-00216 + - SRG-OS-000476-GPOS-00221 + - SRG-OS-000477-GPOS-00222 + disa_stig: + - APPL-12-001001 + cci: + - CCI-000018 + - CCI-000172 + - CCI-001403 + - CCI-001404 + - CCI-001405 + - CCI-002884 + - CCI-002234 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-001002.yml b/rules/stig/APPL-12-001002.yml new file mode 100644 index 000000000..5c59f7277 --- /dev/null +++ b/rules/stig/APPL-12-001002.yml 
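Review bot: The check only asks whether `ad` appears somewhere on the `flags:` line, so `-ad` (failed events only) or `^ad` (class excluded) both pass, and the fix `sed '/^flags/ s/$/,ad/'` appends `,ad` unconditionally, yielding duplicates on every re-run and `flags:,ad` on an empty flags line. A check that accepts only an un-negated class, `/usr/bin/sudo /usr/bin/grep -E '^flags:([^,]*,)*\+?ad(,|$)' /etc/security/audit_control`, and a fix guarded by the same grep (`... || /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control`) fixes both. The result text `If "ad" is not listed` would then need to say "listed without a leading `-` or `^`". The title promises kernel-module and program-initiation auditing, but the rule only asserts the `ad` class; whether that class covers `kextload` as the result claims should be confirmed against audit_class(5).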
@@ -0,0 +1,44 @@
+rule_id: MSCP RULE
+title: The macOS system must monitor remote access methods and generate audit records
+ when successful/unsuccessful attempts to access/modify privileges occur.
+discussion: 'Frequently, an attacker that successfully gains access to a system has
+ only gained access to an account with limited privileges, such as a guest account
+ or a service account. The attacker must attempt to change to another user account
+ with normal or elevated privileges in order to proceed. Without generating audit
+ records that are specific to the security and mission needs of the organization,
+ it would be difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+
+ Audit records can be generated from various components within the information system
+ (e.g., module or policy filter).
+
+
+ '
+check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
+result: '[''Attempts to log in as another user are logged by way of the "lo" flag.'',
+ '''', ''If "lo" is not listed in the result of the check, this is a finding.'']'
+fix: 'To ensure the appropriate flags are enabled for auditing, run the following
+ command:
+
+
+ /usr/bin/sudo sed -i.bak ''/^flags/ s/$/,lo/'' /etc/security/audit_control; /usr/bin/sudo
+ /usr/sbin/audit -s
+
+
+ A text editor may also be used to implement the required updates to the "/etc/security/audit_control"
+ file.'
+references:
+ srg:
+ - SRG-OS-000032-GPOS-00013
+ - SRG-OS-000462-GPOS-00206
+ disa_stig:
+ - APPL-12-001002
+ cci:
+ - CCI-000172
+ - CCI-000067
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001003.yml b/rules/stig/APPL-12-001003.yml
new file mode 100644
index 000000000..1d5efa0ad
--- /dev/null
+++ b/rules/stig/APPL-12-001003.yml
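Review bot: Same weakness as the `ad` rule: `grep ^flags` plus "lo is listed" passes on `-lo` or `^lo`, and the fix appends `,lo` even when it is already present. Here the fix also calls `sed` without a path (`/usr/bin/sudo sed -i.bak ...`) whereas APPL-12-001001 uses `/usr/bin/sed`; the two hunks should agree. Guarding the append, `/usr/bin/sudo /usr/bin/grep -Eq '^flags:([^,]*,)*\+?lo(,|$)' /etc/security/audit_control || /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control`, keeps re-runs idempotent.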
@@ -0,0 +1,74 @@
+rule_id: MSCP RULE
+title: The macOS system must initiate session audits at system startup, using internal
+ clocks with time stamps for audit records that meet a minimum granularity of one
+ second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time
+ (GMT), in order to generate audit records containing information to establish what
+ type of events occurred, the identity of any individual or process associated with
+ the event, including individual identities of group account users, establish where
+ the events occurred, source of the event, and outcome of the events including all
+ account enabling actions, full-text recording of privileged commands, and information
+ about the use of encryption for access wireless access to and from the system.
+discussion: 'Without establishing what type of events occurred, when they occurred,
+ and by whom it would be difficult to establish, correlate, and investigate the events
+ leading up to an outage or attack.
+
+
+ Audit record content that may be necessary to satisfy this requirement includes,
+ for example, time stamps, source and destination addresses, user/process identifiers,
+ event descriptions, success/fail indications, filenames involved, and access control
+ or flow control rules invoked.
+
+
+ Associating event types with detected events in the operating system audit logs
+ provides a means of investigating an attack, recognizing resource utilization or
+ capacity thresholds, or identifying an improperly configured operating system.
+
+
+ '
+check: launchctl print-disabled system| grep auditd
+result: '[''If the return is not:'', ''"com.apple.auditd" => false"'', '' the audit
+ service is disabled, and this is a finding.'']'
+fix: 'To enable the audit service, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl enable system/com.apple.auditd
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000037-GPOS-00015
+ - SRG-OS-000038-GPOS-00016
+ - SRG-OS-000039-GPOS-00017
+ - SRG-OS-000040-GPOS-00018
+ - SRG-OS-000041-GPOS-00019
+ - SRG-OS-000042-GPOS-00020
+ - SRG-OS-000042-GPOS-00021
+ - SRG-OS-000055-GPOS-00026
+ - SRG-OS-000254-GPOS-00095
+ - SRG-OS-000255-GPOS-00096
+ - SRG-OS-000303-GPOS-00120
+ - SRG-OS-000337-GPOS-00129
+ - SRG-OS-000358-GPOS-00145
+ - SRG-OS-000359-GPOS-00146
+ disa_stig:
+ - APPL-12-001003
+ cci:
+ - CCI-000159
+ - CCI-000130
+ - CCI-000131
+ - CCI-000132
+ - CCI-000133
+ - CCI-000134
+ - CCI-000135
+ - CCI-001464
+ - CCI-001487
+ - CCI-002130
+ - CCI-001914
+ - CCI-001889
+ - CCI-001890
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001010.yml b/rules/stig/APPL-12-001010.yml
new file mode 100644
index 000000000..a66837da9
--- /dev/null
+++ b/rules/stig/APPL-12-001010.yml
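Review bot: The expected result `"com.apple.auditd" => false"` carries a stray trailing quote that is not part of launchctl's output and will trip anyone matching it literally; `"com.apple.auditd" => false` is the line to expect. The check `launchctl print-disabled system| grep auditd` is also the only one in this batch with no absolute paths and no `sudo`; `/bin/launchctl print-disabled system | /usr/bin/grep auditd` matches the rest. If auditd has no entry in the disabled-services table at all (I believe print-disabled lists only services with an override — please confirm), grep prints nothing and a system that was never disabled is reported as a finding; `/bin/launchctl print system/com.apple.auditd` succeeding for a loaded service avoids that ambiguity.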
@@ -0,0 +1,39 @@
+rule_id: MSCP RULE
+title: The macOS system must shut down by default upon audit failure (unless availability
+ is an overriding concern).
+discussion: "The audit service should shut down the computer if it is unable to audit\
+ \ system events. Once audit failure occurs, user and system activity is no longer\
+ \ recorded and malicious activity could go undetected. Audit processing failures\
+ \ include software/hardware errors, failures in the audit capturing mechanisms,\
+ \ and audit storage capacity being reached or exceeded. Responses to audit failure\
+ \ depend on the nature of the failure mode.\n\nWhen availability is an overriding\
+ \ concern, other approved actions in response to an audit failure are as follows:\
+ \ \n\n(i) If the failure was caused by the lack of audit record storage capacity,\
+ \ the operating system must continue generating audit records if possible (automatically\
+ \ restarting the audit service if necessary), overwriting the oldest audit records\
+ \ in a first-in-first-out manner. \n\n(ii) If audit records are sent to a centralized\
+ \ collection server and communication with this server is lost or the server fails,\
+ \ the operating system must queue audit records locally until communication is restored\
+ \ or until the audit records are retrieved manually. Upon restoration of the connection\
+ \ to the centralized collection server, action should be taken to synchronize the\
+ \ local audit data with the collection server."
+check: sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt
+result: '[''If there is no result, this is a finding.'']'
+fix: 'Edit the "/etc/security/audit_control file" and change the value for policy
+ to include the setting "ahlt". To do this programmatically, run the following command:
+
+
+ sudo /usr/bin/sed -i.bak ''/^policy/ s/$/,ahlt/'' /etc/security/audit_control; sudo
+ /usr/sbin/audit -s'
+references:
+ srg:
+ - SRG-OS-000047-GPOS-00023
+ disa_stig:
+ - APPL-12-001010
+ cci:
+ - CCI-000140
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001012.yml b/rules/stig/APPL-12-001012.yml
new file mode 100644
index 000000000..b3ddaef6b
--- /dev/null
+++ b/rules/stig/APPL-12-001012.yml
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log files owned by root.
+discussion: The audit service must be configured to create log files with the correct
+ ownership to prevent normal users from reading audit logs. Audit logs contain sensitive
+ data about the system and users. If log files are set to only be readable and writable
+ by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'') | grep -v current'
+result: '[''The results should show the owner (third column) to be "root". '', '''',
+ ''If they do not, this is a finding.'']'
+fix: 'For any log file that returns an incorrect owner, run the following command:
+
+
+ /usr/bin/sudo chown root [audit log file]
+
+
+ [audit log file] is the full path to the log file in question.'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-001012
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001013.yml b/rules/stig/APPL-12-001013.yml
new file mode 100644
index 000000000..2ec0907ed
--- /dev/null
+++ b/rules/stig/APPL-12-001013.yml
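Review bot: The fix appends `,ahlt` to the `policy:` line unconditionally, so each run adds another `ahlt`, and it leaves the stock `cnt` flag in place although `cnt` (keep running when events cannot be recorded) is the opposite posture to `ahlt` (halt on audit failure); audit_control(5) should be checked for which takes precedence when both are present and, if `cnt` wins, the fix must strip it. Guarding the edit with the existing check, `sudo /usr/bin/grep '^policy' /etc/security/audit_control | /usr/bin/grep -q ahlt || sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control`, makes it idempotent. `sudo` is bare here while the rest of the series uses `/usr/bin/sudo`.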
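Review bot: The tail of this check, `| awk -F: '{print $2}') | grep -v current`, invokes both `awk` and `grep` without absolute paths, while the same pipeline in APPL-12-001014 spells `/usr/bin/grep -v current`; within one series the check commands should be consistently qualified. The result asks the assessor to read the third column of `ls -le` output; `/usr/bin/stat -f '%Su %N'` over the same file list prints owner and path directly and is easier to compare mechanically. The `dir:` value is expanded unquoted, so a path containing spaces would split — quoting it as `"$(...)"` costs nothing.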
@@ -0,0 +1,26 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log folders owned by root.
+discussion: The audit service must be configured to create log files with the correct
+ ownership to prevent normal users from reading audit logs. Audit logs contain sensitive
+ data about the system and about users. If log files are set to be readable and writable
+ only by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'')'
+result: '[''The results should show the owner (third column) to be "root". '', '''',
+ ''If it does not, this is a finding.'']'
+fix: 'For any log folder that has an incorrect owner, run the following command:
+
+
+ /usr/bin/sudo chown root [audit log folder]'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-001013
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001014.yml b/rules/stig/APPL-12-001014.yml
new file mode 100644
index 000000000..79d61d61f
--- /dev/null
+++ b/rules/stig/APPL-12-001014.yml
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log files group-owned by wheel.
+discussion: The audit service must be configured to create log files with the correct
+ group ownership to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and users. If log files are set to be readable and
+ writable only by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'') | /usr/bin/grep -v current'
+result: '[''The results should show the group owner (fourth column) to be "wheel".
+ '', '''', ''If they do not, this is a finding.'']'
+fix: 'For any log file that returns an incorrect group owner, run the following command:
+
+
+ /usr/bin/sudo chgrp wheel [audit log file]
+
+
+ [audit log file] is the full path to the log file in question.'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-001014
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001015.yml b/rules/stig/APPL-12-001015.yml
new file mode 100644
index 000000000..9a1b07857
--- /dev/null
+++ b/rules/stig/APPL-12-001015.yml
@@ -0,0 +1,26 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log folders group-owned by wheel.
+discussion: The audit service must be configured to create log files with the correct
+ group ownership to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and about users. If log files are set to be readable
+ and writable only by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'')'
+result: '[''The results should show the group (fourth column) to be "wheel".'', '''',
+ ''If they do not, this is a finding.'']'
+fix: 'For any log folder that has an incorrect group, run the following command:
+
+
+ /usr/bin/sudo chgrp wheel [audit log folder]'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-001015
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001016.yml b/rules/stig/APPL-12-001016.yml
new file mode 100644
index 000000000..46db1d501
--- /dev/null
+++ b/rules/stig/APPL-12-001016.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log files set to mode 440 or
+ less permissive.
+discussion: The audit service must be configured to create log files with the correct
+ permissions to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and about users. If log files are set to be readable
+ and writable only by root or administrative users with sudo, the risk is mitigated.
+check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'') | /usr/bin/grep -v current'
+result: '[''The results should show the permissions (first column) to be "440" or
+ less permissive.'', '''', ''If they do not, this is a finding.'']'
+fix: 'For any log file that returns an incorrect permission value, run the following
+ command:
+
+
+ /usr/bin/sudo chmod 440 [audit log file]
+
+
+ [audit log file] is the full path to the log file in question.'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-12-001016
+ cci:
+ - CCI-000162
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001017.yml b/rules/stig/APPL-12-001017.yml
new file mode 100644
index 000000000..653e92c35
--- /dev/null
+++ b/rules/stig/APPL-12-001017.yml
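Review bot: The `result:` text asks the assessor to compare the first column of `ls -le` against `"440"`, but `ls` prints symbolic modes (for example `-r--r-----`), so the "or less permissive" comparison has to be translated by hand for every file and is easy to get wrong for mixed bits. Emitting octal directly over the same path list, e.g. `/usr/bin/stat -f '%OLp %N'`, would make the comparison mechanical and scriptable. APPL-12-001017 (L345) has the same issue with `"700"` on folders.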
@@ -0,0 +1,35 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with audit log folders set to mode 700
+ or less permissive.
+discussion: 'The audit service must be configured to create log folders with the correct
+ permissions to prevent normal users from reading audit logs. Audit logs contain
+ sensitive data about the system and users. If log folders are set to be readable
+ and writable only by root or administrative users with sudo, the risk is mitigated.
+
+
+ '
+check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control
+ | awk -F: ''{print $2}'')'
+result: '[''The results should show the permissions (first column) to be "700" or
+ less permissive.'', '''', ''If they do not, this is a finding.'']'
+fix: 'For any log folder that returns an incorrect permission value, run the following
+ command:
+
+
+ /usr/bin/sudo chmod 700 [audit log folder]'
+references:
+ srg:
+ - SRG-OS-000057-GPOS-00027
+ - SRG-OS-000058-GPOS-00028
+ - SRG-OS-000059-GPOS-00029
+ disa_stig:
+ - APPL-12-001017
+ cci:
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001020.yml b/rules/stig/APPL-12-001020.yml
new file mode 100644
index 000000000..1b5e78084
--- /dev/null
+++ b/rules/stig/APPL-12-001020.yml
@@ -0,0 +1,53 @@
+rule_id: MSCP RULE
+title: The macOS system must audit the enforcement actions used to restrict access
+ associated with changes to the system.
+discussion: "By auditing access restriction enforcement, changes to application and\
+ \ OS configuration files can be audited. Without auditing the enforcement of access\
+ \ restrictions, it will be difficult to identify attempted attacks and an audit\
+ \ trail will not be available for forensic investigation.\n\nEnforcement actions\
+ \ are the methods or mechanisms used to prevent unauthorized changes to configuration\
+ \ settings. Enforcement action methods may be as simple as denying access to a file\
+ \ based on the application of file permissions (access restriction). Audit items\
+ \ may consist of lists of actions blocked by access restrictions or changes identified\
+ \ after the fact. \n\nWithout generating audit records that are specific to the\
+ \ security and mission needs of the organization, it would be difficult to establish,\
+ \ correlate, and investigate the events relating to an incident or identify those\
+ \ responsible for one.\n\nAudit records can be generated from various components\
+ \ within the information system (e.g., module or policy filter). \n\n"
+check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
+result: '[''Enforcement actions are logged by way of the "fm" flag, which audits permission
+ changes, and "-fr" and "-fw", which denote failed attempts to read or write to a
+ file, and -fd, which audits failed file deletion.'', '''', ''If "fm", "-fr", "-fw",
+ and "-fd" are not listed in the result of the check, this is a finding.'']'
+fix: 'To set the audit flags to the recommended setting, run the following command
+ to add the flags "fm", "-fr", "-fw", and "-fd" all at once:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,fm,-fr,-fw,-fd/'' /etc/security/audit_control;
+ /usr/bin/sudo /usr/sbin/audit -s
+
+
+ A text editor may also be used to implement the required updates to the "/etc/security/audit_control"
+ file.'
+references:
+ srg:
+ - SRG-OS-000064-GPOS-00033
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
+ disa_stig:
+ - APPL-12-001020
+ cci:
+ - CCI-000172
+ - CCI-001814
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001029.yml b/rules/stig/APPL-12-001029.yml
new file mode 100644
index 000000000..658c8eccc
--- /dev/null
+++ b/rules/stig/APPL-12-001029.yml
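Review bot: The fix `sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/'` appends the four flags unconditionally, so running the remediation twice, or on a host where some of them are already configured, duplicates entries on the flags line, and the check `grep ^flags` passes regardless because it only confirms the line exists. Guarding the substitution so it fires only when the tokens are missing, e.g. `'/^flags/{/fm,-fr,-fw,-fd/!s/$/,fm,-fr,-fw,-fd/;}'`, keeps it idempotent. APPL-12-001044 (L351) has the same unconditional append with `,aa`. This hunk starts on L346.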
@@ -0,0 +1,34 @@
+rule_id: MSCP RULE
+title: The macOS system must allocate audit record storage capacity to store at least
+ one week's worth of audit records when audit records are not immediately sent to
+ a central audit record storage facility.
+discussion: The audit service must be configured to require that records are kept
+ for seven days or longer before deletion when there is no central audit record storage
+ facility. When "expire-after" is set to "7d", the audit service will not delete
+ audit logs until the log data is at least seven days old.
+check: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control
+result: '[''If this returns no results, or does not contain "7d" or a larger value,
+ this is a finding.'']'
+fix: 'Edit the "/etc/security/audit_control" file and change the value for "expire-after"
+ to the amount of time audit logs should be kept for the system. Use the following
+ command to set the "expire-after" value to "7d":
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*expire-after.*/expire-after:7d/'' /etc/security/audit_control;
+ /usr/bin/sudo /usr/sbin/audit -s
+
+
+ A text editor may also be used to implement the required updates to the "/etc/security/audit_control"
+ file.'
+references:
+ srg:
+ - SRG-OS-000341-GPOS-00132
+ disa_stig:
+ - APPL-12-001029
+ cci:
+ - CCI-001849
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001030.yml b/rules/stig/APPL-12-001030.yml
new file mode 100644
index 000000000..93cf4dc7e
--- /dev/null
+++ b/rules/stig/APPL-12-001030.yml
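Review bot: The fix `sed 's/.*expire-after.*/expire-after:7d/'` rewrites any line that merely contains `expire-after`, including a commented-out one, while the check `grep ^expire-after` only reports the active directive, so a remediated comment line can leave the check failing; anchoring the substitution as `'s/^expire-after.*/expire-after:7d/'` limits the edit to the setting itself (neither form adds the directive when it is absent, which the `result:` text treats as a finding). The "7d or a larger value" criterion in `result:` also cannot be evaluated by the grep and is left to the reader. APPL-12-001030 (L349) uses the same unanchored `.*minfree.*` pattern.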
@@ -0,0 +1,37 @@
+rule_id: MSCP RULE
+title: The macOS system must provide an immediate warning to the System Administrator
+ (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated
+ audit record storage volume reaches 75 percent of repository maximum audit record
+ storage capacity.
+discussion: 'The audit service must be configured to require a minimum percentage
+ of free disk space in order to run. This ensures that audit will notify the administrator
+ that action is required to free up more disk space for audit logs.
+
+
+ When "minfree" is set to 25 percent, security personnel are notified immediately
+ when the storage volume is 75 percent full and are able to plan for audit record
+ storage capacity expansion.'
+check: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control
+result: '[''If this returns no results, or does not contain "25", this is a finding.'']'
+fix: 'Edit the "/etc/security/audit_control" file and change the value for "minfree"
+ to "25" using the following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*minfree.*/minfree:25/'' /etc/security/audit_control;
+ /usr/bin/sudo /usr/sbin/audit -s
+
+
+ A text editor may also be used to implement the required updates to the "/etc/security/audit_control
+ file".'
+references:
+ srg:
+ - SRG-OS-000343-GPOS-00134
+ disa_stig:
+ - APPL-12-001030
+ cci:
+ - CCI-001855
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001031.yml b/rules/stig/APPL-12-001031.yml
new file mode 100644
index 000000000..f630fe70e
--- /dev/null
+++ b/rules/stig/APPL-12-001031.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must provide an immediate real-time alert to the System Administrator
+ (SA) and Information System Security Officer (ISSO), at a minimum, of all audit
+ failure events requiring real-time alerts.
+discussion: The audit service should be configured to immediately print messages to
+ the console or email administrator users when an auditing failure occurs. It is
+ critical for the appropriate personnel to be aware if a system is at risk of failing
+ to process audit logs as required. Without a real-time alert, security personnel
+ may be unaware of an impending failure of the audit capability and system operation
+ may be adversely affected.
+check: /usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn
+result: '[''If the argument "-s" is missing, or if "audit_warn" has not been otherwise
+ modified to print errors to the console or send email alerts to the SA and ISSO,
+ this is a finding.'']'
+fix: 'To make "auditd" log errors to standard error as well as "syslogd", run the
+ following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/logger -p/logger -s -p/'' /etc/security/audit_warn;
+ /usr/bin/sudo /usr/sbin/audit -s'
+references:
+ srg:
+ - SRG-OS-000344-GPOS-00135
+ disa_stig:
+ - APPL-12-001031
+ cci:
+ - CCI-001858
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001044.yml b/rules/stig/APPL-12-001044.yml
new file mode 100644
index 000000000..78ce18d4e
--- /dev/null
+++ b/rules/stig/APPL-12-001044.yml
@@ -0,0 +1,44 @@
+rule_id: MSCP RULE
+title: The macOS system must generate audit records for DoD-defined events such as
+ successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts,
+ starting and ending time for user access, and concurrent logons to the same account
+ from different sources.
+discussion: 'Without generating audit records that are specific to the security and
+ mission needs of the organization, it would be difficult to establish, correlate,
+ and investigate the events relating to an incident or identify those responsible
+ for one.
+
+
+ Audit records can be generated from various components within the information system
+ (e.g., module or policy filter).
+
+
+ '
+check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
+result: '[''Logon events are logged by way of the "aa" flag.'', '''', ''If "aa" is
+ not listed in the result of the check, this is a finding.'']'
+fix: 'To ensure the appropriate flags are enabled for auditing, run the following
+ command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,aa/'' /etc/security/audit_control;
+ /usr/bin/sudo /usr/sbin/audit -s
+
+
+ A text editor may also be used to implement the required updates to the "/etc/security/audit_control"
+ file.'
+references:
+ srg:
+ - SRG-OS-000470-GPOS-00214
+ - SRG-OS-000472-GPOS-00217
+ - SRG-OS-000473-GPOS-00218
+ - SRG-OS-000475-GPOS-00220
+ disa_stig:
+ - APPL-12-001044
+ cci:
+ - CCI-000172
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001060.yml b/rules/stig/APPL-12-001060.yml
new file mode 100644
index 000000000..e5a79d45f
--- /dev/null
+++ b/rules/stig/APPL-12-001060.yml
@@ -0,0 +1,47 @@
+rule_id: MSCP RULE
+title: The macOS system must accept and verify Personal Identity Verification (PIV)
+ credentials, implement a local cache of revocation data to support path discovery
+ and validation in case of the inability to access revocation information via the
+ network, and only allow the use of DoD PKI-established certificate authorities for
+ verification of the establishment of protected sessions.
+discussion: "The use of PIV credentials facilitates standardization and reduces the\
+ \ risk of unauthorized access. \n\nWithout configuring\
+ \ a local cache of revocation data, there is the potential to allow access to users\
+ \ who are no longer authorized (users with revoked certificates). \
+ \ \n\nUntrusted Certificate Authorities (CA) can issue certificates, but they\
+ \ may be issued by organizations or individuals that seek to compromise DoD systems\
+ \ or by organizations with insufficient security controls. If the CA used for verifying\
+ \ the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\
+ \nDoD has mandated the use of the CAC to support identity management and personal\
+ \ authentication for systems covered under Homeland Security Presidential Directive\
+ \ (HSPD) 12, as well as making the CAC a primary component of layered protection\
+ \ for national security systems. \n\nThe DoD will only accept PKI-certificates\
+ \ obtained from a DoD-approved internal or external certificate authority. Reliance\
+ \ on CAs for the establishment of secure sessions includes, for example, the use\
+ \ of SSL/TLS certificates.\n\n"
+check: Unable to parse the check text
+result: Unable to parse the check text
+fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\
+ \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\
+ \ provided with the STIG should be consulted to ensure continued access to the operating\
+ \ system."
+references:
+ srg:
+ - SRG-OS-000376-GPOS-00161
+ - SRG-OS-000377-GPOS-00162
+ - SRG-OS-000384-GPOS-00167
+ - SRG-OS-000403-GPOS-00182
+ - SRG-OS-000067-GPOS-00035
+ disa_stig:
+ - APPL-12-001060
+ cci:
+ - CCI-000186
+ - CCI-001953
+ - CCI-001954
+ - CCI-001991
+ - CCI-002470
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-001100.yml b/rules/stig/APPL-12-001100.yml
new file mode 100644
index 000000000..b59e2b9f9
--- /dev/null
+++ b/rules/stig/APPL-12-001100.yml
@@ -0,0 +1,26 @@
+rule_id: MSCP RULE
+title: The macOS system must require individuals to be authenticated with an individual
+ authenticator prior to using a group authenticator.
+discussion: Administrator users must never log in directly as root. To assure individual
+ accountability and prevent unauthorized access, logging in as root over a remote
+ connection must be disabled. Administrators should only run commands as root after
+ first authenticating with their individual user names and passwords.
+check: /usr/bin/grep ^PermitRootLogin /etc/ssh/sshd_config
+result: '[''If there is no result, or the result is set to "yes", this is a finding.'']'
+fix: 'To ensure that "PermitRootLogin" is disabled by sshd, run the following command:
+
+
+ /usr/bin/sudo /usr/bin/sed -i.bak ''s/^[\#]*PermitRootLogin.*/PermitRootLogin no/''
+ /etc/ssh/sshd_config'
+references:
+ srg:
+ - SRG-OS-000109-GPOS-00056
+ disa_stig:
+ - APPL-12-001100
+ cci:
+ - CCI-000770
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002001.yml b/rules/stig/APPL-12-002001.yml
new file mode 100644
index 000000000..0f24955b4
--- /dev/null
+++ b/rules/stig/APPL-12-002001.yml
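Review bot: `check: Unable to parse the check text` and `result: Unable to parse the check text` in APPL-12-001060 are error strings from the import tooling committed as rule content, so this rule can be neither assessed nor reported, and a consumer rendering the baseline will print the parser message as if it were the procedure. Until the STIG check text is transcribed, the two fields should be left empty or state the manual step (for example `check: Verify the "Smart Card Policy" configuration profile is installed.`) so the gap is visible. The enclosing hunk starts on L352.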
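Review bot: The APPL-12-001100 fix `sed 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/'` only rewrites an existing, possibly commented, `PermitRootLogin` line and adds nothing when the directive is absent, yet `result:` declares "no result" a finding, so a stock sshd_config with no such line stays non-compliant after the remediation runs. Appending `PermitRootLogin no` when the substitution matched nothing would close that gap. The check `grep ^PermitRootLogin /etc/ssh/sshd_config` also reads only the top-level file; if the shipped configuration uses `Include` directives, the effective value is better read from `/usr/sbin/sshd -T` (key `permitrootlogin`) — worth confirming on a macOS 12 host.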
@@ -0,0 +1,28 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable SMB File Sharing unless it is
+ required.
+discussion: File Sharing is usually non-essential and must be disabled if not required.
+ Enabling any service increases the attack surface for an intruder. By disabling
+ unnecessary services, the attack surface is minimized.
+check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd
+result: '[''If the results do not show the following, this is a finding:'', '''',
+ ''"com.apple.smbd" => true'']'
+fix: 'To disable the SMB File Sharing service, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002001
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002003.yml b/rules/stig/APPL-12-002003.yml
new file mode 100644
index 000000000..2ac41f045
--- /dev/null
+++ b/rules/stig/APPL-12-002003.yml
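Review bot: `result:` expects the literal `"com.apple.smbd" => true`, but `launchctl print-disabled` on recent macOS releases appears to report entries as `=> disabled` / `=> enabled` rather than `true` / `false`; this should be confirmed on a macOS 12 host before the rule ships, since a wrong literal turns every compliant system into a finding. The check `grep com.apple.smbd` is also unanchored and would match any key containing that string, so quoting the full key as the `result:` does (`'"com.apple.smbd" =>'`) would be tighter. APPL-12-002006 (L358) uses the same `=> true` literal.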
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Network File System (NFS)
+ daemon unless it is required.
+discussion: If the system does not require access to NFS file shares or is not acting
+ as an NFS server, support for NFS is non-essential and NFS services must be disabled.
+ NFS is a network file system protocol supported by UNIX-like operating systems.
+ Enabling any service increases the attack surface for an intruder. By disabling
+ unnecessary services, the attack surface is minimized.
+check: ''
+result: '['''', ''"com.apple.nfsd" => true'']'
+fix: 'To disable the NFS daemon, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002003
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002004.yml b/rules/stig/APPL-12-002004.yml
new file mode 100644
index 000000000..76264946b
--- /dev/null
+++ b/rules/stig/APPL-12-002004.yml
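Review bot: `check: ''` is empty in APPL-12-002003, so the rule has no command to run, and the `result:` list begins with an empty element where the expected-output preamble was dropped; the parallel check from APPL-12-002001 on L354, `/bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd`, is the obvious fill. APPL-12-002004 (L356) and APPL-12-002008 (L360) have the same empty `check:`, and 002004's `result:` refers to a `LocationServicesEnabled` value that no command reads. An empty check should probably be rejected by the generator rather than emitted, since the rule silently becomes unassessable.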
@@ -0,0 +1,33 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Location Services.
+discussion: "To prevent unauthorized connection of devices, unauthorized transfer\
+ \ of information, or unauthorized tunneling (i.e., embedding of data types within\
+ \ data types), organizations must disable or restrict unused or unnecessary physical\
+ \ and logical ports/protocols on information systems.\n\nOperating systems are capable\
+ \ of providing a wide variety of functions and services. Some of the functions and\
+ \ services provided by default may not be necessary to support essential organizational\
+ \ operations. Additionally, it is sometimes convenient to provide multiple services\
+ \ from a single component (e.g., VPN and IPS); however, doing so increases risk\
+ \ over limiting the services provided by any one component. \n\nTo support the requirements\
+ \ and principles of least functionality, the operating system must support the organizational\
+ \ requirements, providing only essential capabilities and limiting the use of ports,\
+ \ protocols, and/or services to only those required, authorized, and approved to\
+ \ conduct official business or to address authorized quality-of-life issues.\n\n\
+ Location Services must be disabled."
+check: ''
+result: '['''', "If ''LocationServicesEnabled'' is not set to ''0'', this is a finding."]'
+fix: "Disable the Location Services by running the following command: \n\n/usr/bin/sudo\
+ \ /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd\
+ \ LocationServicesEnabled -bool false"
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002004
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002005.yml b/rules/stig/APPL-12-002005.yml
new file mode 100644
index 000000000..bae187756
--- /dev/null
+++ b/rules/stig/APPL-12-002005.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Bonjour multicast advertising.
+discussion: "To prevent unauthorized connection of devices, unauthorized transfer\
+ \ of information, or unauthorized tunneling (i.e., embedding of data types within\
+ \ data types), organizations must disable or restrict unused or unnecessary physical\
+ \ and logical ports/protocols on information systems.\n\nOperating systems are capable\
+ \ of providing a wide variety of functions and services. Some of the functions and\
+ \ services provided by default may not be necessary to support essential organizational\
+ \ operations. Additionally, it is sometimes convenient to provide multiple services\
+ \ from a single component (e.g., VPN and IPS); however, doing so increases risk\
+ \ over limiting the services provided by any one component. \n\nTo support the requirements\
+ \ and principles of least functionality, the operating system must support the organizational\
+ \ requirements, providing only essential capabilities and limiting the use of ports,\
+ \ protocols, and/or services to only those required, authorized, and approved to\
+ \ conduct official business or to address authorized quality of life issues.\n\n\
+ Bonjour multicast advertising must be disabled on the system."
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep NoMulticastAdvertisements
+result: '[''If the return is not, "NoMulticastAdvertisements = 1", this is a finding.'']'
+fix: This setting is enforced using the "Custom Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002005
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002006.yml b/rules/stig/APPL-12-002006.yml
new file mode 100644
index 000000000..f5ee51947
--- /dev/null
+++ b/rules/stig/APPL-12-002006.yml
@@ -0,0 +1,35 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the UUCP service.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe system must not have the UUCP service active."
+check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp
+result: '[''If the results do not show the following, this is a finding:'', '''',
+ ''"com.apple.uucp" => true'']'
+fix: 'To disable the UUCP service, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.uucp
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002006
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002007.yml b/rules/stig/APPL-12-002007.yml
new file mode 100644
index 000000000..5e26892aa
--- /dev/null
+++ b/rules/stig/APPL-12-002007.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Internet Sharing.
+discussion: "To prevent unauthorized connection of devices, unauthorized transfer\
+ \ of information, or unauthorized tunneling (i.e., embedding of data types within\
+ \ data types), organizations must disable or restrict unused or unnecessary physical\
+ \ and logical ports/protocols on information systems.\n\nOperating systems are capable\
+ \ of providing a wide variety of functions and services. Some of the functions and\
+ \ services provided by default may not be necessary to support essential organizational\
+ \ operations. Additionally, it is sometimes convenient to provide multiple services\
+ \ from a single component (e.g., VPN and IPS); however, doing so increases risk\
+ \ over limiting the services provided by any one component. \n\nTo support the requirements\
+ \ and principles of least functionality, the operating system must support the organizational\
+ \ requirements, providing only essential capabilities and limiting the use of ports,\
+ \ protocols, and/or services to only those required, authorized, and approved to\
+ \ conduct official business or to address authorized quality of life issues.\n\n\
+ Internet Sharing is non-essential and must be disabled."
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep forceInternetSharingOff
+result: '[''If the return is not, "forceInternetSharingOff = 1", this is a finding.'']'
+fix: This setting is enforced using the "Custom Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002007
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002008.yml b/rules/stig/APPL-12-002008.yml
new file mode 100644
index 000000000..63d2f1767
--- /dev/null
+++ b/rules/stig/APPL-12-002008.yml
@@ -0,0 +1,37 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Web Sharing.
+discussion: "To prevent unauthorized connection of devices, unauthorized transfer\
+ \ of information, or unauthorized tunneling (i.e., embedding of data types within\
+ \ data types), organizations must disable or restrict unused or unnecessary physical\
+ \ and logical ports/protocols on information systems.\n\nOperating systems are capable\
+ \ of providing a wide variety of functions and services. Some of the functions and\
+ \ services provided by default may not be necessary to support essential organizational\
+ \ operations. Additionally, it is sometimes convenient to provide multiple services\
+ \ from a single component (e.g., VPN and IPS); however, doing so increases risk\
+ \ over limiting the services provided by any one component. \n\nTo support the requirements\
+ \ and principles of least functionality, the operating system must support the organizational\
+ \ requirements, providing only essential capabilities and limiting the use of ports,\
+ \ protocols, and/or services to only those required, authorized, and approved to\
+ \ conduct official business or to address authorized quality of life issues.\n\n\
+ Web Sharing is non-essential and must be disabled."
+check: ''
+result: '['''', ''"org.apache.httpd" => true'']'
+fix: 'To disable Web Sharing, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/org.apache.httpd
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002008
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002009.yml b/rules/stig/APPL-12-002009.yml
new file mode 100644
index 000000000..7407e6bbf
--- /dev/null
+++ b/rules/stig/APPL-12-002009.yml
@@ -0,0 +1,33 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable AirDrop.
+discussion: "To prevent unauthorized connection of devices, unauthorized transfer\
+ \ of information, or unauthorized tunneling (i.e., embedding of data types within\
+ \ data types), organizations must disable or restrict unused or unnecessary physical\
+ \ and logical ports/protocols on information systems.\n\nOperating systems are capable\
+ \ of providing a wide variety of functions and services. Some of the functions and\
+ \ services provided by default may not be necessary to support essential organizational\
+ \ operations. Additionally, it is sometimes convenient to provide multiple services\
+ \ from a single component (e.g., VPN and IPS); however, doing so increases risk\
+ \ over limiting the services provided by any one component. \n\nTo support the requirements\
+ \ and principles of least functionality, the operating system must support the organizational\
+ \ requirements, providing only essential capabilities and limiting the use of ports,\
+ \ protocols, and/or services to only those required, authorized, and approved to\
+ \ conduct official business or to address authorized quality of life issues.\n\n\
+ AirDrop must be disabled.\n\nNote: There is a known bug in the graphical user interface\
+ \ where the user can toggle AirDrop in the UI, which indicates the service has been\
+ \ turned on, but it remains disabled if the Restrictions Profile has been applied."
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowAirDrop
+result: '[''If the return is not, "allowAirDrop = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002009
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002012.yml b/rules/stig/APPL-12-002012.yml
new file mode 100644
index 000000000..9283cb4b0
--- /dev/null
+++ b/rules/stig/APPL-12-002012.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the iCloud Calendar services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Calendar application's connections to Apple's\
+ \ iCloud must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudCalendar
+result: '[''If the return is not "allowCloudCalendar = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002012
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002013.yml b/rules/stig/APPL-12-002013.yml
new file mode 100644
index 000000000..5299b9303
--- /dev/null
+++ b/rules/stig/APPL-12-002013.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the iCloud Reminders services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Reminder application's connections to Apple's\
+ \ iCloud must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudReminders
+result: "['If the return is not \u201CallowCloudReminders = 0\u201D, this is a finding.']"
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002013
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002014.yml b/rules/stig/APPL-12-002014.yml
new file mode 100644
index 000000000..4d2683c91
--- /dev/null
+++ b/rules/stig/APPL-12-002014.yml
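Review bot: The `result` string wraps `allowCloudReminders = 0` in typographic quotes (`\u201C` / `\u201D`) while every sibling rule in this series uses straight quotes, so the rendered guidance is inconsistent and anyone pasting the expected value into a comparison gets characters the tool never emits. `result: '[''If the return is not "allowCloudReminders = 0", this is a finding.'']'` matches the others.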
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable iCloud Address Book services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Address Book(Contacts) application's connections\
+ \ to Apple's iCloud must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudAddressBook
+result: '[''If the result is not "allowCloudAddressBook = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002014
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002015.yml b/rules/stig/APPL-12-002015.yml
new file mode 100644
index 000000000..337751133
--- /dev/null
+++ b/rules/stig/APPL-12-002015.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Mail iCloud services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Mail application's connections to Apple's iCloud\
+ \ must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudMail
+result: '[''If the result is not "allowCloudMail = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002015
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002016.yml b/rules/stig/APPL-12-002016.yml
new file mode 100644
index 000000000..2c5cc4505
--- /dev/null
+++ b/rules/stig/APPL-12-002016.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the iCloud Notes services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Notes application's connections to Apple's iCloud\
+ \ must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudNotes
+result: '[''If the return is not "allowCloudNotes = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002016
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002017.yml b/rules/stig/APPL-12-002017.yml
new file mode 100644
index 000000000..b51900d00
--- /dev/null
+++ b/rules/stig/APPL-12-002017.yml
@@ -0,0 +1,36 @@
+rule_id: MSCP RULE
+title: The macOS system must cover or disable the built-in or attached camera when
+ not in use.
+discussion: 'It is detrimental for operating systems to provide, or install by default,
+ functionality exceeding requirements or mission objectives. These unnecessary capabilities
+ or services are often overlooked and therefore may remain unsecured. They increase
+ the risk to the platform by providing additional attack vectors.
+
+
+ Failing to disconnect from collaborative computing devices (i.e., cameras) can result
+ in subsequent compromises of organizational information. Providing easy methods
+ to physically disconnect from such devices after a collaborative computing session
+ helps to ensure that participants actually carry out the disconnect activity without
+ having to go through complex and tedious procedures.
+
+
+ '
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera
+result: '[''If the result is "allowCamera = 1" and the collaborative computing device
+ has not been authorized for use, this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002017
+ cci:
+ - CCI-000381
+ - CCI-001150
+ - CCI-001153
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002020.yml b/rules/stig/APPL-12-002020.yml
new file mode 100644
index 000000000..b6141d6c2
--- /dev/null
+++ b/rules/stig/APPL-12-002020.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Siri and dictation.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nSiri and dictation must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -e
+ "Assistant Allowed" -e "Ironwood Allowed"
+result: '[''If the output is not:'', ''"Assistant Allowed = 0"'', ''"Ironwood Allowed
+ = 0",'', ''this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002020
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002021.yml b/rules/stig/APPL-12-002021.yml
new file mode 100644
index 000000000..119a06713
--- /dev/null
+++ b/rules/stig/APPL-12-002021.yml
@@ -0,0 +1,47 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable sending diagnostic and usage
+ data to Apple.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe ability to submit diagnostic data to Apple must\
+ \ be disabled."
+check: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
+ allowDiagnosticSubmission
+result: '[''If "allowDiagnosticSubmission" is not set to "0", this is a finding.'',
+ '''', ''Alternately, the setting is found in System Preferences >> Security & Privacy
+ >> Privacy >> Analytics & Improvement.'', '''', ''If the box that says, "Send diagnostic
+ & usage data to Apple" is checked, this is a finding.'', ''If the box that says,
+ "Improve Siri & Dictation" is checked, this is a finding.'', ''If the box that says,
+ "Share with App Developers" is checked, this is a finding.'']'
+fix: 'This setting is enforced using the "Restrictions Policy" configuration profile.
+
+
+ The setting "Send diagnostic & usage data to Apple" can also be configured in System
+ Preferences >> Security & Privacy >> Privacy >> Analytics & Improvement.
+
+
+ Uncheck the box that says, "Share Mac Analytics".
+
+ Uncheck the box that says, "Improve Siri & Dictation".
+
+ Uncheck the box that says, "Share with App Developers".'
+references:
+ srg:
+ - SRG-OS-000096-GPOS-00050
+ disa_stig:
+ - APPL-12-002021
+ cci:
+ - CCI-000382
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002022.yml b/rules/stig/APPL-12-002022.yml
new file mode 100644
index 000000000..de4a8f5fc
--- /dev/null
+++ b/rules/stig/APPL-12-002022.yml
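Review bot: The `check` line is the only one in this series prefixed with `/usr/bin/sudo` (`/usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowDiagnosticSubmission`); the other system_profiler checks run unprivileged, so either this prefix is unnecessary here or the others are missing it, and the two should be made to agree once that is confirmed. Separately, the `result` text names the checkbox "Send diagnostic & usage data to Apple" while the `fix` text tells the reader to uncheck "Share Mac Analytics", so an assessor following one paragraph will not find the label quoted in the other; both should use the label as it appears in the pane.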
@@ -0,0 +1,35 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable Remote Apple Events.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nRemote Apple Events must be disabled."
+check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer
+result: '[''If the results do not show the following, this is a finding.'', '''',
+ ''"com.apple.AEServer" => true'']'
+fix: 'To disable Remote Apple Events, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000096-GPOS-00050
+ disa_stig:
+ - APPL-12-002022
+ cci:
+ - CCI-000382
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002031.yml b/rules/stig/APPL-12-002031.yml
new file mode 100644
index 000000000..ccb97f851
--- /dev/null
+++ b/rules/stig/APPL-12-002031.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the system preference pane for
+ Apple ID.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Apple ID System Preference Pane must be disabled."
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
+ 6 'DisabledPreferencePanes'
+result: '[''If the return is not an array, DisabledPreferencePanes, containing: "com.apple.preferences.AppleIDPrefPane",
+ this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002031
+ cci:
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-002032.yml b/rules/stig/APPL-12-002032.yml
new file mode 100644
index 000000000..8808004a0
--- /dev/null
+++ b/rules/stig/APPL-12-002032.yml
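Review bot: `/usr/bin/grep -A 6 'DisabledPreferencePanes'` prints only the six lines following the key, so on a profile that disables more than six panes the `com.apple.preferences.AppleIDPrefPane` entry the `result` text asks for can fall outside the window and be read as a finding even though the setting is enforced; the `-A 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'` check in APPL-12-002032 has the same dependency on array length. Grepping for the pane identifier itself, e.g. `/usr/bin/grep com.apple.preferences.AppleIDPrefPane`, is independent of how many panes are listed, at the cost of no longer showing which array the hit sits in. I am inferring the output layout from the check text, so this is worth confirming against a profile with several disabled panes.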
@@ -0,0 +1,34 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the system preference pane for
+ Internet Accounts.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Internet Accounts System Preference Pane must\
+ \ be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
+ 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
+result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
+ each containing: "com.apple.preferences.internetaccounts", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000370-GPOS-00155
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002032
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002035.yml b/rules/stig/APPL-12-002035.yml
new file mode 100644
index 000000000..83f4a0a64
--- /dev/null
+++ b/rules/stig/APPL-12-002035.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Cloud Setup services.
+discussion: 'It is detrimental for operating systems to provide, or install by default,
+ functionality exceeding requirements or mission objectives. These unnecessary capabilities
+ or services are often overlooked and therefore may remain unsecured. They increase
+ the risk to the platform by providing additional attack vectors.
+
+
+ Operating systems are capable of providing a wide variety of functions and services.
+ Some of the functions and services, provided by default, may not be necessary to
+ support essential organizational operations (e.g., key missions, functions).
+
+
+ Examples of non-essential capabilities include, but are not limited to, games, software
+ packages, tools, and demonstration software, not related to requirements or providing
+ a wide array of functionality not required for every mission, but which cannot be
+ disabled.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipCloudSetup
+result: '[''If the return is not "SkipCloudSetup = 1", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002035
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002036.yml b/rules/stig/APPL-12-002036.yml
new file mode 100644
index 000000000..f15ecf9d0
--- /dev/null
+++ b/rules/stig/APPL-12-002036.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Privacy Setup services.
+discussion: 'It is detrimental for operating systems to provide, or install by default,
+ functionality exceeding requirements or mission objectives. These unnecessary capabilities
+ or services are often overlooked and therefore may remain unsecured. They increase
+ the risk to the platform by providing additional attack vectors.
+
+
+ Operating systems are capable of providing a wide variety of functions and services.
+ Some of the functions and services, provided by default, may not be necessary to
+ support essential organizational operations (e.g., key missions, functions).
+
+
+ Examples of non-essential capabilities include, but are not limited to, games, software
+ packages, tools, and demonstration software, not related to requirements or providing
+ a wide array of functionality not required for every mission, but which cannot be
+ disabled.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipPrivacySetup
+result: '[''If the return is not "SkipPrivacySetup = 1", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002036
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002037.yml b/rules/stig/APPL-12-002037.yml
new file mode 100644
index 000000000..2d3a67c9d
--- /dev/null
+++ b/rules/stig/APPL-12-002037.yml
@@ -0,0 +1,32 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Cloud Storage Setup services.
+discussion: 'It is detrimental for operating systems to provide, or install by default,
+ functionality exceeding requirements or mission objectives. These unnecessary capabilities
+ or services are often overlooked and therefore may remain unsecured. They increase
+ the risk to the platform by providing additional attack vectors.
+
+
+ Operating systems are capable of providing a wide variety of functions and services.
+ Some of the functions and services, provided by default, may not be necessary to
+ support essential organizational operations (e.g., key missions, functions).
+
+
+ Examples of non-essential capabilities include, but are not limited to, games, software
+ packages, tools, and demonstration software, not related to requirements or providing
+ a wide array of functionality not required for every mission, but which cannot be
+ disabled.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipiCloudStorageSetup
+result: '[''If the return is not "SkipiCloudStorageSetup = 1", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002037
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002038.yml b/rules/stig/APPL-12-002038.yml
new file mode 100644
index 000000000..ffbfc10a3
--- /dev/null
+++ b/rules/stig/APPL-12-002038.yml
@@ -0,0 +1,29 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the tftp service.
+discussion: "The \"tftp\" service must be disabled as it sends all data in a clear-text\
+ \ form that can be easily intercepted and read. The data needs to be protected at\
+ \ all times during transmission, and encryption is the standard method for protecting\
+ \ data in transit. \n\nIf the data is not encrypted during transmission, it can\
+ \ be plainly read (i.e., clear text) and easily compromised. Disabling ftp is one\
+ \ way to mitigate this risk. Administrators should be instructed to use an alternate\
+ \ service for data transmission that uses encryption, such as SFTP.\n\nAdditionally,\
+ \ the \"tftp\" service uses UDP, which is not secure."
+check: /bin/launchctl print-disabled system | grep tftpd
+result: '[''If the results do not show the following, this is a finding:'', ''"com.apple.tftpd"
+ => true'']'
+fix: 'To disable the tfpd service, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.tftpd'
+references:
+ srg:
+ - SRG-OS-000074-GPOS-00042
+ disa_stig:
+ - APPL-12-002038
+ cci:
+ - CCI-000197
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-002039.yml b/rules/stig/APPL-12-002039.yml
new file mode 100644
index 000000000..bbdceae4b
--- /dev/null
+++ b/rules/stig/APPL-12-002039.yml
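Review bot: `check: /bin/launchctl print-disabled system | grep tftpd` is the only check in this series that calls `grep` by bare name; every other rule uses `/usr/bin/grep`, and a compliance check should not resolve its tools through the caller's PATH. `check: /bin/launchctl print-disabled system | /usr/bin/grep tftpd` matches the rest. The prose also has two slips worth fixing in the same pass: `fix` says "To disable the tfpd service" and the discussion says "Disabling ftp is one way to mitigate this risk" where the rule is about tftp.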
@@ -0,0 +1,30 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the Siri Setup services.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Siri setup pop-up must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipSiriSetup
+result: '[''If the return is not "SkipSiriSetup = 1", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002039
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002040.yml b/rules/stig/APPL-12-002040.yml
new file mode 100644
index 000000000..60d943cc5
--- /dev/null
+++ b/rules/stig/APPL-12-002040.yml
@@ -0,0 +1,30 @@
+rule_id: MSCP RULE
+title: The macOS system must disable iCloud Keychain synchronization.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nKeychain synchronization must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudKeychainSync
+result: '[''If the output is null or not "allowCloudKeychainSync = 0" this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002040
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002041.yml b/rules/stig/APPL-12-002041.yml
new file mode 100644
index 000000000..c7e5acfee
--- /dev/null
+++ b/rules/stig/APPL-12-002041.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must disable iCloud document synchronization.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\niCloud document synchronization must be disabled.\n\
+ \n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudDocumentSync
+result: '[''If the output is null or not "allowCloudDocumentSync = 0" this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002041
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002042.yml b/rules/stig/APPL-12-002042.yml
new file mode 100644
index 000000000..0cdb52742
--- /dev/null
+++ b/rules/stig/APPL-12-002042.yml
@@ -0,0 +1,30 @@
+rule_id: MSCP RULE
+title: The macOS system must disable iCloud bookmark synchronization.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\niCloud Bookmark syncing must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudBookmarks
+result: '[''If the output is null or not "allowCloudBookmarks = 0" this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002042
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002043.yml b/rules/stig/APPL-12-002043.yml
new file mode 100644
index 000000000..8e4a9bc79
--- /dev/null
+++ b/rules/stig/APPL-12-002043.yml
@@ -0,0 +1,30 @@
+rule_id: MSCP RULE
+title: The macOS system must disable iCloud photo library.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\niCloud Photo Library must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudPhotoLibrary
+result: '[''If the output is null or not "allowCloudPhotoLibrary = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002043
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002050.yml b/rules/stig/APPL-12-002050.yml
new file mode 100644
index 000000000..e4ff1d148
--- /dev/null
+++ b/rules/stig/APPL-12-002050.yml
@@ -0,0 +1,28 @@
+rule_id: MSCP RULE
+title: The macOS system must disable the Screen Sharing feature.
+discussion: The Screen Sharing feature allows remote users to view or control the
+ desktop of the current user. A malicious user can take advantage of screen sharing
+ to gain full access to the system remotely, either with stolen credentials or by
+ guessing the username and password. Disabling Screen Sharing mitigates this risk.
+check: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing
+result: '[''If the results do not show the following, this is a finding:'', '''',
+ ''"com.apple.screensharing" => true'']'
+fix: 'To disable the Screen Sharing service, run the following command:
+
+
+ /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing
+
+
+ The system may need to be restarted for the update to take effect.'
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-002050
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002051.yml b/rules/stig/APPL-12-002051.yml
new file mode 100644
index 000000000..74de191bc
--- /dev/null
+++ b/rules/stig/APPL-12-002051.yml
@@ -0,0 +1,34 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the system preference pane for
+ TouchID.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe TouchID System Preference Pane must be disabled.\n\
+ \n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
+ 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
+result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
+ each containing: "com.apple.preferences.password", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000370-GPOS-00155
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002051
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002052.yml b/rules/stig/APPL-12-002052.yml
new file mode 100644
index 000000000..ab1f64a43
--- /dev/null
+++ b/rules/stig/APPL-12-002052.yml
@@ -0,0 +1,34 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the system preference pane for
+ Wallet and ApplePay.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Wallet & ApplePay Preference Pane must be disabled.\n\
+ \n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
+ 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
+result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
+ each containing: "com.apple.preferences.wallet", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000370-GPOS-00155
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002052
+ cci:
+ - CCI-001774
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002053.yml b/rules/stig/APPL-12-002053.yml
new file mode 100644
index 000000000..1c2c609f5
--- /dev/null
+++ b/rules/stig/APPL-12-002053.yml
@@ -0,0 +1,33 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to disable the system preference pane for
+ Siri.
+discussion: "It is detrimental for operating systems to provide, or install by default,\
+ \ functionality exceeding requirements or mission objectives. These unnecessary\
+ \ capabilities or services are often overlooked and therefore may remain unsecured.\
+ \ They increase the risk to the platform by providing additional attack vectors.\n\
+ \nOperating systems are capable of providing a wide variety of functions and services.\
+ \ Some of the functions and services, provided by default, may not be necessary\
+ \ to support essential organizational operations (e.g., key missions, functions).\
+ \ \n\nExamples of non-essential capabilities include but are not limited to games,\
+ \ software packages, tools, and demonstration software not related to requirements\
+ \ or providing a wide array of functionality not required for every mission but\
+ \ that cannot be disabled.\n\nThe Siri Preference Pane must be disabled.\n\n"
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
+ 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
+result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
+ each containing: "com.apple.preference.speech", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000370-GPOS-00155
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002053
+ cci:
+ - CCI-000381
+ - CCI-001774
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002060.yml b/rules/stig/APPL-12-002060.yml
new file mode 100644
index 000000000..77b157004
--- /dev/null
+++ b/rules/stig/APPL-12-002060.yml
@@ -0,0 +1,28 @@
+rule_id: MSCP RULE
+title: The macOS system must allow only applications that have a valid digital signature
+ to run.
+discussion: Gatekeeper settings must be configured correctly to only allow the system
+ to run applications signed with a valid Apple Developer ID code. Administrator users
+ will still have the option to override these settings on a per-app basis. Gatekeeper
+ is a security feature that ensures that applications must be digitally signed by
+ an Apple-issued certificate in order to run. Digital signatures allow the macOS
+ host to verify that the application has not been modified by a malicious third party.
+check: ''
+result: '['''', ''Verify only applications with a valid digital signature are allowed
+ to run:'', '''', "/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
+ -E ''(EnableAssessment | AllowIdentifiedDevelopers)''", '''', ''If the return is
+ null or is not the following, this is a finding:'', '''', ''AllowIdentifiedDevelopers
+ = 1;'', ''EnableAssessment = 1;'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-002060
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002062.yml b/rules/stig/APPL-12-002062.yml
new file mode 100644
index 000000000..3cc23c545
--- /dev/null
+++ b/rules/stig/APPL-12-002062.yml
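Review bot: `check: ''` leaves this rule with no executable check, while the actual command (`/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(EnableAssessment | AllowIdentifiedDevelopers)'`) is embedded in the `result` text, so anything that runs `check` will treat the rule as unverifiable or always passing. Move the command into `check:` and keep only the pass/fail wording in `result:`. The alternation also contains literal spaces (`EnableAssessment ` and ` AllowIdentifiedDevelopers`), which ties the match to system_profiler's exact spacing; `-E 'EnableAssessment|AllowIdentifiedDevelopers'` is the robust form.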
@@ -0,0 +1,53 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured with Bluetooth turned off unless approved
+ by the organization.
+discussion: 'Without protection of communications with wireless peripherals, confidentiality
+ and integrity may be compromised because unprotected communications can be intercepted
+ and either read, altered, or used to compromise the operating system.
+
+
+ This requirement applies to wireless peripheral technologies (e.g., wireless mice,
+ keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g.,
+ Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications
+ [NFC]) present a unique challenge by creating an open, unsecured port on a computer.
+ Wireless peripherals must meet DoD requirements for wireless data transmission and
+ be approved for use by the AO. Even though some wireless peripherals, such as mice
+ and pointing devices, do not ordinarily carry information that need to be protected,
+ modification of communications with these wireless peripherals may be used to compromise
+ the operating system. Communication paths outside the physical protection of a controlled
+ boundary are exposed to the possibility of interception and modification.
+
+
+ Protecting the confidentiality and integrity of communications with wireless peripherals
+ can be accomplished by physical means (e.g., employing physical barriers to wireless
+ radio frequencies) or by logical means (e.g., employing cryptographic techniques).
+ If physical means of protection are employed, then logical means (cryptography)
+ do not have to be employed, and vice versa. If the wireless peripheral is only passing
+ telemetry data, encryption of the data may not be required.
+
+
+ '
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableBluetooth
+result: "['If the return is null or is not \"DisableBluetooth = 1\", this is a finding.',\
+ \ '', 'To check if the system is configured to disable access to the Bluetooth preference\
+ \ pane and prevent it from being displayed, run the following command:', '', \"\
+ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 -E\
+ \ 'DisabledPreferencePanes|HiddenPreferencePanes'\", '', 'If the return is not two\
+ \ arrays (HiddenPreferencePanes and DisabledPreferencePanes) each containing: \u201C\
+ com.apple.preferences.Bluetooth\u201D, this is a finding.']"
+fix: This setting is enforced using the "Custom Policy" and "Restrictions Policy"
+ configuration profiles.
+references:
+ srg:
+ - SRG-OS-000481-GPOS-000481
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-002062
+ cci:
+ - CCI-001967
+ - CCI-002418
+macOS:
+- '12'
+tags:
+- stig
+severity: low
diff --git a/rules/stig/APPL-12-002063.yml b/rules/stig/APPL-12-002063.yml
new file mode 100644
index 000000000..c6000e3bd
--- /dev/null
+++ b/rules/stig/APPL-12-002063.yml
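Review bot: The expected pane identifier in `result` is wrapped in typographic quotes (`\u201C` … `\u201D`), unlike the sibling preference-pane rules APPL-12-002051 to 002053 which use plain `"`, so a reader comparing profile output against the quoted string is comparing against the wrong characters. Normalize it to `"com.apple.preferences.Bluetooth"` as the other rules do. The hunk for this file starts on the previous line.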
@@ -0,0 +1,39 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce access restrictions.
+discussion: 'Failure to provide logical access restrictions associated with changes
+ to system configuration may have significant effects on the overall security of
+ the system.
+
+
+ When dealing with access restrictions pertaining to change control, it should be
+ noted that any changes to the hardware, software, and/or firmware components of
+ the operating system can have significant effects on the overall security of the
+ system.
+
+
+ Accordingly, only qualified and authorized individuals should be allowed to obtain
+ access to operating system components for the purposes of initiating changes, including
+ upgrades and modifications.
+
+
+ Logical access restrictions include, for example, controls that restrict access
+ to workflow automation, media libraries, abstract layers (e.g., changes implemented
+ into third-party interfaces rather than directly into information systems), and
+ change windows (e.g., changes occur only during specified times, making unauthorized
+ changes easy to discover).'
+check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
+ DisableGuestAccount'
+result: '[''If the result is null or not "DisableGuestAccount = 1", this is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000364-GPOS-00151
+ disa_stig:
+ - APPL-12-002063
+ cci:
+ - CCI-001813
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-002064.yml b/rules/stig/APPL-12-002064.yml
new file mode 100644
index 000000000..4cd4ac04e
--- /dev/null
+++ b/rules/stig/APPL-12-002064.yml
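Review bot: The `check` command begins with `# `, so executed as written it is a shell comment that produces no output, and under the `result` wording ("If the result is null … this is a finding") every system would be reported as a finding. Drop the prefix: `check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableGuestAccount`. It is also worth one sentence in `discussion` saying that the generic title "must enforce access restrictions" is implemented here solely as a guest-account check, so readers know the rule's actual scope.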
@@ -0,0 +1,27 @@
+rule_id: MSCP RULE
+title: The macOS system must have the security assessment policy subsystem enabled.
+discussion: 'Any changes to the hardware, software, and/or firmware components of
+ the information system and/or application can potentially have significant effects
+ on the overall security of the system.
+
+
+ Accordingly, software defined by the organization as critical must be signed with
+ a certificate that is recognized and approved by the organization.'
+check: /usr/sbin/spctl --status 2> /dev/null | /usr/bin/grep enabled
+result: '[''If "assessments enabled" is not returned, this is a finding.'']'
+fix: 'To enable the Security assessment policy subsystem, run the following command:
+
+
+ /usr/bin/sudo /usr/sbin/spctl --master-enable'
+references:
+ srg:
+ - SRG-OS-000366-GPOS-00153
+ disa_stig:
+ - APPL-12-002064
+ cci:
+ - CCI-001749
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-002066.yml b/rules/stig/APPL-12-002066.yml
new file mode 100644
index 000000000..f5ba36b4e
--- /dev/null
+++ b/rules/stig/APPL-12-002066.yml
@@ -0,0 +1,20 @@
+rule_id: MSCP RULE
+title: The macOS system must not allow an unattended or automatic logon to the system.
+discussion: Failure to restrict system access to authenticated users negatively impacts
+ operating system security.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAutoLoginClient
+result: '[''If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this
+ is a finding.'']'
+fix: This setting is enforced using the "Login Window Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00229
+ disa_stig:
+ - APPL-12-002066
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002068.yml b/rules/stig/APPL-12-002068.yml
new file mode 100644
index 000000000..f1db61611
--- /dev/null
+++ b/rules/stig/APPL-12-002068.yml
@@ -0,0 +1,40 @@
+rule_id: MSCP RULE
+title: The macOS system must set permissions on user home directories to prevent users
+ from having access to read or modify another user's files.
+discussion: 'Configuring the operating system to use the most restrictive permissions
+ possible for user home directories helps to protect against inadvertent disclosures.
+
+
+ '
+check: ls -le /Users
+result: '[''Should return a listing of the permissions of the root of every user account
+ configured on the system. For each of the users, the permissions should be:'', ''"drwxr-xr-x+"
+ with the user listed as the owner and the group listed as "staff". The plus(+) sign
+ indicates an associated Access Control List, which should be:'', '' 0: group:everyone
+ deny delete'', '''', ''For every authorized user account, also run the following
+ command:'', ''/usr/bin/sudo ls -le /Users/userid, where userid is an existing user.
+ '', '''', "This command will return the permissions of all of the objects under
+ the users'' home directory. The permissions for each of the subdirectories should
+ be:", ''drwx------+ '', '' 0: group:everyone deny delete'', '''', ''With the exception
+ of the "Public" directory, whose permissions should match the following:'', ''drwxr-xr-x+
+ '', '' 0: group:everyone deny delete'', '''', ''If the permissions returned by either
+ of these checks differ from what is shown, this is a finding.'']'
+fix: 'To ensure the appropriate permissions are set for each user on the system, run
+ the following command:
+
+
+ diskutil resetUserPermissions / userid, where userid is the user name for the user
+ whose home directory permissions need to be repaired.'
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00228
+ - SRG-OS-000480-GPOS-00230
+ disa_stig:
+ - APPL-12-002068
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002069.yml b/rules/stig/APPL-12-002069.yml
new file mode 100644
index 000000000..025b7571f
--- /dev/null
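Review bot: `check: ls -le /Users` and the fix's `diskutil resetUserPermissions / userid` are the only commands in this series written without absolute paths, while the rest use `/usr/bin/…` and `/usr/sbin/…`; use `/bin/ls -le /Users` and `/usr/sbin/diskutil resetUserPermissions / userid` so the rule does not depend on the invoking shell's PATH. The `result` text is a manual comparison of several listings, which is worth saying explicitly (e.g. a first sentence "This check is manual.") so tooling does not treat non-empty `ls` output as a pass.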
+++ b/rules/stig/APPL-12-002069.yml
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must authenticate peripherals before establishing a connection.
+discussion: 'Without authenticating devices, unidentified or unknown devices may be
+ introduced, thereby facilitating malicious activity.
+
+
+ Peripherals include, but are not limited to, such devices as flash drives, external
+ storage, and printers.'
+check: /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | grep
+ -A1 shared
+result: '[''If what is returned does not include the following, this is a finding.'',
+ ''\tshared'', ''\t'']'
+fix: "To ensure that authentication is required to access all system level preference\
+ \ panes use the following procedure:\n\nCopy the authorization database to a file\
+ \ using the following command:\n/usr/bin/sudo /usr/bin/security authorizationdb\
+ \ read system.preferences > ~/Desktop/authdb.txt\nedit the file to change:\n \
+ \ shared\n \nTo read:\n shared\n \n\
+ \nReload the authorization database with the following command:\n/usr/bin/sudo /usr/bin/security\
+ \ authorizationdb write system.preferences < ~/Desktop/authdb.txt"
+references:
+ srg:
+ - SRG-OS-000378-GPOS-00163
+ disa_stig:
+ - APPL-12-002069
+ cci:
+ - CCI-001958
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-002070.yml b/rules/stig/APPL-12-002070.yml
new file mode 100644
index 000000000..bb5fcaa19
--- /dev/null
+++ b/rules/stig/APPL-12-002070.yml
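Review bot: The `result` and `fix` text appear to have lost their plist markup — `''\tshared'', ''\t''` and `edit the file to change:\n \ shared\n \nTo read:\n shared` no longer state what the `shared` key's value is expected to be or what it should be changed from and to, so neither the check nor the fix can be followed as written. Presumably these held `<key>shared</key>` followed by a boolean element that was stripped as HTML; the expected and target values need to be restored in a form the YAML preserves (escaped or in a block scalar). Until then `grep -A1 shared` has nothing defined to compare against, and `grep` is also the only unqualified path in the pipeline (`/usr/bin/grep`).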
@@ -0,0 +1,41 @@
+rule_id: MSCP RULE
+title: The macOS system must use an approved antivirus program.
+discussion: 'An approved antivirus product must be installed and configured to run.
+
+
+ Malicious software can establish a base on individual desktops and servers. Employing
+ an automated mechanism to detect this type of software will aid in elimination of
+ the software from the operating system.'
+check: /bin/launchctl print-disabled system | grep mrt
+result: '[''If the results show "com.apple.mrt" => false", the MRT Service is running.'',
+ '''', ''If the MRT service is running, verify that it is configured to update automatically
+ by using the following command:'', '''', ''/usr/sbin/system_profiler SPConfigurationProfileDataType
+ | /usr/bin/grep ConfigDataInstall'', '''', ''If, "ConfigDataInstall = 1" is not
+ returned, this is a finding.'', '''', ''If the MRT service is not running, ask the
+ System Administrator (SA) or Information System Security Officer (ISSO) if an approved
+ antivirus solution is loaded on the system. The antivirus solution may be bundled
+ with an approved host-based security solution.'', '''', ''If there is no local antivirus
+ solution installed on the system, this is a finding.'']'
+fix: 'Enable the MRT service:
+
+
+ /usr/bin/sudo /bin/launchctl enable system/com.apple.mrt
+
+
+ Installing the "Restrictions Policy" will configure the MRT Service to update automatically.
+
+
+ If the MRT Service is not being used, install an approved antivirus solution onto
+ the system.'
+references:
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-002070
+ cci:
+ - CCI-000366
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-003001.yml b/rules/stig/APPL-12-003001.yml
new file mode 100644
index 000000000..20f469583
--- /dev/null
+++ b/rules/stig/APPL-12-003001.yml
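Review bot: The first `result` sentence has an unbalanced quote (`"com.apple.mrt" => false"`) and reads `=> false` as "the MRT Service is running", but `launchctl print-disabled` reports whether the service is disabled, not whether it is running; `If the results show "com.apple.mrt" => false, the MRT service is enabled.` states what the command actually shows. The `check` also uses a bare `grep` and no `sudo`, while APPL-12-002050 runs the same `launchctl print-disabled system` via `/usr/bin/sudo` with `/usr/bin/grep`; pick one form for both rules.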
@@ -0,0 +1,40 @@
+rule_id: MSCP RULE
+title: The macOS system must issue or obtain public key certificates under an appropriate
+ certificate policy from an approved service provider.
+discussion: 'DoD-approved certificates must be installed to the System Keychain so
+ they will be available to all users.
+
+
+ For user certificates, each organization obtains certificates from an approved,
+ shared service provider, as required by OMB policy. For federal agencies operating
+ a legacy public key infrastructure cross-certified with the Federal Bridge Certification
+ Authority at medium assurance or higher, this Certification Authority will suffice.
+ This control focuses on certificates with a visibility external to the information
+ system and does not include certificates related to internal system operations;
+ for example, application-specific time services. Use of weak or untested encryption
+ algorithms undermines the purposes of utilizing encryption to protect data. The
+ operating system must implement cryptographic modules adhering to the higher standards
+ approved by the federal government since this provides assurance they have been
+ tested and validated.
+
+
+ '
+check: /usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | awk -F\"
+ '{ print $4 }'
+result: '[''If this list contains unapproved certificates, this is a finding.'']'
+fix: Obtain the approved DOD certificates from the appropriate authority. Use Keychain
+ Access from "/Applications/Utilities" to add certificates to the System Keychain.
+references:
+ srg:
+ - SRG-OS-000066-GPOS-00034
+ - SRG-OS-000478-GPOS-00223
+ disa_stig:
+ - APPL-12-003001
+ cci:
+ - CCI-000185
+ - CCI-002450
+macOS:
+- '12'
+tags:
+- stig
+severity: high
diff --git a/rules/stig/APPL-12-003007.yml b/rules/stig/APPL-12-003007.yml
new file mode 100644
index 000000000..27c770b1c
--- /dev/null
+++ b/rules/stig/APPL-12-003007.yml
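Review bot: `security dump-keychain` with no keychain argument dumps the keychains in the invoking user's search list, so under `sudo` the output reflects root's search list rather than specifically the System Keychain that the discussion and fix refer to; name it, `/usr/bin/sudo /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | /usr/bin/awk -F\" '{ print $4 }'` (this also qualifies `awk`, the one bare path in the pipeline). Filtering on `labl` prints the label of every item in the keychain, not only certificates, so the `result` sentence should say the reviewer is looking at item labels and deciding which are certificates.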
@@ -0,0 +1,26 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce password complexity by requiring that at least
+ one numeric character be used.
+discussion: 'Use of a complex password helps to increase the time and resources required
+ to compromise the password. Password complexity, or strength, is a measure of the
+ effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+
+ Password complexity is one factor of several that determines how long it takes to
+ crack a password. The more complex the password, the greater the number of possible
+ combinations that need to be tested before the password is compromised.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep requireAlphanumeric
+result: '[''If the return is not "requireAlphanumeric = 1", this is a finding.'']'
+fix: This setting is enforced using the "Passcode Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000071-GPOS-00039
+ disa_stig:
+ - APPL-12-003007
+ cci:
+ - CCI-000194
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-003008.yml b/rules/stig/APPL-12-003008.yml
new file mode 100644
index 000000000..32f3889c2
--- /dev/null
+++ b/rules/stig/APPL-12-003008.yml
@@ -0,0 +1,25 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce a 60-day maximum password lifetime restriction.
+discussion: 'Any password, no matter how complex, can eventually be cracked. Therefore,
+ passwords need to be changed periodically.
+
+
+ One method of minimizing this risk is to use complex passwords and periodically
+ change them. If the operating system does not limit the lifetime of passwords and
+ force users to change their passwords, there is the risk that the operating system
+ passwords could be compromised.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxPINAgeInDays
+result: '[''If "maxPINAgeInDays" is set a value greater than "60", this is a finding.'']'
+fix: This setting is enforced using the "Passcode Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000076-GPOS-00044
+ disa_stig:
+ - APPL-12-003008
+ cci:
+ - CCI-000199
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-003009.yml b/rules/stig/APPL-12-003009.yml
new file mode 100644
index 000000000..814494fba
--- /dev/null
+++ b/rules/stig/APPL-12-003009.yml
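Review bot: The `result` wording only flags a value greater than 60 and says nothing about the grep returning nothing (no profile installed), whereas the neighbouring password rules APPL-12-003010, 003011 and 003012 explicitly treat a null return as a finding; as written, an unmanaged system passes. Add the null case and the missing "to": `If the return is null or "maxPINAgeInDays" is set to a value greater than "60", this is a finding.`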
@@ -0,0 +1,22 @@
+rule_id: MSCP RULE
+title: The macOS system must prohibit password reuse for a minimum of five generations.
+discussion: Password complexity, or strength, is a measure of the effectiveness of
+ a password in resisting attempts at guessing and brute-force attacks. If the information
+ system or application allows the user to consecutively reuse their password when
+ that password has exceeded its defined lifetime, the end result is a password that
+ is not changed as per policy requirements.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory
+result: '[''If the return is not "pinHistory = 5" or greater, this is a finding.'']'
+fix: This setting is enforced using the "Passcode Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000077-GPOS-00045
+ disa_stig:
+ - APPL-12-003009
+ cci:
+ - CCI-000200
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-003010.yml b/rules/stig/APPL-12-003010.yml
new file mode 100644
index 000000000..13ca5c6f3
--- /dev/null
+++ b/rules/stig/APPL-12-003010.yml
@@ -0,0 +1,23 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce a minimum 15-character password length.
+discussion: The minimum password length must be set to 15 characters. Password complexity,
+ or strength, is a measure of the effectiveness of a password in resisting attempts
+ at guessing and brute-force attacks. Password length is one factor of several that
+ helps to determine strength and how long it takes to crack a password. The use of
+ more characters in a password helps to exponentially increase the time and/or resources
+ required to compromise the password.
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minLength
+result: '[''If the return is null or not "minLength = 15", this is a finding.'']'
+fix: This setting is enforced using the "Passcode Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000078-GPOS-00046
+ disa_stig:
+ - APPL-12-003010
+ cci:
+ - CCI-000205
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-003011.yml b/rules/stig/APPL-12-003011.yml
new file mode 100644
index 000000000..c4d3ce9c9
--- /dev/null
+++ b/rules/stig/APPL-12-003011.yml
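Review bot: The `result` text treats anything other than the literal `minLength = 15` as a finding, so a profile that sets a stricter value (16 or more) is flagged even though the title only requires a minimum of 15; APPL-12-003009 in this same series already uses the "or greater" form. Align it: `If the return is null or "minLength" is set to a value less than "15", this is a finding.`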
@@ -0,0 +1,31 @@
+rule_id: MSCP RULE
+title: The macOS system must enforce password complexity by requiring that at least
+ one special character be used.
+discussion: 'Use of a complex password helps to increase the time and resources required
+ to compromise the password. Password complexity or strength is a measure of the
+ effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ Password complexity is one factor in determining how long it takes to crack a password.
+ The more complex the password, the greater the number of possible combinations that
+ need to be tested before the password is compromised. Special characters are those
+ characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minComplexChars
+result: '[''If the return is null or not "minComplexChars = 1", this is a finding.'',
+ '''', ''Run the following command to check if the system is configured to require
+ that passwords not contain repeated sequential characters or characters in increasing
+ and decreasing sequential order:'', '''', ''/usr/sbin/system_profiler SPConfigurationProfileDataType
+ | /usr/bin/grep allowSimple'', '''', ''If "allowSimple" is not set to "0" or is
+ undefined, this is a finding.'']'
+fix: This setting may be enforced using the "Passcode Policy" configuration profile
+ or by a directory service.
+references:
+ srg:
+ - SRG-OS-000266-GPOS-00101
+ disa_stig:
+ - APPL-12-003011
+ cci:
+ - CCI-001619
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
diff --git a/rules/stig/APPL-12-003012.yml b/rules/stig/APPL-12-003012.yml
new file mode 100644
index 000000000..5dd0b2f57
--- /dev/null
+++ b/rules/stig/APPL-12-003012.yml
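Review bot: `check` only greps `minComplexChars`, yet `result` also makes `allowSimple` a finding and carries its own second `system_profiler … grep allowSimple` command, so an automated run of `check` can only ever evaluate half the rule. Either fold both keys into the one command, `/usr/bin/grep -E 'minComplexChars|allowSimple'`, with `result` stating the expected value of each, or split `allowSimple` into its own rule file as the rest of this series does with one key per rule.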
@@ -0,0 +1,19 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to prevent displaying password hints. +discussion: Password hints leak information about passwords in use and can lead to + loss of confidentiality. +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep RetriesUntilHint +result: '[''If the return is null or is not "RetriesUntilHint = 0", this is a finding.'']' +fix: This setting is enforce using the "Login Window" Policy. +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003012 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-003013.yml b/rules/stig/APPL-12-003013.yml new file mode 100644 index 000000000..e2a6a095d --- /dev/null +++ b/rules/stig/APPL-12-003013.yml @@ -0,0 +1,30 @@ +rule_id: MSCP RULE +title: The macOS system must be configured with a firmware password to prevent access + to single user mode and booting from alternative media. +discussion: Single user mode and the boot picker, as well as numerous other tools + are available on macOS through booting while holding the "Option" key down. Setting + a firmware password restricts access to these tools. +check: $ sudo /usr/sbin/firmwarepasswd -check +result: '[''If the return is not "Password Enabled: Yes", this is a finding.'']' +fix: 'To set a firmware passcode use the following command. + + + sudo /usr/sbin/firmwarepasswd -setpasswd + + + Note: If firmware password or passcode is forgotten, the only way to reset the forgotten + password is through the use of a machine specific binary generated and provided + by Apple. Schedule a support call, and provide proof of purchase before the firmware + binary will be generated.' +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003013 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium 
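Review bot: `fix: This setting is enforce using the "Login Window" Policy.` has a typo (`enforce` for `enforced`) and names the profile differently from its siblings. APPL-12-005052 in this patch writes `This setting is enforced using the "Login Window Policy" configuration profile.`; the same line fits here.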
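Review bot: The `check` command carries a shell prompt, `check: $ sudo /usr/sbin/firmwarepasswd -check`, so run verbatim it fails on the `$` and a reader copying it gets the prompt too. The same prefix appears in APPL-12-003050 and APPL-12-005050, where it is `#` and a shell would treat the whole command as a comment and print nothing, and in APPL-12-005051 and APPL-12-005053 (`$`). Drop the prompt characters so the check is the bare command, `check: /usr/sbin/firmwarepasswd -check`, and let the discussion state that it needs root. As far as I know `firmwarepasswd` is only meaningful on Intel-based Macs, so the rule should also say what an assessor records on Apple silicon hardware, where the command is not supported.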
diff --git a/rules/stig/APPL-12-003020.yml b/rules/stig/APPL-12-003020.yml new file mode 100644 index 000000000..26808ce45 --- /dev/null +++ b/rules/stig/APPL-12-003020.yml @@ -0,0 +1,36 @@ +rule_id: MSCP RULE +title: The macOS system must use multifactor authentication for local access to privileged + and non-privileged accounts. +discussion: "Without the use of multifactor authentication, the ease of access to\ + \ privileged and non-privileged functions is greatly increased.\n\nMultifactor authentication\ + \ requires using two or more factors to achieve authentication.\n\nFactors include:\ + \ \n1) something a user knows (e.g., password/PIN);\n2) something a user has (e.g.,\ + \ cryptographic identification device, token); and\n3) something a user is (e.g.,\ + \ biometric).\n\nA privileged account is defined as an information system account\ + \ with authorizations of a privileged user.\n\nLocal access is defined as access\ + \ to an organizational information system by a user (or process acting on behalf\ + \ of a user) communicating through a direct connection without the use of a network.\n\ + \nThe DoD CAC with DoD-approved PKI is an example of multifactor authentication.\n\ + \n" +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep enforceSmartCard +result: '[''If the results do not show "enforceSmartCard=1", this is a finding.'']' +fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\ + \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\ + \ provided with the STIG must be consulted to ensure continued access to the operating\ + \ system." +references: + srg: + - SRG-OS-000107-GPOS-00054 + - SRG-OS-000108-GPOS-00055 + - SRG-OS-000068-GPOS-00036 + disa_stig: + - APPL-12-003020 + cci: + - CCI-000187 + - CCI-000767 + - CCI-000768 +macOS: +- '12' +tags: +- stig +severity: high 
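Review bot: The expected value in `result`, `"enforceSmartCard=1"`, lacks the spacing and trailing semicolon that the `system_profiler SPConfigurationProfileDataType` output carries, so an assessor comparing literally never sees it; the other rules in this patch quote the profiler's own form, e.g. `"EnableFirewall = 1;"` in APPL-12-005050 and `"minLength = 15"` in APPL-12-003010. Presumably the line should read `If the results do not show "enforceSmartCard = 1;", this is a finding.` The `discussion` scalar also ends in `\n\n`, which renders as trailing blank lines.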
diff --git a/rules/stig/APPL-12-003050.yml b/rules/stig/APPL-12-003050.yml
new file mode 100644
index 000000000..f0c486b21
--- /dev/null
+++ b/rules/stig/APPL-12-003050.yml
@@ -0,0 +1,41 @@ +rule_id: MSCP RULE +title: The macOS system must be configured so that the login command requires smart + card authentication. +discussion: 'Configuring the operating system to implement organization-wide security + implementation guides and security checklists ensures compliance with federal standards + and establishes a common security baseline across DoD that reflects the most restrictive + security posture consistent with operational requirements. + + + Configuration settings are the set of parameters that can be changed in hardware, + software, or firmware components of the system that affect the security posture + and/or functionality of the system. Security-related parameters are those parameters + impacting the security state of the system, including the parameters required to + satisfy other security control requirements. Security-related parameters include, + for example: registry settings; account, file, directory permission settings; and + settings for functions, ports, protocols, services, and remote connections.' 
+check: '# cat /etc/pam.d/login | grep -i pam_smartcard.so' +result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so" + at the TOP of the listing, this is a finding.'']' +fix: "Make a backup of the PAM LOGIN settings using the following command:\nsudo cp\ + \ /etc/pam.d/login /etc/pam.d/login_backup_`date \"+%Y-%m-%d_%H:%M\"`\n\nReplace\ + \ the contents of \"/etc/pam.d/login\" with the following:\n\n# login: auth account\ + \ password session\nauth\t\tsufficient\t pam_smartcard.so\nauth optional pam_krb5.so\ + \ use_kcminit\nauth optional pam_ntlm.so try_first_pass\nauth optional\ + \ pam_mount.so try_first_pass\nauth required pam_opendirectory.so try_first_pass\n\ + auth required pam_deny.so\naccount required pam_nologin.so\naccount required\ + \ pam_opendirectory.so\npassword required pam_opendirectory.so\nsession \ + \ required pam_launchd.so\nsession required pam_uwtmp.so\nsession optional\ + \ pam_mount.so" +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003050 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-003051.yml b/rules/stig/APPL-12-003051.yml new file mode 100644 index 000000000..6e3e4957a --- /dev/null +++ b/rules/stig/APPL-12-003051.yml 
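Review bot: `check: '# cat /etc/pam.d/login | grep -i pam_smartcard.so'` cannot establish what `result` asks for, that `auth sufficient pam_smartcard.so` sits at the top of the stack: grep reports the matching line without its position, and a commented-out `#auth sufficient pam_smartcard.so` matches just the same and would pass. The leading `#` also turns the whole command into a comment if the check is executed rather than read. Printing the first auth line instead, `/usr/bin/grep -m 1 '^auth' /etc/pam.d/login`, with `If the line is not "auth sufficient pam_smartcard.so", this is a finding.`, matches the stated result; APPL-12-003051 and APPL-12-003052 have the same gap.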
@@ -0,0 +1,54 @@ +rule_id: MSCP RULE +title: The macOS system must be configured so that the su command requires smart card + authentication. +discussion: 'Configuring the operating system to implement organization-wide security + implementation guides and security checklists ensures compliance with federal standards + and establishes a common security baseline across DoD that reflects the most restrictive + security posture consistent with operational requirements. + + + Configuration settings are the set of parameters that can be changed in hardware, + software, or firmware components of the system that affect the security posture + and/or functionality of the system. Security-related parameters are those parameters + impacting the security state of the system, including the parameters required to + satisfy other security control requirements. Security-related parameters include, + for example: registry settings; account, file, directory permission settings; and + settings for functions, ports, protocols, services, and remote connections.' +check: cat /etc/pam.d/su | grep -i pam_smartcard.so +result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so" + at the TOP of the listing, this is a finding.'']' +fix: 'Make a backup of the PAM SU settings using the following command: + + cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"` + + + Replace the contents of "/etc/pam.d/su" with the following: + + + # su: auth account password session + + auth sufficient pam_smartcard.so + + auth required pam_rootok.so + + auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe + + account required pam_permit.so + + account required pam_opendirectory.so no_check_shell + + password required pam_opendirectory.so + + session required pam_launchd.so' +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003051 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium 
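Review bot: The backup command in `fix`, `cp /etc/pam.d/su /etc/pam.d/su_backup_...`, writes into `/etc/pam.d`, which a non-root user cannot do, while the sibling APPL-12-003050 prefixes the same step with `sudo`. Either add `sudo` here or state once at the top of the fix that the commands run as root. The check's inability to verify line order is noted at APPL-12-003050.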
diff --git a/rules/stig/APPL-12-003052.yml b/rules/stig/APPL-12-003052.yml
new file mode 100644
index 000000000..4b06d7e85
--- /dev/null
+++ b/rules/stig/APPL-12-003052.yml
@@ -0,0 +1,53 @@ +rule_id: MSCP RULE +title: The macOS system must be configured so that the sudo command requires smart + card authentication. +discussion: 'Configuring the operating system to implement organization-wide security + implementation guides and security checklists ensures compliance with federal standards + and establishes a common security baseline across DoD that reflects the most restrictive + security posture consistent with operational requirements. + + + Configuration settings are the set of parameters that can be changed in hardware, + software, or firmware components of the system that affect the security posture + and/or functionality of the system. Security-related parameters are those parameters + impacting the security state of the system, including the parameters required to + satisfy other security control requirements. Security-related parameters include, + for example: registry settings; account, file, directory permission settings; and + settings for functions, ports, protocols, services, and remote connections.' +check: cat /etc/pam.d/sudo | grep -i pam_smartcard.so +result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so" + at the TOP of the listing, this is a finding.'']' +fix: 'Make a backup of the PAM SUDO settings using the following command: + + + cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"` + + + Replace the contents of "/etc/pam.d/sudo" with the following: + + + # sudo: auth account password session + + auth sufficient pam_smartcard.so + + #auth required pam_opendirectory.so + + auth required pam_deny.so + + account required pam_permit.so + + password required pam_deny.so + + session required pam_permit.so' +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-003052 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium 
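Review bot: The backup step in `fix` copies the wrong file: `cp /etc/pam.d/login /etc/pam.d/sudo_backup_...` saves the login stack under a sudo backup name, and the next step then overwrites `/etc/pam.d/sudo` with no copy of it kept. The source should be `/etc/pam.d/sudo`, i.e. `cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_...` with the same date suffix. With `pam_opendirectory.so` commented out the replacement stack has no password fallback, so it is worth stating here, as APPL-12-003020 does, that the supplemental guidance must be consulted before applying it to avoid locking administrators out.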
diff --git a/rules/stig/APPL-12-004001.yml b/rules/stig/APPL-12-004001.yml new file mode 100644 index 000000000..8b8b37971 --- /dev/null +++ b/rules/stig/APPL-12-004001.yml @@ -0,0 +1,29 @@ +rule_id: MSCP RULE +title: The macOS system must be configured with system log files owned by root and + group-owned by wheel or admin. +discussion: System logs should only be readable by root or admin users. System logs + frequently contain sensitive information that could be used by an attacker. Setting + the correct owner mitigates this risk. +check: Unable to parse the check text +result: Unable to parse the check text +fix: "For any log file that returns an incorrect owner or group value, run the following\ + \ command:\n\n/usr/bin/sudo chown root:wheel [log file]\n\n[log file] is the full\ + \ path to the log file in question. If the file is managed by \"newsyslog\", find\ + \ the configuration line in the directory \"/etc/newsyslog.d/\" or the file \"/etc/newsyslog.conf\"\ + \ and ensure that the owner:group column is set to \"root:wheel\" or the appropriate\ + \ service user account and group. \n\nIf the file is managed by \"aslmanager\",\ + \ find the configuration line in the directory \"/etc/asl/\" or the file \"/etc/asl.conf\"\ + \ and ensure that \"uid\" and \"gid\" options are either not present or are set\ + \ to a service user account and group respectively." +references: + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-12-004001 + cci: + - CCI-001314 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-004002.yml b/rules/stig/APPL-12-004002.yml new file mode 100644 index 000000000..0d1257112 --- /dev/null +++ b/rules/stig/APPL-12-004002.yml 
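Review bot: `check: Unable to parse the check text` and `result: Unable to parse the check text` ship the conversion script's error message as the rule's check and expected result, so this rule cannot be assessed as written. The `fix` text says what the check should cover, the owner and group of the log files managed by newsyslog and aslmanager; mirroring APPL-12-004002, `/usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null` with `If any log file is not owned by root and group-owned by wheel or admin, this is a finding.` would restore it. Better still, pull the original check text from the STIG so the rule matches its source.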
@@ -0,0 +1,30 @@ +rule_id: MSCP RULE +title: The macOS system must be configured with system log files set to mode 640 or + less permissive. +discussion: System logs should only be readable by root or admin users. System logs + frequently contain sensitive information that could be used by an attacker. Setting + the correct permissions mitigates this risk. +check: /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | + awk '{ print $1 }') 2> /dev/null +result: '['''', ''Each command may return zero or more files. If the permissions on + log files are not "640" or less permissive, this is a finding.'']' +fix: "For any log file that returns an incorrect permission value, run the following\ + \ command:\n\n/usr/bin/sudo chmod 640 [log file]\n\n[log file] is the full path\ + \ to the log file in question. If the file is managed by \"newsyslog\", find the\ + \ configuration line in the directory \"/etc/newsyslog.d/\" or the file \"/etc/newsyslog.conf\"\ + \ and edit the mode column to be \"640\" or less permissive. \n\nIf the file is\ + \ managed by \"aslmanager\", find the configuration line in the directory \"/etc/asl/\"\ + \ or the file \"/etc/asl.conf\" and add or edit the mode option to be \"mode=0640\"\ + \ or less permissive." +references: + srg: + - SRG-OS-000206-GPOS-00084 + disa_stig: + - APPL-12-004002 + cci: + - CCI-001314 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-004021.yml b/rules/stig/APPL-12-004021.yml new file mode 100644 index 000000000..ece2671f7 --- /dev/null +++ b/rules/stig/APPL-12-004021.yml 
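Review bot: `result` speaks of `Each command`, but `check` holds a single command that reads only `/etc/newsyslog.conf`; the `/etc/newsyslog.d/` and `/etc/asl/` configurations the `fix` text tells the admin to edit are never examined, so a log governed by those files is not checked at all. I suspect a second command was lost in conversion; if the source STIG has one it should be restored, otherwise the newsyslog part can at least cover the drop-in directory, `$(/usr/bin/grep -hv '^#' /etc/newsyslog.conf /etc/newsyslog.d/* | awk '{ print $1 }')`.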
@@ -0,0 +1,31 @@ +rule_id: MSCP RULE +title: The macOS system must be configured with the sudoers file configured to authenticate + users on a per -tty basis. +discussion: "The \"sudo\" command must be configured to prompt for the administrator's\ + \ password at least once in each newly opened Terminal window or remote logon session,\ + \ as this prevents a malicious user from taking advantage of an unlocked computer\ + \ or an abandoned logon session to bypass the normal password prompt requirement.\ + \ \n\nWithout the \"tty_tickets\" option, all open local and remote logon sessions\ + \ would be authenticated to use sudo without a password for the duration of the\ + \ configured password timeout window." +check: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers +result: '[''If there is no result, this is a finding.'']' +fix: 'Edit the "/etc/sudoers" file to contain the line: + + + Defaults tty_tickets + + + This line can be placed in the defaults section or at the end of the file.' +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-004021 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: high diff --git a/rules/stig/APPL-12-005001.yml b/rules/stig/APPL-12-005001.yml new file mode 100644 index 000000000..fed224034 --- /dev/null +++ b/rules/stig/APPL-12-005001.yml 
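Review bot: `check: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers` passes on a commented line (`#Defaults tty_tickets`) or a negated one (`Defaults !tty_tickets`), because `result` only asks for a non-empty match, and it never looks at files included from `/etc/sudoers.d/`. Anchoring the pattern and adding the drop-in directory, `/usr/bin/sudo /usr/bin/grep -E '^Defaults[[:space:]]+tty_tickets' /etc/sudoers /etc/sudoers.d/*`, keeps the result rule as written. The `fix` should also mention that `/etc/sudoers` is edited with `visudo` so a syntax error does not lock out sudo entirely.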
@@ -0,0 +1,64 @@ +rule_id: MSCP RULE +title: The macOS system must enable System Integrity Protection. +discussion: 'System Integrity Protection (SIP) is vital to the protection of the integrity + of macOS. SIP restricts what actions can be performed by administrative users, including + root, against protected parts of the operating system. SIP protects all system binaries, + including audit tools, from unauthorized access by preventing the modification or + deletion of system binaries, or the changing of the permissions associated with + those binaries. SIP limits the privileges to change software resident within software + libraries to processes that have signed by Apple and have special entitlements to + write to system files, such as Apple software updates and Apple installers. By protecting + audit binaries, SIP ensures the presence of an audit record generation capability + for DoD-defined auditable events for all operating system components and supports + on-demand and after-the-fact reporting requirements. 
+ + + ' +check: /usr/bin/csrutil status +result: '[''If the result does not show the following, this is a finding.'', '''', + ''System Integrity Protection status: enabled'']' +fix: 'To re-enable "System Integrity Protection", boot the affected system into "Recovery" + mode, launch "Terminal" from the "Utilities" menu, and run the following command: + + + /usr/bin/csrutil enable' +references: + srg: + - SRG-OS-000051-GPOS-00024 + - SRG-OS-000054-GPOS-00025 + - SRG-OS-000062-GPOS-00031 + - SRG-OS-000122-GPOS-00063 + - SRG-OS-000256-GPOS-00097 + - SRG-OS-000257-GPOS-00098 + - SRG-OS-000258-GPOS-00099 + - SRG-OS-000259-GPOS-00100 + - SRG-OS-000348-GPOS-00136 + - SRG-OS-000349-GPOS-00137 + - SRG-OS-000350-GPOS-00138 + - SRG-OS-000351-GPOS-00139 + - SRG-OS-000352-GPOS-00140 + - SRG-OS-000353-GPOS-00141 + - SRG-OS-000354-GPOS-00142 + disa_stig: + - APPL-12-005001 + cci: + - CCI-000169 + - CCI-000154 + - CCI-000158 + - CCI-001493 + - CCI-001494 + - CCI-001495 + - CCI-001499 + - CCI-001875 + - CCI-001876 + - CCI-001877 + - CCI-001878 + - CCI-001879 + - CCI-001880 + - CCI-001881 + - CCI-001882 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005020.yml b/rules/stig/APPL-12-005020.yml new file mode 100644 index 000000000..606cd19d9 --- /dev/null +++ b/rules/stig/APPL-12-005020.yml 
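Review bot: The `discussion` scalar ends with three empty lines before its closing quote, which renders as trailing blank paragraphs; APPL-12-005020 and APPL-12-005051 carry the same trailing whitespace. There is also a dropped word in `processes that have signed by Apple` (`have been signed`). Trimming the scalar and fixing the phrase is all that is needed.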
@@ -0,0 +1,43 @@ +rule_id: MSCP RULE +title: The macOS system must implement cryptographic mechanisms to protect the confidentiality + and integrity of all information at rest. +discussion: 'Information at rest refers to the state of information when it is located + on a secondary storage device (e.g., disk drive and tape drive) within an organizational + information system. Mobile devices, laptops, desktops, and storage devices can be + lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile + memory) can be read, copied, or altered. By encrypting the system hard drive, the + confidentiality and integrity of any data stored on the system is ensured. FileVault + Disk Encryption mitigates this risk. + + + ' +check: /usr/bin/fdesetup status +result: '[''If "FileVault" is "Off" and the device is a mobile device or the organization + has determined that the drive must encrypt data at rest, this is a finding.'']' +fix: 'Open System Preferences >> Security and Privacy and navigate to the "FileVault" + tab. Use this panel to configure full-disk encryption. + + + Alternately, from the command line, run the following command to enable "FileVault": + + + /usr/bin/sudo /usr/bin/fdesetup enable + + + After "FileVault" is initially set up, additional users can be added.' +references: + srg: + - SRG-OS-000185-GPOS-00079 + - SRG-OS-000404-GPOS-00183 + - SRG-OS-000405-GPOS-00184 + disa_stig: + - APPL-12-005020 + cci: + - CCI-001199 + - CCI-002475 + - CCI-002476 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005050.yml b/rules/stig/APPL-12-005050.yml new file mode 100644 index 000000000..161603441 --- /dev/null +++ b/rules/stig/APPL-12-005050.yml 
@@ -0,0 +1,22 @@ +rule_id: MSCP RULE +title: The macOS Application Firewall must be enabled. +discussion: Firewalls protect computers from network attacks by blocking or limiting + access to open network ports. Application firewalls limit which applications are + allowed to communicate over the network. +check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep + ''EnableFirewall\|EnableStealthMode'' ' +result: '[''If the return is not "EnableFirewall = 1;" and "EnableStealthMode = 1;" + this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000480-GPOS-00232 + disa_stig: + - APPL-12-005050 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005051.yml b/rules/stig/APPL-12-005051.yml new file mode 100644 index 000000000..c7081ab53 --- /dev/null +++ b/rules/stig/APPL-12-005051.yml 
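Review bot: `fix: This setting is enforced using the "Restrictions Policy" configuration profile.` looks carried over from the restrictions rules: `EnableFirewall` and `EnableStealthMode` are keys of the Firewall payload (`com.apple.security.firewall`), not of the Restrictions payload, so an admin following this text will look in the wrong profile. I would write `This setting is enforced using the "Firewall" configuration profile.` The `#` prompt on `check` is noted at APPL-12-003013.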
@@ -0,0 +1,31 @@ +rule_id: MSCP RULE +title: The macOS system must restrict the ability of individuals to use USB storage + devices. +discussion: 'External writeable media devices must be disabled for users. External + USB devices are a potential vector for malware and can be used to exfiltrate sensitive + data if an approved data-loss prevention (DLP) solution is not installed. + + + ' +check: $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/egrep + -A 3 'blankbd|blankcd|blankdvd|disk-image|dvdram|harddisk-external' +result: "['\u201Cblankbd\" = (', 'deny,', 'eject', ');', '', '\u201Cblankcd\" = (',\ + \ 'deny,', 'eject', ');', '', '\u201Cblankdvd\" = (', 'deny,', 'eject', ');', '',\ + \ '\u201Cdisk-image\" = (', 'deny,', 'eject', ');', '', '\u201Cdvdram\" = (', 'deny,',\ + \ 'eject', ');', '', '\u201Charddisk-external\" = (', 'deny,', 'eject', ');', '',\ + \ 'If the result does not match the output above, this is a finding.']" +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + cci: + - CCI-000366 + - CCI-001967 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005052.yml b/rules/stig/APPL-12-005052.yml new file mode 100644 index 000000000..44bd1ca88 --- /dev/null +++ b/rules/stig/APPL-12-005052.yml 
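Review bot: The expected output in `result` pairs a curly opening quote with a straight closing one, `\u201Cblankbd"`, six times over; `system_profiler` prints straight quotes on both sides, so `If the result does not match the output above` can never be satisfied literally, and the scalar had to be double-quoted with escapes just to hold the character. Replace each `\u201C` with `"`; the diffstat of the next commit, which removes smart quotes elsewhere, does not list this file, so it would otherwise survive. The `$` prompt on `check` is noted at APPL-12-003013.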
@@ -0,0 +1,23 @@ +rule_id: MSCP RULE +title: The macOS system logon window must be configured to prompt for username and + password, rather than show a list of users. +discussion: The logon window must be configured to prompt all users for both a username + and a password. By default, the system displays a list of known users at the logon + screen. This gives an advantage to an attacker with physical access to the system, + as the attacker would only have to guess the password for one of the listed accounts. +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SHOWFULLNAME +result: '[''If there is no result, or "SHOWFULLNAME" is not set to "1", this is a + finding.'']' +fix: This setting is enforced using the "Login Window Policy" configuration profile. +references: + srg: + - SRG-OS-000480-GPOS-00229 + disa_stig: + - APPL-12-005052 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: low diff --git a/rules/stig/APPL-12-005053.yml b/rules/stig/APPL-12-005053.yml new file mode 100644 index 000000000..a6e685c72 --- /dev/null +++ b/rules/stig/APPL-12-005053.yml 
@@ -0,0 +1,25 @@ +rule_id: MSCP RULE +title: The macOS system must restrict the ability of individuals to write to external + optical media. +discussion: External writeable media devices must be disabled for users. External + optical media devices can be used to exfiltrate sensitive data if an approved data-loss + prevention (DLP) solution is not installed. +check: $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep + 'BurnSupport' +result: '[''BurnSupport = off;'', '''', ''If the command does not return a line, this + is a finding.'', "If ''BurnSupport'' is set to a value other than ''off'' and is + not documented with the Information System Security Officer (ISSO) as an operational + requirement, this is a finding."]' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-005053 + cci: + - CCI-000366 +macOS: +- '12' +tags: +- stig +severity: low diff --git a/rules/stig/APPL-12-005054.yml b/rules/stig/APPL-12-005054.yml new file mode 100644 index 000000000..736a81aa3 --- /dev/null +++ b/rules/stig/APPL-12-005054.yml 
@@ -0,0 +1,32 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to disable prompts to configure Touch ID. +discussion: 'It is detrimental for operating systems to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary capabilities + or services are often overlooked and therefore may remain unsecured. They increase + the risk to the platform by providing additional attack vectors. + + + Operating systems are capable of providing a wide variety of functions and services. + Some of the functions and services, provided by default, may not be necessary to + support essential organizational operations (e.g., key missions, functions). + + + Examples of non-essential capabilities include, but are not limited to, games, software + packages, tools, and demonstration software, not related to requirements or providing + a wide array of functionality not required for every mission, but which cannot be + disabled.' +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipTouchIDSetup +result: '[''If the return is not "SkipTouchIDSetup = 1", this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005054 + cci: + - CCI-000381 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005055.yml b/rules/stig/APPL-12-005055.yml new file mode 100644 index 000000000..9495925ee --- /dev/null +++ b/rules/stig/APPL-12-005055.yml 
@@ -0,0 +1,32 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to disable prompts to configure ScreenTime. +discussion: 'It is detrimental for operating systems to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary capabilities + or services are often overlooked and therefore may remain unsecured. They increase + the risk to the platform by providing additional attack vectors. + + + Operating systems are capable of providing a wide variety of functions and services. + Some of the functions and services, provided by default, may not be necessary to + support essential organizational operations (e.g., key missions, functions). + + + Examples of non-essential capabilities include, but are not limited to, games, software + packages, tools, and demonstration software, not related to requirements or providing + a wide array of functionality not required for every mission, but which cannot be + disabled.' +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipScreenTime +result: '[''If the return is not "SkipScreenTime = 1", this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005055 + cci: + - CCI-000381 +macOS: +- '12' +tags: +- stig +severity: low diff --git a/rules/stig/APPL-12-005056.yml b/rules/stig/APPL-12-005056.yml new file mode 100644 index 000000000..9ef8f5343 --- /dev/null +++ b/rules/stig/APPL-12-005056.yml 
@@ -0,0 +1,33 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to disable promts to configure Unlock with + Watch. +discussion: 'It is detrimental for operating systems to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary capabilities + or services are often overlooked and therefore may remain unsecured. They increase + the risk to the platform by providing additional attack vectors. + + + Operating systems are capable of providing a wide variety of functions and services. + Some of the functions and services, provided by default, may not be necessary to + support essential organizational operations (e.g., key missions, functions). + + + Examples of non-essential capabilities include, but are not limited to, games, software + packages, tools, and demonstration software, not related to requirements or providing + a wide array of functionality not required for every mission, but which cannot be + disabled.' +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep skipUnlockWithWatch +result: '[''If the return is not "skipUnlockWithWatch = 1", this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005056 + cci: + - CCI-000381 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005058.yml b/rules/stig/APPL-12-005058.yml new file mode 100644 index 000000000..23b2b816d --- /dev/null +++ b/rules/stig/APPL-12-005058.yml 
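Review bot: The `title` has a typo, `disable promts to configure Unlock with Watch`; titles are rendered into the generated baseline, so it should read `disable prompts to configure Unlock with Watch`, matching APPL-12-005054 and APPL-12-005055. It is the only title in this batch with a misspelling, so no other file needs the same edit.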
@@ -0,0 +1,33 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to prevent activity continuation between + Apple Devices. +discussion: 'It is detrimental for operating systems to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary capabilities + or services are often overlooked and therefore may remain unsecured. They increase + the risk to the platform by providing additional attack vectors. + + + Operating systems are capable of providing a wide variety of functions and services. + Some of the functions and services, provided by default, may not be necessary to + support essential organizational operations (e.g., key missions, functions). + + + Examples of non-essential capabilities include, but are not limited to, games, software + packages, tools, and demonstration software, not related to requirements or providing + a wide array of functionality not required for every mission, but which cannot be + disabled.' +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowActivityContinuation +result: '[''If the return is not "allowActivityContinuation = 0", this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005058 + cci: + - CCI-000381 +macOS: +- '12' +tags: +- stig +severity: low diff --git a/rules/stig/APPL-12-005060.yml b/rules/stig/APPL-12-005060.yml new file mode 100644 index 000000000..dd0d07cb5 --- /dev/null +++ b/rules/stig/APPL-12-005060.yml 
@@ -0,0 +1,33 @@ +rule_id: MSCP RULE +title: The macOS system must be configured to prevent password proximity sharing requests + from nearby Apple Devices. +discussion: 'It is detrimental for operating systems to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary capabilities + or services are often overlooked and therefore may remain unsecured. They increase + the risk to the platform by providing additional attack vectors. + + + Operating systems are capable of providing a wide variety of functions and services. + Some of the functions and services, provided by default, may not be necessary to + support essential organizational operations (e.g., key missions, functions). + + + Examples of non-essential capabilities include, but are not limited to, games, software + packages, tools, and demonstration software, not related to requirements or providing + a wide array of functionality not required for every mission, but which cannot be + disabled.' +check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowPasswordProximityRequests +result: '[''If the return is not "allowPasswordProximityRequests = 0", this is a finding.'']' +fix: This setting is enforced using the "Restrictions Policy" configuration profile. +references: + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005060 + cci: + - CCI-000381 +macOS: +- '12' +tags: +- stig +severity: medium diff --git a/rules/stig/APPL-12-005061.yml b/rules/stig/APPL-12-005061.yml new file mode 100644 index 000000000..1557dfe5a --- /dev/null +++ b/rules/stig/APPL-12-005061.yml 
@@ -0,0 +1,33 @@
+rule_id: MSCP RULE
+title: The macOS system must be configured to prevent users from erasing all system
+ content and settings.
+discussion: 'It is detrimental for operating systems to provide, or install by default,
+ functionality exceeding requirements or mission objectives. These unnecessary capabilities
+ or services are often overlooked and therefore may remain unsecured. They increase
+ the risk to the platform by providing additional attack vectors.
+
+
+ Operating systems are capable of providing a wide variety of functions and services.
+ Some of the functions and services, provided by default, may not be necessary to
+ support essential organizational operations (e.g., key missions, functions).
+
+
+ Examples of non-essential capabilities include, but are not limited to, games, software
+ packages, tools, and demonstration software, not related to requirements or providing
+ a wide array of functionality not required for every mission, but which cannot be
+ disabled.'
+check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowEraseContentAndSettings
+result: '[''If the return is not "allowEraseContentAndSettings = 0", this is a finding.'']'
+fix: This setting is enforced using the "Restrictions Policy" configuration profile.
+references:
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-005061
+ cci:
+ - CCI-000381
+macOS:
+- '12'
+tags:
+- stig
+severity: medium
From 9dbadd5d914667aea884b5680bf02f38d4512865 Mon Sep 17 00:00:00 2001
From: Allen Golbig Date: Tue, 8 Feb 2022 09:14:11 -0500 Subject: [PATCH 116/193] removed smart quotes --- rules/audit/audit_auditd_enabled.yaml | 2 +- rules/audit/audit_settings_failure_notify.yaml | 2 +- rules/auth/auth_smartcard_enforce.yaml | 2 +- rules/icloud/icloud_addressbook_disable.yaml | 4 ++-- rules/icloud/icloud_bookmarks_disable.yaml | 2 +- rules/icloud/icloud_calendar_disable.yaml | 4 ++-- rules/icloud/icloud_drive_disable.yaml | 2 +- rules/icloud/icloud_keychain_disable.yaml | 4 ++-- rules/icloud/icloud_mail_disable.yaml | 4 ++-- rules/icloud/icloud_notes_disable.yaml | 4 ++-- rules/icloud/icloud_photos_disable.yaml | 4 ++-- rules/icloud/icloud_reminders_disable.yaml | 4 ++-- rules/icloud/icloud_sync_disable.yaml | 4 ++-- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_home_folders_secure.yaml | 4 ++-- rules/os/os_limit_dos_attacks.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 4 ++-- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_pii_deidentification.yaml | 2 +- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 2 +- rules/os/os_sudoers_timestamp_type_configure.yaml | 2 +- rules/os/os_sudoers_tty_configure.yaml | 2 +- rules/os/os_unlock_active_user_session_disable.yaml | 6 +++--- rules/supplemental/supplemental_filevault.yaml | 4 ++-- rules/supplemental/supplemental_firewall_pf.yaml | 2 +- rules/supplemental/supplemental_smartcard.yaml | 4 ++-- rules/sysprefs/sysprefs_automatic_logout_enforce.yaml | 2 +- rules/sysprefs/sysprefs_find_my_disable.yaml | 4 ++-- ...sprefs_loginwindow_prompt_username_password_enforce.yaml | 2 +- rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 2 +- .../sysprefs/sysprefs_personalized_advertising_disable.yaml | 2 +- rules/sysprefs/sysprefs_screensaver_password_enforce.yaml | 2 +- rules/sysprefs/sysprefs_touchid_unlock_disable.yaml | 2 +- 34 files changed, 49 insertions(+), 49 deletions(-) 
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index dd4beb6c0..400bc247b 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -5,7 +5,7 @@ discussion: | Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. - The content required to be captured in an audit record varies based on the impact level of an organization’s system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. + The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index f57d376ef..0413b8a7e 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml 
@@ -3,7 +3,7 @@ title: "Configure Audit Failure Notification" discussion: | The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. - It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system’s capability, and system operation may be adversely affected. + It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. check: | /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn result: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index a0f8caf88..c8296ddba 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -5,7 +5,7 @@ discussion: | The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. - When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver. + When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement. diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index a77d1ace0..6a6905b65 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml 
@@ -1,9 +1,9 @@ id: icloud_addressbook_disable title: "Disable iCloud Address Book" discussion: | - The macOS built-in Contacts.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudAddressBook = 0' result: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index ae61759ee..5d80520bf 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -3,7 +3,7 @@ title: "Disable iCloud Bookmarks" discussion: | The macOS built-in Safari.app bookmark synchronization via the iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudBookmarks = 0' result: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 743132c11..ae8a5b1c6 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml 
@@ -1,9 +1,9 @@ id: icloud_calendar_disable title: "Disable the iCloud Calendar Services" discussion: | - The macOS built-in Calendar.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. check: /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudCalendar = 0' result: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 71b682689..64d2e5bf1 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -3,7 +3,7 @@ title: "Disable iCloud Document Sync" discussion: | The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDocumentSync = 0' result: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index b3361be76..00fbecd8b 100644 --- a/rules/icloud/icloud_keychain_disable.yaml 
+++ b/rules/icloud/icloud_keychain_disable.yaml @@ -1,9 +1,9 @@ id: icloud_keychain_disable title: "Disable iCloud Keychain Sync" discussion: | - The macOS system’s ability to automatically synchronize a user’s passwords to their iCloud account _MUST_ be disabled. + The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudKeychainSync = 0' result: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 2f22d2c2d..48aa0d8cd 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -1,9 +1,9 @@ id: icloud_mail_disable title: "Disable iCloud Mail" discussion: | - The macOS built-in Mail.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Mail.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudMail = 0' result: 
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index f913634be..c79b9ccbb 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -1,9 +1,9 @@ id: icloud_notes_disable title: "Disable iCloud Notes" discussion: | - The macOS built-in Notes.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudNotes = 0' result: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index e7ae6123c..4e06dcda7 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml 
@@ -1,9 +1,9 @@ id: icloud_photos_disable title: "Disable iCloud Photo Library" discussion: | - The macOS built-in Photos.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPhotoLibrary = 0' result: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 43789dd30..52bad4731 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -1,9 +1,9 @@ id: icloud_reminders_disable title: "Disable iCloud Reminders" discussion: | - The macOS built-in Reminders.app connection to Apple’s iCloud service _MUST_ be disabled. + The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudReminders = 0' result: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 2cecdb533..2bb73c6c2 100644 
--- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -1,9 +1,9 @@ id: icloud_sync_disable title: "Disable iCloud Desktop and Document Folder Sync" discussion: | - The macOS system’s ability to automatically synchronize a user’s desktop and documents folder to their iCloud Drive _MUST_ be disabled. + The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple’s iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudDesktopAndDocuments = 0' result: diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 37252c115..14d68894b 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -3,7 +3,7 @@ title: "Disable FaceTime.app" discussion: | The macOS built-in FaceTime.app _MUST_ be disabled. - The FaceTime.app establishes a connection to Apple’s iCloud service, even when security controls have been put in place to disable iCloud access. + The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/FaceTime.app" result: diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 080469278..094637050 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml 
@@ -1,9 +1,9 @@ id: os_home_folders_secure title: "Secure User's Home Folders" discussion: | - The system _MUST_ be configured to prevent access to other users’ home folders. + The system _MUST_ be configured to prevent access to other user's home folders. - The default behavior of macOS is to allow all valid users access to the the top level of every other user’s home folder while restricting access only to the Apple default folders within. + The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. check: | /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -perm -1 | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs result: diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 07609d059..0b6244e89 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml 
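Review bot: The first rewritten discussion line turns the plural possessive `users’` into the singular `user's`, which changes the statement from "other users' home folders" to one user's folder; with a straight quote it should read `prevent access to other users' home folders.`. The second rewritten line keeps the pre-existing duplicated word in `access to the the top level`, and since the line is being touched anyway this is the moment to drop one `the`.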
@@ -5,7 +5,7 @@ discussion: | DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. - To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems’ susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. + To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index f8829586d..449a6af9f 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Mail App" discussion: | The macOS built-in Mail.app _MUST_ be disabled. - The Mail.app contains functionality that can establish connections to Apple’s iCloud, even when security controls to disable iCloud access have been put in place. + The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place. [IMPORTANT] ==== 
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index 28d155065..9f8928006 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml @@ -12,7 +12,7 @@ discussion: | * an app has been changed (in the file system), and * XProtect signatures are updated. * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. - * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer’s signing certificate and prevents unsafe apps from running. + * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running. * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. 
@@ -23,7 +23,7 @@ discussion: | 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: - * Apple’s Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. + * Apple's Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 124c7f370..689bef98d 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Messages App" discussion: | The macOS built-in Messages.app _MUST_ be disabled. - The Messages.app establishes a connection to Apple’s iCloud service, even when security controls to disable iCloud access have been put in place. + The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Messages.app" result: diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml index 7ccd96fc7..f11bffe69 100644 --- a/rules/os/os_pii_deidentification.yaml +++ b/rules/os/os_pii_deidentification.yaml 
@@ -3,7 +3,7 @@ title: "Remove Elements of Personally Identifiable Information from Datasets" discussion: | Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. - De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. + De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. 
Many datasets contain information about individuals that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. check: | This requirement is NA for this technology. fix: | diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index d98bbc924..5b4b7b39d 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml 
@@ -7,7 +7,7 @@ discussion: | The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated. - By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. + By specifying a Key Exchange Algorithm list with the order of hashes being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index 9f63fb069..81b405d1e 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml 
@@ -3,7 +3,7 @@ title: "Configure Sudoers Timestamp Type" discussion: | The file /etc/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid. - This rule ensures that the "sudo" command will prompt for the administrator’s password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. + This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. check: | /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E '(^Defaults\s+timestamp_type=global|^Defaults\s+timestamp_type=ppid)' '{}' \; | /usr/bin/wc -l | /usr/bin/xargs result: diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index e238c08f1..a9e88e0ac 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml 
@@ -3,7 +3,7 @@ title: "Configure Sudoers to Authenticate Users on a Per -tty Basis" discussion: | The file /etc/sudoers _MUST_ be configured to include tty_tickets. - This rule ensures that the "sudo" command will prompt for the administrator’s password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. + This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. check: | /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+\!tty_tickets" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs result: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 696ffc05f..3cefa9d86 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml 
@@ -1,9 +1,9 @@ id: os_unlock_active_user_session_disable -title: "Disable Login to Other User’s Active and Locked Sessions" +title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user’s active or locked session _MUST_ be disabled. + The ability to log in to another user's active or locked session _MUST_ be disabled. - macOS has a privilege that can be granted to any user that will allow that user to unlock active user’s sessions. Disabling the admins and/or user’s ability to log into another user’s active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' result: diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index 2d5c9003d..b8831b7b3 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
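Review bot: The third rewritten line keeps the pre-existing run-together words in `active andlocked session`; as the line is being rewritten, it should read `active and locked session`. On the same line `unlock active user's sessions` is a singular possessive where the sentence appears to mean the sessions of other users (`users'`), the same plural/singular concern as the `other user's home folders` change in the os_home_folders_secure hunk — worth a second look rather than a mechanical quote swap.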
@@ -47,9 +47,9 @@ discussion: |
The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately.
- When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple’s Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[].
+ When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple's Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[].
- It’s recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[].
+ It's recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[].
NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication.
check: |
diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml
index c22cc06c4..678c82633 100644
--- a/rules/supplemental/supplemental_firewall_pf.yaml
+++ b/rules/supplemental/supplemental_firewall_pf.yaml
@@ -13,7 +13,7 @@ discussion: |
* The PF firewall can manipulate virtually any packet data and is highly configurable.
** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html
- Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to “detailed”, set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system’s pf ruleset.
+ Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset.
The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`.
diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml
index eaf3f9472..8f97916ab 100644
--- a/rules/supplemental/supplemental_smartcard.yaml
+++ b/rules/supplemental/supplemental_smartcard.yaml
@@ -25,7 +25,7 @@ discussion: |
[discrete]
==== Smartcard Pairing
- The default method for using smartcards in macOS is a method called "local account pairing". Local account pairing is automatically initiated when a user inserts a smartcard into the Mac. The user is prompted to pair their smartcard with their account. If a user receives a new smartcard, the previous card must be unpaired, and the new card paired to the account. Local account pairing employs fixed key mapping with the hash of a public key on the user’s smartcard with a local account.
+ The default method for using smartcards in macOS is a method called "local account pairing". Local account pairing is automatically initiated when a user inserts a smartcard into the Mac. The user is prompted to pair their smartcard with their account. If a user receives a new smartcard, the previous card must be unpaired, and the new card paired to the account. Local account pairing employs fixed key mapping with the hash of a public key on the user's smartcard with a local account.
[discrete]
==== Smartcard Attribute Mapping
@@ -60,7 +60,7 @@ discussion: |
- 2: certificate trust check is turned on, and a soft revocation check is performed. Until the certificate is explicitly rejected by CRL/OCSP, it is considered valid. This implies that unavailable/unreachable CRL/OCSP allows this check to succeed.
- - 3: certificate trust check is turned on, plus a hard revocation check is performed. Unless CRL/OCSP explicitly states that “this certificate is OK”, the certificate is considered invalid. This is the most secure value for this setting.
+ - 3: certificate trust check is turned on, plus a hard revocation check is performed. Unless CRL/OCSP explicitly states that "this certificate is OK", the certificate is considered invalid. This is the most secure value for this setting.
<.^|oneCardPerUser ^.^|bool
diff --git a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index 775de6e35..8606229a6 100644
--- a/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -7,7 +7,7 @@ discussion: |
[IMPORTANT]
====
- The 24-hour automatic logout may cause disruptions to an organization’s workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting.
+ The 24-hour automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting.
====
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400'
diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml
index 2d2d05c21..acf4ea058 100644
--- a/rules/sysprefs/sysprefs_find_my_disable.yaml
+++ b/rules/sysprefs/sysprefs_find_my_disable.yaml
@@ -3,9 +3,9 @@ title: "Disable Find My Service"
discussion: |
The Find My service _MUST_ be disabled.
- A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple’s Find My service.
+ A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service.
- Apple’s Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
+ Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(allowFindMyDevice = 0|allowFindMyFriends = 0|DisableFMMiCloudSetting = 1)'
result:
diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
index 49ae66fad..beb7191ab 100644
--- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml
@@ -3,7 +3,7 @@ title: "Configure Login Window to Prompt for Username and Password"
discussion: |
The login window _MUST_ be configured to prompt all users for both a username and a password.
- By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else’s account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
+ By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SHOWFULLNAME = 1'
result:
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index b50d6df1a..1eea49b6e 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -3,7 +3,7 @@ title: "Disable Media Sharing"
discussion: |
Media sharing _MUST_ be disabled.
- When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user’s music collection with other users in the same subnet.
+ When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.
The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk.
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index bc6400b10..0af86e48a 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Personalized Advertising"
discussion: |
Ad tracking and targeted ads _MUST_ be disabled.
- The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements.
+ The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;'
result:
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index 00d502f27..431d89cef 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -3,7 +3,7 @@ title: "Enforce Screen Saver Password"
discussion: |
Users _MUST_ authenticate when unlocking the screen saver.
- The screen saver acts as a session lock and prevents unauthorized users from accessing the current user’s account.
+ The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'askForPassword = 1'
result:
diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
index 92fe3858c..0ae8ff671 100644
--- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
@@ -1,7 +1,7 @@
id: sysprefs_touchid_unlock_disable
title: "Disable TouchID for Unlocking the Device"
discussion: |
- TouchID enables the ability to unlock a Mac system with a user’s fingerprint.
+ TouchID enables the ability to unlock a Mac system with a user's fingerprint.
TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID.
From 46318ef076c5ea0ce126f8404d07464631d92823 Mon Sep 17 00:00:00 2001
From: Bob Gendler Date: Tue, 8 Feb 2022 16:49:13 -0500 Subject: [PATCH 117/193] srg and disa_stig added for macOS 12 --- rules/audit/audit_acls_files_configure.yaml | 6 ++++-- rules/audit/audit_acls_folders_configure.yaml | 5 +++-- rules/audit/audit_auditd_enabled.yaml | 18 ++++++++++++++++-- .../audit/audit_configure_capacity_notify.yaml | 5 +++-- rules/audit/audit_failure_halt.yaml | 5 +++-- rules/audit/audit_files_group_configure.yaml | 5 +++-- rules/audit/audit_files_mode_configure.yaml | 5 +++-- rules/audit/audit_files_owner_configure.yaml | 5 +++-- rules/audit/audit_flags_aa_configure.yaml | 8 ++++++-- rules/audit/audit_flags_ad_configure.yaml | 14 ++++++++++++-- rules/audit/audit_flags_fd_configure.yaml | 14 ++++++++++++-- rules/audit/audit_flags_fm_configure.yaml | 14 ++++++++++++-- rules/audit/audit_flags_fr_configure.yaml | 14 ++++++++++++-- rules/audit/audit_flags_fw_configure.yaml | 14 ++++++++++++-- rules/audit/audit_flags_lo_configure.yaml | 6 ++++-- rules/audit/audit_folder_group_configure.yaml | 5 +++-- rules/audit/audit_folder_owner_configure.yaml | 5 +++-- rules/audit/audit_folders_mode_configure.yaml | 7 +++++-- rules/audit/audit_retention_configure.yaml | 8 +++----- rules/audit/audit_settings_failure_notify.yaml | 5 +++-- rules/auth/auth_smartcard_enforce.yaml | 7 +++++-- rules/icloud/icloud_addressbook_disable.yaml | 6 ++++-- rules/icloud/icloud_bookmarks_disable.yaml | 6 ++++-- rules/icloud/icloud_calendar_disable.yaml | 6 ++++-- rules/icloud/icloud_drive_disable.yaml | 6 ++++-- rules/icloud/icloud_keychain_disable.yaml | 6 ++++-- rules/icloud/icloud_mail_disable.yaml | 6 ++++-- rules/icloud/icloud_notes_disable.yaml | 6 ++++-- rules/icloud/icloud_photos_disable.yaml | 6 ++++-- rules/icloud/icloud_reminders_disable.yaml | 6 ++++-- rules/os/os_airdrop_disable.yaml | 5 +++-- ...os_asl_log_files_owner_group_configure.yaml | 5 +++-- ...os_asl_log_files_permissions_configure.yaml | 5 +++-- rules/os/os_camera_disable.yaml | 6 ++++-- 
rules/os/os_directory_services_configured.yaml | 7 +++---- rules/os/os_filevault_authorized_users.yaml | 5 +++-- rules/os/os_filevault_autologin_disable.yaml | 7 +++---- rules/os/os_firmware_password_require.yaml | 5 +++-- rules/os/os_home_folders_secure.yaml | 6 ++++-- ..._newsyslog_files_owner_group_configure.yaml | 5 +++-- ..._newsyslog_files_permissions_configure.yaml | 5 +++-- rules/os/os_nfsd_disable.yaml | 5 +++-- .../os/os_screensaver_loginwindow_enforce.yaml | 5 +++-- rules/os/os_sudoers_tty_configure.yaml | 5 +++-- rules/os/os_tftpd_disable.yaml | 5 +++-- ...emporary_or_emergency_accounts_disable.yaml | 6 ++++-- .../sysprefs_automatic_login_disable.yaml | 5 +++-- .../sysprefs_firewall_stealth_mode_enable.yaml | 6 ++++-- .../sysprefs_guest_account_disable.yaml | 5 +++-- .../sysprefs_password_hints_disable.yaml | 5 +++-- rules/sysprefs/sysprefs_smbd_disable.yaml | 5 +++-- 51 files changed, 233 insertions(+), 109 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0211cd2b2..ad9a4b8a8 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -26,9 +26,10 @@ references: - AU-9 - SI-11 srg: - - N/A + - SRG-OS-000057-GPOS-00027 + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-000030 800-171r2: - 3.3.8 macOS: @@ -42,6 +43,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index ef58e7306..9689363a2 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-000031 800-171r2: - 3.3.8 macOS: 
@@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 9fb99ced7..a55e91529 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -54,9 +54,22 @@ references: - AU-12(3) - AU-14(1) srg: - - N/A + - SRG-OS-000037-GPOS-00015 + - SRG-OS-000038-GPOS-00016 + - SRG-OS-000039-GPOS-00017 + - SRG-OS-000040-GPOS-00018 + - SRG-OS-000041-GPOS-00019 + - SRG-OS-000042-GPOS-00020 + - SRG-OS-000042-GPOS-00021 + - SRG-OS-000055-GPOS-00026 + - SRG-OS-000254-GPOS-00095 + - SRG-OS-000255-GPOS-00096 + - SRG-OS-000303-GPOS-00120 + - SRG-OS-000337-GPOS-00129 + - SRG-OS-000358-GPOS-00145 + - SRG-OS-000359-GPOS-00146 disa_stig: - - N/A + - APPL-12-001003 800-171r2: - 3.3.1 - 3.3.2 @@ -76,6 +89,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 8ff583de6..b8885938a 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -23,14 +23,15 @@ references: 800-53r4: - AU-5(1) srg: - - N/A + - SRG-OS-000343-GPOS-00134 disa_stig: - - N/A + - APPL-12-001030 macOS: - "12.0" tags: - 800-53r5_high - 800-53r4_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index ab64fff69..3cc790852 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - AU-5 srg: - - N/A + - SRG-OS-000047-GPOS-00023 disa_stig: - - N/A + - APPL-12-001010 800-171r2: - 3.3.4 macOS: 
@@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 128b45999..cb0c3dec9 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001014 800-171r2: - 3.3.8 macOS: @@ -41,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index d55950494..cb2588f3d 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -21,9 +21,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001016 800-171r2: - 3.3.8 macOS: @@ -37,6 +37,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 0bdcfcd1d..7b70d89ea 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001012 800-171r2: - 3.3.8 macOS: @@ -41,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 9754e6406..9d4d374e5 100644 --- a/rules/audit/audit_flags_aa_configure.yaml 
+++ b/rules/audit/audit_flags_aa_configure.yaml @@ -31,9 +31,12 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000470-GPOS-00214 + - SRG-OS-000472-GPOS-00217 + - SRG-OS-000473-GPOS-00218 + - SRG-OS-000475-GPOS-00220 disa_stig: - - N/A + - APPL-12-001044 800-171r2: - 3.3.1 - 3.3.2 @@ -54,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 0a22abc7b..056d70638 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -45,9 +45,18 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000004-GPOS-00004 + - SRG-OS-000239-GPOS-00089 + - SRG-OS-000240-GPOS-00090 + - SRG-OS-000241-GPOS-00091 + - SRG-OS-000327-GPOS-00127 + - SRG-OS-000392-GPOS-00172 + - SRG-OS-000471-GPOS-00215 + - SRG-OS-000471-GPOS-00216 + - SRG-OS-000476-GPOS-00221 + - SRG-OS-000477-GPOS-00222 disa_stig: - - N/A + - APPL-12-001001 800-171r2: - 3.1.7 - 3.3.1 @@ -69,6 +78,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 742ae0a43..bcd01d447 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -37,9 +37,18 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - N/A cisv8: 
@@ -54,6 +63,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 7bc34da8d..f1b458f8c 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -37,9 +37,18 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - N/A cisv8: @@ -51,6 +60,7 @@ macOS: tags: - stig - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index a054a5b40..d2db251c4 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -37,9 +37,18 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - 3.3.1 - 3.3.2 @@ -61,6 +70,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index f638b8003..3d2d82237 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml 
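Review bot: The tags hunk for audit_flags_fm_configure.yaml appends `- stig` to a list whose context line directly above already reads `- stig`, so the rule will carry the tag twice after the commit; the added line should be dropped and the existing one kept. Separately, the fd, fm, fr and fw flag rules all receive the same `disa_stig` value `APPL-12-001020` and an identical SRG list; if a single STIG check covers all four file-event flag families that is fine, but it is worth confirming the IDs were not copy-pasted across the four files, since every other rule in this commit gets a distinct APPL-12 ID.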
@@ -36,9 +36,18 @@ references: - CM-5(1) - MA-4(1) srg: - - N/A + - SRG-OS-000064-GPOS-00033 + - SRG-OS-000365-GPOS-00152 + - SRG-OS-000458-GPOS-00203 + - SRG-OS-000461-GPOS-00205 + - SRG-OS-000463-GPOS-00207 + - SRG-OS-000465-GPOS-00209 + - SRG-OS-000466-GPOS-00210 + - SRG-OS-000467-GPOS-00211 + - SRG-OS-000468-GPOS-00212 + - SRG-OS-000474-GPOS-00219 disa_stig: - - N/A + - APPL-12-001020 800-171r2: - 3.3.1 - 3.3.2 @@ -60,6 +69,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 34453690b..85967d67a 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -33,9 +33,10 @@ references: - AU-12 - MA-4(1) srg: - - N/A + - SRG-OS-000032-GPOS-00013 + - SRG-OS-000462-GPOS-00206 disa_stig: - - N/A + - APPL-12-001002 800-171r2: - 3.1.12 - 3.3.1 @@ -57,6 +58,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index d0aefb04a..6fd2285d4 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001015 800-171r2: - 3.3.8 macOS: @@ -41,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index afbc5db8e..be0a6c21f 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml 
@@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 disa_stig: - - N/A + - APPL-12-001013 800-171r2: - 3.3.8 macOS: @@ -41,6 +41,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 07e3bb467..d6307f934 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -25,9 +25,11 @@ references: 800-53r4: - AU-9 srg: - - N/A + - SRG-OS-000057-GPOS-00027 + - SRG-OS-000058-GPOS-00028 + - SRG-OS-000059-GPOS-00029 disa_stig: - - N/A + - APPL-12-001017 800-171r2: - 3.3.8 macOS: @@ -41,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 0a39cd572..682af429e 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -25,12 +25,9 @@ references: - AU-4 - AU-11 srg: - - N/A + - SRG-OS-000341-GPOS-00132 disa_stig: - - N/A - cisv8: - - 8.3 - - 8.1 + - APPL-12-001029 macOS: - "12.0" tags: @@ -43,6 +40,7 @@ tags: - 800-53r5_high - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index f57d376ef..712cabab5 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -25,9 +25,9 @@ references: - AU-5 - AU-5(2) srg: - - N/A + - SRG-OS-000344-GPOS-00135 disa_stig: - - N/A + - APPL-12-001031 800-171r2: - 3.3.4 macOS: 
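Review bot: In audit_retention_configure.yaml the removed lines take out the whole `cisv8:` reference block (`- 8.3`, `- 8.1`) together with the `- N/A` placeholder, while the tags hunk keeps `- cisv8`, so the rule stays in the CIS v8 baseline with no control mapping; this looks like an over-wide deletion made while replacing the placeholder with `- APPL-12-001029`, and the two cisv8 lines should be restored under `references:`. The same shape recurs in os_directory_services_configured.yaml, which loses `cisv8: - 6.7` but keeps its `cisv8` tag, and in os_filevault_autologin_disable.yaml, which drops `cci: - CCI-002143`; if the CCI removal is intentional it deserves a sentence in the commit message, since the subject only mentions adding SRG and STIG references.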
@@ -38,6 +38,7 @@ tags: - 800-53r4_high - 800-53r5_high - 800-171 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index a0f8caf88..aed868060 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -42,9 +42,11 @@ references: - IA-5(2) - IA-5(11) srg: - - N/A + - SRG-OS-000107-GPOS-00054 + - SRG-OS-000108-GPOS-00055 + - SRG-OS-000068-GPOS-00036 disa_stig: - - N/A + - APPL-12-003020 800-171r2: - 3.5.1 - 3.5.2 @@ -65,6 +67,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index fa467da3d..782aa7bd9 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002014 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 62a6f0614..b886828ae 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002042 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index c8c06ff30..cb826dc5f 100644 --- a/rules/icloud/icloud_calendar_disable.yaml 
+++ b/rules/icloud/icloud_calendar_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002012 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index c99985d44..2a3b5866f 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002041 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index fa648805a..68b7eddb5 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002040 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 842a139fe..e3cc43eaa 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002015 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: 
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index f09c04bd7..9202516e8 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002016 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 6e7735cc8..5d8c79fb0 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002043 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index fc59d0b4e..4423b4efe 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -28,9 +28,10 @@ references: - AC-20 - AC-20(1) srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002013 800-171r2: - 3.1.20 - 3.4.6 @@ -50,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 15c214d9f..779a91d06 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -26,9 +26,9 @@ references: - AC-3 - AC-20 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002009 800-171r2: - 3.1.1 - 3.1.2 
@@ -51,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index 8683137b1..7c054ed48 100644 --- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004001 800-171r2: - N/A macOS: @@ -33,6 +33,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index c556e28e5..55ec4bd06 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -21,9 +21,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004002 800-171r2: - N/A macOS: @@ -31,6 +31,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 3fb18df08..93eb4cc29 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -20,13 +20,15 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A + - APPL-12-002017 macOS: - "12.0" tags: - none + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 57f10e7cf..8bd40f8be 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
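Review bot: In the os_camera_disable.yaml tags hunk (`@@ -20,13 +20,15 @@`) the new side appends `- stig` after the existing `- none`, so the list now reads `- none`, `- stig`. `none` is the only entry in the original and presumably acts as a "no tags" placeholder, in which case it should be replaced rather than kept: the `tags:` block should end up as just `- stig`. Every other file touched by this commit adds `stig` to a list of real tags, so this is the one place where a placeholder survives next to a live tag, and any tooling that treats `none` specially may mis-classify the rule.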
@@ -20,15 +20,14 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A - cisv8: - - 6.7 + - APPL-12-000016 macOS: - "12.0" tags: - cisv8 + - stig severity: "high" mobileconfig: mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml index a78d98b46..c0ac40c49 100644 --- a/rules/os/os_filevault_authorized_users.yaml +++ b/rules/os/os_filevault_authorized_users.yaml @@ -23,14 +23,15 @@ references: 800-53r4: - N/A srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-000032 macOS: - "12.0" tags: - 800-53r5_high - manual + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 510645fe8..44a23f439 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -24,11 +24,9 @@ references: - AC-3 - IA-5(13) srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A - cci: - - CCI-002143 + - APPL-12-000033 800-171r2: - 3.1.1 - 3.1.2 @@ -47,6 +45,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index e7de701d5..be1a79f6e 100644 --- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -32,9 +32,9 @@ references: 800-53r4: - AC-6 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-003013 800-171r2: - 3.1.5 macOS: @@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - i386 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 3addf698b..7d483baa6 100644 
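Review bot: The os_directory_services_configured.yaml references hunk removes the `cisv8:` mapping (`- 6.7`) together with the `- N/A` placeholders, yet the `- cisv8` entry under `tags:` in the same file is kept, so the rule stays tagged for a baseline whose control reference it no longer carries. Either restore `cisv8:` / `- 6.7` under `references:` or drop the tag as well; the two should move together. The os_filevault_autologin_disable.yaml hunk on this same line has the same shape of problem: `cci:` / `- CCI-002143` is deleted while `APPL-12-000033` is added, which looks accidental given that STIG findings are normally cross-referenced to CCIs and a later commit in this series (PATCH 118) adds `cci:` entries for exactly that reason. In both cases the deletion of the `- N/A` placeholder appears to have been widened by a line or two. Separately, the context line `mobileconfig:` in os_directory_services_configured.yaml has no value (it parses as null), unlike the explicit `true`/`false` used in every other rule here; that is pre-existing but worth settling while the file is being edited.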
--- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -27,9 +27,10 @@ references: 800-53r4: - AC-6 srg: - - N/A + - SRG-OS-000480-GPOS-00228 + - SRG-OS-000480-GPOS-00230 disa_stig: - - N/A + - APPL-12-002068 800-171r2: - 3.1.5 macOS: @@ -41,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index c9886100b..f878723a6 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004001 800-171r2: - N/A macOS: @@ -33,6 +33,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index ccb066b16..9993eb920 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -22,9 +22,9 @@ references: 800-53r4: - SI-11 srg: - - N/A + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-004002 800-171r2: - N/A macOS: @@ -32,6 +32,7 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 61f07e7ba..c4d9ef48f 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - AC-3 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002003 800-171r2: - 3.1.1 - 3.1.2 
@@ -44,6 +44,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index f704e3217..eb9dad5a6 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -18,9 +18,9 @@ references: 800-53r4: - AC-11(1) srg: - - N/A + - SRG-OS-000031-GPOS-00012 disa_stig: - - N/A + - APPL-12-000006 800-171r2: - 3.1.10 macOS: @@ -32,6 +32,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 7687d4496..15bd907e0 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -24,9 +24,9 @@ references: 800-53r4: - IA-11 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-004021 macOS: - "12.0" tags: @@ -34,6 +34,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 9a735f5b1..a6985a8ec 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -29,9 +29,9 @@ references: - AC-3 - IA-5(1) srg: - - N/A + - SRG-OS-000074-GPOS-00042 disa_stig: - - N/A + - APPL-12-002038 800-171r2: - 3.1.1 - 3.1.2 @@ -51,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 0b9be9dd1..9b3dc3f3e 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml 
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -65,9 +65,10 @@ references: 800-53r4: - AC-2(2) srg: - - N/A + - SRG-OS-000002-GPOS-00002 + - SRG-OS-000123-GPOS-00064 disa_stig: - - N/A + - APPL-12-000012 macOS: - "12.0" tags: @@ -76,6 +77,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - manual + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 85d475f43..c5b059aae 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -22,9 +22,9 @@ references: - IA-2 - IA-5(13) srg: - - N/A + - SRG-OS-000480-GPOS-00229 disa_stig: - - N/A + - APPL-12-002066 800-171r2: - 3.5.1 - 3.5.2 @@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index a932e0716..7024f67d1 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -29,9 +29,9 @@ references: - CM-7(1) - SC-7(16) srg: - - N/A + - SRG-OS-000480-GPOS-00232 disa_stig: - - N/A + - APPL-12-005050 800-171r2: - 3.4.6 - 3.13.1 @@ -53,6 +53,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 4947d17aa..dd9f1633b 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -22,9 +22,9 @@ references: - AC-2 - AC-2(9) srg: - - N/A + - SRG-OS-000364-GPOS-00151 disa_stig: - - N/A + - APPL-12-002063 800-171r2: - 3.5.1 - 3.5.2 
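Review bot: The `tags:` hunk for sysprefs_firewall_stealth_mode_enable.yaml (`@@ -53,6 +53,8 @@`) adds `- stig` twice, leaving a duplicate entry in the list; it should be a single `+ - stig` line with the hunk header counted as `+53,7`. A duplicated list item is accepted by a YAML parser, but anything that groups or counts rules by tag will likely report this rule twice under `stig`. Since the same edit was applied across roughly fifty rule files, a quick per-file count of `- stig` lines over rules/ before merging would catch any other accidental doubles.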
@@ -44,6 +44,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 14c430814..5d42b6cb4 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - IA-6 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-003012 800-171r2: - 3.5.11 macOS: @@ -36,6 +36,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 5608aef93..a9eefb53f 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AC-3 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002001 800-171r2: - 3.1.1 - 3.1.2 @@ -46,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From 4d748c09ee268b9ab8fbfded14d540e0bae4b25d Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 8 Feb 2022 16:59:22 -0500 Subject: [PATCH 118/193] added srg, cci, and disa stig --- rules/os/os_handoff_disable.yaml | 10 ++++++---- rules/os/os_password_proximity_disable.yaml | 11 ++++------- rules/os/os_skip_unlock_with_watch_enable.yaml | 5 +++-- rules/os/os_touchid_prompt_disable.yaml | 8 +++++--- ..._loginwindow_prompt_username_password_enforce.yaml | 8 +++++--- 5 files changed, 23 insertions(+), 19 deletions(-) diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 9edbb67ab..41acc8888 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml 
@@ -13,6 +13,8 @@ fix: | references: cce: - CCE-90929-1 + cci: + - CCI-000381 800-53r5: - AC-3 - AC-20 @@ -24,11 +26,9 @@ references: - CM-7 - CM-7(1) disa_stig: - - N/A + - APPL-12-005058 srg: - - N/A - cci: - - N/A + - SRG-OS-000095-GPOS-00049 800-171r2: - 3.1.1 - 3.1.2 @@ -49,6 +49,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "low" mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index ca225634a..bc55fcdb9 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -14,20 +14,15 @@ references: cce: - CCE-90968-9 cci: - - N/A + - CCI-000381 800-53r5: - IA-5 800-53r4: - IA-5 srg: - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 disa_stig: - - N/A - srg: - - N/A - cci: - - N/A + - APPL-12-005060 800-171r2: - 3.5.1 - 3.5.2 @@ -46,6 +41,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index d94b7e591..d49beb71c 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-20 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-005056 800-171r2: - 3.1.20 cisv8: @@ -39,6 +39,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 1f9978a67..7df5b2699 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml 
@@ -14,15 +14,15 @@ references: cce: - CCE-91020-8 cci: - - N/A + - CCI-000381 800-53r5: - CM-6 800-53r4: - CM-6 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-005054 800-171r2: - 3.4.1 - 3.4.2 @@ -40,6 +40,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 04f430ee9..73c27e8e9 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -14,15 +14,15 @@ references: cce: - CCE-91065-3 cci: - - N/A + - CCI-000366 800-53r5: - IA-2 800-53r4: - IA-2 srg: - - N/A + - SRG-OS-000480-GPOS-00229 disa_stig: - - N/A + - APPL-12-005052 800-171r2: - 3.5.1 - 3.5.2 @@ -37,6 +37,8 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig +severity: "low" mobileconfig: true mobileconfig_info: com.apple.loginwindow: From 2c2cec7e3f487af1cc48e5d7e77fafbe1c50cf53 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Tue, 8 Feb 2022 17:13:48 -0500 Subject: [PATCH 119/193] Revert "srg and disa_stig added for macOS 12" This reverts commit 46318ef076c5ea0ce126f8404d07464631d92823. --- rules/audit/audit_acls_files_configure.yaml | 6 ++---- rules/audit/audit_acls_folders_configure.yaml | 5 ++--- rules/audit/audit_auditd_enabled.yaml | 18 ++---------------- .../audit/audit_configure_capacity_notify.yaml | 5 ++--- rules/audit/audit_failure_halt.yaml | 5 ++--- rules/audit/audit_files_group_configure.yaml | 5 ++--- rules/audit/audit_files_mode_configure.yaml | 5 ++--- rules/audit/audit_files_owner_configure.yaml | 5 ++--- rules/audit/audit_flags_aa_configure.yaml | 8 ++------ rules/audit/audit_flags_ad_configure.yaml | 14 ++------------ rules/audit/audit_flags_fd_configure.yaml | 14 ++------------ rules/audit/audit_flags_fm_configure.yaml | 14 ++------------ rules/audit/audit_flags_fr_configure.yaml | 14 ++------------ rules/audit/audit_flags_fw_configure.yaml | 14 ++------------ rules/audit/audit_flags_lo_configure.yaml | 6 ++---- rules/audit/audit_folder_group_configure.yaml | 5 ++--- rules/audit/audit_folder_owner_configure.yaml | 5 ++--- rules/audit/audit_folders_mode_configure.yaml | 7 ++----- rules/audit/audit_retention_configure.yaml | 8 +++++--- rules/audit/audit_settings_failure_notify.yaml | 5 ++--- rules/auth/auth_smartcard_enforce.yaml | 7 ++----- rules/icloud/icloud_addressbook_disable.yaml | 6 ++---- rules/icloud/icloud_bookmarks_disable.yaml | 6 ++---- rules/icloud/icloud_calendar_disable.yaml | 6 ++---- rules/icloud/icloud_drive_disable.yaml | 6 ++---- rules/icloud/icloud_keychain_disable.yaml | 6 ++---- rules/icloud/icloud_mail_disable.yaml | 6 ++---- rules/icloud/icloud_notes_disable.yaml | 6 ++---- rules/icloud/icloud_photos_disable.yaml | 6 ++---- rules/icloud/icloud_reminders_disable.yaml | 6 ++---- rules/os/os_airdrop_disable.yaml | 5 ++--- ...os_asl_log_files_owner_group_configure.yaml | 5 ++--- 
...os_asl_log_files_permissions_configure.yaml | 5 ++--- rules/os/os_camera_disable.yaml | 6 ++---- rules/os/os_directory_services_configured.yaml | 7 ++++--- rules/os/os_filevault_authorized_users.yaml | 5 ++--- rules/os/os_filevault_autologin_disable.yaml | 7 ++++--- rules/os/os_firmware_password_require.yaml | 5 ++--- rules/os/os_home_folders_secure.yaml | 6 ++---- ..._newsyslog_files_owner_group_configure.yaml | 5 ++--- ..._newsyslog_files_permissions_configure.yaml | 5 ++--- rules/os/os_nfsd_disable.yaml | 5 ++--- .../os/os_screensaver_loginwindow_enforce.yaml | 5 ++--- rules/os/os_sudoers_tty_configure.yaml | 5 ++--- rules/os/os_tftpd_disable.yaml | 5 ++--- ...emporary_or_emergency_accounts_disable.yaml | 6 ++---- .../sysprefs_automatic_login_disable.yaml | 5 ++--- .../sysprefs_firewall_stealth_mode_enable.yaml | 6 ++---- .../sysprefs_guest_account_disable.yaml | 5 ++--- .../sysprefs_password_hints_disable.yaml | 5 ++--- rules/sysprefs/sysprefs_smbd_disable.yaml | 5 ++--- 51 files changed, 109 insertions(+), 233 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index ad9a4b8a8..0211cd2b2 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -26,10 +26,9 @@ references: - AU-9 - SI-11 srg: - - SRG-OS-000057-GPOS-00027 - - SRG-OS-000206-GPOS-00084 + - N/A disa_stig: - - APPL-12-000030 + - N/A 800-171r2: - 3.3.8 macOS: @@ -43,7 +42,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 9689363a2..ef58e7306 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-000031 + - N/A 800-171r2: - 3.3.8 macOS: 
@@ -39,7 +39,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index a55e91529..9fb99ced7 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -54,22 +54,9 @@ references: - AU-12(3) - AU-14(1) srg: - - SRG-OS-000037-GPOS-00015 - - SRG-OS-000038-GPOS-00016 - - SRG-OS-000039-GPOS-00017 - - SRG-OS-000040-GPOS-00018 - - SRG-OS-000041-GPOS-00019 - - SRG-OS-000042-GPOS-00020 - - SRG-OS-000042-GPOS-00021 - - SRG-OS-000055-GPOS-00026 - - SRG-OS-000254-GPOS-00095 - - SRG-OS-000255-GPOS-00096 - - SRG-OS-000303-GPOS-00120 - - SRG-OS-000337-GPOS-00129 - - SRG-OS-000358-GPOS-00145 - - SRG-OS-000359-GPOS-00146 + - N/A disa_stig: - - APPL-12-001003 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -89,7 +76,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index b8885938a..8ff583de6 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -23,15 +23,14 @@ references: 800-53r4: - AU-5(1) srg: - - SRG-OS-000343-GPOS-00134 + - N/A disa_stig: - - APPL-12-001030 + - N/A macOS: - "12.0" tags: - 800-53r5_high - 800-53r4_high - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 3cc790852..ab64fff69 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -23,9 +23,9 @@ references: 800-53r4: - AU-5 srg: - - SRG-OS-000047-GPOS-00023 + - N/A disa_stig: - - APPL-12-001010 + - N/A 800-171r2: - 3.3.4 macOS: 
@@ -39,7 +39,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index cb0c3dec9..128b45999 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-001014 + - N/A 800-171r2: - 3.3.8 macOS: @@ -41,7 +41,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index cb2588f3d..d55950494 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -21,9 +21,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-001016 + - N/A 800-171r2: - 3.3.8 macOS: @@ -37,7 +37,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index 7b70d89ea..0bdcfcd1d 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-001012 + - N/A 800-171r2: - 3.3.8 macOS: @@ -41,7 +41,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 9d4d374e5..9754e6406 100644 --- a/rules/audit/audit_flags_aa_configure.yaml 
+++ b/rules/audit/audit_flags_aa_configure.yaml @@ -31,12 +31,9 @@ references: - AU-12 - MA-4(1) srg: - - SRG-OS-000470-GPOS-00214 - - SRG-OS-000472-GPOS-00217 - - SRG-OS-000473-GPOS-00218 - - SRG-OS-000475-GPOS-00220 + - N/A disa_stig: - - APPL-12-001044 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -57,7 +54,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 056d70638..0a22abc7b 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -45,18 +45,9 @@ references: - AU-12 - MA-4(1) srg: - - SRG-OS-000004-GPOS-00004 - - SRG-OS-000239-GPOS-00089 - - SRG-OS-000240-GPOS-00090 - - SRG-OS-000241-GPOS-00091 - - SRG-OS-000327-GPOS-00127 - - SRG-OS-000392-GPOS-00172 - - SRG-OS-000471-GPOS-00215 - - SRG-OS-000471-GPOS-00216 - - SRG-OS-000476-GPOS-00221 - - SRG-OS-000477-GPOS-00222 + - N/A disa_stig: - - APPL-12-001001 + - N/A 800-171r2: - 3.1.7 - 3.3.1 @@ -78,7 +69,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index bcd01d447..742ae0a43 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -37,18 +37,9 @@ references: - CM-5(1) - MA-4(1) srg: - - SRG-OS-000064-GPOS-00033 - - SRG-OS-000365-GPOS-00152 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000461-GPOS-00205 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000465-GPOS-00209 - - SRG-OS-000466-GPOS-00210 - - SRG-OS-000467-GPOS-00211 - - SRG-OS-000468-GPOS-00212 - - SRG-OS-000474-GPOS-00219 + - N/A disa_stig: - - APPL-12-001020 + - N/A 800-171r2: - N/A cisv8: 
@@ -63,7 +54,6 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index f1b458f8c..7bc34da8d 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -37,18 +37,9 @@ references: - CM-5(1) - MA-4(1) srg: - - SRG-OS-000064-GPOS-00033 - - SRG-OS-000365-GPOS-00152 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000461-GPOS-00205 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000465-GPOS-00209 - - SRG-OS-000466-GPOS-00210 - - SRG-OS-000467-GPOS-00211 - - SRG-OS-000468-GPOS-00212 - - SRG-OS-000474-GPOS-00219 + - N/A disa_stig: - - APPL-12-001020 + - N/A 800-171r2: - N/A cisv8: @@ -60,7 +51,6 @@ macOS: tags: - stig - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index d2db251c4..a054a5b40 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -37,18 +37,9 @@ references: - CM-5(1) - MA-4(1) srg: - - SRG-OS-000064-GPOS-00033 - - SRG-OS-000365-GPOS-00152 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000461-GPOS-00205 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000465-GPOS-00209 - - SRG-OS-000466-GPOS-00210 - - SRG-OS-000467-GPOS-00211 - - SRG-OS-000468-GPOS-00212 - - SRG-OS-000474-GPOS-00219 + - N/A disa_stig: - - APPL-12-001020 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -70,7 +61,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 3d2d82237..f638b8003 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml 
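Review bot: After this revert, audit_flags_fm_configure.yaml still carries a `stig` tag: the `@@ -60,7 +51,6 @@` hunk removes only the second `- stig`, and the first one survives as a context line (`tags: - stig - cisv8`) while `srg:` and `disa_stig:` in the same file are reset to `- N/A`. That leaves one rule tagged for the STIG baseline with no STIG identifier or SRG behind it, which the reverted commit evidently created by appending a tag to a file that already had one. The revert itself is correct as a mechanical undo; the leftover `- stig` in the `tags:` list should be removed in a follow-up if the intent is a clean return to the pre-STIG state.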
@@ -36,18 +36,9 @@ references: - CM-5(1) - MA-4(1) srg: - - SRG-OS-000064-GPOS-00033 - - SRG-OS-000365-GPOS-00152 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000461-GPOS-00205 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000465-GPOS-00209 - - SRG-OS-000466-GPOS-00210 - - SRG-OS-000467-GPOS-00211 - - SRG-OS-000468-GPOS-00212 - - SRG-OS-000474-GPOS-00219 + - N/A disa_stig: - - APPL-12-001020 + - N/A 800-171r2: - 3.3.1 - 3.3.2 @@ -69,7 +60,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 85967d67a..34453690b 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -33,10 +33,9 @@ references: - AU-12 - MA-4(1) srg: - - SRG-OS-000032-GPOS-00013 - - SRG-OS-000462-GPOS-00206 + - N/A disa_stig: - - APPL-12-001002 + - N/A 800-171r2: - 3.1.12 - 3.3.1 @@ -58,7 +57,6 @@ tags: - 800-171 - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 6fd2285d4..d0aefb04a 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-001015 + - N/A 800-171r2: - 3.3.8 macOS: @@ -41,7 +41,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index be0a6c21f..afbc5db8e 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml 
@@ -25,9 +25,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 + - N/A disa_stig: - - APPL-12-001013 + - N/A 800-171r2: - 3.3.8 macOS: @@ -41,7 +41,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index d6307f934..07e3bb467 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -25,11 +25,9 @@ references: 800-53r4: - AU-9 srg: - - SRG-OS-000057-GPOS-00027 - - SRG-OS-000058-GPOS-00028 - - SRG-OS-000059-GPOS-00029 + - N/A disa_stig: - - APPL-12-001017 + - N/A 800-171r2: - 3.3.8 macOS: @@ -43,7 +41,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 682af429e..0a39cd572 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -25,9 +25,12 @@ references: - AU-4 - AU-11 srg: - - SRG-OS-000341-GPOS-00132 + - N/A disa_stig: - - APPL-12-001029 + - N/A + cisv8: + - 8.3 + - 8.1 macOS: - "12.0" tags: @@ -40,7 +43,6 @@ tags: - 800-53r5_high - cnssi-1253 - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 712cabab5..f57d376ef 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -25,9 +25,9 @@ references: - AU-5 - AU-5(2) srg: - - SRG-OS-000344-GPOS-00135 + - N/A disa_stig: - - APPL-12-001031 + - N/A 800-171r2: - 3.3.4 macOS: 
@@ -38,7 +38,6 @@ tags:
 - 800-53r4_high
 - 800-53r5_high
 - 800-171
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index aed868060..a0f8caf88 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -42,11 +42,9 @@ references:
 - IA-5(2)
 - IA-5(11)
 srg:
- - SRG-OS-000107-GPOS-00054
- - SRG-OS-000108-GPOS-00055
- - SRG-OS-000068-GPOS-00036
+ - N/A
 disa_stig:
- - APPL-12-003020
+ - N/A
 800-171r2:
 - 3.5.1
 - 3.5.2
@@ -67,7 +65,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index 782aa7bd9..fa467da3d 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002014
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index b886828ae..62a6f0614 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002042
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index cb826dc5f..c8c06ff30 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002012
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index 2a3b5866f..c99985d44 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002041
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 68b7eddb5..fa648805a 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002040
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index e3cc43eaa..842a139fe 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002015
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index 9202516e8..f09c04bd7 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002016
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 5d8c79fb0..6e7735cc8 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002043
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index 4423b4efe..fc59d0b4e 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -28,10 +28,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002013
+ - N/A
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -51,7 +50,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 779a91d06..15c214d9f 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -26,9 +26,9 @@ references:
 - AC-3
 - AC-20
 srg:
- - SRG-OS-000095-GPOS-00049
+ - N/A
 disa_stig:
- - APPL-12-002009
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -51,7 +51,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index 7c054ed48..8683137b1 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - SRG-OS-000206-GPOS-00084
+ - N/A
 disa_stig:
- - APPL-12-004001
+ - N/A
 800-171r2:
 - N/A
 macOS:
@@ -33,7 +33,6 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index 55ec4bd06..c556e28e5 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
@@ -21,9 +21,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - SRG-OS-000206-GPOS-00084
+ - N/A
 disa_stig:
- - APPL-12-004002
+ - N/A
 800-171r2:
 - N/A
 macOS:
@@ -31,7 +31,6 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 93eb4cc29..3fb18df08 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -20,15 +20,13 @@ references:
 800-53r4:
 - N/A
 srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
+ - N/A
 disa_stig:
- - APPL-12-002017
+ - N/A
 macOS:
 - "12.0"
 tags:
 - none
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index 8bd40f8be..57f10e7cf 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -20,14 +20,15 @@ references:
 800-53r4:
 - N/A
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-000016
+ - N/A
+ cisv8:
+ - 6.7
 macOS:
 - "12.0"
 tags:
 - cisv8
- - stig
 severity: "high"
 mobileconfig:
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index c0ac40c49..a78d98b46 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -23,15 +23,14 @@ references:
 800-53r4:
 - N/A
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-000032
+ - N/A
 macOS:
 - "12.0"
 tags:
 - 800-53r5_high
 - manual
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 44a23f439..510645fe8 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -24,9 +24,11 @@ references:
 - AC-3
 - IA-5(13)
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-000033
+ - N/A
+ cci:
+ - CCI-002143
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -45,7 +47,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index be1a79f6e..e7de701d5 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -32,9 +32,9 @@ references:
 800-53r4:
 - AC-6
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-003013
+ - N/A
 800-171r2:
 - 3.1.5
 macOS:
@@ -47,7 +47,6 @@ tags:
 - 800-171
 - cnssi-1253
 - i386
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 7d483baa6..3addf698b 100644
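Review bot: The os_filevault_autologin_disable.yaml hunk on this line introduces a `cci:` reference key (`- CCI-002143`) that no other rule in this commit carries, so the reference schema is no longer uniform across the files being touched. If CCI mappings are intended, they should be filled in consistently, and the rules that only receive `- N/A` here could carry `cci:` with `- N/A` in the same way `800-171r2` already does; whatever consumes the references (the baseline and template scripts, not visible here) then has to tolerate the key being present on some rules and absent on others, which is worth confirming. In the os_directory_services_configured.yaml hunk the context line `mobileconfig:` has no value while every sibling rule spells it `mobileconfig: false` or `true`; it is untouched by this change, but normalizing it to `mobileconfig: false` while the file is open would avoid a null where the generator presumably expects a boolean.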
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -27,10 +27,9 @@ references:
 800-53r4:
 - AC-6
 srg:
- - SRG-OS-000480-GPOS-00228
- - SRG-OS-000480-GPOS-00230
+ - N/A
 disa_stig:
- - APPL-12-002068
+ - N/A
 800-171r2:
 - 3.1.5
 macOS:
@@ -42,7 +41,6 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index f878723a6..c9886100b 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - SRG-OS-000206-GPOS-00084
+ - N/A
 disa_stig:
- - APPL-12-004001
+ - N/A
 800-171r2:
 - N/A
 macOS:
@@ -33,7 +33,6 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index 9993eb920..ccb066b16 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -22,9 +22,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - SRG-OS-000206-GPOS-00084
+ - N/A
 disa_stig:
- - APPL-12-004002
+ - N/A
 800-171r2:
 - N/A
 macOS:
@@ -32,7 +32,6 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index c4d9ef48f..61f07e7ba 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - AC-3
 srg:
- - SRG-OS-000095-GPOS-00049
+ - N/A
 disa_stig:
- - APPL-12-002003
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -44,7 +44,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index eb9dad5a6..f704e3217 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -18,9 +18,9 @@ references:
 800-53r4:
 - AC-11(1)
 srg:
- - SRG-OS-000031-GPOS-00012
+ - N/A
 disa_stig:
- - APPL-12-000006
+ - N/A
 800-171r2:
 - 3.1.10
 macOS:
@@ -32,7 +32,6 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
- - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml
index 15bd907e0..7687d4496 100644
--- a/rules/os/os_sudoers_tty_configure.yaml
+++ b/rules/os/os_sudoers_tty_configure.yaml
@@ -24,9 +24,9 @@ references:
 800-53r4:
 - IA-11
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-004021
+ - N/A
 macOS:
 - "12.0"
 tags:
@@ -34,7 +34,6 @@ tags:
 - 800-53r5_moderate
 - 800-53r5_high
 - cnssi-1253
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index a6985a8ec..9a735f5b1 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -29,9 +29,9 @@ references:
 - AC-3
 - IA-5(1)
 srg:
- - SRG-OS-000074-GPOS-00042
+ - N/A
 disa_stig:
- - APPL-12-002038
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -51,7 +51,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index 9b3dc3f3e..0b9be9dd1 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -65,10 +65,9 @@ references:
 800-53r4:
 - AC-2(2)
 srg:
- - SRG-OS-000002-GPOS-00002
- - SRG-OS-000123-GPOS-00064
+ - N/A
 disa_stig:
- - APPL-12-000012
+ - N/A
 macOS:
 - "12.0"
 tags:
@@ -77,7 +76,6 @@ tags:
 - 800-53r4_moderate
 - 800-53r4_high
 - manual
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index c5b059aae..85d475f43 100644
--- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -22,9 +22,9 @@ references:
 - IA-2
 - IA-5(13)
 srg:
- - SRG-OS-000480-GPOS-00229
+ - N/A
 disa_stig:
- - APPL-12-002066
+ - N/A
 800-171r2:
 - 3.5.1
 - 3.5.2
@@ -39,7 +39,6 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index 7024f67d1..a932e0716 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -29,9 +29,9 @@ references:
 - CM-7(1)
 - SC-7(16)
 srg:
- - SRG-OS-000480-GPOS-00232
+ - N/A
 disa_stig:
- - APPL-12-005050
+ - N/A
 800-171r2:
 - 3.4.6
 - 3.13.1
@@ -53,8 +53,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml
index dd9f1633b..4947d17aa 100644
--- a/rules/sysprefs/sysprefs_guest_account_disable.yaml
+++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml
@@ -22,9 +22,9 @@ references:
 - AC-2
 - AC-2(9)
 srg:
- - SRG-OS-000364-GPOS-00151
+ - N/A
 disa_stig:
- - APPL-12-002063
+ - N/A
 800-171r2:
 - 3.5.1
 - 3.5.2
@@ -44,7 +44,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml
index 5d42b6cb4..14c430814 100644
--- a/rules/sysprefs/sysprefs_password_hints_disable.yaml
+++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml
@@ -20,9 +20,9 @@ references:
 800-53r4:
 - IA-6
 srg:
- - SRG-OS-000480-GPOS-00227
+ - N/A
 disa_stig:
- - APPL-12-003012
+ - N/A
 800-171r2:
 - 3.5.11
 macOS:
@@ -36,7 +36,6 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
- - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml
index a9eefb53f..5608aef93 100644
--- a/rules/sysprefs/sysprefs_smbd_disable.yaml
+++ b/rules/sysprefs/sysprefs_smbd_disable.yaml
@@ -25,9 +25,9 @@ references:
 800-53r4:
 - AC-3
 srg:
- - SRG-OS-000095-GPOS-00049
+ - N/A
 disa_stig:
- - APPL-12-002001
+ - N/A
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -46,7 +46,6 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
- - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
From 2c19bbf91ae1af97e0b2e220035ad080ee6796c3 Mon Sep 17 00:00:00 2001
From: Bob Gendler Date: Tue, 8 Feb 2022 17:20:14 -0500 Subject: [PATCH 120/193] srg and disa_stig added for macOS 12 --- rules/audit/audit_acls_files_configure.yaml | 6 ++++-- rules/audit/audit_acls_folders_configure.yaml | 5 +++-- rules/audit/audit_auditd_enabled.yaml | 18 ++++++++++++++-- .../audit_configure_capacity_notify.yaml | 5 +++-- rules/audit/audit_failure_halt.yaml | 5 +++-- rules/audit/audit_files_group_configure.yaml | 5 +++-- rules/audit/audit_files_mode_configure.yaml | 5 +++-- rules/audit/audit_files_owner_configure.yaml | 5 +++-- rules/audit/audit_flags_aa_configure.yaml | 8 +++++-- rules/audit/audit_flags_ad_configure.yaml | 14 +++++++++++-- rules/audit/audit_flags_fd_configure.yaml | 14 +++++++++++-- rules/audit/audit_flags_fm_configure.yaml | 14 +++++++++++-- .../audit_flags_fm_failed_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 14 +++++++++++-- rules/audit/audit_flags_fw_configure.yaml | 14 +++++++++++-- rules/audit/audit_flags_lo_configure.yaml | 6 ++++-- rules/audit/audit_folder_group_configure.yaml | 5 +++-- rules/audit/audit_folder_owner_configure.yaml | 5 +++-- rules/audit/audit_folders_mode_configure.yaml | 7 +++++-- rules/audit/audit_retention_configure.yaml | 8 +++---- .../audit/audit_settings_failure_notify.yaml | 5 +++-- .../auth_pam_login_smartcard_enforce.yaml | 7 ++++--- rules/auth/auth_pam_su_smartcard_enforce.yaml | 7 ++++--- .../auth/auth_pam_sudo_smartcard_enforce.yaml | 7 ++++--- ...rtcard_certificate_trust_enforce_high.yaml | 2 +- ...rd_certificate_trust_enforce_moderate.yaml | 2 +- rules/auth/auth_smartcard_enforce.yaml | 7 +++++-- rules/icloud/icloud_addressbook_disable.yaml | 6 ++++-- .../icloud_appleid_prefpane_disable.yaml | 7 ++++--- rules/icloud/icloud_bookmarks_disable.yaml | 6 ++++-- rules/icloud/icloud_calendar_disable.yaml | 6 ++++-- rules/icloud/icloud_drive_disable.yaml | 6 ++++-- rules/icloud/icloud_keychain_disable.yaml | 6 ++++-- rules/icloud/icloud_mail_disable.yaml | 6 ++++-- 
rules/icloud/icloud_notes_disable.yaml | 6 ++++-- rules/icloud/icloud_photos_disable.yaml | 6 ++++-- rules/icloud/icloud_reminders_disable.yaml | 6 ++++-- rules/os/os_airdrop_disable.yaml | 5 +++-- rules/os/os_anti_virus_installed.yaml | 7 ++++--- rules/os/os_appleid_prompt_disable.yaml | 7 ++++--- ...s_asl_log_files_owner_group_configure.yaml | 5 +++-- ...s_asl_log_files_permissions_configure.yaml | 5 +++-- rules/os/os_bonjour_disable.yaml | 7 ++++--- rules/os/os_camera_disable.yaml | 6 ++++-- rules/os/os_certificate_authority_trust.yaml | 7 +++---- .../os/os_directory_services_configured.yaml | 7 +++---- rules/os/os_ess_installed.yaml | 12 ++++------- rules/os/os_filevault_authorized_users.yaml | 5 +++-- rules/os/os_filevault_autologin_disable.yaml | 7 +++---- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_firmware_password_require.yaml | 5 +++-- rules/os/os_gatekeeper_enable.yaml | 7 ++++--- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_home_folders_secure.yaml | 6 ++++-- rules/os/os_httpd_disable.yaml | 7 ++++--- .../os/os_icloud_storage_prompt_disable.yaml | 7 ++++--- ...os_internet_accounts_prefpane_disable.yaml | 8 ++++--- rules/os/os_ir_support_disable.yaml | 2 +- ...newsyslog_files_owner_group_configure.yaml | 5 +++-- ...newsyslog_files_permissions_configure.yaml | 5 +++-- rules/os/os_nfsd_disable.yaml | 5 +++-- rules/os/os_parental_controls_enable.yaml | 2 +- .../os_policy_banner_loginwindow_enforce.yaml | 9 +++++--- rules/os/os_policy_banner_ssh_configure.yaml | 7 ++++--- rules/os/os_policy_banner_ssh_enforce.yaml | 8 ++++--- rules/os/os_privacy_setup_prompt_disable.yaml | 10 ++++----- rules/os/os_removable_media_disable.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 5 +++-- rules/os/os_sip_enable.yaml | 21 ++++++++++++++++--- rules/os/os_siri_prompt_disable.yaml | 8 ++++--- .../os/os_skip_unlock_with_watch_enable.yaml | 2 +- rules/os/os_ssh_fips_compliant.yaml | 2 +- ..._ssh_server_alive_count_max_configure.yaml | 2 +- 
...s_ssh_server_alive_interval_configure.yaml | 2 +- ...sshd_client_alive_count_max_configure.yaml | 7 ++++--- ..._sshd_client_alive_interval_configure.yaml | 7 ++++--- rules/os/os_sshd_fips_compliant.yaml | 2 +- ...sshd_key_exchange_algorithm_configure.yaml | 12 ++++++++--- .../os_sshd_login_grace_time_configure.yaml | 7 ++++--- .../os_sshd_permit_root_login_configure.yaml | 7 ++++--- rules/os/os_sudoers_tty_configure.yaml | 5 +++-- rules/os/os_tftpd_disable.yaml | 5 +++-- rules/os/os_time_server_enabled.yaml | 8 ++++--- rules/os/os_touchid_prompt_disable.yaml | 2 +- rules/os/os_uucp_disable.yaml | 7 ++++--- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 7 ++++--- .../pwpolicy_account_inactivity_enforce.yaml | 2 +- .../pwpolicy_account_lockout_enforce.yaml | 7 ++++--- ...olicy_account_lockout_timeout_enforce.yaml | 7 ++++--- .../pwpolicy_alpha_numeric_enforce.yaml | 7 ++++--- rules/pwpolicy/pwpolicy_history_enforce.yaml | 7 ++++--- ...pwpolicy_lower_case_character_enforce.yaml | 2 +- .../pwpolicy_minimum_length_enforce.yaml | 7 ++++--- .../pwpolicy_minimum_lifetime_enforce.yaml | 2 +- .../pwpolicy_simple_sequence_disable.yaml | 2 +- .../pwpolicy_special_character_enforce.yaml | 7 ++++--- ...mporary_or_emergency_accounts_disable.yaml | 6 ++++-- ...pwpolicy_upper_case_character_enforce.yaml | 2 +- .../sysprefs_airplay_receiver_disable.yaml | 2 +- .../sysprefs_apple_watch_unlock_disable.yaml | 7 ++++--- .../sysprefs_automatic_login_disable.yaml | 5 +++-- .../sysprefs/sysprefs_bluetooth_disable.yaml | 8 ++++--- .../sysprefs_bluetooth_sharing_disable.yaml | 2 +- ...prefs_critical_update_install_enforce.yaml | 2 +- .../sysprefs_diagnostics_reports_disable.yaml | 7 ++++--- .../sysprefs/sysprefs_filevault_enforce.yaml | 9 +++++--- rules/sysprefs/sysprefs_find_my_disable.yaml | 2 +- rules/sysprefs/sysprefs_firewall_enable.yaml | 7 ++++--- ...sysprefs_firewall_stealth_mode_enable.yaml | 6 ++++-- ...ekeeper_identified_developers_allowed.yaml | 7 ++++--- 
...sysprefs_gatekeeper_override_disallow.yaml | 2 +- .../sysprefs_guest_account_disable.yaml | 5 +++-- .../sysprefs_hot_corners_disable.yaml | 7 ++++--- .../sysprefs_internet_sharing_disable.yaml | 7 ++++--- .../sysprefs_location_services_disable.yaml | 7 ++++--- ...ndow_prompt_username_password_enforce.yaml | 2 +- .../sysprefs_password_hints_disable.yaml | 5 +++-- ...refs_personalized_advertising_disable.yaml | 2 +- rules/sysprefs/sysprefs_rae_disable.yaml | 7 ++++--- .../sysprefs_screen_sharing_disable.yaml | 7 ++++--- ...nsaver_ask_for_password_delay_enforce.yaml | 7 ++++--- ...sysprefs_screensaver_password_enforce.yaml | 7 ++++--- .../sysprefs_screensaver_timeout_enforce.yaml | 7 ++++--- rules/sysprefs/sysprefs_siri_disable.yaml | 8 ++++--- rules/sysprefs/sysprefs_smbd_disable.yaml | 5 +++-- rules/sysprefs/sysprefs_ssh_disable.yaml | 17 ++++++++++++--- rules/sysprefs/sysprefs_ssh_enable.yaml | 2 +- ...efs_system_wide_preferences_configure.yaml | 5 ++--- .../sysprefs_time_server_configure.yaml | 8 ++++--- .../sysprefs_time_server_enforce.yaml | 8 ++++--- .../sysprefs_token_removal_enforce.yaml | 7 ++++--- .../sysprefs_touchid_unlock_disable.yaml | 2 +- rules/sysprefs/sysprefs_wifi_disable.yaml | 2 +- ...fi_disable_when_connected_to_ethernet.yaml | 2 +- 134 files changed, 513 insertions(+), 307 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0211cd2b2..ad9a4b8a8 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -26,9 +26,10 @@ references: - AU-9 - SI-11 srg: - - N/A + - SRG-OS-000057-GPOS-00027 + - SRG-OS-000206-GPOS-00084 disa_stig: - - N/A + - APPL-12-000030 800-171r2: - 3.3.8 macOS: @@ -42,6 +43,7 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: 
diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml
index ef58e7306..9689363a2 100644
--- a/rules/audit/audit_acls_folders_configure.yaml
+++ b/rules/audit/audit_acls_folders_configure.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-000031
 800-171r2:
 - 3.3.8
 macOS:
@@ -39,6 +39,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index 9fb99ced7..a55e91529 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -54,9 +54,22 @@ references:
 - AU-12(3)
 - AU-14(1)
 srg:
- - N/A
+ - SRG-OS-000037-GPOS-00015
+ - SRG-OS-000038-GPOS-00016
+ - SRG-OS-000039-GPOS-00017
+ - SRG-OS-000040-GPOS-00018
+ - SRG-OS-000041-GPOS-00019
+ - SRG-OS-000042-GPOS-00020
+ - SRG-OS-000042-GPOS-00021
+ - SRG-OS-000055-GPOS-00026
+ - SRG-OS-000254-GPOS-00095
+ - SRG-OS-000255-GPOS-00096
+ - SRG-OS-000303-GPOS-00120
+ - SRG-OS-000337-GPOS-00129
+ - SRG-OS-000358-GPOS-00145
+ - SRG-OS-000359-GPOS-00146
 disa_stig:
- - N/A
+ - APPL-12-001003
 800-171r2:
 - 3.3.1
 - 3.3.2
@@ -76,6 +89,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index 8ff583de6..b8885938a 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -23,14 +23,15 @@ references:
 800-53r4:
 - AU-5(1)
 srg:
- - N/A
+ - SRG-OS-000343-GPOS-00134
 disa_stig:
- - N/A
+ - APPL-12-001030
 macOS:
 - "12.0"
 tags:
 - 800-53r5_high
 - 800-53r4_high
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index ab64fff69..3cc790852 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - AU-5
 srg:
- - N/A
+ - SRG-OS-000047-GPOS-00023
 disa_stig:
- - N/A
+ - APPL-12-001010
 800-171r2:
 - 3.3.4
 macOS:
@@ -39,6 +39,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index 128b45999..cb0c3dec9 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -25,9 +25,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-001014
 800-171r2:
 - 3.3.8
 macOS:
@@ -41,6 +41,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index d55950494..cb2588f3d 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -21,9 +21,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-001016
 800-171r2:
 - 3.3.8
 macOS:
@@ -37,6 +37,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index 0bdcfcd1d..7b70d89ea 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -25,9 +25,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-001012
 800-171r2:
 - 3.3.8
 macOS:
@@ -41,6 +41,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 9754e6406..9d4d374e5 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -31,9 +31,12 @@ references:
 - AU-12
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000470-GPOS-00214
+ - SRG-OS-000472-GPOS-00217
+ - SRG-OS-000473-GPOS-00218
+ - SRG-OS-000475-GPOS-00220
 disa_stig:
- - N/A
+ - APPL-12-001044
 800-171r2:
 - 3.3.1
 - 3.3.2
@@ -54,6 +57,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 0a22abc7b..056d70638 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -45,9 +45,18 @@ references:
 - AU-12
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000004-GPOS-00004
+ - SRG-OS-000239-GPOS-00089
+ - SRG-OS-000240-GPOS-00090
+ - SRG-OS-000241-GPOS-00091
+ - SRG-OS-000327-GPOS-00127
+ - SRG-OS-000392-GPOS-00172
+ - SRG-OS-000471-GPOS-00215
+ - SRG-OS-000471-GPOS-00216
+ - SRG-OS-000476-GPOS-00221
+ - SRG-OS-000477-GPOS-00222
 disa_stig:
- - N/A
+ - APPL-12-001001
 800-171r2:
 - 3.1.7
 - 3.3.1
@@ -69,6 +78,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 742ae0a43..bcd01d447 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -37,9 +37,18 @@ references:
 - CM-5(1)
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000064-GPOS-00033
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
 disa_stig:
- - N/A
+ - APPL-12-001020
 800-171r2:
 - N/A
 cisv8:
@@ -54,6 +63,7 @@ tags:
 - 800-53r5_moderate
 - 800-53r5_high
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index 7bc34da8d..f1b458f8c 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -37,9 +37,18 @@ references:
 - CM-5(1)
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000064-GPOS-00033
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
 disa_stig:
- - N/A
+ - APPL-12-001020
 800-171r2:
 - N/A
 cisv8:
@@ -51,6 +60,7 @@ macOS:
 tags:
 - stig
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index d5ffe8d97..94cdec89d 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -37,7 +37,7 @@ references:
 - MA-4(1)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.3.1
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index a054a5b40..d2db251c4 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
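Review bot: The second hunk for audit_flags_fm_configure.yaml (`@@ -51,6 +60,7 @@`) adds `- stig` to a tags list whose first entry is already `- stig`, so the rule ends up tagged twice on the new side; drop the added line, or remove the pre-existing entry so the tag sits after `- cisv8` as in the sibling rules. The earlier commit on this page had to strip exactly such a duplicated pair from sysprefs_firewall_stealth_mode_enable.yaml, which suggests the tag consumer does not de-duplicate. Separately, audit_flags_fd_configure.yaml and audit_flags_fm_configure.yaml here, and audit_flags_fr_configure.yaml and audit_flags_fw_configure.yaml on the next line, all receive the identical `disa_stig` value `APPL-12-001020` and the identical ten-entry `srg` list; if one STIG item genuinely covers all four file-access audit flag classes that is fine, but it is worth confirming against the published mapping, since a copy-paste across the four files would look the same.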
@@ -37,9 +37,18 @@ references:
 - CM-5(1)
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000064-GPOS-00033
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
 disa_stig:
- - N/A
+ - APPL-12-001020
 800-171r2:
 - 3.3.1
 - 3.3.2
@@ -61,6 +70,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index f638b8003..3d2d82237 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -36,9 +36,18 @@ references:
 - CM-5(1)
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000064-GPOS-00033
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
 disa_stig:
- - N/A
+ - APPL-12-001020
 800-171r2:
 - 3.3.1
 - 3.3.2
@@ -60,6 +69,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index 34453690b..85967d67a 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -33,9 +33,10 @@ references:
 - AU-12
 - MA-4(1)
 srg:
- - N/A
+ - SRG-OS-000032-GPOS-00013
+ - SRG-OS-000462-GPOS-00206
 disa_stig:
- - N/A
+ - APPL-12-001002
 800-171r2:
 - 3.1.12
 - 3.3.1
@@ -57,6 +58,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index d0aefb04a..6fd2285d4 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -25,9 +25,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-001015
 800-171r2:
 - 3.3.8
 macOS:
@@ -41,6 +41,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index afbc5db8e..be0a6c21f 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -25,9 +25,9 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
 disa_stig:
- - N/A
+ - APPL-12-001013
 800-171r2:
 - 3.3.8
 macOS:
@@ -41,6 +41,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index 07e3bb467..d6307f934 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -25,9 +25,11 @@ references:
 800-53r4:
 - AU-9
 srg:
- - N/A
+ - SRG-OS-000057-GPOS-00027
+ - SRG-OS-000058-GPOS-00028
+ - SRG-OS-000059-GPOS-00029
 disa_stig:
- - N/A
+ - APPL-12-001017
 800-171r2:
 - 3.3.8
 macOS:
@@ -41,6 +43,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index 0a39cd572..682af429e 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -25,12 +25,9 @@ references:
 - AU-4
 - AU-11
 srg:
- - N/A
+ - SRG-OS-000341-GPOS-00132
 disa_stig:
- - N/A
- cisv8:
- - 8.3
- - 8.1
+ - APPL-12-001029
 macOS:
 - "12.0"
 tags:
@@ -43,6 +40,7 @@ tags:
 - 800-53r5_high
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index f57d376ef..712cabab5 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -25,9 +25,9 @@ references:
 - AU-5
 - AU-5(2)
 srg:
- - N/A
+ - SRG-OS-000344-GPOS-00135
 disa_stig:
- - N/A
+ - APPL-12-001031
 800-171r2:
 - 3.3.4
 macOS:
@@ -38,6 +38,7 @@ tags:
 - 800-53r4_high
 - 800-53r5_high
 - 800-171
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index f407d8675..9b5c4e4f1 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -49,9 +49,9 @@ references:
 - IA-2(4)
 - IA-5(11)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-003050
 800-171r2:
 - 3.5.3
 cisv8:
@@ -70,6 +70,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index 5199a699b..3c0c14c8d 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -44,9 +44,9 @@ references:
 - IA-2(4)
 - IA-5(11)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-003051
 800-171r2:
 - 3.5.3
 cisv8:
@@ -65,6 +65,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
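Review bot: The references hunk of audit_retention_configure.yaml (`@@ -25,12 +25,9 @@`) deletes the whole `cisv8:` reference block (`8.3`, `8.1`) along with the `- N/A` placeholders, while the tags hunk below keeps the `cisv8` tag, so the rule is still tagged for a benchmark whose control numbers are no longer recorded. The same over-wide replacement appears in os_directory_services_configured.yaml (`cisv8: 6.7`), os_ess_installed.yaml (`10.1`–`10.7`) and os_privacy_setup_prompt_disable.yaml (`4.1`, `4.8`), and os_filevault_autologin_disable.yaml loses its `cci:` block (`CCI-002143`) the same way. If the removals are intentional the matching `cisv8` tags should go too; otherwise restore the reference lines next to the new `disa_stig:` entries, e.g. ` cisv8:` / ` - 8.3` / ` - 8.1`. Either way the two halves of each file should agree.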
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index 4ed3ba997..a5145cc04 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -43,9 +43,9 @@ references:
 - IA-2(4)
 - IA-5(11)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-003052
 800-171r2:
 - 3.5.3
 cisv8:
@@ -64,6 +64,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 2bd446bd2..f5df6074c 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -27,7 +27,7 @@ references:
 - IA-5(2)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 macOS:
 - "12.0"
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 7bc3074f3..fd3f05cb6 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -31,7 +31,7 @@ references:
 - IA-5(2)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - APPL-12-XXXXXX
 macOS:
 - "12.0"
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index a0f8caf88..aed868060 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -42,9 +42,11 @@ references:
 - IA-5(2)
 - IA-5(11)
 srg:
- - N/A
+ - SRG-OS-000107-GPOS-00054
+ - SRG-OS-000108-GPOS-00055
+ - SRG-OS-000068-GPOS-00036
 disa_stig:
- - N/A
+ - APPL-12-003020
 800-171r2:
 - 3.5.1
 - 3.5.2
@@ -65,6 +67,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index fa467da3d..782aa7bd9 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002014
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml
index 2aa1ca6ed..2e6c177e8 100644
--- a/rules/icloud/icloud_appleid_prefpane_disable.yaml
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml
@@ -26,9 +26,9 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002031
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -47,6 +47,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 62a6f0614..b886828ae 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002042
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index c8c06ff30..cb826dc5f 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002012
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index c99985d44..2a3b5866f 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002041
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index fa648805a..68b7eddb5 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002040
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index 842a139fe..e3cc43eaa 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002015
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index f09c04bd7..9202516e8 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002016
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 6e7735cc8..5d8c79fb0 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002043
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index fc59d0b4e..4423b4efe 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -28,9 +28,10 @@ references:
 - AC-20
 - AC-20(1)
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002013
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -50,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 15c214d9f..779a91d06 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -26,9 +26,9 @@ references:
 - AC-3
 - AC-20
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
 disa_stig:
- - N/A
+ - APPL-12-002009
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -51,6 +51,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index bf0150289..6e89266fa 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -19,13 +19,14 @@ references:
 800-53r4:
 - SI-2
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-12-002070
 macOS:
 - "12.0"
 tags:
 - manual
+ - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index eeb9bdb2d..a1b414611 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -20,9 +20,9 @@ references:
 800-53r4:
 - AC-20
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002035
 800-171r2:
 - 3.1.20
 cisv8:
@@ -40,6 +40,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index 8683137b1..7c054ed48 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - N/A
+ - SRG-OS-000206-GPOS-00084
 disa_stig:
- - N/A
+ - APPL-12-004001
 800-171r2:
 - N/A
 macOS:
@@ -33,6 +33,7 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index c556e28e5..55ec4bd06 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
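Review bot: The references hunk of os_asl_log_files_owner_group_configure.yaml (`@@ -23,9 +23,9 @@`) assigns `APPL-12-004001`, and the same ID is assigned to os_newsyslog_files_owner_group_configure.yaml further down; likewise `APPL-12-004002` goes to both `*_permissions_configure` files, and `APPL-12-001020` with an identical ten-entry SRG list goes to all four of audit_flags_fd/fm/fr/fw_configure.yaml. If one STIG item genuinely covers several rules this is fine, but if `disa_stig` is meant to be unique per rule (for example when generating a STIG mapping or checklist) one of each pair is a copy-paste error, and the duplicates would collapse to a single finding. A short comment on the rule or a note in the commit message stating that the IDs are intentionally shared would make the mapping reviewable without opening the STIG.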
@@ -21,9 +21,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - N/A
+ - SRG-OS-000206-GPOS-00084
 disa_stig:
- - N/A
+ - APPL-12-004002
 800-171r2:
 - N/A
 macOS:
@@ -31,6 +31,7 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index c6b2ad77f..8dff409c3 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -20,9 +20,9 @@ references:
 - CM-7
 - CM-7(1)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002005
 800-171r2:
 - 3.4.6
 cisv8:
@@ -40,6 +40,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 3fb18df08..93eb4cc29 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -20,13 +20,15 @@ references:
 800-53r4:
 - N/A
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
 disa_stig:
- - N/A
+ - APPL-12-002017
 macOS:
 - "12.0"
 tags:
 - none
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index e1ced3826..ce5812349 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -18,10 +18,8 @@ references:
 - SC-17
 800-53r4:
 - SC-17
- disa_stig:
- - N/A
- srg:
- - N/A
+ disa_stig:
+ - APPL-12-003001
 macOS:
 - "12.0"
 tags:
@@ -31,6 +29,7 @@ tags:
 - 800-53r4_high
 - cnssi-1253
 - manual
+ - stig
 severity: "high"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index 57f10e7cf..8bd40f8be 100644
--- a/rules/os/os_directory_services_configured.yaml
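Review bot: The references hunk of os_certificate_authority_trust.yaml (`@@ -18,10 +18,8 @@`) removes the `srg:` key and its `- N/A` entry outright instead of replacing the placeholder, which is what every other file in this commit does; after the change this is the only rule in the set whose `references` map has no `srg` entry at all. Any generator that reads `references.srg` for each rule would then see a missing key here rather than the `N/A` it gets elsewhere, and a STIG-tagged rule with no SRG reference is also odd in itself. Keep the key alongside the new `disa_stig:` lines — ` srg:` / ` - N/A` — or fill in the SRG that APPL-12-003001 maps to if it is known.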
+++ b/rules/os/os_directory_services_configured.yaml
@@ -20,15 +20,14 @@ references:
 800-53r4:
 - N/A
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00227
 disa_stig:
- - N/A
- cisv8:
- - 6.7
+ - APPL-12-000016
 macOS:
 - "12.0"
 tags:
 - cisv8
+ - stig
 severity: "high"
 mobileconfig:
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
index 57384efc4..5fe7045d1 100644
--- a/rules/os/os_ess_installed.yaml
+++ b/rules/os/os_ess_installed.yaml
@@ -19,19 +19,15 @@ references:
 800-53r4:
 - SI-2(2)
 srg:
- - N/A
- disa_stig:
- - N/A
- cisv8:
- - 10.1
- - 10.2
- - 10.6
- - 10.7
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - APPL-12-000015
 macOS:
 - "12.0"
 tags:
 - manual
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index a78d98b46..c0ac40c49 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -23,14 +23,15 @@ references:
 800-53r4:
 - N/A
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00227
 disa_stig:
- - N/A
+ - APPL-12-000032
 macOS:
 - "12.0"
 tags:
 - 800-53r5_high
 - manual
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 510645fe8..44a23f439 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -24,11 +24,9 @@ references:
 - AC-3
 - IA-5(13)
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00227
 disa_stig:
- - N/A
- cci:
- - CCI-002143
+ - APPL-12-000033
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -47,6 +45,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 8901cd7fb..9adfa7940 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -25,7 +25,7 @@ references:
 - AU-12
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.3.1
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index e7de701d5..be1a79f6e 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -32,9 +32,9 @@ references:
 800-53r4:
 - AC-6
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00227
 disa_stig:
- - N/A
+ - APPL-12-003013
 800-171r2:
 - 3.1.5
 macOS:
@@ -47,6 +47,7 @@ tags:
 - 800-171
 - cnssi-1253
 - i386
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 2cad2a915..6c3883de7 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -32,9 +32,9 @@ references:
 - SI-3
 - SI-7(15)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000366-GPOS-00153
+ disa_stig:
+ - APPL-12-002064
 800-171r2:
 - 3.4.5
 cisv8:
@@ -52,6 +52,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "high"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
index 587219c49..b4875cbf2 100644
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ b/rules/os/os_gatekeeper_rearm.yaml
@@ -20,7 +20,7 @@ references:
 - SI-3
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.4.5
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 3addf698b..7d483baa6 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -27,9 +27,10 @@ references:
 800-53r4:
 - AC-6
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00228
+ - SRG-OS-000480-GPOS-00230
 disa_stig:
- - N/A
+ - APPL-12-002068
 800-171r2:
 - 3.1.5
 macOS:
@@ -41,6 +42,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 87e2c0630..ccd431e63 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -24,9 +24,9 @@ references:
 800-53r4:
 - AC-3
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002008
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -45,6 +45,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index 977dca7c8..ce79973c7 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -20,9 +20,9 @@ references:
 800-53r4:
 - AC-20
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002037
 800-171r2:
 - 3.1.20
 cisv8:
@@ -40,6 +40,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml
index 09f146c8b..da81d744d 100644
--- a/rules/os/os_internet_accounts_prefpane_disable.yaml
+++ b/rules/os/os_internet_accounts_prefpane_disable.yaml
@@ -26,9 +26,10 @@ references:
 - AC-20
 - CM-7(5)
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000370-GPOS-00155
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002032
 800-171r2:
 - 3.1.20
 cisv8:
@@ -46,6 +47,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index bcfd551a1..0ab5c6b23 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -27,7 +27,7 @@ references:
 - AC-18
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - AOSX-13-000075
 800-171r2:
 - 3.1.16
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index c9886100b..f878723a6 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - N/A
+ - SRG-OS-000206-GPOS-00084
 disa_stig:
- - N/A
+ - APPL-12-004001
 800-171r2:
 - N/A
 macOS:
@@ -33,6 +33,7 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index ccb066b16..9993eb920 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -22,9 +22,9 @@ references:
 800-53r4:
 - SI-11
 srg:
- - N/A
+ - SRG-OS-000206-GPOS-00084
 disa_stig:
- - N/A
+ - APPL-12-004002
 800-171r2:
 - N/A
 macOS:
@@ -32,6 +32,7 @@ macOS:
 tags:
 - 800-53r5_moderate
 - 800-53r5_high
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 61f07e7ba..c4d9ef48f 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -23,9 +23,9 @@ references:
 800-53r4:
 - AC-3
 srg:
- - N/A
+ - SRG-OS-000095-GPOS-00049
 disa_stig:
- - N/A
+ - APPL-12-002003
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -44,6 +44,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 666616890..e954d830c 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -24,7 +24,7 @@ references:
 - CM-7(2)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.4.7
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index f09a80677..3fb6954cf 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -40,9 +40,11 @@ references:
 800-53r4:
 - AC-8
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000023-GPOS-00006
+ - SRG-OS-000024-GPOS-00007
+ - SRG-OS-000228-GPOS-00088
+ disa_stig:
+ - APPL-12-000025
 800-171r2:
 - 3.1.9
 macOS:
@@ -56,6 +58,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index 1a6d58ab3..b1f3ef59b 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -27,15 +27,16 @@ references:
 800-53r4:
 - AC-8
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000023-GPOS-00006
+ disa_stig:
+ - APPL-12-000023
 800-171r2:
 - 3.1.9
 macOS:
 - "12.0"
 tags:
 - none
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index 5719e5404..572e26f3c 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -28,15 +28,17 @@ references:
 800-53r4:
 - AC-8
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000023-GPOS-00006
+ - SRG-OS-000024-GPOS-00007
+ disa_stig:
+ - APPL-12-000024
 800-171r2:
 - 3.1.9
 macOS:
 - "12.0"
 tags:
 - none
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index d5d669c4c..2a0dab88e 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -22,17 +22,15 @@ references:
 - CM-7
 - CM-7(1)
 srg:
- - N/A
- disa_stig:
- - N/A
- cisv8:
- - 4.1
- - 4.8
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - APPL-12-002036
 macOS:
 - "12.0"
 tags:
 - none
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index 396ee8e50..191f65f81 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -26,7 +26,7 @@ references:
 - MP-7(1)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.8.8
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index f704e3217..eb9dad5a6 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -18,9 +18,9 @@ references:
 800-53r4:
 - AC-11(1)
 srg:
- - N/A
+ - SRG-OS-000031-GPOS-00012
 disa_stig:
- - N/A
+ - APPL-12-000006
 800-171r2:
 - 3.1.10
 macOS:
@@ -32,6 +32,7 @@ tags:
 - 800-53r4_high
 - 800-171
 - cnssi-1253
+ - stig
 severity: "low"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 10461fb00..2dd7e23be 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -55,9 +55,23 @@ references:
 - CM-5
 - SC-4
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000051-GPOS-00024
+ - SRG-OS-000054-GPOS-00025
+ - SRG-OS-000062-GPOS-00031
+ - SRG-OS-000122-GPOS-00063
+ - SRG-OS-000256-GPOS-00097
+ - SRG-OS-000257-GPOS-00098
+ - SRG-OS-000258-GPOS-00099
+ - SRG-OS-000259-GPOS-00100
+ - SRG-OS-000348-GPOS-00136
+ - SRG-OS-000349-GPOS-00137
+ - SRG-OS-000350-GPOS-00138
+ - SRG-OS-000351-GPOS-00139
+ - SRG-OS-000352-GPOS-00140
+ - SRG-OS-000353-GPOS-00141
+ - SRG-OS-000354-GPOS-00142
+ disa_stig:
+ - APPL-12-005001
 800-171r2:
 - 3.1.1
 - 3.1.2
@@ -81,6 +95,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 5c6aaa366..ddaa7f58f 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -25,9 +25,10 @@ references:
 - CM-7(1)
 - AC-20
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000095-GPOS-00049
+ - SRG-OS-000370-GPOS-00155
+ disa_stig:
+ - APPL-12-002039
 800-171r2:
 - 3.1.20
 - 3.4.6
@@ -46,6 +47,7 @@ tags:
 - 800-171
 - cnssi-1253
 - cisv8
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index d49beb71c..7417e7091 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -21,7 +21,7 @@ references:
 - AC-20
 srg:
 - SRG-OS-000095-GPOS-00049
- disa_stig:
+ disa_stig:
 - APPL-12-005056
 800-171r2:
 - 3.1.20
diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml
index 4d0be812e..8205d769f 100644
--- a/rules/os/os_ssh_fips_compliant.yaml
+++ b/rules/os/os_ssh_fips_compliant.yaml
@@ -54,7 +54,7 @@ references:
 - SC-13
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.1.13
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index de6774573..e196534f5 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -24,7 +24,7 @@ references:
 - SC-10
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.13.9
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index 9053e5f07..0b776351f 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -27,7 +27,7 @@ references:
 - SC-10
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.13.9
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index 9b4ec791f..548a27265 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -23,15 +23,16 @@ references:
 800-53r4:
 - SC-10
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - APPL-12-000052
 800-171r2:
 - 3.13.9
 macOS:
 - "12.0"
 tags:
 - none
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 18fce9cbc..66c15b349 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -26,15 +26,16 @@ references:
 800-53r4:
 - SC-10
 srg:
- - N/A
- disa_stig:
- - N/A
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - APPL-12-000051
 800-171r2:
 - 3.13.9
 macOS:
 - "12.0"
 tags:
 - none
+ - stig
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml
index 373db873b..0820e07da 100644
--- a/rules/os/os_sshd_fips_compliant.yaml
+++ b/rules/os/os_sshd_fips_compliant.yaml
@@ -53,7 +53,7 @@ references:
 - MA-4(6)
 srg:
 - N/A
- disa_stig:
+ disa_stig:
 - N/A
 800-171r2:
 - 3.1.13
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
index d98bbc924..579fb45d4 100644
--- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -37,15 +37,21 @@ references: - AC-17(2) - MA-4(6) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000056 800-171r2: - N/A macOS: - "12.0" tags: - none + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index a2b8168e4..fa41d557f 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -23,15 +23,16 @@ references: 800-53r4: - SC-10 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000163-GPOS-00072 + disa_stig: + - APPL-12-000053 800-171r2: - 3.13.9 macOS: - "12.0" tags: - none + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 4d44b6857..c2ae676a8 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -25,13 +25,14 @@ references: 800-53r4: - IA-2(5) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000109-GPOS-00056 + disa_stig: + - APPL-12-001100 macOS: - "12.0" tags: - none + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 7687d4496..15bd907e0 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -24,9 +24,9 @@ references: 800-53r4: - IA-11 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-004021 macOS: - "12.0" tags: 
@@ -34,6 +34,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cnssi-1253 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 9a735f5b1..a6985a8ec 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -29,9 +29,9 @@ references: - AC-3 - IA-5(1) srg: - - N/A + - SRG-OS-000074-GPOS-00042 disa_stig: - - N/A + - APPL-12-002038 800-171r2: - 3.1.1 - 3.1.2 @@ -51,6 +51,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 9d41d2a5d..019d76f53 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -25,9 +25,10 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 cisv8: @@ -43,6 +44,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 7df5b2699..cfd2ca5b6 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -21,7 +21,7 @@ references: - CM-6 srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-005054 800-171r2: - 3.4.1 diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index 2ee40966f..96a1c680d 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -27,9 +27,9 @@ references: 800-53r4: - AC-3 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002006 800-171r2: - 3.1.1 - 3.1.2 
@@ -49,6 +49,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 9a44432c6..b190d79f3 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -23,9 +23,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000076-GPOS-00044 + disa_stig: + - APPL-12-003008 800-171r2: - 3.5.1 - 3.5.2 @@ -47,6 +47,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 678dae8d9..f7617265a 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -45,7 +45,7 @@ references: - IA-4 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.5.5 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 164a84c5c..881732449 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-7 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000329-GPOS-00128 + disa_stig: + - APPL-12-000022 800-171r2: - 3.1.8 cisv8: @@ -39,6 +39,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index bc92b833b..197bc8775 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml 
@@ -20,9 +20,9 @@ references: 800-53r4: - AC-7 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000329-GPOS-00128 + disa_stig: + - APPL-12-000022 800-171r2: - 3.1.8 cisv8: @@ -39,6 +39,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 2ba366f9f..7890375a5 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -23,9 +23,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000071-GPOS-00039 + disa_stig: + - APPL-12-003007 800-171r2: - 3.5.1 - 3.5.2 @@ -47,6 +47,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 09aac6670..0f300cf32 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -24,9 +24,9 @@ references: 800-53r4: - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000077-GPOS-00045 + disa_stig: + - APPL-12-003009 800-171r2: - 3.5.7 - 3.5.8 @@ -46,6 +46,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 436937607..dcf65a3ae 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -46,7 +46,7 @@ references: 800-53r4: - IA-5 - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index b6bb32e26..71d29774f 100644 
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -23,9 +23,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000078-GPOS-00046 + disa_stig: + - APPL-12-003010 800-171r2: - 3.5.1 - 3.5.2 @@ -47,6 +47,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 2ef25f10f..3a361e99e 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -45,7 +45,7 @@ references: - IA-5 800-53r4: - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 3a41ce183..6928f45d6 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -24,7 +24,7 @@ references: - IA-5(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.5.1 diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 9d9923a2b..dd8a174ac 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -25,9 +25,9 @@ references: - IA-5 - IA-5(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000266-GPOS-00101 + disa_stig: + - APPL-12-003011 800-171r2: - 3.5.1 - 3.5.2 @@ -49,6 +49,7 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 0b9be9dd1..9b3dc3f3e 100644 
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml @@ -65,9 +65,10 @@ references: 800-53r4: - AC-2(2) srg: - - N/A + - SRG-OS-000002-GPOS-00002 + - SRG-OS-000123-GPOS-00064 disa_stig: - - N/A + - APPL-12-000012 macOS: - "12.0" tags: @@ -76,6 +77,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - manual + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 4590872ba..6e6ec0141 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -46,7 +46,7 @@ references: 800-53r4: - IA-5 - IA-5(1) - disa_stig: + disa_stig: - N/A srg: - N/A diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index ce2a46928..076eb6d21 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -24,7 +24,7 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.6 diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index d51fdee97..67a999cf4 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000001 800-171r2: - 3.1.10 macOS: @@ -34,6 +34,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 85d475f43..c5b059aae 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -22,9 +22,9 @@ references: - IA-2 - IA-5(13) srg: - - N/A + - SRG-OS-000480-GPOS-00229 disa_stig: - - N/A + - APPL-12-002066 800-171r2: - 3.5.1 - 3.5.2 @@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index b993f4f95..732a35adb 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -26,9 +26,10 @@ references: - AC-18(3) - SC-8 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000481-GPOS-000481 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-002062 800-171r2: - 3.13.8 cisv8: @@ -46,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "low" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 96ed99513..f26d6a96e 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -39,7 +39,7 @@ references: - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.1 diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index b1c1f6f61..6393d3591 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -19,7 +19,7 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A 
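Review bot: `+    - SRG-OS-000481-GPOS-000481` in the sysprefs_bluetooth_disable hunk does not follow the `SRG-OS-nnnnnn-GPOS-nnnnn` shape with a five-digit GPOS suffix that every other SRG identifier in this diff uses, so it looks like a mistyped or doubled number. Please verify it against the SRG/STIG source before it lands in the generated baselines, since a malformed identifier will not resolve for anyone cross-referencing the rule.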
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index e90751a15..473d2b5cd 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -23,9 +23,9 @@ references: - AC-20 - SI-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000096-GPOS-00050 + disa_stig: + - APPL-12-002021 800-171r2: - 3.1.20 cisv8: @@ -43,6 +43,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 29bbddd74..be024f7d6 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -24,9 +24,11 @@ references: - SC-28 - SC-28(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000185-GPOS-00079 + - SRG-OS-000404-GPOS-00183 + - SRG-OS-000405-GPOS-00184 + disa_stig: + - APPL-12-005020 800-171r2: - 3.13.16 cisv8: @@ -42,6 +44,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 2d2d05c21..4539dc02a 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -27,7 +27,7 @@ references: - AC-20 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.20 diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 00c95fb6c..f9235e28a 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -30,9 +30,9 @@ references: - CM-7(1) - SC-7(12) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00232 + disa_stig: + - APPL-12-005050 800-171r2: - 3.1.3 - 3.1.5 
@@ -57,6 +57,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index a932e0716..7024f67d1 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -29,9 +29,9 @@ references: - CM-7(1) - SC-7(16) srg: - - N/A + - SRG-OS-000480-GPOS-00232 disa_stig: - - N/A + - APPL-12-005050 800-171r2: - 3.4.6 - 3.13.1 @@ -53,6 +53,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index 76fddbaa2..1a82d75b6 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -28,9 +28,9 @@ references: - CM-5 - SI-7(15) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-002060 800-171r2: - 3.4.5 macOS: @@ -43,6 +43,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index 837510f9a..46f8bb27c 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -29,7 +29,7 @@ references: - SI-7(15) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.4.5 diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 4947d17aa..dd9f1633b 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml 
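Review bot: The `@@ -53,6 +53,8 @@` hunk for sysprefs_firewall_stealth_mode_enable.yaml appends `  - stig` twice to `tags:`, so the rule carries a duplicated tag; drop one of the two added lines. If the generator deduplicates tags this is harmless, but tooling that counts rules per tag or emits the list verbatim will show the duplicate. Separately, the `disa_stig` value given here is the same one assigned to sysprefs_firewall_enable in the preceding hunk; if one STIG item deliberately covers both settings that is fine, otherwise it is worth a check.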
+++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -22,9 +22,9 @@ references: - AC-2 - AC-2(9) srg: - - N/A + - SRG-OS-000364-GPOS-00151 disa_stig: - - N/A + - APPL-12-002063 800-171r2: - 3.5.1 - 3.5.2 @@ -44,6 +44,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "high" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 5f223926e..7eb56e4d8 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-11(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000031-GPOS-00012 + disa_stig: + - APPL-12-000007 800-171r2: - 3.1.10 macOS: @@ -34,6 +34,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 6626b3a6e..66b21091c 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -22,9 +22,9 @@ references: - AC-4 - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002007 800-171r2: - 3.1.3 - 3.1.20 @@ -43,6 +43,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index d51307ebd..f33d15859 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -26,9 +26,9 @@ references: - CM-7 - CM-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002004 800-171r2: - 3.4.6 cisv8: 
@@ -46,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 73c27e8e9..c4dbf8c31 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -21,7 +21,7 @@ references: - IA-2 srg: - SRG-OS-000480-GPOS-00229 - disa_stig: + disa_stig: - APPL-12-005052 800-171r2: - 3.5.1 diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 14c430814..5d42b6cb4 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - IA-6 srg: - - N/A + - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-12-003012 800-171r2: - 3.5.11 macOS: @@ -36,6 +36,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 196c17afc..abbb010a5 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -26,7 +26,7 @@ references: - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.20 diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 29fa870f4..6d23107ea 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -26,9 +26,9 @@ references: 800-53r4: - AC-3 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000096-GPOS-00050 + disa_stig: + - APPL-12-002022 800-171r2: - 3.1.1 - 3.1.2 
@@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 6bf39667f..a80e738a7 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -26,9 +26,9 @@ references: - AC-3 - AC-17 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-002050 800-171r2: - 3.1.1 - 3.1.2 @@ -47,6 +47,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index a5735af5d..2cf850c76 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000003 800-171r2: - 3.1.10 macOS: @@ -34,6 +34,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 00d502f27..c2f117785 100644 --- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -20,9 +20,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000028-GPOS-00009 + disa_stig: + - APPL-12-000002 800-171r2: - 3.1.10 macOS: @@ -34,6 +34,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: 
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index c655a07ac..17a57f6f2 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -21,9 +21,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000029-GPOS-00010 + disa_stig: + - APPL-12-000004 800-171r2: - 3.1.10 cisv8: @@ -39,6 +39,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index 444312ac7..83a7585fb 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -26,9 +26,10 @@ references: - CM-7(1) - AC-20 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002020 800-171r2: - 3.1.20 - 3.4.6 @@ -47,6 +48,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 5608aef93..a9eefb53f 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AC-3 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-12-002001 800-171r2: - 3.1.1 - 3.1.2 @@ -46,6 +46,7 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index 1cc04e9de..af737ac93 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml 
@@ -27,9 +27,19 @@ references: - CM-7 - CM-7(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000319-GPOS-00164 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + - SRG-OS-000112-GPOS-00057 + - SRG-OS-000113-GPOS-00058 + - SRG-OS-000423-GPOS-00187 + - SRG-OS-000424-GPOS-00188 + - SRG-OS-000425-GPOS-00189 + - SRG-OS-000426-GPOS-00190 + disa_stig: + - APPL-12-000011 800-171r2: - 3.1.1 - 3.1.2 @@ -41,6 +51,7 @@ macOS: - "12.0" tags: - cisv8 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index 7db5212ba..d3eeaf287 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml @@ -30,7 +30,7 @@ references: - IA-2(9) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.1 diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 52f64c2f7..0f005574d 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -27,9 +27,7 @@ references: - AC-6(1) - AC-6(2) disa_stig: - - N/A - srg: - - N/A + - APPL-12-002069 800-171r2: - 3.1.5 - 3.1.6 @@ -42,6 +40,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 4a587580b..e3217fdb5 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -22,9 +22,10 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 cisv8: 
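Review bot: The sysprefs_system_wide_preferences_configure hunk deletes the `srg:` key outright (`-  srg:` / `-    - N/A`) while filling in `disa_stig:`, whereas every other rule in this commit keeps `srg:` beside `disa_stig:` and populates it with the SRG the STIG item maps to. Keeping the key, with the matching SRG identifier or `- N/A` as before, keeps the references block uniform across rules and avoids a missing-key failure in any generator that reads `references.srg`.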
@@ -40,6 +41,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index acd264193..1dfb35473 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -22,9 +22,10 @@ references: 800-53r4: - AU-8(1) srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000355-GPOS-00143 + - SRG-OS-000356-GPOS-00144 + disa_stig: + - APPL-12-000014 800-171r2: - 3.3.7 cisv8: @@ -40,6 +41,7 @@ tags: - 800-53r4_moderate - 800-53r4_high - cisv8 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index f78e670d7..b747b353e 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml @@ -25,9 +25,9 @@ references: 800-53r4: - AC-11 srg: - - N/A - disa_stig: - - N/A + - SRG-OS-000030-GPOS-00011 + disa_stig: + - APPL-12-000005 800-171r2: - 3.1.10 macOS: @@ -39,6 +39,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index 92fe3858c..ca31499c5 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml @@ -23,7 +23,7 @@ references: - AC-11 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.10 diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index d15d31ecb..3c5ea7b09 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -30,7 +30,7 @@ references: - AC-4 - AC-18(1) - AC-18(3) - disa_stig: + disa_stig: - N/A srg: - N/A 
diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index 6c257edc1..fb834a1c5 100644 --- a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -23,7 +23,7 @@ references: - AC-4 - AC-18(1) - AC-18(3) - disa_stig: + disa_stig: - N/A srg: - N/A From 66efe551940b79f31f1a4e11200031b203c3c104 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Wed, 9 Feb 2022 12:28:38 -0500 Subject: [PATCH 121/193] new stig rules added. disable bluray,dvdram,cds, and more --- rules/os/os_blank_bluray_disable.yaml | 44 +++++++++++++++++++ rules/os/os_blank_cd_disable.yaml | 44 +++++++++++++++++++ rules/os/os_blank_dvd_disable.yaml | 43 ++++++++++++++++++ rules/os/os_bluray_read_only_enforce.yaml | 43 ++++++++++++++++++ rules/os/os_burn_support_disable.yaml | 39 ++++++++++++++++ rules/os/os_cd_read_only_enforce.yaml | 43 ++++++++++++++++++ rules/os/os_disk_image_disable.yaml | 43 ++++++++++++++++++ rules/os/os_dvdram_disable.yaml | 44 +++++++++++++++++++ ...os_erase_content_and_settings_disable.yaml | 34 ++++++++++++++ rules/os/os_removable_media_disable.yaml | 8 ++-- .../os/os_skip_screen_time_prompt_enable.yaml | 34 ++++++++++++++ .../sysprefs_bluetooth_prefpane_hide.yaml | 36 +++++++++++++++ ...prefs_internet_accounts_prefpane_hide.yaml | 44 +++++++++++++++++++ .../sysprefs_siri_prefpane_disable.yaml | 40 +++++++++++++++++ .../sysprefs/sysprefs_siri_prefpane_hide.yaml | 40 +++++++++++++++++ .../sysprefs_touchid_prefpane_disable.yaml | 40 +++++++++++++++++ .../sysprefs_touchid_prefpane_hide.yaml | 40 +++++++++++++++++ ...refs_wallet_applepay_prefpane_disable.yaml | 40 +++++++++++++++++ ...ysprefs_wallet_applepay_prefpane_hide.yaml | 40 +++++++++++++++++ 19 files changed, 736 insertions(+), 3 deletions(-) create mode 100644 rules/os/os_blank_bluray_disable.yaml create mode 100644 rules/os/os_blank_cd_disable.yaml create mode 100644 rules/os/os_blank_dvd_disable.yaml create mode 100644 rules/os/os_bluray_read_only_enforce.yaml create mode 100644 rules/os/os_burn_support_disable.yaml create mode 100644 rules/os/os_cd_read_only_enforce.yaml create mode 100644 rules/os/os_disk_image_disable.yaml create mode 100644 rules/os/os_dvdram_disable.yaml create mode 100644 rules/os/os_erase_content_and_settings_disable.yaml create mode 100644 rules/os/os_skip_screen_time_prompt_enable.yaml create mode 100644 
rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml create mode 100644 rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml create mode 100644 rules/sysprefs/sysprefs_siri_prefpane_disable.yaml create mode 100644 rules/sysprefs/sysprefs_siri_prefpane_hide.yaml create mode 100644 rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml create mode 100644 rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml create mode 100644 rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml create mode 100644 rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
new file mode 100644
index 000000000..ff1f20a57
--- /dev/null
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -0,0 +1,44 @@
+id: os_blank_bluray_disable
+title: "Disable Blank Blu Ray"
+discussion: |
+ Blank Blu Ray media _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankbd' -A3 | /usr/bin/grep -Ec "eject|alert"
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-000366
+ - CCI-001967
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-005051
+ 800-171r2:
+ - 3.8.8
+macOS:
+ - "12.0"
+tags:
+ - stig
+mobileconfig: true
+mobileconfig_info:
+ com.apple.systemuiserver:
+ mount-controls:
+ blankbd:
+ - alert
+ - eject
+
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
new file mode 100644
index 000000000..26a9a621b
--- /dev/null
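Review bot: The `[IMPORTANT]` block in os_blank_bluray_disable.yaml speaks of deciding "not to disable external hard drives", which does not describe this rule (blank Blu-ray media); the same copied paragraph appears in the os_blank_cd_disable, os_blank_dvd_disable and os_bluray_read_only_enforce hunks. Reword it for the media each rule governs, e.g. `... the risk-based decision not to disable blank Blu-ray media to avoid losing this functionality ...`. The check `/usr/bin/grep 'blankbd' -A3 | /usr/bin/grep -Ec "eject|alert"` paired with `integer: 1` also deserves a run against a host carrying the profile: the payload sets both `alert` and `eject`, so if `profiles -P -o stdout` prints one array element per line the count comes out as 2, and a profile that sets only `alert` satisfies the check as well even though the rule says the media _MUST_ be disabled. Finally, the new files omit the `severity:` line that every rule updated earlier in this series carries; add one if the STIG output consumes it.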
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -0,0 +1,44 @@
+id: os_blank_cd_disable
+title: "Disable Blank CD"
+discussion: |
+ Blank CD media _MUST_ be disabled.
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankcd' -A3 | /usr/bin/grep -Ec "eject|alert"
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-000366
+ - CCI-001967
+ 800-53r5:
+ - MP-7
+ 800-53r4:
+ - MP-7(1)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ - SRG-OS-000319-GPOS-00164
+ disa_stig:
+ - APPL-12-005051
+ 800-171r2:
+ - 3.8.8
+macOS:
+ - "12.0"
+tags:
+ - stig
+mobileconfig: true
+mobileconfig_info:
+ com.apple.systemuiserver:
+ mount-controls:
+ blankcd:
+ - alert
+ - eject
+
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
new file mode 100644
index 000000000..854d87d8c
--- /dev/null
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -0,0 +1,43 @@ +id: os_blank_dvd_disable +title: "Disable Blank DVD" +discussion: | + Blank DVD media _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankdvd' -A3 | /usr/bin/grep -Ec "eject|alert" +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + blankdvd: + - alert + - eject \ No newline at end of file diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml new file mode 100644 index 000000000..d13dc1dbd --- /dev/null +++ b/rules/os/os_bluray_read_only_enforce.yaml 
@@ -0,0 +1,43 @@ +id: os_bluray_read_only_enforce +title: "Enforce Blu Ray Read Only" +discussion: | + Blu Ray media _MUST_ be set to read only. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep ' bd =' -A1 | /usr/bin/grep -Ec "read-only" +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + bd: + - read-only + diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml new file mode 100644 index 000000000..b570fdc80 --- /dev/null +++ b/rules/os/os_burn_support_disable.yaml 
@@ -0,0 +1,39 @@ +id: os_burn_support_disable +title: "Disable Burn Support" +discussion: + Burn support _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")' +result: + integer: 2 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + disa_stig: + - APPL-12-005053 +macOS: + - "12.0" +tags: + - stig +severity: "low" +mobileconfig: true +mobileconfig_info: + com.apple.finder: + ProhibitBurn: true + com.apple.DiscRecording: + BurnSupport: "off" \ No newline at end of file diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml new file mode 100644 index 000000000..5a3e23019 --- /dev/null +++ b/rules/os/os_cd_read_only_enforce.yaml 
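Review bot: `discussion:` on the second line of os_burn_support_disable lacks the `|` block-scalar indicator that every other rule on this page uses, so the multi-line text with the `[IMPORTANT]` / `====` admonition is parsed as a plain scalar and the asciidoc delimiters are folded onto one line with the sentence, breaking the rendered admonition (assuming the parser accepts a `[` on a plain-scalar continuation line at all). Change it to `discussion: |`. os_erase_content_and_settings_disable and os_skip_screen_time_prompt_enable later on this page omit the `|` as well; their discussion is a single line so the effect there is only inconsistency, but the same one-character fix applies.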
@@ -0,0 +1,43 @@ +id: os_cd_read_only_enforce +title: "Enforce CD Read Only" +discussion: | + CD media _MUST_ be set to read only. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep ' cd =' -A1 | /usr/bin/grep -Ec "read-only" +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + cd: + - read-only + diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml new file mode 100644 index 000000000..7f1c7e5d7 --- /dev/null +++ b/rules/os/os_disk_image_disable.yaml 
@@ -0,0 +1,43 @@ +id: os_disk_image_disable +title: "Disable Disk Images" +discussion: | + Disk images _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep 'disk-image' -A3 | /usr/bin/grep -Ec "eject|alert" +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + disk-image: + - alert + - eject \ No newline at end of file diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml new file mode 100644 index 000000000..9457197a7 --- /dev/null +++ b/rules/os/os_dvdram_disable.yaml 
@@ -0,0 +1,44 @@ +id: os_dvdram_disable +title: "Disable Blank CD" +discussion: | + Blank CD media _MUST_ be disabled. + + [IMPORTANT] + ==== + Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep 'dvdram' -A3 | /usr/bin/grep -Ec "eject|alert" +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000366 + - CCI-001967 + 800-53r5: + - MP-7 + 800-53r4: + - MP-7(1) + srg: + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 + disa_stig: + - APPL-12-005051 + 800-171r2: + - 3.8.8 +macOS: + - "12.0" +tags: + - stig +mobileconfig: true +mobileconfig_info: + com.apple.systemuiserver: + mount-controls: + dvdram: + - alert + - eject + diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml new file mode 100644 index 000000000..2c2b0c493 --- /dev/null +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -0,0 +1,34 @@ +id: os_erase_content_and_settings_disable +title: "Disable Erase Content and Settings" +discussion: + Erase Content and Settings _MUST_ be disabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowEraseContentAndSettings = 0' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005061 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowEraseContentAndSettings: false 
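Review bot: The `title` and `discussion` of os_dvdram_disable read "Disable Blank CD" and "Blank CD media _MUST_ be disabled." while the `id`, the `check:` (`grep 'dvdram'`) and the `mount-controls` key are all about DVD-RAM, so the generated guidance and STIG text describe the wrong media type. Change them to `title: "Disable DVD-RAM"` and `DVD-RAM media _MUST_ be disabled.`. This looks like a copy of os_blank_cd_disable from earlier in this commit with only the identifiers updated.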
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 191f65f81..64919a919 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -19,15 +19,17 @@ references: cce: - CCE-90991-1 cci: - - N/A + - CCI-000366 + - CCI-001967 800-53r5: - MP-7 800-53r4: - MP-7(1) srg: - - N/A + - SRG-OS-000480-GPOS-00227 + - SRG-OS-000319-GPOS-00164 disa_stig: - - N/A + - APPL-12-005051 800-171r2: - 3.8.8 macOS: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml new file mode 100644 index 000000000..7e656ade3 --- /dev/null +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml @@ -0,0 +1,34 @@ +id: os_skip_screen_time_prompt_enable +title: "Disable Screen Time Prompt During Setup Assistant" +discussion: + The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipScreenTime = 1' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-005055 +macOS: + - "12.0" +tags: + - stig +severity: "low" +mobileconfig: true +mobileconfig_info: + com.apple.SetupAssistant.managed: + SkipScreenTime: true diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml new file mode 100644 index 000000000..1998b55cc --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml 
@@ -0,0 +1,36 @@ +id: sysprefs_bluetooth_prefpane_hide +title: "Hide the Bluetooth System Preference Pane" +discussion: | + The Bluetooth System Preference pane _MUST_ be hidden to prevent access to the bluetooth configuration. + +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-002418 + 800-53r5: + - N/A + 800-53r4: + - SC-8 + srg: + - SRG-OS-000481-GPOS-000481 + disa_stig: + - APPL-12-002062 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.Bluetooth diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml new file mode 100644 index 000000000..6ff69f7bc --- /dev/null +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml 
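Review bot: The `srg` entry `SRG-OS-000481-GPOS-000481` in sysprefs_bluetooth_prefpane_hide has a six-digit GPOS suffix, while every other srg value on this page uses five digits (`GPOS-00227`, `GPOS-00049`, ...), so this is most likely a typo for `- SRG-OS-000481-GPOS-00481`; please verify against the source SRG before changing it. The `800-53r5: - N/A` next to `800-53r4: - SC-8` also looks like a gap rather than a deliberate mapping, since SC-8 exists in revision 5 as well.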
@@ -0,0 +1,44 @@ +id: sysprefs_internet_accounts_prefpane_hide +title: "Hide the Internet Accounts System Preference Pane" +discussion: | + The Internet Accounts System Preference pane _MUST_ be hidden to prevent the addition of unauthorized internet accounts. + + [IMPORTANT] + ==== + Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7(5) + - AC-20 + 800-53r4: + - AC-20 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + - SRG-OS-000370-GPOS-00155 + disa_stig: + - APPL-12-002032 + 800-171r2: + - 3.1.20 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.internetaccounts diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml new file mode 100644 index 000000000..534db16b0 --- /dev/null +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml 
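Review bot: The `check:` for sysprefs_internet_accounts_prefpane_hide, `grep -c 'com.apple.preferences.internetaccounts'`, matches the pane identifier wherever it appears in the `profiles` output and cannot tell `HiddenPreferencePanes` from `DisabledPreferencePanes`, so it passes when only the disable rule (sysprefs_internet_accounts_prefpane_disable, renamed later on this page) is deployed and, with `integer: 1`, fails when both are, if each array element is printed on its own line. The siri, touchid and wallet hide/disable pairs that follow use the same identical check and expected count, so each pair has the same problem. Anchoring the count on the array being tested, e.g. `/usr/bin/profiles -P -o stdout | /usr/bin/grep -A3 'HiddenPreferencePanes' | /usr/bin/grep -c 'com.apple.preferences.internetaccounts'` (window sized to the number of panes the profile lists), would make the two rules independent, in the same way the media rules on this page anchor on the `mount-controls` key.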
@@ -0,0 +1,40 @@ +id: sysprefs_siri_prefpane_disable +title: "Disable the System Preference Pane for Siri" +discussion: | + The system preference pane for Siri _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Siri. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002053 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.speech diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml new file mode 100644 index 000000000..140c121cb --- /dev/null +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -0,0 +1,40 @@ +id: sysprefs_siri_prefpane_hide +title: "Hide the System Preference Pane for Siri" +discussion: | + The system preference pane for Siri _MUST_ be hidden. + + HIding the system preference pane prevents the users from configuring Siri. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002053 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.speech 
diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml new file mode 100644 index 000000000..a6ba0d516 --- /dev/null +++ b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml @@ -0,0 +1,40 @@ +id: sysprefs_touchid_prefpane_disable +title: "Disable the System Preference Pane for Touch ID" +discussion: | + The system preference pane for Touch ID _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Touch ID. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002051 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.password diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml new file mode 100644 index 000000000..4a63171a7 --- /dev/null +++ b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_touchid_prefpane_hide +title: "Hide the System Preference Pane for Touch ID" +discussion: | + The system preference pane for Touch ID _MUST_ be hidden. + + Hiding the system preference pane prevents the users from configuring Touch ID. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002051 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.password diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml new file mode 100644 index 000000000..d41b42b10 --- /dev/null +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_wallet_applepay_prefpane_disable +title: "Disable the System Preference Pane for Wallet and Apple Pay" +discussion: | + The system preference pane for Wallet and Apple Pay _MUST_ be disabled. + + Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002052 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.wallet diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml new file mode 100644 index 000000000..cdf4e2e4c --- /dev/null +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml 
@@ -0,0 +1,40 @@ +id: sysprefs_wallet_applepay_prefpane_hide +title: "Hide the System Preference Pane for Wallet and Apple Pay" +discussion: | + The system preference pane for Wallet and Apple Pay _MUST_ be hidden. + + Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - N/A + cci: + - CCI-001774 + - CCI-000381 + 800-53r5: + - CM-7 + - CM-7(5) + 800-53r4: + - CM-7 + - CM-7(5) + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-12-002052 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + HiddenPreferencePanes: + - com.apple.preferences.wallet From 6824abe7380b27cb72d2e7ea7152fc219151ef49 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 9 Feb 2022 12:43:06 -0500 Subject: [PATCH 122/193] APPL-12-000054 --- rules/os/os_sshd_fips_140_ciphers.yaml | 58 ++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/os/os_sshd_fips_140_ciphers.yaml diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml new file mode 100644 index 000000000..64479c236 --- /dev/null +++ b/rules/os/os_sshd_fips_140_ciphers.yaml 
@@ -0,0 +1,58 @@ +id: os_sshd_fips_140_ciphers +title: "Limit SSHD to FIPS 140 Validated Ciphers" +discussion: | + If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - N/A + cci: + - CCI-000803 + - CCI-000068 + - CCI-003123 + - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) + 800-53r4: + - AC-17(2) + - IA-7 + - SC-8(1) + - SC-13 + - MA-4(6) + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000054 + 800-171r2: + - 3.1.13 + - 3.13.8 + - 3.13.11 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file From c58b3515e67af5c4c97c1017c7886ff1a72e87cd Mon Sep 17 00:00:00 2001 
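Review bot: The `sed` expression in the `fix:` of os_sshd_fips_140_ciphers, `'s/.^Ciphers.*/.../'`, never matches a real `Ciphers` line: with a leading `.` the `^` is no longer an anchor but a literal caret, so the pattern requires the text `^Ciphers` preceded by any character. Because `sed` still exits 0, the `||` branch does not run either, so a host that already has a different `Ciphers` line keeps it and the `check:` continues to return 0. Use `'s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/'`, which also stays anchored so a commented line mentioning Ciphers is not rewritten. The sibling os_sshd_fips_140_macs rule below uses `.*MACs.*` instead and does not have this problem, but it would benefit from the same `^` anchor for the same reason.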
From: Dan Brodjieski Date: Wed, 9 Feb 2022 12:44:48 -0500 Subject: [PATCH 123/193] APPL-12-000055 --- rules/os/os_sshd_fips_140_macs.yaml | 58 +++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/os/os_sshd_fips_140_macs.yaml diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml new file mode 100644 index 000000000..69879ec0d --- /dev/null +++ b/rules/os/os_sshd_fips_140_macs.yaml 
@@ -0,0 +1,58 @@ +id: os_sshd_fips_140_macs +title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms" +discussion: | + If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - N/A + cci: + - CCI-000068 + - CCI-000803 + - CCI-003123 + - CCI-002890 + 800-53r5: + - AC-17(2) + - IA-7 + - SC-13 + - SC-8(1) + 800-53r4: + - AC-17(2) + - IA-7 + - SC-8(1) + - SC-13 + - MA-4(6) + srg: + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000120-GPOS-00061 + - SRG-OS-000125-GPOS-00065 + - SRG-OS-000250-GPOS-00093 + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + disa_stig: + - APPL-12-000055 + 800-171r2: + - 3.1.13 + - 3.13.8 + - 3.13.11 +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: false +mobileconfig_info: \ No newline at end of file From b4485c764cc3ad6c4d004a7759dcab774eb80a22 Mon Sep 17 00:00:00 2001 
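Review bot: The `sed` pattern `'s/.*MACs.*/.../'` in the `fix:` of os_sshd_fips_140_macs is unanchored while the guarding `grep -q '^MACs'` is anchored, so any other line containing `MACs` (for example a commented-out `#MACs` line, if the stock config has one) is rewritten into a second `MACs hmac-sha2-256,hmac-sha2-512` line, and the `check:`'s `grep -c` then returns 2 instead of the expected 1. Anchoring it as `'s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/'` keeps the fix to the line the guard actually found.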
From: Dan Brodjieski
Date: Wed, 9 Feb 2022 12:47:13 -0500
Subject: [PATCH 124/193] APPL-12-001060
---
 ...martcard_certificate_trust_enforce_moderate.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index fd3f05cb6..1512b5781 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -19,10 +19,10 @@ references:
 - CCE-90882-2
 cci:
 - CCI-000186
- - CCI-002470
- - CCI-001991
 - CCI-001953
 - CCI-001954
+ - CCI-001991
+ - CCI-002470
 800-53r5:
 - IA-5(2)
 - SC-17
@@ -30,15 +30,20 @@ references:
 - IA-2(12)
 - IA-5(2)
 srg:
- - N/A
+ - SRG-OS-000376-GPOS-00161
+ - SRG-OS-000377-GPOS-00162
+ - SRG-OS-000384-GPOS-00167
+ - SRG-OS-000403-GPOS-00182
+ - SRG-OS-000067-GPOS-00035
 disa_stig:
- - APPL-12-XXXXXX
+ - APPL-12-001060
 macOS:
 - "12.0"
 tags:
 - 800-53r4_moderate
 - 800-53r5_moderate
 - cnssi-1253
+ - stig
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
From 3669ed7dca66c019441dc8ae2d4a3219ea74ae24 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Wed, 9 Feb 2022 13:02:58 -0500
Subject: [PATCH 125/193] APPL-12-002070
---
 rules/os/os_anti_virus_installed.yaml | 12 ++++++------
 rules/os/os_config_data_install_enforce.yaml | 8 +++++---
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 6e89266fa..2e3b1b5a4 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
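Review bot: The second hunk of auth_smartcard_certificate_trust_enforce_moderate replaces the `APPL-12-XXXXXX` placeholder with `APPL-12-001060` and fills in five SRGs, but the new `srg` list is not sorted while the first hunk reorders the `cci` list into ascending order; `SRG-OS-000067-GPOS-00035` would come first if the same ordering is intended. Purely cosmetic, but the generators that emit these lists will reproduce whatever order is here.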
@@ -1,14 +1,15 @@
 id: os_anti_virus_installed
 title: "Must Use an Approved Antivirus Program"
 discussion: |
- An approved antivirus product _MUST_ be installed and configured to run.
+ An approved antivirus product _MUST_ be installed and configured to run.
- Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
+ Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
 check: |
- Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution.
- If there is no local antivirus solution installed on the system, this is a finding.
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.mrt" => false'
+result:
+ integer: 1
 fix: |
- Install an approved antivirus solution onto the system.
+ /usr/bin/sudo /bin/launchctl enable system/com.apple.mrt
 references:
 cce:
 - CCE-90900-2
@@ -25,7 +26,6 @@ references:
 macOS:
 - "12.0"
 tags:
- - manual
 - stig
 severity: "high"
 mobileconfig: false
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 87ac56322..c63122042 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -18,16 +18,16 @@ references:
 cce:
 - CCE-90913-5
 cci:
- - N/A
+ - CCI-000366
 800-53r5:
 - SI-3
 - SI-2(5)
 800-53r4:
 - N/A
 srg:
- - N/A
+ - SRG-OS-000480-GPOS-00227
 disa_stig:
- - N/A
+ - APPL-12-002070
 800-171r2:
 - N/A
 cisv8:
@@ -41,6 +41,8 @@ tags:
 - 800-53r5_moderate
 - 800-53r5_high
 - cisv8
+ - stig
+severity: "high"
 mobileconfig: true
 mobileconfig_info:
 com.apple.SoftwareUpdate:
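Review bot: The rewritten second `discussion` line of os_anti_virus_installed ends with a stray `'` ("...from the operating system.'") that was not in the removed line and will be rendered into the guidance and STIG text; drop the quote. The new automated `check:` verifies only that the `com.apple.mrt` launchd service is not disabled, which is narrower than the title "Must Use an Approved Antivirus Program" and the unchanged discussion, so a sentence naming the Malware Removal Tool as the mechanism being checked belongs in `discussion:`; if `launchctl print-disabled` lists only services with an explicit override, a never-touched host may also report 0 and be flagged until the `fix:` runs, which is worth confirming. The `fix:` prefixes the command with `/usr/bin/sudo` while the sshd fixes elsewhere on this page call their tools directly, so the rules are inconsistent about whether fix commands assume root.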
From d5ea936862044b089ea5b0751f3b3b1ccaa5e59c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 9 Feb 2022 16:05:17 -0500 Subject: [PATCH 126/193] fixes --- rules/os/os_blank_cd_disable.yaml | 3 +-- rules/os/os_cd_read_only_enforce.yaml | 3 +-- rules/os/os_removable_media_disable.yaml | 1 + .../sysprefs_internet_accounts_prefpane_disable.yaml} | 2 +- 4 files changed, 4 insertions(+), 5 deletions(-) rename rules/{os/os_internet_accounts_prefpane_disable.yaml => sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml} (96%) diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 26a9a621b..a07e59a5a 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -40,5 +40,4 @@ mobileconfig_info: mount-controls: blankcd: - alert - - eject - + - eject \ No newline at end of file diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index 5a3e23019..d2f66e2ff 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -39,5 +39,4 @@ mobileconfig_info: com.apple.systemuiserver: mount-controls: cd: - - read-only - + - read-only \ No newline at end of file diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 64919a919..de8116a25 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -42,6 +42,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - stig mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml similarity index 96% rename from rules/os/os_internet_accounts_prefpane_disable.yaml rename to rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml index da81d744d..a7a764cd6 100644 --- a/rules/os/os_internet_accounts_prefpane_disable.yaml 
+++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml
@@ -1,4 +1,4 @@
-id: os_internet_accounts_prefpane_disable
+id: sysprefs_internet_accounts_prefpane_disable
 title: "Disable the Internet Accounts System Preference Pane"
 discussion: |
 The Internet Accounts System Preference pane _MUST_ be disabled to prevent the addition of unauthorized internet accounts.
From 14655a0b64db518ae0b508e4d3af16bbe4c4a9a8 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 9 Feb 2022 16:10:21 -0500
Subject: [PATCH 127/193] updated syspref profiles, media controls, and safari user level settings
---
 scripts/generate_oval.py | 209 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 185 insertions(+), 24 deletions(-)
diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py
index fc1cfbe18..af286c69b 100755
--- a/scripts/generate_oval.py
+++ b/scripts/generate_oval.py
@@ -290,6 +290,7 @@ def main():
 continue
 for key, value in info.items():
+ if key == "familyControlsEnabled":
 xpath_search = ""
 if len(info) > 1:
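Review bot: The added `if key == "familyControlsEnabled":` is the only changed line in the `@@ -290,6 +290,7 @@` hunk of scripts/generate_oval.py, so the following `xpath_search = ""` and `if len(info) > 1:` keep their previous indentation as context lines; unless they were already nested one level deeper than the `for` body (which the collapsed layout hides), the new `if` has no indented block and the script will fail to parse with an IndentationError. If the intent is to scope the existing xpath construction to that key, the body lines need to be re-indented and would then appear as changed lines in this hunk. main() starts and ends outside the hunk, so the rest of the loop cannot be checked from here.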
@@ -383,43 +384,203 @@ def main(): x = x + 1 continue + if payload_type == "com.apple.finder": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) + + oval_test = oval_test + ''' + + + + + '''.format(rule_yaml['id'],x,x,x) + + oval_object = oval_object + ''' + + /Library/Preferences/com.apple.loginwindow.plist + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.finder.plist + + '''.format(x,x+1999) + x += 1 + continue - if payload_type == "com.apple.systemuiserver" and key == "mount-controls": + if payload_type == "com.apple.DiscRecording": oval_definition = oval_definition + ''' - + - {} + {} {} - + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) oval_test = oval_test + ''' + + + + + '''.format(rule_yaml['id'],x,x,x) - + oval_object = oval_object + ''' + + /Library/Preferences/com.apple.loginwindow.plist + 
/plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + + oval_state = oval_state + ''' + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.DiscRecording.plist + + '''.format(x,x+1999) + x += 1 + continue + if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": + oval_definition = oval_definition + ''' + + + {} + + + {} + + + + + + '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) + + oval_test = oval_test + ''' + - '''.format(rule_yaml['id'],x,x,x) + + '''.format(rule_yaml['id'],x,x,x) oval_object = oval_object + ''' - - /Library/Managed Preferences/com.apple.systemuiserver.plist - /plist/dict/dict/array/string/text() - '''.format(rule_yaml['id'],x) + + /Library/Preferences/com.apple.loginwindow.plist + /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() + + + + '''.format(x+1999,rule_yaml['id'],x,x) + + state_kind = "" + if type(value) == bool: + oval_object = oval_object + ''' +name(//*[contains(text(), "{}")]/following-sibling::*[1]) +'''.format(key) + state_kind = "boolean" + elif type(value) == int: + state_kind = "int" + oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) + elif type(value) == str: + state_kind = "string" + 
oval_object = oval_object + ''' +//*[contains(text(), "{}")]/following-sibling::*[1]/text() +'''.format(key) oval_state = oval_state + ''' - - deny - - '''.format(rule_yaml['id'],x) - x = x + 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes": + + {} + + '''.format(rule_yaml['id'],x,state_kind,value) + + + oval_variable = oval_variable + ''' + + + /Library/Managed Preferences/ + + /com.apple.Safari.plist + + '''.format(x,x+1999) + x += 1 + continue + if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes": oval_definition = oval_definition + ''' @@ -449,18 +610,18 @@ def main(): - boolean(plist/dict/array/string/text() = "{}") + /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - '''.format(x+1999,rule_yaml['id'],x,x,str(value).strip('[]').strip("'")) + '''.format(x+1999,rule_yaml['id'],x,x,key,str(value).strip('[]').strip("'")) oval_state = oval_state + ''' - true + {} - '''.format(rule_yaml['id'],x) + '''.format(rule_yaml['id'],x,str(value).strip('[]').strip("'")) oval_variable = oval_variable + ''' From 69cdb6a1b3660908f08b80d59542e1c025593c5c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 9 Feb 2022 17:24:38 -0500 Subject: [PATCH 128/193] fixed tabbing issue with defaults --- scripts/generate_oval.py | 152 ++++++++++++++++++++------------------- 1 file changed, 79 insertions(+), 73 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index af286c69b..1b6de9c4e 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -1147,6 +1147,7 @@ def main(): if "defaults" in rule_yaml['check']: + if rule_yaml['id'] == "sysprefs_hot_corners_secure": oval_definition = oval_definition + ''' 
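Review bot: In the `@@ -383,43 +384,203 @@` hunk the new `com.apple.finder`, `com.apple.DiscRecording` and `com.apple.Safari` branches are one ~60-line block pasted three times, differing only in the plist name inside the `oval_variable` template, with the same `type(value) == bool/int/str` ladder repeated in each; a helper parameterised on the domain (and using `isinstance`) would keep them from drifting. Each copy resolves the target plist through `lastUserName` in `/Library/Preferences/com.apple.loginwindow.plist`, so the generated check appears to inspect only the last-logged-in user's managed preferences, which is a scope limitation worth stating in a comment on the object template. The old `com.apple.systemuiserver` / `mount-controls` branch is removed here rather than moved, so unless it is re-added elsewhere those rules now yield no OVAL object. The closing condition would read more clearly as `if payload_type == "com.apple.systempreferences" and key in ("DisabledPreferencePanes", "HiddenPreferencePanes"):`. `main()` starts and ends outside the hunk.
```python
def _managed_pref_oval(rule_yaml, x, key, value, domain):
    """Build the definition/test/object/state/variable fragments for one
    per-user managed-preference key; domain is the plist name, e.g.
    "com.apple.finder".  The object resolves the user from lastUserName, so
    only the last-logged-in user's managed preferences are examined."""
    # … unchanged: oval_definition / oval_test / oval_object templates …
    if isinstance(value, bool):
        state_kind = "boolean"
        # … unchanged: name(...) xpath …
    elif isinstance(value, int):
        state_kind = "int"
        # … unchanged: text() xpath …
    elif isinstance(value, str):
        state_kind = "string"
        # … unchanged: text() xpath …
    # … unchanged: oval_state template …
    # … unchanged: oval_variable template, plist name taken from domain …
    return definition, test, obj, state, variable
```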
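Review bot: In the `@@ -449,18 +610,18 @@` hunk `str(value).strip('[]').strip("'")` is now used both in the new xpath `string[string()="{}"]` and as the state value, and it only produces a clean pane name when `value` is a one-element list — for a two-element list it yields something like `a', 'b`, which matches no element, so the check would fail closed without explanation. Since the branch now also serves `HiddenPreferencePanes`, a rule listing several panes is plausible; either emit one object/state per pane or guard the assumption explicitly, e.g. `if not isinstance(value, list) or len(value) != 1: raise ValueError("{}: expected exactly one pane, got {!r}".format(rule_yaml['id'], value))`. `main()` starts and ends outside the hunk.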
@@ -1164,106 +1165,111 @@ def main(): '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x,rule_yaml['id'],x+5000,rule_yaml['id'],x+5001,rule_yaml['id'],x+5002) - oval_test = oval_test + ''' + oval_test = oval_test + ''' '''.format(rule_yaml['id'],x,x,x) - oval_test = oval_test + ''' + oval_test = oval_test + ''' '''.format(rule_yaml['id'],x+5000,x+5000,x+5000) - oval_test = oval_test + ''' + oval_test = oval_test + ''' '''.format(rule_yaml['id'],x+5001,x+5001,x+5001) - oval_test = oval_test + ''' + oval_test = oval_test + ''' '''.format(rule_yaml['id'],x+5002,x+5002,x+5002) - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' - - .* - oval:mscp:ste:{} - - - - - '''.format(x+1999,x+1999,rule_yaml['id'],x,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") + check_length = len(rule_yaml['check'].split()) + key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + .* + oval:mscp:ste:{} + + + + + '''.format(x+1999,x+1999,rule_yaml['id'],x,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) - key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'],x+5000,x) + key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5000,x) - oval_object = oval_object 
+ '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) - key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'],x+5001,x) + key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5001,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) - key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - oval_object = oval_object + ''' - - - '''.format(rule_yaml['id'],x+5002,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') + + oval_object = oval_object + ''' + + + '''.format(rule_yaml['id'],x+5002,x) + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() + '''.format(key) - oval_state = oval_state + ''' - - ^[^_\s].* - 0 - 0 - /usr/bin/false - '''.format(x+1999) - - after_user = plist.split('"')[2] - oval_variable = oval_variable + ''' - - - - {} - .plist - - '''.format(x,x+1999,after_user,x+999) - - check_if = rule_yaml['check'].split("\n")[5] - modifier = 0 - for n in check_if.split(): + oval_state = oval_state + ''' + + ^[^_\s].* + 0 + 0 + /usr/bin/false + '''.format(x+1999) - if n.replace('"',"").isdigit(): - if modifier >= 4999: - modifier = modifier + 1 - oval_state = oval_state + ''' - {} - '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) - if 
modifier == 0: - modifier = 4999 - + + after_user = plist.split('"')[2] + oval_variable = oval_variable + ''' + + + + {} + .plist + + '''.format(x,x+1999,after_user,x+999) + try: + check_if = rule_yaml['check'].split("\n")[5] + + modifier = 0 + for n in check_if.split(): + + if n.replace('"',"").isdigit(): + if modifier >= 4999: + modifier = modifier + 1 + oval_state = oval_state + ''' + {} + '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) + if modifier == 0: + modifier = 4999 + continue + except: + continue - - continue oval_definition = oval_definition + ''' @@ -1610,7 +1616,7 @@ def main(): config_file = str() oval_variable_need = bool() if "grep" in s.split()[3]: - print(s.split()[3]) + oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) From 792ade75482c7f3c953a927cdd58d5284885be23 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 9 Feb 2022 20:03:19 -0500 Subject: [PATCH 129/193] added support for multiple mount-controls --- scripts/generate_guidance.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 9c22b151c..cda17d98f 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -388,6 +388,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign # setup lists and dictionaries profile_errors = [] profile_types = {} + mount_controls = {} for sections in baseline_yaml['profile']: for profile_rule in sections['rules']: 
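Review bot: The bare `except: continue` added at the end of the `@@ -1164,106 +1165,111 @@` hunk swallows every exception, including KeyboardInterrupt and SystemExit, and the failure path is indistinguishable from success: the definition, tests and objects for `x+5000..x+5002` have already been appended, so a rule whose `check` has fewer than six lines presumably ends up with tests that reference states that were never emitted. The only expected failure is the index in `rule_yaml['check'].split("\n")[5]`, so `except IndexError:` is the narrow form, and logging the rule id before `continue` would make the gap visible. The whole block is also gated on `rule_yaml['id'] == "sysprefs_hot_corners_secure"` (opened in the previous hunk), which puts rule-specific knowledge into the generator; a rule attribute would be easier to maintain. `main()` starts and ends outside the hunk.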
@@ -431,7 +432,13 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign valid = False if valid: - if payload_type == "com.apple.ManagedClient.preferences": + if payload_type == "com.apple.systemuiserver": + for setting_key, setting_value in info['mount-controls'].items(): + mount_controls[setting_key] = setting_value + payload_settings = {"mount-controls": mount_controls} + profile_types.setdefault( + payload_type, []).append(payload_settings) + elif payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): for key, value in settings.items(): payload_settings = ( From 8ef37541f64a4258c78056d6dfbd80f835c177d6 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 9 Feb 2022 20:10:02 -0500 Subject: [PATCH 130/193] added missing severity values --- rules/os/os_blank_bluray_disable.yaml | 1 + rules/os/os_blank_cd_disable.yaml | 1 + rules/os/os_blank_dvd_disable.yaml | 1 + rules/os/os_bluray_read_only_enforce.yaml | 1 + rules/os/os_cd_read_only_enforce.yaml | 1 + rules/os/os_disk_image_disable.yaml | 1 + rules/os/os_dvdram_disable.yaml | 1 + rules/os/os_removable_media_disable.yaml | 1 + 8 files changed, 8 insertions(+) diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index ff1f20a57..c757def12 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index a07e59a5a..09418dde2 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 854d87d8c..3de083f6d 100644 
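Review bot: `mount_controls` is created once per `generate_profiles` call (previous hunk) and every `com.apple.systemuiserver` rule appends a fresh `{"mount-controls": mount_controls}` wrapper around that same dict to `profile_types[payload_type]`, so with several such rules the list holds several entries that all alias one merged dict; whether the profile writer de-duplicates them or emits repeated payloads is not visible here. Merging and appending once would make the intent explicit: `mount_controls.update(info['mount-controls'])` followed by `profile_types.setdefault(payload_type, [{"mount-controls": mount_controls}])`. Plain assignment also lets a later rule silently overwrite an earlier rule's value for the same media key, which is a policy conflict better recorded in the existing `profile_errors` list than resolved by rule order. `generate_profiles` continues outside the hunk.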
--- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index d13dc1dbd..0df8d9863 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index d2f66e2ff..cb912cf71 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index 7f1c7e5d7..96b0c31d8 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index 9457197a7..790ba4b42 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -34,6 +34,7 @@ macOS: - "12.0" tags: - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index de8116a25..14221640f 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -43,6 +43,7 @@ tags: - 800-171 - cnssi-1253 - stig +severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systemuiserver: 
From 792038a004d101b8a91af2f9952d85a796d573f5 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 10 Feb 2022 11:41:24 -0500 Subject: [PATCH 131/193] removed stig folder --- rules/stig/APPL-12-000001.yml | 23 ----------- rules/stig/APPL-12-000002.yml | 22 ---------- rules/stig/APPL-12-000003.yml | 22 ---------- rules/stig/APPL-12-000004.yml | 29 ------------- rules/stig/APPL-12-000005.yml | 32 --------------- rules/stig/APPL-12-000006.yml | 25 ------------ rules/stig/APPL-12-000007.yml | 23 ----------- rules/stig/APPL-12-000011.yml | 64 ----------------------------- rules/stig/APPL-12-000012.yml | 70 -------------------------------- rules/stig/APPL-12-000014.yml | 45 --------------------- rules/stig/APPL-12-000015.yml | 23 ----------- rules/stig/APPL-12-000016.yml | 20 --------- rules/stig/APPL-12-000022.yml | 22 ---------- rules/stig/APPL-12-000023.yml | 52 ------------------------ rules/stig/APPL-12-000024.yml | 38 ------------------ rules/stig/APPL-12-000025.yml | 60 --------------------------- rules/stig/APPL-12-000030.yml | 33 --------------- rules/stig/APPL-12-000031.yml | 28 ------------- rules/stig/APPL-12-000032.yml | 35 ---------------- rules/stig/APPL-12-000033.yml | 24 ----------- rules/stig/APPL-12-000051.yml | 29 ------------- rules/stig/APPL-12-000052.yml | 29 ------------- rules/stig/APPL-12-000053.yml | 28 ------------- rules/stig/APPL-12-000054.yml | 60 --------------------------- rules/stig/APPL-12-000055.yml | 60 --------------------------- rules/stig/APPL-12-000056.yml | 59 --------------------------- rules/stig/APPL-12-001001.yml | 76 ----------------------------------- rules/stig/APPL-12-001002.yml | 44 -------------------- rules/stig/APPL-12-001003.yml | 74 ---------------------------------- rules/stig/APPL-12-001010.yml | 39 ------------------ rules/stig/APPL-12-001012.yml | 29 ------------- rules/stig/APPL-12-001013.yml | 26 ------------ rules/stig/APPL-12-001014.yml | 29 ------------- rules/stig/APPL-12-001015.yml | 26 ------------ rules/stig/APPL-12-001016.yml | 31 -------------- 
rules/stig/APPL-12-001017.yml | 35 ---------------- rules/stig/APPL-12-001020.yml | 53 ------------------------ rules/stig/APPL-12-001029.yml | 34 ---------------- rules/stig/APPL-12-001030.yml | 37 ----------------- rules/stig/APPL-12-001031.yml | 32 --------------- rules/stig/APPL-12-001044.yml | 44 -------------------- rules/stig/APPL-12-001060.yml | 47 ---------------------- rules/stig/APPL-12-001100.yml | 26 ------------ rules/stig/APPL-12-002001.yml | 28 ------------- rules/stig/APPL-12-002003.yml | 29 ------------- rules/stig/APPL-12-002004.yml | 33 --------------- rules/stig/APPL-12-002005.yml | 31 -------------- rules/stig/APPL-12-002006.yml | 35 ---------------- rules/stig/APPL-12-002007.yml | 31 -------------- rules/stig/APPL-12-002008.yml | 37 ----------------- rules/stig/APPL-12-002009.yml | 33 --------------- rules/stig/APPL-12-002012.yml | 31 -------------- rules/stig/APPL-12-002013.yml | 31 -------------- rules/stig/APPL-12-002014.yml | 31 -------------- rules/stig/APPL-12-002015.yml | 31 -------------- rules/stig/APPL-12-002016.yml | 31 -------------- rules/stig/APPL-12-002017.yml | 36 ----------------- rules/stig/APPL-12-002020.yml | 32 --------------- rules/stig/APPL-12-002021.yml | 47 ---------------------- rules/stig/APPL-12-002022.yml | 35 ---------------- rules/stig/APPL-12-002031.yml | 31 -------------- rules/stig/APPL-12-002032.yml | 34 ---------------- rules/stig/APPL-12-002035.yml | 32 --------------- rules/stig/APPL-12-002036.yml | 32 --------------- rules/stig/APPL-12-002037.yml | 32 --------------- rules/stig/APPL-12-002038.yml | 29 ------------- rules/stig/APPL-12-002039.yml | 30 -------------- rules/stig/APPL-12-002040.yml | 30 -------------- rules/stig/APPL-12-002041.yml | 31 -------------- rules/stig/APPL-12-002042.yml | 30 -------------- rules/stig/APPL-12-002043.yml | 30 -------------- rules/stig/APPL-12-002050.yml | 28 ------------- rules/stig/APPL-12-002051.yml | 34 ---------------- rules/stig/APPL-12-002052.yml | 34 
---------------- rules/stig/APPL-12-002053.yml | 33 --------------- rules/stig/APPL-12-002060.yml | 28 ------------- rules/stig/APPL-12-002062.yml | 53 ------------------------ rules/stig/APPL-12-002063.yml | 39 ------------------ rules/stig/APPL-12-002064.yml | 27 ------------- rules/stig/APPL-12-002066.yml | 20 --------- rules/stig/APPL-12-002068.yml | 40 ------------------ rules/stig/APPL-12-002069.yml | 31 -------------- rules/stig/APPL-12-002070.yml | 41 ------------------- rules/stig/APPL-12-003001.yml | 40 ------------------ rules/stig/APPL-12-003007.yml | 26 ------------ rules/stig/APPL-12-003008.yml | 25 ------------ rules/stig/APPL-12-003009.yml | 22 ---------- rules/stig/APPL-12-003010.yml | 23 ----------- rules/stig/APPL-12-003011.yml | 31 -------------- rules/stig/APPL-12-003012.yml | 19 --------- rules/stig/APPL-12-003013.yml | 30 -------------- rules/stig/APPL-12-003020.yml | 36 ----------------- rules/stig/APPL-12-003050.yml | 41 ------------------- rules/stig/APPL-12-003051.yml | 54 ------------------------- rules/stig/APPL-12-003052.yml | 53 ------------------------ rules/stig/APPL-12-004001.yml | 29 ------------- rules/stig/APPL-12-004002.yml | 30 -------------- rules/stig/APPL-12-004021.yml | 31 -------------- rules/stig/APPL-12-005001.yml | 64 ----------------------------- rules/stig/APPL-12-005020.yml | 43 -------------------- rules/stig/APPL-12-005050.yml | 22 ---------- rules/stig/APPL-12-005051.yml | 31 -------------- rules/stig/APPL-12-005052.yml | 23 ----------- rules/stig/APPL-12-005053.yml | 25 ------------ rules/stig/APPL-12-005054.yml | 32 --------------- rules/stig/APPL-12-005055.yml | 32 --------------- rules/stig/APPL-12-005056.yml | 33 --------------- rules/stig/APPL-12-005058.yml | 33 --------------- rules/stig/APPL-12-005060.yml | 33 --------------- rules/stig/APPL-12-005061.yml | 33 --------------- 110 files changed, 3842 deletions(-) delete mode 100644 rules/stig/APPL-12-000001.yml delete mode 100644 
rules/stig/APPL-12-000002.yml delete mode 100644 rules/stig/APPL-12-000003.yml delete mode 100644 rules/stig/APPL-12-000004.yml delete mode 100644 rules/stig/APPL-12-000005.yml delete mode 100644 rules/stig/APPL-12-000006.yml delete mode 100644 rules/stig/APPL-12-000007.yml delete mode 100644 rules/stig/APPL-12-000011.yml delete mode 100644 rules/stig/APPL-12-000012.yml delete mode 100644 rules/stig/APPL-12-000014.yml delete mode 100644 rules/stig/APPL-12-000015.yml delete mode 100644 rules/stig/APPL-12-000016.yml delete mode 100644 rules/stig/APPL-12-000022.yml delete mode 100644 rules/stig/APPL-12-000023.yml delete mode 100644 rules/stig/APPL-12-000024.yml delete mode 100644 rules/stig/APPL-12-000025.yml delete mode 100644 rules/stig/APPL-12-000030.yml delete mode 100644 rules/stig/APPL-12-000031.yml delete mode 100644 rules/stig/APPL-12-000032.yml delete mode 100644 rules/stig/APPL-12-000033.yml delete mode 100644 rules/stig/APPL-12-000051.yml delete mode 100644 rules/stig/APPL-12-000052.yml delete mode 100644 rules/stig/APPL-12-000053.yml delete mode 100644 rules/stig/APPL-12-000054.yml delete mode 100644 rules/stig/APPL-12-000055.yml delete mode 100644 rules/stig/APPL-12-000056.yml delete mode 100644 rules/stig/APPL-12-001001.yml delete mode 100644 rules/stig/APPL-12-001002.yml delete mode 100644 rules/stig/APPL-12-001003.yml delete mode 100644 rules/stig/APPL-12-001010.yml delete mode 100644 rules/stig/APPL-12-001012.yml delete mode 100644 rules/stig/APPL-12-001013.yml delete mode 100644 rules/stig/APPL-12-001014.yml delete mode 100644 rules/stig/APPL-12-001015.yml delete mode 100644 rules/stig/APPL-12-001016.yml delete mode 100644 rules/stig/APPL-12-001017.yml delete mode 100644 rules/stig/APPL-12-001020.yml delete mode 100644 rules/stig/APPL-12-001029.yml delete mode 100644 rules/stig/APPL-12-001030.yml delete mode 100644 rules/stig/APPL-12-001031.yml delete mode 100644 rules/stig/APPL-12-001044.yml delete mode 100644 rules/stig/APPL-12-001060.yml delete 
mode 100644 rules/stig/APPL-12-001100.yml delete mode 100644 rules/stig/APPL-12-002001.yml delete mode 100644 rules/stig/APPL-12-002003.yml delete mode 100644 rules/stig/APPL-12-002004.yml delete mode 100644 rules/stig/APPL-12-002005.yml delete mode 100644 rules/stig/APPL-12-002006.yml delete mode 100644 rules/stig/APPL-12-002007.yml delete mode 100644 rules/stig/APPL-12-002008.yml delete mode 100644 rules/stig/APPL-12-002009.yml delete mode 100644 rules/stig/APPL-12-002012.yml delete mode 100644 rules/stig/APPL-12-002013.yml delete mode 100644 rules/stig/APPL-12-002014.yml delete mode 100644 rules/stig/APPL-12-002015.yml delete mode 100644 rules/stig/APPL-12-002016.yml delete mode 100644 rules/stig/APPL-12-002017.yml delete mode 100644 rules/stig/APPL-12-002020.yml delete mode 100644 rules/stig/APPL-12-002021.yml delete mode 100644 rules/stig/APPL-12-002022.yml delete mode 100644 rules/stig/APPL-12-002031.yml delete mode 100644 rules/stig/APPL-12-002032.yml delete mode 100644 rules/stig/APPL-12-002035.yml delete mode 100644 rules/stig/APPL-12-002036.yml delete mode 100644 rules/stig/APPL-12-002037.yml delete mode 100644 rules/stig/APPL-12-002038.yml delete mode 100644 rules/stig/APPL-12-002039.yml delete mode 100644 rules/stig/APPL-12-002040.yml delete mode 100644 rules/stig/APPL-12-002041.yml delete mode 100644 rules/stig/APPL-12-002042.yml delete mode 100644 rules/stig/APPL-12-002043.yml delete mode 100644 rules/stig/APPL-12-002050.yml delete mode 100644 rules/stig/APPL-12-002051.yml delete mode 100644 rules/stig/APPL-12-002052.yml delete mode 100644 rules/stig/APPL-12-002053.yml delete mode 100644 rules/stig/APPL-12-002060.yml delete mode 100644 rules/stig/APPL-12-002062.yml delete mode 100644 rules/stig/APPL-12-002063.yml delete mode 100644 rules/stig/APPL-12-002064.yml delete mode 100644 rules/stig/APPL-12-002066.yml delete mode 100644 rules/stig/APPL-12-002068.yml delete mode 100644 rules/stig/APPL-12-002069.yml delete mode 100644 
rules/stig/APPL-12-002070.yml delete mode 100644 rules/stig/APPL-12-003001.yml delete mode 100644 rules/stig/APPL-12-003007.yml delete mode 100644 rules/stig/APPL-12-003008.yml delete mode 100644 rules/stig/APPL-12-003009.yml delete mode 100644 rules/stig/APPL-12-003010.yml delete mode 100644 rules/stig/APPL-12-003011.yml delete mode 100644 rules/stig/APPL-12-003012.yml delete mode 100644 rules/stig/APPL-12-003013.yml delete mode 100644 rules/stig/APPL-12-003020.yml delete mode 100644 rules/stig/APPL-12-003050.yml delete mode 100644 rules/stig/APPL-12-003051.yml delete mode 100644 rules/stig/APPL-12-003052.yml delete mode 100644 rules/stig/APPL-12-004001.yml delete mode 100644 rules/stig/APPL-12-004002.yml delete mode 100644 rules/stig/APPL-12-004021.yml delete mode 100644 rules/stig/APPL-12-005001.yml delete mode 100644 rules/stig/APPL-12-005020.yml delete mode 100644 rules/stig/APPL-12-005050.yml delete mode 100644 rules/stig/APPL-12-005051.yml delete mode 100644 rules/stig/APPL-12-005052.yml delete mode 100644 rules/stig/APPL-12-005053.yml delete mode 100644 rules/stig/APPL-12-005054.yml delete mode 100644 rules/stig/APPL-12-005055.yml delete mode 100644 rules/stig/APPL-12-005056.yml delete mode 100644 rules/stig/APPL-12-005058.yml delete mode 100644 rules/stig/APPL-12-005060.yml delete mode 100644 rules/stig/APPL-12-005061.yml diff --git a/rules/stig/APPL-12-000001.yml b/rules/stig/APPL-12-000001.yml deleted file mode 100644 index 1d0510db1..000000000 --- a/rules/stig/APPL-12-000001.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to prevent Apple Watch from terminating - a session lock. -discussion: Users must be prompted to enter their passwords when unlocking the screen - saver. The screen saver acts as a session lock and prevents unauthorized users from - accessing the current user's account. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock" -result: '[''allowAutoUnlock = 0;'', '''', ''If there is no result or "allowAutoUnlock" - is not set to "0", this is a finding.'']' -fix: "This setting is enforced using the \u201CRestrictions Policy\" configuration\ - \ profile." -references: - srg: - - SRG-OS-000028-GPOS-00009 - disa_stig: - - APPL-12-000001 - cci: - - CCI-000056 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000002.yml b/rules/stig/APPL-12-000002.yml deleted file mode 100644 index ae379dc2b..000000000 --- a/rules/stig/APPL-12-000002.yml +++ /dev/null @@ -1,22 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must retain the session lock until the user reestablishes - access using established identification and authentication procedures. -discussion: Users must be prompted to enter their passwords when unlocking the screen - saver. The screen saver acts as a session lock and prevents unauthorized users from - accessing the current user's account. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPassword -result: '[''If there is no result, or if "askForPassword" is not set to "1", this - is a finding.'']' -fix: This setting is enforced using the "Login Window Policy" configuration profile. -references: - srg: - - SRG-OS-000028-GPOS-00009 - disa_stig: - - APPL-12-000002 - cci: - - CCI-000056 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000003.yml b/rules/stig/APPL-12-000003.yml deleted file mode 100644 index abc7c0faf..000000000 
--- a/rules/stig/APPL-12-000003.yml +++ /dev/null @@ -1,22 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must initiate the session lock no more than five seconds after - a screen saver is started. -discussion: A screen saver must be enabled and set to require a password to unlock. - An excessive grace period impacts the ability for a session to be truly locked, - requiring authentication to unlock. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay -result: '[''If there is no result, or if "askForPasswordDelay" is not set to "5.0" - or less, this is a finding.'']' -fix: This setting is enforced using the "Login Window Policy" configuration profile. -references: - srg: - - SRG-OS-000028-GPOS-00009 - disa_stig: - - APPL-12-000003 - cci: - - CCI-000056 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000004.yml b/rules/stig/APPL-12-000004.yml deleted file mode 100644 index 4a77ae137..000000000 --- a/rules/stig/APPL-12-000004.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must initiate a session lock after a 15-minute period of inactivity. -discussion: 'A screen saver must be enabled and set to require a password to unlock. - The timeout should be set to 15 minutes of inactivity. This mitigates the risk that - a user might forget to manually lock the screen before stepping away from the computer. - - - A session time-out lock is a temporary action taken when a user stops work and moves - away from the immediate physical vicinity of the information system but does not - log out because of the temporary nature of the absence. Rather than relying on the - user to manually lock their operating system session prior to vacating the vicinity, - operating systems need to be able to identify when a user''s session has idled and - take action to initiate the session lock.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowIdleTime -result: '[''If there is no result, or if "loginWindowIdleTime" is not set to "900" - seconds or less, this is a finding.'']' -fix: This setting is enforced using the "Login Window Policy" configuration profile. -references: - srg: - - SRG-OS-000029-GPOS-00010 - disa_stig: - - APPL-12-000004 - cci: - - CCI-000057 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000005.yml b/rules/stig/APPL-12-000005.yml deleted file mode 100644 index 8a8c0310a..000000000 --- a/rules/stig/APPL-12-000005.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to lock the user session when a smart token - is removed. -discussion: 'A session lock is a temporary action taken when a user stops work and - moves away from the immediate physical vicinity of the information system but does - not want to log out because of the temporary nature of the absence. - - - The session lock is implemented at the point where session activity can be determined. - Rather than be forced to wait for a period of time to expire before the user session - can be locked, operating systems need to provide users with the ability to manually - invoke a session lock so users may secure their session should they need to temporarily - vacate the immediate physical vicinity.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction - = 1;" -result: '[''If there is no result, this is a finding.'']' -fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\ - \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\ - \ provided with the STIG should be consulted to ensure continued access to the operating\ - \ system." -references: - srg: - - SRG-OS-000030-GPOS-00011 - disa_stig: - - APPL-12-000005 - cci: - - CCI-000058 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000006.yml b/rules/stig/APPL-12-000006.yml deleted file mode 100644 index 9161e7d0b..000000000 --- a/rules/stig/APPL-12-000006.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must conceal, via the session lock, information previously - visible on the display with a publicly viewable image. -discussion: A default screen saver must be configured for all users, as the screen - saver will act as a session time-out lock for the system and must conceal the contents - of the screen from unauthorized users. The screen saver must not display any sensitive - information or reveal the contents of the locked session screen. Publicly viewable - images can include static or dynamic images such as patterns used with screen savers, - photographic images, solid colors, a clock, a battery life indicator, or a blank - screen. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowModulePath -result: '[''If there is no result or defined "modulePath", this is a finding.'']' -fix: This setting is enforced using the "Login Window Policy" configuration profile. -references: - srg: - - SRG-OS-000031-GPOS-00012 - disa_stig: - - APPL-12-000006 - cci: - - CCI-000060 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-000007.yml b/rules/stig/APPL-12-000007.yml deleted file mode 100644 index 3a73aa693..000000000 --- a/rules/stig/APPL-12-000007.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable hot corners. -discussion: Although hot corners can be used to initiate a session lock or launch - useful applications, they can also be configured to disable an automatic session - lock from initiating. Such a configuration introduces the risk that a user might - forget to manually lock the screen before stepping away from the computer. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep wvous -result: '[''If the return is null, or does not equal:'', ''"wvous-bl-corner = 0'', - ''wvous-br-corner = 0;'', ''wvous-tl-corner = 0;'', ''wvous-tr-corner = 0;" '', - ''this is a finding.'']' -fix: This setting is enforced using the "Custom Policy" configuration profile. -references: - srg: - - SRG-OS-000031-GPOS-00012 - disa_stig: - - APPL-12-000007 - cci: - - CCI-000060 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000011.yml b/rules/stig/APPL-12-000011.yml deleted file mode 100644 index 6d2ff9d23..000000000 --- a/rules/stig/APPL-12-000011.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must disable the SSHD service. -discussion: "Without confidentiality and integrity protection mechanisms, unauthorized\ - \ individuals may gain access to sensitive information via a remote access session.\n\ - \nRemote access is access to DoD non-public information systems by an authorized\ - \ user (or an information system) communicating through an external, non-organization-controlled\ - \ network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\ - \nEncryption provides a means to secure the remote connection to prevent unauthorized\ - \ access to the data traversing the remote access connection (e.g., Remote Desktop\ - \ Protocol [RDP]), thereby providing a degree of confidentiality. The encryption\ - \ strength of a mechanism is selected based on the security categorization of the\ - \ information.\n\nPrivileged access contains control and configuration information\ - \ and is particularly sensitive, so additional protections are necessary. This is\ - \ maintained by using cryptographic mechanisms, such as a hash function or digital\ - \ signature, to protect integrity. \n\nNonlocal maintenance and diagnostic activities\ - \ are those activities conducted by individuals communicating through a network,\ - \ either an external network (e.g., the Internet) or an internal network. \n\n\ - Use of weak or untested encryption algorithms undermines the purposes of using encryption\ - \ to protect data. 
The operating system must implement cryptographic modules adhering\ - \ to the higher standards approved by the federal government since this provides\ - \ assurance they have been tested and validated.\n\nThe implementation of OpenSSH\ - \ that is included with macOS does not utilize a FIPS 140-2 validated cryptographic\ - \ module.\n\n" -check: /bin/launchctl print-disabled system | grep sshd -result: '[''If the results do not show "com.openssh.sshd => true", this is a finding.'']' -fix: 'Disable the "SSHD" service by using the following command: - - - /usr/bin/sudo /bin/launchctl disable system/com.openssh.sshd - - - The system may need to be restarted for the update to take effect.' -references: - srg: - - SRG-OS-000250-GPOS-00093 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000319-GPOS-00164 - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - - SRG-OS-000112-GPOS-00057 - - SRG-OS-000113-GPOS-00058 - - SRG-OS-000423-GPOS-00187 - - SRG-OS-000424-GPOS-00188 - - SRG-OS-000425-GPOS-00189 - - SRG-OS-000426-GPOS-00190 - disa_stig: - - APPL-12-000011 - cci: - - CCI-000068 - - CCI-001453 - - CCI-001941 - - CCI-001942 - - CCI-001967 - - CCI-002418 - - CCI-002420 - - CCI-002421 - - CCI-002422 - - CCI-002890 - - CCI-003123 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000012.yml b/rules/stig/APPL-12-000012.yml deleted file mode 100644 index a7effd866..000000000 --- a/rules/stig/APPL-12-000012.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must automatically remove or disable temporary and emergency - user accounts after 72 hours. -discussion: 'If temporary user accounts remain active when no longer needed or for - an excessive period, these accounts may be targeted by attackers to gain unauthorized - access. To mitigate this risk, automated termination of all temporary accounts must - be set upon account creation. - - - Temporary accounts are established as part of normal account activation procedures - when there is a need for short-term accounts without the demand for immediacy in - account activation. - - - If temporary accounts are used, the operating system must be configured to automatically - terminate these types of accounts after a DoD-defined time period of 72 hours. - - - Emergency administrator accounts are privileged accounts established in response - to crisis situations where the need for rapid account activation is required. Therefore, - emergency account activation may bypass normal account authorization processes. - If these accounts are automatically disabled, system maintenance during emergencies - may not be possible, thus adversely affecting system availability. - - - Emergency administrator accounts are different from infrequently used accounts (i.e., - local logon accounts used by system administrators when network or normal logon/access - is not available). Infrequently used accounts also remain available and are not - subject to automatic termination dates. However, an emergency administrator account - is normally a different account created for use by vendors or system maintainers. - - - To address access requirements, many operating systems may be integrated with enterprise-level - authentication/access mechanisms that meet or exceed access control policy requirements. 
- - - ' -check: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 -result: '[''If there is no output, and password policy is not controlled by a directory - service, this is a finding.'', '''', ''Otherwise, look for the line "policyCategoryAuthentication".'', - '''', ''In the array that follows, there should be a section that contains - a check that allows users to log in if "policyAttributeCurrentTime" is - less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 - seconds). The check might use a variable defined in its "policyParameters" section.'', - '''', ''If the check does not exist or if the check adds too great an amount of - time to "policyAttributeCreationTime", this is a finding.'']' -fix: "This setting may be enforced using local policy or by a directory service.\n\ - \nTo set local policy to disable a temporary or emergency user, create a plain text\ - \ file containing the following:\n\n \n policyCategoryAuthentication\n\ - \ \n \n policyContent\n policyAttributeCurrentTime\ - \ < policyAttributeCreationTime+259299\n policyIdentifier\n\ - \ Disable Tmp Accounts \n \n \n\ - \ \n\nAfter saving the file and exiting to the command prompt, run the\ - \ following command to load the new policy file, substituting the correct user name\ - \ in place of \"username\" and the path to the file in place of \"/path/to/file\"\ - .\n\n/usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file" -references: - srg: - - SRG-OS-000002-GPOS-00002 - - SRG-OS-000123-GPOS-00064 - disa_stig: - - APPL-12-000012 - cci: - - CCI-001682 - - CCI-000016 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000014.yml b/rules/stig/APPL-12-000014.yml deleted file mode 100644 index 3aa9d5fcd..000000000 --- a/rules/stig/APPL-12-000014.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must, for networked systems, compare internal information - system clocks at least every 24 hours with a server that is synchronized to one - of the redundant United States Naval Observatory (USNO) time servers or a time server - designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning - System (GPS). -discussion: "Inaccurate time stamps make it more difficult to correlate events and\ - \ can lead to an inaccurate analysis. Determining the correct time a particular\ - \ event occurred on a system is critical when conducting forensic analysis and investigating\ - \ system events. Sources outside of the configured acceptable allowance (drift)\ - \ may be inaccurate.\n\nSynchronizing internal information system clocks provides\ - \ uniformity of time stamps for information systems with multiple system clocks\ - \ and systems connected over a network. \n\nOrganizations should consider endpoints\ - \ that may not have regular access to the authoritative time server (e.g., mobile,\ - \ teleworking, and tactical endpoints).\n\n" -check: sudo systemsetup -getusingnetworktime -result: '[''If the following in not returned, this is a finding:'', ''Network Time: - On'', '''', ''To verify that an authorized Time Server is configured, run the following - command:'', '' sudo systemsetup -getnetworktimeserver'', '''', ''Only approved time - servers should be configured for use.'', '''', ''If no server is configured, or - if an unapproved time server is in use, this is a finding.'']' -fix: 'To enable the TIMED service, run the following command: - - - /usr/bin/sudo systemsetup -setusingnetworktime on - - - To configure a time server, use the following command: - - - /usr/bin/sudo systemsetup -setnetworktimeserver "server"' -references: - srg: - - SRG-OS-000355-GPOS-00143 - - SRG-OS-000356-GPOS-00144 - disa_stig: - - APPL-12-000014 - cci: - - CCI-002046 - - CCI-001891 -macOS: -- '12' 
-tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000015.yml b/rules/stig/APPL-12-000015.yml deleted file mode 100644 index 3aa1a066d..000000000 --- a/rules/stig/APPL-12-000015.yml +++ /dev/null @@ -1,23 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must utilize an ESS solution and implement all DoD required - modules. -discussion: The macOS system must employ automated mechanisms to determine the state - of system components. The DoD requires the installation and use of an approved HBSS - solution to be implemented on the operating system. For additional information, - reference all applicable HBSS OPORDs and FRAGOs on SIPRNET. -check: Unable to parse the check text -result: Unable to parse the check text -fix: Install an approved ESS solution onto the system and ensure that all components - are at least updated to their DoD approved minimal versions. -references: - srg: - - SRG-OS-000191-GPOS-00080 - disa_stig: - - APPL-12-000015 - cci: - - CCI-001233 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000016.yml b/rules/stig/APPL-12-000016.yml deleted file mode 100644 index 5b53fc18e..000000000 --- a/rules/stig/APPL-12-000016.yml +++ /dev/null @@ -1,20 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be integrated into a directory services infrastructure. -discussion: Distinct user account databases on each separate system cause problems - with username and password policy enforcement. Most approved directory services - infrastructure solutions allow centralized management of users and passwords. -check: /usr/bin/dscl localhost -list . | /usr/bin/grep "Active Directory" -result: '[''If no results are returned, this is a finding.'']' -fix: Integrate the system into an existing directory services infrastructure. -references: - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-12-000016 - cci: - - CCI-000366 -macOS: -- '12' -tags: -- stig -severity: high 
diff --git a/rules/stig/APPL-12-000022.yml b/rules/stig/APPL-12-000022.yml deleted file mode 100644 index efb9363ce..000000000 --- a/rules/stig/APPL-12-000022.yml +++ /dev/null @@ -1,22 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must enforce the limit of three consecutive invalid logon - attempts by a user before the user account is locked. -discussion: By limiting the number of failed logon attempts, the risk of unauthorized - system access via user password guessing, otherwise known as brute forcing, is reduced. - Limits are imposed by locking the account. -check: Unable to parse the check text -result: Unable to parse the check text -fix: This setting may be enforced using the "Passcode Policy" configuration profile - or by a directory service. -references: - srg: - - SRG-OS-000329-GPOS-00128 - disa_stig: - - APPL-12-000022 - cci: - - CCI-002238 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000023.yml b/rules/stig/APPL-12-000023.yml deleted file mode 100644 index a6ca54eb0..000000000 --- a/rules/stig/APPL-12-000023.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must display the Standard Mandatory DoD Notice and Consent - Banner before granting remote access to the operating system. -discussion: 'Display of a standardized and approved use notification before granting - access to the operating system ensures privacy and security notification verbiage - used is consistent with applicable federal laws, Executive Orders, directives, policies, - regulations, standards, and guidance. - - - System use notifications are required only for access via logon interfaces with - human users and are not required when such human interfaces do not exist. - - - The banner must be formatted in accordance with DTM-08-060.' -check: '# more /etc/banner' -result: '[''The command should return the following text:'', ''"You are accessing - a U.S. Government (USG) Information System (IS) that is provided for USG-authorized - use only.'', '''', ''By using this IS (which includes any device attached to this - IS), you consent to the following conditions:'', '''', ''-The USG routinely intercepts - and monitors communications on this IS for purposes including, but not limited to, - penetration testing, COMSEC monitoring, network operations and defense, personnel - misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.'', - '''', ''-At any time, the USG may inspect and seize data stored on this IS.'', '''', - ''-Communications using, or data stored on, this IS are not private, are subject - to routine monitoring, interception, and search, and may be disclosed or used for - any USG-authorized purpose.'', '''', ''-This IS includes security measures (e.g., - authentication and access controls) to protect USG interests--not for your personal - benefit or privacy.'', '''', ''-Notwithstanding the above, using this IS does not - constitute consent to PM, LE or CI investigative searching or monitoring of the - content of privileged communications, or work product, related 
to personal representation - or services by attorneys, psychotherapists, or clergy, and their assistants. Such - communications and work product are private and confidential. See User Agreement - for details."'', '''', ''If the operating system does not display a graphical logon - banner or the banner does not match the Standard Mandatory DoD Notice and Consent - Banner, this is a finding.'', '''', ''If the text in the "/etc/banner" file does - not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.'']' -fix: 'Create a text file containing the required DoD text. - - - Name the file "banner" and place it in "/etc/".' -references: - srg: - - SRG-OS-000023-GPOS-00006 - disa_stig: - - APPL-12-000023 - cci: - - CCI-000048 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000024.yml b/rules/stig/APPL-12-000024.yml deleted file mode 100644 index b5e6fbb9c..000000000 --- a/rules/stig/APPL-12-000024.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must display the Standard Mandatory DoD Notice and Consent - Banner before granting access to the system via SSH. -discussion: 'Display of a standardized and approved use notification before granting - access to the operating system ensures privacy and security notification verbiage - used is consistent with applicable federal laws, Executive Orders, directives, policies, - regulations, standards, and guidance. - - - System use notifications are required only for access via logon interfaces with - human users and are not required when such human interfaces do not exist. - - - The banner must be formatted in accordance with DTM-08-060. - - - ' -check: '# /usr/bin/grep Banner /etc/ssh/sshd_config' -result: '[''Banner /etc/banner'', '''', ''If the sshd Banner configuration option - does not point to "/etc/banner", this is a finding.'']' -fix: 'For systems that allow remote access through SSH run the following command: - - - # /usr/bin/sudo /usr/bin/sed -i.bak ''s/^#Banner.*/Banner \/etc\/banner/'' /etc/ssh/sshd_config' -references: - srg: - - SRG-OS-000023-GPOS-00006 - - SRG-OS-000024-GPOS-00007 - disa_stig: - - APPL-12-000024 - cci: - - CCI-000048 - - CCI-000050 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000025.yml b/rules/stig/APPL-12-000025.yml deleted file mode 100644 index 2663e51e6..000000000 --- a/rules/stig/APPL-12-000025.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured so that any connection to the system must - display the Standard Mandatory DoD Notice and Consent Banner before granting GUI - access to the system. -discussion: 'Display of a standardized and approved use notification before granting - access to the operating system ensures privacy and security notification verbiage - used is consistent with applicable federal laws, Executive Orders, directives, policies, - regulations, standards, and guidance. - - - System use notifications are required only for access via logon interfaces with - human users and are not required when such human interfaces do not exist. - - - The banner must be formatted in accordance with DTM-08-060. - - - ' -check: /bin/ls -l /Library/Security/PolicyBanner.rtf* -result: '[''If neither "PolicyBanner.rtf" nor "PolicyBanner.rtfd" exists, this is - a finding. '', '''', ''The banner text of the document MUST read:'', '''', ''"You - are accessing a U.S. Government (USG) Information System (IS) that is provided for - USG-authorized use only. 
By using this IS (which includes any device attached to - this IS), you consent to the following conditions:'', ''-The USG routinely intercepts - and monitors communications on this IS for purposes including, but not limited to, - penetration testing, COMSEC monitoring, network operations and defense, personnel - misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.'', - ''-At any time, the USG may inspect and seize data stored on this IS.'', ''-Communications - using, or data stored on, this IS are not private, are subject to routine monitoring, - interception, and search, and may be disclosed or used for any USG authorized purpose.'', - ''-This IS includes security measures (e.g., authentication and access controls) - to protect USG interests--not for your personal benefit or privacy.'', ''-Notwithstanding - the above, using this IS does not constitute consent to PM, LE or CI investigative - searching or monitoring of the content of privileged communications, or work product, - related to personal representation or services by attorneys, psychotherapists, or - clergy, and their assistants. Such communications and work product are private and - confidential. See User Agreement for details."'', '''', ''If the text is not worded - exactly this way, this is a finding.'']' -fix: Create an RTF file containing the required text. Name the file "PolicyBanner.rtf" - or "PolicyBanner.rtfd" and place it in "/Library/Security/". -references: - srg: - - SRG-OS-000023-GPOS-00006 - - SRG-OS-000024-GPOS-00007 - - SRG-OS-000228-GPOS-00088 - disa_stig: - - APPL-12-000025 - cci: - - CCI-000048 - - CCI-000050 - - CCI-001384 - - CCI-001385 - - CCI-001386 - - CCI-001387 - - CCI-001388 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000030.yml b/rules/stig/APPL-12-000030.yml deleted file mode 100644 index 8b5788f19..000000000 --- a/rules/stig/APPL-12-000030.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured so that log files must not contain access - control lists (ACLs). -discussion: 'The audit service must be configured to create log files with the correct - permissions to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and users. If log files are set to be readable and - writable only by root or administrative users with sudo, the risk is mitigated. - - - ' -check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'') | /usr/bin/grep -v current' -result: '[''In the output from the above commands, ACLs will be listed under any file - that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").'', - '''', ''If any such line exists, this is a finding.'']' -fix: 'For any log file that contains ACLs, run the following command: - - - /usr/bin/sudo chmod -N [audit log file]' -references: - srg: - - SRG-OS-000057-GPOS-00027 - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-12-000030 - cci: - - CCI-001314 - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000031.yml b/rules/stig/APPL-12-000031.yml deleted file mode 100644 index b0fdfa347..000000000 --- a/rules/stig/APPL-12-000031.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured so that log folders must not contain access - control lists (ACLs). -discussion: The audit service must be configured to create log folders with the correct - permissions to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and users. If log folders are set to be readable - and writable only by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'')' -result: '[''In the output from the above commands, ACLs will be listed under any folder - that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").'', - '''', ''If any such line exists, this is a finding.'']' -fix: 'For any log folder that contains ACLs, run the following command: - - - /usr/bin/sudo chmod -N [audit log folder]' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-000031 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000032.yml b/rules/stig/APPL-12-000032.yml deleted file mode 100644 index 4ec6db9bc..000000000 --- a/rules/stig/APPL-12-000032.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with dedicated user accounts to decrypt - the hard disk upon startup. -discussion: When "FileVault" and Multifactor Authentication are configured on the - operating system, a dedicated user must be configured to ensure that the implemented - Multifactor Authentication rules are enforced. If a dedicated user is not configured - to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor - Authentication rules during initial startup and first login. -check: $ sudo fdesetup list -result: "['fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A', '', 'If any unauthorized\ - \ users are listed, this is a finding.', '', 'Verify that the shell for authorized\ - \ FileVault users is set to \u201C/usr/bin/false\u201D, which prevents console logins:',\ - \ '', '$ sudo dscl . read /Users/ UserShell', '', 'UserShell: /usr/bin/false',\ - \ '', 'If the FileVault users\\' shell is not set to \"/usr/bin/false\", this is\ - \ a finding.']" -fix: "Note: In previous versions of macOS, this setting was implemented differently.\ - \ Systems that used the previous method should prepare the system for the new method\ - \ by creating a new unlock user, verifying its ability to unlock FileVault after\ - \ reboot, then deleting the old FileVault unlock user. \n\n\nDisable the login ability\ - \ of the newly created user account:\n\n$ sudo /usr/bin/dscl . change /Users/\ - \ UserShell /usr/bin/false\n\nRemove all FileVault login\ - \ access from each user account defined on the system that is not a designated FileVault\ - \ user:\n\n$ sudo fdesetup remove -user " -references: - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-12-000032 - cci: - - CCI-002143 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000033.yml b/rules/stig/APPL-12-000033.yml deleted file mode 100644 index c685ece74..000000000 --- a/rules/stig/APPL-12-000033.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable password forwarding for FileVault2. -discussion: When "FileVault" and Multifactor Authentication are configured on the - operating system, a dedicated user must be configured to ensure that the implemented - Multifactor Authentication rules are enforced. If a dedicated user is not configured - to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor - Authentication rules during initial startup and first login. -check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep - "DisableFDEAutoLogin"' -result: '[''DisableFDEAutologin = 1;'', '''', ''If "DisableFDEAutologin" is not set - to a value of "1", this is a finding.'']' -fix: This setting is enforced using the "Smart Card" configuration profile. -references: - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-12-000033 - cci: - - CCI-002143 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000051.yml b/rules/stig/APPL-12-000051.yml deleted file mode 100644 index e93c6c60e..000000000 --- a/rules/stig/APPL-12-000051.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with the SSH daemon ClientAliveInterval - option set to 900 or less. -discussion: SSH should be configured to log users out after a 15-minute interval of - inactivity and to wait only 30 seconds before timing out logon attempts. Terminating - an idle session within a short time period reduces the window of opportunity for - unauthorized personnel to take control of a management session enabled on the console - or console port that has been left unattended. In addition, quickly terminating - an idle session or an incomplete logon attempt will also free up resources committed - by the managed network element. -check: /usr/bin/grep ^ClientAliveInterval /etc/ssh/sshd_config -result: '[''If the setting is not "900" or less, this is a finding.'']' -fix: 'To ensure that "ClientAliveInterval" is set correctly, run the following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*ClientAliveInterval.*/ClientAliveInterval - 900/'' /etc/ssh/sshd_config' -references: - srg: - - SRG-OS-000163-GPOS-00072 - disa_stig: - - APPL-12-000051 - cci: - - CCI-001133 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000052.yml b/rules/stig/APPL-12-000052.yml deleted file mode 100644 index 61f257e11..000000000 --- a/rules/stig/APPL-12-000052.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with the SSH daemon ClientAliveCountMax - option set to 0. -discussion: SSH should be configured with an Active Client Alive Maximum Count of - 0. Terminating an idle session within a short time period reduces the window of - opportunity for unauthorized personnel to take control of a management session enabled - on the console or console port that has been left unattended. In addition, quickly - terminating an idle session or an incomplete logon attempt will also free up resources - committed by the managed network element. -check: /usr/bin/grep ^ClientAliveCountMax /etc/ssh/sshd_config -result: '[''If the setting is not "ClientAliveCountMax 0", this is a finding.'']' -fix: 'To ensure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" - is set, run the following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*ClientAliveCountMax.*/ClientAliveCountMax - 0/'' /etc/ssh/sshd_config' -references: - srg: - - SRG-OS-000163-GPOS-00072 - disa_stig: - - APPL-12-000052 - cci: - - CCI-001133 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000053.yml b/rules/stig/APPL-12-000053.yml deleted file mode 100644 index 9fb55cd15..000000000 --- a/rules/stig/APPL-12-000053.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with the SSH daemon LoginGraceTime set - to 30 or less. -discussion: SSH should be configured to log users out after a 15-minute interval of - inactivity and to wait only 30 seconds before timing out logon attempts. Terminating - an idle session within a short time period reduces the window of opportunity for - unauthorized personnel to take control of a management session enabled on the console - or console port that has been left unattended. In addition, quickly terminating - an idle session or an incomplete logon attempt will also free up resources committed - by the managed network element. -check: /usr/bin/grep ^LoginGraceTime /etc/ssh/sshd_config -result: '[''If the value is not set to "30" or less, this is a finding.'']' -fix: 'To ensure that "LoginGraceTime" is configured correctly, run the following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*LoginGraceTime.*/LoginGraceTime 30/'' /etc/ssh/sshd_config' -references: - srg: - - SRG-OS-000163-GPOS-00072 - disa_stig: - - APPL-12-000053 - cci: - - CCI-001133 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000054.yml b/rules/stig/APPL-12-000054.yml deleted file mode 100644 index 4f133de3f..000000000 --- a/rules/stig/APPL-12-000054.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must implement approved ciphers to protect the confidentiality - of SSH connections. -discussion: 'Unapproved mechanisms for authentication to the cryptographic module - are not verified, and therefore cannot be relied upon to provide confidentiality - or integrity, resulting in the compromise of DoD data. - - - Operating systems using encryption are required to use FIPS-compliant mechanisms - for authenticating to cryptographic modules. - - - The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 - validated cryptographic module. While the listed ciphers are FIPS 140-2 approved - algorithms, the module implementing them has not been validated. - - - By specifying a cipher list with the order of ciphers being in a "strongest to weakest" - orientation, the system will automatically attempt to use the strongest cipher for - securing SSH connections. - - - ' -check: '' -result: '['''', ''Ciphers aes256-ctr,aes192-ctr,aes128-ctr'', '''', ''If any ciphers - other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs - from the example above, or the "Ciphers" keyword is missing, this is a finding.'']' -fix: 'Configure SSH to use secure cryptographic algorithms. - - - To ensure that "Ciphers" set correctly, run the following command: - - - /usr/bin/sudo /usr/bin/grep -q ''^Ciphers'' /etc/ssh/sshd_config && /usr/bin/sudo - /usr/bin/sed -i.bak ''s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/'' /etc/ssh/sshd_config - || /usr/bin/sudo /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nCiphers - aes256-ctr,aes192-ctr,aes128-ctr''$''\n'' /etc/ssh/sshd_config - - - The SSH service must be restarted for changes to take effect.' 
-references: - srg: - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000120-GPOS-00061 - - SRG-OS-000125-GPOS-00065 - - SRG-OS-000250-GPOS-00093 - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - disa_stig: - - APPL-12-000054 - cci: - - CCI-000803 - - CCI-000068 - - CCI-003123 - - CCI-002890 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000055.yml b/rules/stig/APPL-12-000055.yml deleted file mode 100644 index e1eddc4c9..000000000 --- a/rules/stig/APPL-12-000055.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must use only Message Authentication Codes (MACs) employing - FIPS 140-2 validated cryptographic hash algorithms. -discussion: 'Unapproved mechanisms for authentication to the cryptographic module - are not verified, and therefore cannot be relied upon to provide confidentiality - or integrity, resulting in the compromise of DoD data. - - - Operating systems using encryption are required to use FIPS-compliant mechanisms - for authenticating to cryptographic modules. - - - The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 - validated cryptographic module. While the listed MACs are FIPS 140-2 approved algorithms, - the module implementing them has not been validated. - - - By specifying a Keyed-Hash Message Authentication Code list with the order of hashes - being in a "strongest to weakest" orientation, the system will automatically attempt - to use the strongest hash for securing SSH connections. - - - ' -check: '' -result: '['''', ''MACs hmac-sha2-512,hmac-sha2-256'', '''', ''If any hashes other - than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the - example above, or the "MACs" keyword is missing, this is a finding.'']' -fix: 'Configure SSH to use secure Keyed-Hash Message Authentication Codes. - - - To ensure that "MACs" set correctly, run the following command: - - - /usr/bin/sudo /usr/bin/grep -q ''^MACs'' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed - -i.bak ''s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/'' /etc/ssh/sshd_config || /usr/bin/sudo - /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nMACs hmac-sha2-512,hmac-sha2-256''$''\n'' - /etc/ssh/sshd_config - - - The SSH service must be restarted for changes to take effect.' 
-references: - srg: - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000120-GPOS-00061 - - SRG-OS-000125-GPOS-00065 - - SRG-OS-000250-GPOS-00093 - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - disa_stig: - - APPL-12-000055 - cci: - - CCI-000068 - - CCI-000803 - - CCI-003123 - - CCI-002890 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-000056.yml b/rules/stig/APPL-12-000056.yml deleted file mode 100644 index ee27d2cf4..000000000 --- a/rules/stig/APPL-12-000056.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must implement an approved Key Exchange Algorithm. -discussion: 'Unapproved mechanisms for authentication to the cryptographic module - are not verified, and therefore cannot be relied upon to provide confidentiality - or integrity, resulting in the compromise of DoD data. - - - Operating systems using encryption are required to use FIPS-compliant mechanisms - for authenticating to cryptographic modules. - - - The implementation of OpenSSH that is included with macOS does not utilize a FIPS - 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are - FIPS 140-2 approved, the module implementing them has not been validated. - - - By specifying a Key Exchange Algorithm list with the order of hashes being in a - "strongest to weakest" orientation, the system will automatically attempt to use - the strongest Key Exchange Algorithm for securing SSH connections. - - - ' -check: '' -result: '['''', ''KexAlgorithms diffie-hellman-group-exchange-sha256'', '''', ''If - any algorithm other than "diffie-hellman-group-exchange-sha256" is listed or the - "KexAlgorithms" keyword is missing, this is a finding.'']' -fix: 'Configure SSH to use a secure Key Exchange Algorithm. - - - To ensure that "KexAlgorithms" set correctly, run the following command: - - - /usr/bin/sudo /usr/bin/grep -q ''^KexAlgorithms'' /etc/ssh/sshd_config && /usr/bin/sudo - /usr/bin/sed -i.bak ''s/^KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/'' - /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak ''/.*Ciphers and keying.*/a\''$''\nKexAlgorithms - diffie-hellman-group-exchange-sha256''$''\n'' /etc/ssh/sshd_config - - - The SSH service must be restarted for changes to take effect.' 
-references: - srg: - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000120-GPOS-00061 - - SRG-OS-000125-GPOS-00065 - - SRG-OS-000250-GPOS-00093 - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - disa_stig: - - APPL-12-000056 - cci: - - CCI-000803 - - CCI-000068 - - CCI-002890 - - CCI-003123 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001001.yml b/rules/stig/APPL-12-001001.yml deleted file mode 100644 index 53f59425f..000000000 --- a/rules/stig/APPL-12-001001.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must generate audit records for all account creations, modifications, - disabling, and termination events; privileged activities or other system-level access; - all kernel module load, unload, and restart actions; all program initiations; and - organizationally defined events for all non-local maintenance and diagnostic sessions. -discussion: 'Without generating audit records that are specific to the security and - mission needs of the organization, it would be difficult to establish, correlate, - and investigate the events relating to an incident or identify those responsible - for one. Audit records can be generated from various components within the information - system (e.g., module or policy filter). If events associated with nonlocal administrative - access or diagnostic sessions are not logged, a major tool for assessing and investigating - attacks would not be available. - - - This requirement addresses auditing-related issues associated with maintenance tools - used specifically for diagnostic and repair actions on organizational information - systems. - - - Nonlocal maintenance and diagnostic activities are those activities conducted by - individuals communicating through a network, either an external network (e.g., the - internet) or an internal network. Local maintenance and diagnostic activities are - those activities carried out by individuals physically present at the information - system or information system component and not communicating across a network connection. - - - This requirement applies to hardware/software diagnostic test equipment or tools. - This requirement does not cover hardware/software components that may support information - system maintenance, yet are a part of the system, for example, the software implementing - "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring - port of an Ethernet switch. 
- - - ' -check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control -result: '[''Administrative and Privileged access, including administrative use of - the command line tools "kextload" and "kextunload" and changes to configuration - settings are logged by way of the "ad" flag.'', '''', ''If "ad" is not listed in - the result of the check, this is a finding.'']' -fix: 'To ensure the appropriate flags are enabled for auditing, run the following - command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,ad/'' /etc/security/audit_control; - /usr/bin/sudo /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control" - file.' -references: - srg: - - SRG-OS-000004-GPOS-00004 - - SRG-OS-000239-GPOS-00089 - - SRG-OS-000240-GPOS-00090 - - SRG-OS-000241-GPOS-00091 - - SRG-OS-000327-GPOS-00127 - - SRG-OS-000392-GPOS-00172 - - SRG-OS-000471-GPOS-00215 - - SRG-OS-000471-GPOS-00216 - - SRG-OS-000476-GPOS-00221 - - SRG-OS-000477-GPOS-00222 - disa_stig: - - APPL-12-001001 - cci: - - CCI-000018 - - CCI-000172 - - CCI-001403 - - CCI-001404 - - CCI-001405 - - CCI-002884 - - CCI-002234 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001002.yml b/rules/stig/APPL-12-001002.yml deleted file mode 100644 index 5c59f7277..000000000 --- a/rules/stig/APPL-12-001002.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must monitor remote access methods and generate audit records - when successful/unsuccessful attempts to access/modify privileges occur. -discussion: 'Frequently, an attacker that successfully gains access to a system has - only gained access to an account with limited privileges, such as a guest account - or a service account. The attacker must attempt to change to another user account - with normal or elevated privileges in order to proceed. Without generating audit - records that are specific to the security and mission needs of the organization, - it would be difficult to establish, correlate, and investigate the events relating - to an incident or identify those responsible for one. - - - Audit records can be generated from various components within the information system - (e.g., module or policy filter). - - - ' -check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control -result: '[''Attempts to log in as another user are logged by way of the "lo" flag.'', - '''', ''If "lo" is not listed in the result of the check, this is a finding.'']' -fix: 'To ensure the appropriate flags are enabled for auditing, run the following - command: - - - /usr/bin/sudo sed -i.bak ''/^flags/ s/$/,lo/'' /etc/security/audit_control; /usr/bin/sudo - /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control" - file.' -references: - srg: - - SRG-OS-000032-GPOS-00013 - - SRG-OS-000462-GPOS-00206 - disa_stig: - - APPL-12-001002 - cci: - - CCI-000172 - - CCI-000067 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001003.yml b/rules/stig/APPL-12-001003.yml deleted file mode 100644 index 1d5efa0ad..000000000 --- a/rules/stig/APPL-12-001003.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must initiate session audits at system startup, using internal - clocks with time stamps for audit records that meet a minimum granularity of one - second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time - (GMT), in order to generate audit records containing information to establish what - type of events occurred, the identity of any individual or process associated with - the event, including individual identities of group account users, establish where - the events occurred, source of the event, and outcome of the events including all - account enabling actions, full-text recording of privileged commands, and information - about the use of encryption for access wireless access to and from the system. -discussion: 'Without establishing what type of events occurred, when they occurred, - and by whom it would be difficult to establish, correlate, and investigate the events - leading up to an outage or attack. - - - Audit record content that may be necessary to satisfy this requirement includes, - for example, time stamps, source and destination addresses, user/process identifiers, - event descriptions, success/fail indications, filenames involved, and access control - or flow control rules invoked. - - - Associating event types with detected events in the operating system audit logs - provides a means of investigating an attack, recognizing resource utilization or - capacity thresholds, or identifying an improperly configured operating system. - - - ' -check: launchctl print-disabled system| grep auditd -result: '[''If the return is not:'', ''"com.apple.auditd" => false"'', '' the audit - service is disabled, and this is a finding.'']' -fix: 'To enable the audit service, run the following command: - - - /usr/bin/sudo /bin/launchctl enable system/com.apple.auditd - - - The system may need to be restarted for the update to take effect.' 
-references: - srg: - - SRG-OS-000037-GPOS-00015 - - SRG-OS-000038-GPOS-00016 - - SRG-OS-000039-GPOS-00017 - - SRG-OS-000040-GPOS-00018 - - SRG-OS-000041-GPOS-00019 - - SRG-OS-000042-GPOS-00020 - - SRG-OS-000042-GPOS-00021 - - SRG-OS-000055-GPOS-00026 - - SRG-OS-000254-GPOS-00095 - - SRG-OS-000255-GPOS-00096 - - SRG-OS-000303-GPOS-00120 - - SRG-OS-000337-GPOS-00129 - - SRG-OS-000358-GPOS-00145 - - SRG-OS-000359-GPOS-00146 - disa_stig: - - APPL-12-001003 - cci: - - CCI-000159 - - CCI-000130 - - CCI-000131 - - CCI-000132 - - CCI-000133 - - CCI-000134 - - CCI-000135 - - CCI-001464 - - CCI-001487 - - CCI-002130 - - CCI-001914 - - CCI-001889 - - CCI-001890 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001010.yml b/rules/stig/APPL-12-001010.yml deleted file mode 100644 index a66837da9..000000000 --- a/rules/stig/APPL-12-001010.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must shut down by default upon audit failure (unless availability - is an overriding concern). -discussion: "The audit service should shut down the computer if it is unable to audit\ - \ system events. Once audit failure occurs, user and system activity is no longer\ - \ recorded and malicious activity could go undetected. Audit processing failures\ - \ include software/hardware errors, failures in the audit capturing mechanisms,\ - \ and audit storage capacity being reached or exceeded. Responses to audit failure\ - \ depend on the nature of the failure mode.\n\nWhen availability is an overriding\ - \ concern, other approved actions in response to an audit failure are as follows:\ - \ \n\n(i) If the failure was caused by the lack of audit record storage capacity,\ - \ the operating system must continue generating audit records if possible (automatically\ - \ restarting the audit service if necessary), overwriting the oldest audit records\ - \ in a first-in-first-out manner. \n\n(ii) If audit records are sent to a centralized\ - \ collection server and communication with this server is lost or the server fails,\ - \ the operating system must queue audit records locally until communication is restored\ - \ or until the audit records are retrieved manually. Upon restoration of the connection\ - \ to the centralized collection server, action should be taken to synchronize the\ - \ local audit data with the collection server." -check: sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt -result: '[''If there is no result, this is a finding.'']' -fix: 'Edit the "/etc/security/audit_control file" and change the value for policy - to include the setting "ahlt". 
To do this programmatically, run the following command: - - - sudo /usr/bin/sed -i.bak ''/^policy/ s/$/,ahlt/'' /etc/security/audit_control; sudo - /usr/sbin/audit -s' -references: - srg: - - SRG-OS-000047-GPOS-00023 - disa_stig: - - APPL-12-001010 - cci: - - CCI-000140 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001012.yml b/rules/stig/APPL-12-001012.yml deleted file mode 100644 index b3ddaef6b..000000000 --- a/rules/stig/APPL-12-001012.yml +++ /dev/null @@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log files owned by root. -discussion: The audit service must be configured to create log files with the correct - ownership to prevent normal users from reading audit logs. Audit logs contain sensitive - data about the system and users. If log files are set to only be readable and writable - by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'') | grep -v current' -result: '[''The results should show the owner (third column) to be "root". '', '''', - ''If they do not, this is a finding.'']' -fix: 'For any log file that returns an incorrect owner, run the following command: - - - /usr/bin/sudo chown root [audit log file] - - - [audit log file] is the full path to the log file in question.' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-001012 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001013.yml b/rules/stig/APPL-12-001013.yml deleted file mode 100644 index 2ec0907ed..000000000 --- a/rules/stig/APPL-12-001013.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log folders owned by root. -discussion: The audit service must be configured to create log files with the correct - ownership to prevent normal users from reading audit logs. Audit logs contain sensitive - data about the system and about users. If log files are set to be readable and writable - only by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'')' -result: '[''The results should show the owner (third column) to be "root". '', '''', - ''If it does not, this is a finding.'']' -fix: 'For any log folder that has an incorrect owner, run the following command: - - - /usr/bin/sudo chown root [audit log folder]' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-001013 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001014.yml b/rules/stig/APPL-12-001014.yml deleted file mode 100644 index 79d61d61f..000000000 --- a/rules/stig/APPL-12-001014.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log files group-owned by wheel. -discussion: The audit service must be configured to create log files with the correct - group ownership to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and users. If log files are set to be readable and - writable only by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'') | /usr/bin/grep -v current' -result: '[''The results should show the group owner (fourth column) to be "wheel". - '', '''', ''If they do not, this is a finding.'']' -fix: 'For any log file that returns an incorrect group owner, run the following command: - - - /usr/bin/sudo chgrp wheel [audit log file] - - - [audit log file] is the full path to the log file in question.' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-001014 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001015.yml b/rules/stig/APPL-12-001015.yml deleted file mode 100644 index 9a1b07857..000000000 --- a/rules/stig/APPL-12-001015.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log folders group-owned by wheel. -discussion: The audit service must be configured to create log files with the correct - group ownership to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and about users. If log files are set to be readable - and writable only by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'')' -result: '[''The results should show the group (fourth column) to be "wheel".'', '''', - ''If they do not, this is a finding.'']' -fix: 'For any log folder that has an incorrect group, run the following command: - - - /usr/bin/sudo chgrp wheel [audit log folder]' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-001015 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001016.yml b/rules/stig/APPL-12-001016.yml deleted file mode 100644 index 46db1d501..000000000 --- a/rules/stig/APPL-12-001016.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log files set to mode 440 or - less permissive. -discussion: The audit service must be configured to create log files with the correct - permissions to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and about users. If log files are set to be readable - and writable only by root or administrative users with sudo, the risk is mitigated. -check: '/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'') | /usr/bin/grep -v current' -result: '[''The results should show the permissions (first column) to be "440" or - less permissive.'', '''', ''If they do not, this is a finding.'']' -fix: 'For any log file that returns an incorrect permission value, run the following - command: - - - /usr/bin/sudo chmod 440 [audit log file] - - - [audit log file] is the full path to the log file in question.' -references: - srg: - - SRG-OS-000057-GPOS-00027 - disa_stig: - - APPL-12-001016 - cci: - - CCI-000162 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001017.yml b/rules/stig/APPL-12-001017.yml deleted file mode 100644 index 653e92c35..000000000 --- a/rules/stig/APPL-12-001017.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with audit log folders set to mode 700 - or less permissive. -discussion: 'The audit service must be configured to create log folders with the correct - permissions to prevent normal users from reading audit logs. Audit logs contain - sensitive data about the system and users. If log folders are set to be readable - and writable only by root or administrative users with sudo, the risk is mitigated. - - - ' -check: '/usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep ''^dir'' /etc/security/audit_control - | awk -F: ''{print $2}'')' -result: '[''The results should show the permissions (first column) to be "700" or - less permissive.'', '''', ''If they do not, this is a finding.'']' -fix: 'For any log folder that returns an incorrect permission value, run the following - command: - - - /usr/bin/sudo chmod 700 [audit log folder]' -references: - srg: - - SRG-OS-000057-GPOS-00027 - - SRG-OS-000058-GPOS-00028 - - SRG-OS-000059-GPOS-00029 - disa_stig: - - APPL-12-001017 - cci: - - CCI-000162 - - CCI-000163 - - CCI-000164 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001020.yml b/rules/stig/APPL-12-001020.yml deleted file mode 100644 index 1b5e78084..000000000 --- a/rules/stig/APPL-12-001020.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must audit the enforcement actions used to restrict access - associated with changes to the system. -discussion: "By auditing access restriction enforcement, changes to application and\ - \ OS configuration files can be audited. Without auditing the enforcement of access\ - \ restrictions, it will be difficult to identify attempted attacks and an audit\ - \ trail will not be available for forensic investigation.\n\nEnforcement actions\ - \ are the methods or mechanisms used to prevent unauthorized changes to configuration\ - \ settings. Enforcement action methods may be as simple as denying access to a file\ - \ based on the application of file permissions (access restriction). Audit items\ - \ may consist of lists of actions blocked by access restrictions or changes identified\ - \ after the fact. \n\nWithout generating audit records that are specific to the\ - \ security and mission needs of the organization, it would be difficult to establish,\ - \ correlate, and investigate the events relating to an incident or identify those\ - \ responsible for one.\n\nAudit records can be generated from various components\ - \ within the information system (e.g., module or policy filter). 
\n\n" -check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control -result: '[''Enforcement actions are logged by way of the "fm" flag, which audits permission - changes, and "-fr" and "-fw", which denote failed attempts to read or write to a - file, and -fd, which audits failed file deletion.'', '''', ''If "fm", "-fr", "-fw", - and "-fd" are not listed in the result of the check, this is a finding.'']' -fix: 'To set the audit flags to the recommended setting, run the following command - to add the flags "fm", "-fr", "-fw", and "-fd" all at once: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,fm,-fr,-fw,-fd/'' /etc/security/audit_control; - /usr/bin/sudo /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control" - file.' -references: - srg: - - SRG-OS-000064-GPOS-00033 - - SRG-OS-000365-GPOS-00152 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000461-GPOS-00205 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000465-GPOS-00209 - - SRG-OS-000466-GPOS-00210 - - SRG-OS-000467-GPOS-00211 - - SRG-OS-000468-GPOS-00212 - - SRG-OS-000474-GPOS-00219 - disa_stig: - - APPL-12-001020 - cci: - - CCI-000172 - - CCI-001814 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001029.yml b/rules/stig/APPL-12-001029.yml deleted file mode 100644 index 658c8eccc..000000000 --- a/rules/stig/APPL-12-001029.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must allocate audit record storage capacity to store at least - one week's worth of audit records when audit records are not immediately sent to - a central audit record storage facility. -discussion: The audit service must be configured to require that records are kept - for seven days or longer before deletion when there is no central audit record storage - facility. When "expire-after" is set to "7d", the audit service will not delete - audit logs until the log data is at least seven days old. -check: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control -result: '[''If this returns no results, or does not contain "7d" or a larger value, - this is a finding.'']' -fix: 'Edit the "/etc/security/audit_control" file and change the value for "expire-after" - to the amount of time audit logs should be kept for the system. Use the following - command to set the "expire-after" value to "7d": - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*expire-after.*/expire-after:7d/'' /etc/security/audit_control; - /usr/bin/sudo /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control" - file.' -references: - srg: - - SRG-OS-000341-GPOS-00132 - disa_stig: - - APPL-12-001029 - cci: - - CCI-001849 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001030.yml b/rules/stig/APPL-12-001030.yml deleted file mode 100644 index 93cf4dc7e..000000000 --- a/rules/stig/APPL-12-001030.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must provide an immediate warning to the System Administrator - (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated - audit record storage volume reaches 75 percent of repository maximum audit record - storage capacity. -discussion: 'The audit service must be configured to require a minimum percentage - of free disk space in order to run. This ensures that audit will notify the administrator - that action is required to free up more disk space for audit logs. - - - When "minfree" is set to 25 percent, security personnel are notified immediately - when the storage volume is 75 percent full and are able to plan for audit record - storage capacity expansion.' -check: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control -result: '[''If this returns no results, or does not contain "25", this is a finding.'']' -fix: 'Edit the "/etc/security/audit_control" file and change the value for "minfree" - to "25" using the following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/.*minfree.*/minfree:25/'' /etc/security/audit_control; - /usr/bin/sudo /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control - file".' -references: - srg: - - SRG-OS-000343-GPOS-00134 - disa_stig: - - APPL-12-001030 - cci: - - CCI-001855 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001031.yml b/rules/stig/APPL-12-001031.yml deleted file mode 100644 index f630fe70e..000000000 --- a/rules/stig/APPL-12-001031.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must provide an immediate real-time alert to the System Administrator - (SA) and Information System Security Officer (ISSO), at a minimum, of all audit - failure events requiring real-time alerts. -discussion: The audit service should be configured to immediately print messages to - the console or email administrator users when an auditing failure occurs. It is - critical for the appropriate personnel to be aware if a system is at risk of failing - to process audit logs as required. Without a real-time alert, security personnel - may be unaware of an impending failure of the audit capability and system operation - may be adversely affected. -check: /usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn -result: '[''If the argument "-s" is missing, or if "audit_warn" has not been otherwise - modified to print errors to the console or send email alerts to the SA and ISSO, - this is a finding.'']' -fix: 'To make "auditd" log errors to standard error as well as "syslogd", run the - following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/logger -p/logger -s -p/'' /etc/security/audit_warn; - /usr/bin/sudo /usr/sbin/audit -s' -references: - srg: - - SRG-OS-000344-GPOS-00135 - disa_stig: - - APPL-12-001031 - cci: - - CCI-001858 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001044.yml b/rules/stig/APPL-12-001044.yml deleted file mode 100644 index 78ce18d4e..000000000 --- a/rules/stig/APPL-12-001044.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must generate audit records for DoD-defined events such as - successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, - starting and ending time for user access, and concurrent logons to the same account - from different sources. -discussion: 'Without generating audit records that are specific to the security and - mission needs of the organization, it would be difficult to establish, correlate, - and investigate the events relating to an incident or identify those responsible - for one. - - - Audit records can be generated from various components within the information system - (e.g., module or policy filter). - - - ' -check: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control -result: '[''Logon events are logged by way of the "aa" flag.'', '''', ''If "aa" is - not listed in the result of the check, this is a finding.'']' -fix: 'To ensure the appropriate flags are enabled for auditing, run the following - command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''/^flags/ s/$/,aa/'' /etc/security/audit_control; - /usr/bin/sudo /usr/sbin/audit -s - - - A text editor may also be used to implement the required updates to the "/etc/security/audit_control" - file.' -references: - srg: - - SRG-OS-000470-GPOS-00214 - - SRG-OS-000472-GPOS-00217 - - SRG-OS-000473-GPOS-00218 - - SRG-OS-000475-GPOS-00220 - disa_stig: - - APPL-12-001044 - cci: - - CCI-000172 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001060.yml b/rules/stig/APPL-12-001060.yml deleted file mode 100644 index e5a79d45f..000000000 --- a/rules/stig/APPL-12-001060.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must accept and verify Personal Identity Verification (PIV) - credentials, implement a local cache of revocation data to support path discovery - and validation in case of the inability to access revocation information via the - network, and only allow the use of DoD PKI-established certificate authorities for - verification of the establishment of protected sessions. -discussion: "The use of PIV credentials facilitates standardization and reduces the\ - \ risk of unauthorized access. \n\nWithout configuring\ - \ a local cache of revocation data, there is the potential to allow access to users\ - \ who are no longer authorized (users with revoked certificates). \ - \ \n\nUntrusted Certificate Authorities (CA) can issue certificates, but they\ - \ may be issued by organizations or individuals that seek to compromise DoD systems\ - \ or by organizations with insufficient security controls. If the CA used for verifying\ - \ the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\ - \nDoD has mandated the use of the CAC to support identity management and personal\ - \ authentication for systems covered under Homeland Security Presidential Directive\ - \ (HSPD) 12, as well as making the CAC a primary component of layered protection\ - \ for national security systems. \n\nThe DoD will only accept PKI-certificates\ - \ obtained from a DoD-approved internal or external certificate authority. Reliance\ - \ on CAs for the establishment of secure sessions includes, for example, the use\ - \ of SSL/TLS certificates.\n\n" -check: Unable to parse the check text -result: Unable to parse the check text -fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\ - \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\ - \ provided with the STIG should be consulted to ensure continued access to the operating\ - \ system." 
-references: - srg: - - SRG-OS-000376-GPOS-00161 - - SRG-OS-000377-GPOS-00162 - - SRG-OS-000384-GPOS-00167 - - SRG-OS-000403-GPOS-00182 - - SRG-OS-000067-GPOS-00035 - disa_stig: - - APPL-12-001060 - cci: - - CCI-000186 - - CCI-001953 - - CCI-001954 - - CCI-001991 - - CCI-002470 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-001100.yml b/rules/stig/APPL-12-001100.yml deleted file mode 100644 index b59e2b9f9..000000000 --- a/rules/stig/APPL-12-001100.yml +++ /dev/null @@ -1,26 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must require individuals to be authenticated with an individual - authenticator prior to using a group authenticator. -discussion: Administrator users must never log in directly as root. To assure individual - accountability and prevent unauthorized access, logging in as root over a remote - connection must be disabled. Administrators should only run commands as root after - first authenticating with their individual user names and passwords. -check: /usr/bin/grep ^PermitRootLogin /etc/ssh/sshd_config -result: '[''If there is no result, or the result is set to "yes", this is a finding.'']' -fix: 'To ensure that "PermitRootLogin" is disabled by sshd, run the following command: - - - /usr/bin/sudo /usr/bin/sed -i.bak ''s/^[\#]*PermitRootLogin.*/PermitRootLogin no/'' - /etc/ssh/sshd_config' -references: - srg: - - SRG-OS-000109-GPOS-00056 - disa_stig: - - APPL-12-001100 - cci: - - CCI-000770 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002001.yml b/rules/stig/APPL-12-002001.yml deleted file mode 100644 index 0f24955b4..000000000 --- a/rules/stig/APPL-12-002001.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable SMB File Sharing unless it is - required. -discussion: File Sharing is usually non-essential and must be disabled if not required. - Enabling any service increases the attack surface for an intruder. By disabling - unnecessary services, the attack surface is minimized. -check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd -result: '[''If the results do not show the following, this is a finding:'', '''', - ''"com.apple.smbd" => true'']' -fix: 'To disable the SMB File Sharing service, run the following command: - - - /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd - - - The system may need to be restarted for the update to take effect.' -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002001 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002003.yml b/rules/stig/APPL-12-002003.yml deleted file mode 100644 index 2ac41f045..000000000 --- a/rules/stig/APPL-12-002003.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the Network File System (NFS) - daemon unless it is required. -discussion: If the system does not require access to NFS file shares or is not acting - as an NFS server, support for NFS is non-essential and NFS services must be disabled. - NFS is a network file system protocol supported by UNIX-like operating systems. - Enabling any service increases the attack surface for an intruder. By disabling - unnecessary services, the attack surface is minimized. -check: '' -result: '['''', ''"com.apple.nfsd" => true'']' -fix: 'To disable the NFS daemon, run the following command: - - - /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd - - - The system may need to be restarted for the update to take effect.' -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002003 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002004.yml b/rules/stig/APPL-12-002004.yml deleted file mode 100644 index 76264946b..000000000 --- a/rules/stig/APPL-12-002004.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable Location Services. -discussion: "To prevent unauthorized connection of devices, unauthorized transfer\ - \ of information, or unauthorized tunneling (i.e., embedding of data types within\ - \ data types), organizations must disable or restrict unused or unnecessary physical\ - \ and logical ports/protocols on information systems.\n\nOperating systems are capable\ - \ of providing a wide variety of functions and services. Some of the functions and\ - \ services provided by default may not be necessary to support essential organizational\ - \ operations. Additionally, it is sometimes convenient to provide multiple services\ - \ from a single component (e.g., VPN and IPS); however, doing so increases risk\ - \ over limiting the services provided by any one component. \n\nTo support the requirements\ - \ and principles of least functionality, the operating system must support the organizational\ - \ requirements, providing only essential capabilities and limiting the use of ports,\ - \ protocols, and/or services to only those required, authorized, and approved to\ - \ conduct official business or to address authorized quality-of-life issues.\n\n\ - Location Services must be disabled." -check: '' -result: '['''', "If ''LocationServicesEnabled'' is not set to ''0'', this is a finding."]' -fix: "Disable the Location Services by running the following command: \n\n/usr/bin/sudo\ - \ /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd\ - \ LocationServicesEnabled -bool false" -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002004 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002005.yml b/rules/stig/APPL-12-002005.yml deleted file mode 100644 index bae187756..000000000 --- a/rules/stig/APPL-12-002005.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable Bonjour multicast advertising. -discussion: "To prevent unauthorized connection of devices, unauthorized transfer\ - \ of information, or unauthorized tunneling (i.e., embedding of data types within\ - \ data types), organizations must disable or restrict unused or unnecessary physical\ - \ and logical ports/protocols on information systems.\n\nOperating systems are capable\ - \ of providing a wide variety of functions and services. Some of the functions and\ - \ services provided by default may not be necessary to support essential organizational\ - \ operations. Additionally, it is sometimes convenient to provide multiple services\ - \ from a single component (e.g., VPN and IPS); however, doing so increases risk\ - \ over limiting the services provided by any one component. \n\nTo support the requirements\ - \ and principles of least functionality, the operating system must support the organizational\ - \ requirements, providing only essential capabilities and limiting the use of ports,\ - \ protocols, and/or services to only those required, authorized, and approved to\ - \ conduct official business or to address authorized quality of life issues.\n\n\ - Bonjour multicast advertising must be disabled on the system." -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep NoMulticastAdvertisements -result: '[''If the return is not, "NoMulticastAdvertisements = 1", this is a finding.'']' -fix: This setting is enforced using the "Custom Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002005 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002006.yml b/rules/stig/APPL-12-002006.yml deleted file mode 100644 index f5ee51947..000000000 --- a/rules/stig/APPL-12-002006.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the UUCP service. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe system must not have the UUCP service active." -check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp -result: '[''If the results do not show the following, this is a finding:'', '''', - ''"com.apple.uucp" => true'']' -fix: 'To disable the UUCP service, run the following command: - - - /usr/bin/sudo /bin/launchctl disable system/com.apple.uucp - - - The system may need to be restarted for the update to take effect.' -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002006 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002007.yml b/rules/stig/APPL-12-002007.yml deleted file mode 100644 index 5e26892aa..000000000 --- a/rules/stig/APPL-12-002007.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable Internet Sharing. -discussion: "To prevent unauthorized connection of devices, unauthorized transfer\ - \ of information, or unauthorized tunneling (i.e., embedding of data types within\ - \ data types), organizations must disable or restrict unused or unnecessary physical\ - \ and logical ports/protocols on information systems.\n\nOperating systems are capable\ - \ of providing a wide variety of functions and services. Some of the functions and\ - \ services provided by default may not be necessary to support essential organizational\ - \ operations. Additionally, it is sometimes convenient to provide multiple services\ - \ from a single component (e.g., VPN and IPS); however, doing so increases risk\ - \ over limiting the services provided by any one component. \n\nTo support the requirements\ - \ and principles of least functionality, the operating system must support the organizational\ - \ requirements, providing only essential capabilities and limiting the use of ports,\ - \ protocols, and/or services to only those required, authorized, and approved to\ - \ conduct official business or to address authorized quality of life issues.\n\n\ - Internet Sharing is non-essential and must be disabled." -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep forceInternetSharingOff -result: '[''If the return is not, "forceInternetSharingOff = 1", this is a finding.'']' -fix: This setting is enforced using the "Custom Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002007 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002008.yml b/rules/stig/APPL-12-002008.yml deleted file mode 100644 index 63d2f1767..000000000 --- a/rules/stig/APPL-12-002008.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable Web Sharing. -discussion: "To prevent unauthorized connection of devices, unauthorized transfer\ - \ of information, or unauthorized tunneling (i.e., embedding of data types within\ - \ data types), organizations must disable or restrict unused or unnecessary physical\ - \ and logical ports/protocols on information systems.\n\nOperating systems are capable\ - \ of providing a wide variety of functions and services. Some of the functions and\ - \ services provided by default may not be necessary to support essential organizational\ - \ operations. Additionally, it is sometimes convenient to provide multiple services\ - \ from a single component (e.g., VPN and IPS); however, doing so increases risk\ - \ over limiting the services provided by any one component. \n\nTo support the requirements\ - \ and principles of least functionality, the operating system must support the organizational\ - \ requirements, providing only essential capabilities and limiting the use of ports,\ - \ protocols, and/or services to only those required, authorized, and approved to\ - \ conduct official business or to address authorized quality of life issues.\n\n\ - Web Sharing is non-essential and must be disabled." -check: '' -result: '['''', ''"org.apache.httpd" => true'']' -fix: 'To disable Web Sharing, run the following command: - - - /usr/bin/sudo /bin/launchctl disable system/org.apache.httpd - - - The system may need to be restarted for the update to take effect.' -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002008 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002009.yml b/rules/stig/APPL-12-002009.yml deleted file mode 100644 index 7407e6bbf..000000000 --- a/rules/stig/APPL-12-002009.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable AirDrop. -discussion: "To prevent unauthorized connection of devices, unauthorized transfer\ - \ of information, or unauthorized tunneling (i.e., embedding of data types within\ - \ data types), organizations must disable or restrict unused or unnecessary physical\ - \ and logical ports/protocols on information systems.\n\nOperating systems are capable\ - \ of providing a wide variety of functions and services. Some of the functions and\ - \ services provided by default may not be necessary to support essential organizational\ - \ operations. Additionally, it is sometimes convenient to provide multiple services\ - \ from a single component (e.g., VPN and IPS); however, doing so increases risk\ - \ over limiting the services provided by any one component. \n\nTo support the requirements\ - \ and principles of least functionality, the operating system must support the organizational\ - \ requirements, providing only essential capabilities and limiting the use of ports,\ - \ protocols, and/or services to only those required, authorized, and approved to\ - \ conduct official business or to address authorized quality of life issues.\n\n\ - AirDrop must be disabled.\n\nNote: There is a known bug in the graphical user interface\ - \ where the user can toggle AirDrop in the UI, which indicates the service has been\ - \ turned on, but it remains disabled if the Restrictions Profile has been applied." -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowAirDrop -result: '[''If the return is not, "allowAirDrop = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-002009 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: low 
diff --git a/rules/stig/APPL-12-002012.yml b/rules/stig/APPL-12-002012.yml deleted file mode 100644 index 9283cb4b0..000000000 --- a/rules/stig/APPL-12-002012.yml +++ /dev/null @@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the iCloud Calendar services. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe Calendar application's connections to Apple's\ - \ iCloud must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudCalendar -result: '[''If the return is not "allowCloudCalendar = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002012 - cci: - - CCI-000381 - - CCI-001774 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-002013.yml b/rules/stig/APPL-12-002013.yml deleted file mode 100644 index 5299b9303..000000000 --- a/rules/stig/APPL-12-002013.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the iCloud Reminders services. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe Reminder application's connections to Apple's\ - \ iCloud must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudReminders -result: "['If the return is not \u201CallowCloudReminders = 0\u201D, this is a finding.']" -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002013 - cci: - - CCI-001774 - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-002014.yml b/rules/stig/APPL-12-002014.yml deleted file mode 100644 index 4d2683c91..000000000 --- a/rules/stig/APPL-12-002014.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable iCloud Address Book services. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe Address Book(Contacts) application's connections\ - \ to Apple's iCloud must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudAddressBook -result: '[''If the result is not "allowCloudAddressBook = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002014 - cci: - - CCI-000381 - - CCI-001774 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-002015.yml b/rules/stig/APPL-12-002015.yml deleted file mode 100644 index 337751133..000000000 --- a/rules/stig/APPL-12-002015.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the Mail iCloud services. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe Mail application's connections to Apple's iCloud\ - \ must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudMail -result: '[''If the result is not "allowCloudMail = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002015 - cci: - - CCI-000381 - - CCI-001774 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-002016.yml b/rules/stig/APPL-12-002016.yml deleted file mode 100644 index 2c5cc4505..000000000 --- a/rules/stig/APPL-12-002016.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable the iCloud Notes services. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nThe Notes application's connections to Apple's iCloud\ - \ must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudNotes -result: '[''If the return is not "allowCloudNotes = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002016 - cci: - - CCI-001774 - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-002017.yml b/rules/stig/APPL-12-002017.yml deleted file mode 100644 index b51900d00..000000000 --- a/rules/stig/APPL-12-002017.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must cover or disable the built-in or attached camera when - not in use. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Failing to disconnect from collaborative computing devices (i.e., cameras) can result - in subsequent compromises of organizational information. Providing easy methods - to physically disconnect from such devices after a collaborative computing session - helps to ensure that participants actually carry out the disconnect activity without - having to go through complex and tedious procedures. - - - ' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera -result: '[''If the result is "allowCamera = 1" and the collaborative computing device - has not been authorized for use, this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002017 - cci: - - CCI-000381 - - CCI-001150 - - CCI-001153 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002020.yml b/rules/stig/APPL-12-002020.yml deleted file mode 100644 index b6141d6c2..000000000 --- a/rules/stig/APPL-12-002020.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable Siri and dictation. -discussion: "It is detrimental for operating systems to provide, or install by default,\ - \ functionality exceeding requirements or mission objectives. These unnecessary\ - \ capabilities or services are often overlooked and therefore may remain unsecured.\ - \ They increase the risk to the platform by providing additional attack vectors.\n\ - \nOperating systems are capable of providing a wide variety of functions and services.\ - \ Some of the functions and services, provided by default, may not be necessary\ - \ to support essential organizational operations (e.g., key missions, functions).\ - \ \n\nExamples of non-essential capabilities include but are not limited to games,\ - \ software packages, tools, and demonstration software not related to requirements\ - \ or providing a wide array of functionality not required for every mission but\ - \ that cannot be disabled.\n\nSiri and dictation must be disabled.\n\n" -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -e - "Assistant Allowed" -e "Ironwood Allowed" -result: '[''If the output is not:'', ''"Assistant Allowed = 0"'', ''"Ironwood Allowed - = 0",'', ''this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - - SRG-OS-000370-GPOS-00155 - disa_stig: - - APPL-12-002020 - cci: - - CCI-000381 - - CCI-001774 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-002021.yml b/rules/stig/APPL-12-002021.yml deleted file mode 100644 index 119a06713..000000000 --- a/rules/stig/APPL-12-002021.yml +++ /dev/null 
@@ -1,47 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable sending diagnostic and usage
- data to Apple.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe ability to submit diagnostic data to Apple must\
- \ be disabled."
-check: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
- allowDiagnosticSubmission
-result: '[''If "allowDiagnosticSubmission" is not set to "0", this is a finding.'',
- '''', ''Alternately, the setting is found in System Preferences >> Security & Privacy
- >> Privacy >> Analytics & Improvement.'', '''', ''If the box that says, "Send diagnostic
- & usage data to Apple" is checked, this is a finding.'', ''If the box that says,
- "Improve Siri & Dictation" is checked, this is a finding.'', ''If the box that says,
- "Share with App Developers" is checked, this is a finding.'']'
-fix: 'This setting is enforced using the "Restrictions Policy" configuration profile.
-
-
- The setting "Send diagnostic & usage data to Apple" can also be configured in System
- Preferences >> Security & Privacy >> Privacy >> Analytics & Improvement.
-
-
- Uncheck the box that says, "Share Mac Analytics".
-
- Uncheck the box that says, "Improve Siri & Dictation".
-
- Uncheck the box that says, "Share with App Developers".'
-references:
- srg:
- - SRG-OS-000096-GPOS-00050
- disa_stig:
- - APPL-12-002021
- cci:
- - CCI-000382
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002022.yml b/rules/stig/APPL-12-002022.yml
deleted file mode 100644
index de4a8f5fc..000000000
--- a/rules/stig/APPL-12-002022.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable Remote Apple Events.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nRemote Apple Events must be disabled."
-check: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer
-result: '[''If the results do not show the following, this is a finding.'', '''',
- ''"com.apple.AEServer" => true'']'
-fix: 'To disable Remote Apple Events, run the following command:
-
-
- /usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer
-
-
- The system may need to be restarted for the update to take effect.'
-references:
- srg:
- - SRG-OS-000096-GPOS-00050
- disa_stig:
- - APPL-12-002022
- cci:
- - CCI-000382
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002031.yml b/rules/stig/APPL-12-002031.yml
deleted file mode 100644
index ccb97f851..000000000
--- a/rules/stig/APPL-12-002031.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the system preference pane for
- Apple ID.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe Apple ID System Preference Pane must be disabled."
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
- 6 'DisabledPreferencePanes'
-result: '[''If the return is not an array, DisabledPreferencePanes, containing: "com.apple.preferences.AppleIDPrefPane",
- this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002031
- cci:
- - CCI-001774
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-002032.yml b/rules/stig/APPL-12-002032.yml
deleted file mode 100644
index 8808004a0..000000000
--- a/rules/stig/APPL-12-002032.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the system preference pane for
- Internet Accounts.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe Internet Accounts System Preference Pane must\
- \ be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
- 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
-result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
- each containing: "com.apple.preferences.internetaccounts", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000370-GPOS-00155
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002032
- cci:
- - CCI-001774
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002035.yml b/rules/stig/APPL-12-002035.yml
deleted file mode 100644
index 83f4a0a64..000000000
--- a/rules/stig/APPL-12-002035.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the Cloud Setup services.
-discussion: 'It is detrimental for operating systems to provide, or install by default,
- functionality exceeding requirements or mission objectives. These unnecessary capabilities
- or services are often overlooked and therefore may remain unsecured. They increase
- the risk to the platform by providing additional attack vectors.
-
-
- Operating systems are capable of providing a wide variety of functions and services.
- Some of the functions and services, provided by default, may not be necessary to
- support essential organizational operations (e.g., key missions, functions).
-
-
- Examples of non-essential capabilities include, but are not limited to, games, software
- packages, tools, and demonstration software, not related to requirements or providing
- a wide array of functionality not required for every mission, but which cannot be
- disabled.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipCloudSetup
-result: '[''If the return is not "SkipCloudSetup = 1", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002035
- cci:
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002036.yml b/rules/stig/APPL-12-002036.yml
deleted file mode 100644
index f15ecf9d0..000000000
--- a/rules/stig/APPL-12-002036.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the Privacy Setup services.
-discussion: 'It is detrimental for operating systems to provide, or install by default,
- functionality exceeding requirements or mission objectives. These unnecessary capabilities
- or services are often overlooked and therefore may remain unsecured. They increase
- the risk to the platform by providing additional attack vectors.
-
-
- Operating systems are capable of providing a wide variety of functions and services.
- Some of the functions and services, provided by default, may not be necessary to
- support essential organizational operations (e.g., key missions, functions).
-
-
- Examples of non-essential capabilities include, but are not limited to, games, software
- packages, tools, and demonstration software, not related to requirements or providing
- a wide array of functionality not required for every mission, but which cannot be
- disabled.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipPrivacySetup
-result: '[''If the return is not "SkipPrivacySetup = 1", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002036
- cci:
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002037.yml b/rules/stig/APPL-12-002037.yml
deleted file mode 100644
index 2d3a67c9d..000000000
--- a/rules/stig/APPL-12-002037.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the Cloud Storage Setup services.
-discussion: 'It is detrimental for operating systems to provide, or install by default,
- functionality exceeding requirements or mission objectives. These unnecessary capabilities
- or services are often overlooked and therefore may remain unsecured. They increase
- the risk to the platform by providing additional attack vectors.
-
-
- Operating systems are capable of providing a wide variety of functions and services.
- Some of the functions and services, provided by default, may not be necessary to
- support essential organizational operations (e.g., key missions, functions).
-
-
- Examples of non-essential capabilities include, but are not limited to, games, software
- packages, tools, and demonstration software, not related to requirements or providing
- a wide array of functionality not required for every mission, but which cannot be
- disabled.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipiCloudStorageSetup
-result: '[''If the return is not "SkipiCloudStorageSetup = 1", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002037
- cci:
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002038.yml b/rules/stig/APPL-12-002038.yml
deleted file mode 100644
index ffbfc10a3..000000000
--- a/rules/stig/APPL-12-002038.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the tftp service.
-discussion: "The \"tftp\" service must be disabled as it sends all data in a clear-text\
- \ form that can be easily intercepted and read. The data needs to be protected at\
- \ all times during transmission, and encryption is the standard method for protecting\
- \ data in transit. \n\nIf the data is not encrypted during transmission, it can\
- \ be plainly read (i.e., clear text) and easily compromised. Disabling ftp is one\
- \ way to mitigate this risk. Administrators should be instructed to use an alternate\
- \ service for data transmission that uses encryption, such as SFTP.\n\nAdditionally,\
- \ the \"tftp\" service uses UDP, which is not secure."
-check: /bin/launchctl print-disabled system | grep tftpd
-result: '[''If the results do not show the following, this is a finding:'', ''"com.apple.tftpd"
- => true'']'
-fix: 'To disable the tfpd service, run the following command:
-
-
- /usr/bin/sudo /bin/launchctl disable system/com.apple.tftpd'
-references:
- srg:
- - SRG-OS-000074-GPOS-00042
- disa_stig:
- - APPL-12-002038
- cci:
- - CCI-000197
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-002039.yml b/rules/stig/APPL-12-002039.yml
deleted file mode 100644
index bbdceae4b..000000000
--- a/rules/stig/APPL-12-002039.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the Siri Setup services.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe Siri setup pop-up must be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipSiriSetup
-result: '[''If the return is not "SkipSiriSetup = 1", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002039
- cci:
- - CCI-000381
- - CCI-001774
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002040.yml b/rules/stig/APPL-12-002040.yml
deleted file mode 100644
index 60d943cc5..000000000
--- a/rules/stig/APPL-12-002040.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must disable iCloud Keychain synchronization.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nKeychain synchronization must be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudKeychainSync
-result: '[''If the output is null or not "allowCloudKeychainSync = 0" this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002040
- cci:
- - CCI-001774
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002041.yml b/rules/stig/APPL-12-002041.yml
deleted file mode 100644
index c7e5acfee..000000000
--- a/rules/stig/APPL-12-002041.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must disable iCloud document synchronization.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\niCloud document synchronization must be disabled.\n\
- \n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudDocumentSync
-result: '[''If the output is null or not "allowCloudDocumentSync = 0" this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002041
- cci:
- - CCI-000381
- - CCI-001774
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002042.yml b/rules/stig/APPL-12-002042.yml
deleted file mode 100644
index 0cdb52742..000000000
--- a/rules/stig/APPL-12-002042.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must disable iCloud bookmark synchronization.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\niCloud Bookmark syncing must be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudBookmarks
-result: '[''If the output is null or not "allowCloudBookmarks = 0" this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002042
- cci:
- - CCI-001774
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002043.yml b/rules/stig/APPL-12-002043.yml
deleted file mode 100644
index 8e4a9bc79..000000000
--- a/rules/stig/APPL-12-002043.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must disable iCloud photo library.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\niCloud Photo Library must be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudPhotoLibrary
-result: '[''If the output is null or not "allowCloudPhotoLibrary = 0", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
- disa_stig:
- - APPL-12-002043
- cci:
- - CCI-000381
- - CCI-001774
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002050.yml b/rules/stig/APPL-12-002050.yml
deleted file mode 100644
index e4ff1d148..000000000
--- a/rules/stig/APPL-12-002050.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must disable the Screen Sharing feature.
-discussion: The Screen Sharing feature allows remote users to view or control the
- desktop of the current user. A malicious user can take advantage of screen sharing
- to gain full access to the system remotely, either with stolen credentials or by
- guessing the username and password. Disabling Screen Sharing mitigates this risk.
-check: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing
-result: '[''If the results do not show the following, this is a finding:'', '''',
- ''"com.apple.screensharing" => true'']'
-fix: 'To disable the Screen Sharing service, run the following command:
-
-
- /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing
-
-
- The system may need to be restarted for the update to take effect.'
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-002050
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002051.yml b/rules/stig/APPL-12-002051.yml
deleted file mode 100644
index 74de191bc..000000000
--- a/rules/stig/APPL-12-002051.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the system preference pane for
- TouchID.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe TouchID System Preference Pane must be disabled.\n\
- \n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
- 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
-result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
- each containing: "com.apple.preferences.password", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000370-GPOS-00155
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002051
- cci:
- - CCI-001774
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002052.yml b/rules/stig/APPL-12-002052.yml
deleted file mode 100644
index ab1f64a43..000000000
--- a/rules/stig/APPL-12-002052.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the system preference pane for
- Wallet and ApplePay.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe Wallet & ApplePay Preference Pane must be disabled.\n\
- \n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
- 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
-result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
- each containing: "com.apple.preferences.wallet", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000370-GPOS-00155
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002052
- cci:
- - CCI-001774
- - CCI-000381
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002053.yml b/rules/stig/APPL-12-002053.yml
deleted file mode 100644
index 1c2c609f5..000000000
--- a/rules/stig/APPL-12-002053.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to disable the system preference pane for
- Siri.
-discussion: "It is detrimental for operating systems to provide, or install by default,\
- \ functionality exceeding requirements or mission objectives. These unnecessary\
- \ capabilities or services are often overlooked and therefore may remain unsecured.\
- \ They increase the risk to the platform by providing additional attack vectors.\n\
- \nOperating systems are capable of providing a wide variety of functions and services.\
- \ Some of the functions and services, provided by default, may not be necessary\
- \ to support essential organizational operations (e.g., key missions, functions).\
- \ \n\nExamples of non-essential capabilities include but are not limited to games,\
- \ software packages, tools, and demonstration software not related to requirements\
- \ or providing a wide array of functionality not required for every mission but\
- \ that cannot be disabled.\n\nThe Siri Preference Pane must be disabled.\n\n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A
- 6 -E 'DisabledPreferencePanes|HiddenPreferencePanes'
-result: '[''If the return is not two arrays (HiddenPreferencePanes and DisabledPreferencePanes)
- each containing: "com.apple.preference.speech", this is a finding.'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000370-GPOS-00155
- - SRG-OS-000095-GPOS-00049
- disa_stig:
- - APPL-12-002053
- cci:
- - CCI-000381
- - CCI-001774
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002060.yml b/rules/stig/APPL-12-002060.yml
deleted file mode 100644
index 77b157004..000000000
--- a/rules/stig/APPL-12-002060.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must allow only applications that have a valid digital signature
- to run.
-discussion: Gatekeeper settings must be configured correctly to only allow the system
- to run applications signed with a valid Apple Developer ID code. Administrator users
- will still have the option to override these settings on a per-app basis. Gatekeeper
- is a security feature that ensures that applications must be digitally signed by
- an Apple-issued certificate in order to run. Digital signatures allow the macOS
- host to verify that the application has not been modified by a malicious third party.
-check: ''
-result: '['''', ''Verify only applications with a valid digital signature are allowed
- to run:'', '''', "/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
- -E ''(EnableAssessment | AllowIdentifiedDevelopers)''", '''', ''If the return is
- null or is not the following, this is a finding:'', '''', ''AllowIdentifiedDevelopers
- = 1;'', ''EnableAssessment = 1;'']'
-fix: This setting is enforced using the "Restrictions Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-002060
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002062.yml b/rules/stig/APPL-12-002062.yml
deleted file mode 100644
index 3cc23c545..000000000
--- a/rules/stig/APPL-12-002062.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured with Bluetooth turned off unless approved
- by the organization.
-discussion: 'Without protection of communications with wireless peripherals, confidentiality
- and integrity may be compromised because unprotected communications can be intercepted
- and either read, altered, or used to compromise the operating system.
-
-
- This requirement applies to wireless peripheral technologies (e.g., wireless mice,
- keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g.,
- Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications
- [NFC]) present a unique challenge by creating an open, unsecured port on a computer.
- Wireless peripherals must meet DoD requirements for wireless data transmission and
- be approved for use by the AO. Even though some wireless peripherals, such as mice
- and pointing devices, do not ordinarily carry information that need to be protected,
- modification of communications with these wireless peripherals may be used to compromise
- the operating system. Communication paths outside the physical protection of a controlled
- boundary are exposed to the possibility of interception and modification.
-
-
- Protecting the confidentiality and integrity of communications with wireless peripherals
- can be accomplished by physical means (e.g., employing physical barriers to wireless
- radio frequencies) or by logical means (e.g., employing cryptographic techniques).
- If physical means of protection are employed, then logical means (cryptography)
- do not have to be employed, and vice versa. If the wireless peripheral is only passing
- telemetry data, encryption of the data may not be required.
-
-
- '
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableBluetooth
-result: "['If the return is null or is not \"DisableBluetooth = 1\", this is a finding.',\
- \ '', 'To check if the system is configured to disable access to the Bluetooth preference\
- \ pane and prevent it from being displayed, run the following command:', '', \"\
- /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 -E\
- \ 'DisabledPreferencePanes|HiddenPreferencePanes'\", '', 'If the return is not two\
- \ arrays (HiddenPreferencePanes and DisabledPreferencePanes) each containing: \u201C\
- com.apple.preferences.Bluetooth\u201D, this is a finding.']"
-fix: This setting is enforced using the "Custom Policy" and "Restrictions Policy"
- configuration profiles.
-references:
- srg:
- - SRG-OS-000481-GPOS-000481
- - SRG-OS-000319-GPOS-00164
- disa_stig:
- - APPL-12-002062
- cci:
- - CCI-001967
- - CCI-002418
-macOS:
-- '12'
-tags:
-- stig
-severity: low
diff --git a/rules/stig/APPL-12-002063.yml b/rules/stig/APPL-12-002063.yml
deleted file mode 100644
index c6000e3bd..000000000
--- a/rules/stig/APPL-12-002063.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must enforce access restrictions.
-discussion: 'Failure to provide logical access restrictions associated with changes
- to system configuration may have significant effects on the overall security of
- the system.
-
-
- When dealing with access restrictions pertaining to change control, it should be
- noted that any changes to the hardware, software, and/or firmware components of
- the operating system can have significant effects on the overall security of the
- system.
-
-
- Accordingly, only qualified and authorized individuals should be allowed to obtain
- access to operating system components for the purposes of initiating changes, including
- upgrades and modifications.
-
-
- Logical access restrictions include, for example, controls that restrict access
- to workflow automation, media libraries, abstract layers (e.g., changes implemented
- into third-party interfaces rather than directly into information systems), and
- change windows (e.g., changes occur only during specified times, making unauthorized
- changes easy to discover).'
-check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep
- DisableGuestAccount'
-result: '[''If the result is null or not "DisableGuestAccount = 1", this is a finding.'']'
-fix: This setting is enforced using the "Login Window Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000364-GPOS-00151
- disa_stig:
- - APPL-12-002063
- cci:
- - CCI-001813
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-002064.yml b/rules/stig/APPL-12-002064.yml
deleted file mode 100644
index 4cd4ac04e..000000000
--- a/rules/stig/APPL-12-002064.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must have the security assessment policy subsystem enabled.
-discussion: 'Any changes to the hardware, software, and/or firmware components of
- the information system and/or application can potentially have significant effects
- on the overall security of the system.
-
-
- Accordingly, software defined by the organization as critical must be signed with
- a certificate that is recognized and approved by the organization.'
-check: /usr/sbin/spctl --status 2> /dev/null | /usr/bin/grep enabled
-result: '[''If "assessments enabled" is not returned, this is a finding.'']'
-fix: 'To enable the Security assessment policy subsystem, run the following command:
-
-
- /usr/bin/sudo /usr/sbin/spctl --master-enable'
-references:
- srg:
- - SRG-OS-000366-GPOS-00153
- disa_stig:
- - APPL-12-002064
- cci:
- - CCI-001749
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-002066.yml b/rules/stig/APPL-12-002066.yml
deleted file mode 100644
index f5ba36b4e..000000000
--- a/rules/stig/APPL-12-002066.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must not allow an unattended or automatic logon to the system.
-discussion: Failure to restrict system access to authenticated users negatively impacts
- operating system security.
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAutoLoginClient
-result: '[''If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this
- is a finding.'']'
-fix: This setting is enforced using the "Login Window Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000480-GPOS-00229
- disa_stig:
- - APPL-12-002066
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002068.yml b/rules/stig/APPL-12-002068.yml
deleted file mode 100644
index f1db61611..000000000
--- a/rules/stig/APPL-12-002068.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must set permissions on user home directories to prevent users
- from having access to read or modify another user's files.
-discussion: 'Configuring the operating system to use the most restrictive permissions
- possible for user home directories helps to protect against inadvertent disclosures.
-
-
- '
-check: ls -le /Users
-result: '[''Should return a listing of the permissions of the root of every user account
- configured on the system. For each of the users, the permissions should be:'', ''"drwxr-xr-x+"
- with the user listed as the owner and the group listed as "staff". The plus(+) sign
- indicates an associated Access Control List, which should be:'', '' 0: group:everyone
- deny delete'', '''', ''For every authorized user account, also run the following
- command:'', ''/usr/bin/sudo ls -le /Users/userid, where userid is an existing user.
- '', '''', "This command will return the permissions of all of the objects under
- the users'' home directory. The permissions for each of the subdirectories should
- be:", ''drwx------+ '', '' 0: group:everyone deny delete'', '''', ''With the exception
- of the "Public" directory, whose permissions should match the following:'', ''drwxr-xr-x+
- '', '' 0: group:everyone deny delete'', '''', ''If the permissions returned by either
- of these checks differ from what is shown, this is a finding.'']'
-fix: 'To ensure the appropriate permissions are set for each user on the system, run
- the following command:
-
-
- diskutil resetUserPermissions / userid, where userid is the user name for the user
- whose home directory permissions need to be repaired.'
-references:
- srg:
- - SRG-OS-000480-GPOS-00228
- - SRG-OS-000480-GPOS-00230
- disa_stig:
- - APPL-12-002068
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002069.yml b/rules/stig/APPL-12-002069.yml
deleted file mode 100644
index 025b7571f..000000000
--- a/rules/stig/APPL-12-002069.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must authenticate peripherals before establishing a connection.
-discussion: 'Without authenticating devices, unidentified or unknown devices may be
- introduced, thereby facilitating malicious activity.
-
-
- Peripherals include, but are not limited to, such devices as flash drives, external
- storage, and printers.'
-check: /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | grep
- -A1 shared
-result: '[''If what is returned does not include the following, this is a finding.'',
- ''\tshared'', ''\t'']'
-fix: "To ensure that authentication is required to access all system level preference\
- \ panes use the following procedure:\n\nCopy the authorization database to a file\
- \ using the following command:\n/usr/bin/sudo /usr/bin/security authorizationdb\
- \ read system.preferences > ~/Desktop/authdb.txt\nedit the file to change:\n \
- \ shared\n \nTo read:\n shared\n \n\
- \nReload the authorization database with the following command:\n/usr/bin/sudo /usr/bin/security\
- \ authorizationdb write system.preferences < ~/Desktop/authdb.txt"
-references:
- srg:
- - SRG-OS-000378-GPOS-00163
- disa_stig:
- - APPL-12-002069
- cci:
- - CCI-001958
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-002070.yml b/rules/stig/APPL-12-002070.yml
deleted file mode 100644
index bb5fcaa19..000000000
--- a/rules/stig/APPL-12-002070.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must use an approved antivirus program.
-discussion: 'An approved antivirus product must be installed and configured to run.
-
-
- Malicious software can establish a base on individual desktops and servers. Employing
- an automated mechanism to detect this type of software will aid in elimination of
- the software from the operating system.'
-check: /bin/launchctl print-disabled system | grep mrt
-result: '[''If the results show "com.apple.mrt" => false", the MRT Service is running.'',
- '''', ''If the MRT service is running, verify that it is configured to update automatically
- by using the following command:'', '''', ''/usr/sbin/system_profiler SPConfigurationProfileDataType
- | /usr/bin/grep ConfigDataInstall'', '''', ''If, "ConfigDataInstall = 1" is not
- returned, this is a finding.'', '''', ''If the MRT service is not running, ask the
- System Administrator (SA) or Information System Security Officer (ISSO) if an approved
- antivirus solution is loaded on the system. The antivirus solution may be bundled
- with an approved host-based security solution.'', '''', ''If there is no local antivirus
- solution installed on the system, this is a finding.'']'
-fix: 'Enable the MRT service:
-
-
- /usr/bin/sudo /bin/launchctl enable system/com.apple.mrt
-
-
- Installing the "Restrictions Policy" will configure the MRT Service to update automatically.
-
-
- If the MRT Service is not being used, install an approved antivirus solution onto
- the system.'
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-002070
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-003001.yml b/rules/stig/APPL-12-003001.yml
deleted file mode 100644
index 20f469583..000000000
--- a/rules/stig/APPL-12-003001.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must issue or obtain public key certificates under an appropriate
- certificate policy from an approved service provider.
-discussion: 'DoD-approved certificates must be installed to the System Keychain so
- they will be available to all users.
-
-
- For user certificates, each organization obtains certificates from an approved,
- shared service provider, as required by OMB policy. For federal agencies operating
- a legacy public key infrastructure cross-certified with the Federal Bridge Certification
- Authority at medium assurance or higher, this Certification Authority will suffice.
- This control focuses on certificates with a visibility external to the information
- system and does not include certificates related to internal system operations;
- for example, application-specific time services. Use of weak or untested encryption
- algorithms undermines the purposes of utilizing encryption to protect data. The
- operating system must implement cryptographic modules adhering to the higher standards
- approved by the federal government since this provides assurance they have been
- tested and validated.
-
-
- '
-check: /usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | awk -F\"
- '{ print $4 }'
-result: '[''If this list contains unapproved certificates, this is a finding.'']'
-fix: Obtain the approved DOD certificates from the appropriate authority. Use Keychain
- Access from "/Applications/Utilities" to add certificates to the System Keychain.
-references:
- srg:
- - SRG-OS-000066-GPOS-00034
- - SRG-OS-000478-GPOS-00223
- disa_stig:
- - APPL-12-003001
- cci:
- - CCI-000185
- - CCI-002450
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-003007.yml b/rules/stig/APPL-12-003007.yml
deleted file mode 100644
index 27c770b1c..000000000
--- a/rules/stig/APPL-12-003007.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must enforce password complexity by requiring that at least
- one numeric character be used.
-discussion: 'Use of a complex password helps to increase the time and resources required
- to compromise the password. Password complexity, or strength, is a measure of the
- effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-
-
- Password complexity is one factor of several that determines how long it takes to
- crack a password. The more complex the password, the greater the number of possible
- combinations that need to be tested before the password is compromised.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep requireAlphanumeric
-result: '[''If the return is not "requireAlphanumeric = 1", this is a finding.'']'
-fix: This setting is enforced using the "Passcode Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000071-GPOS-00039
- disa_stig:
- - APPL-12-003007
- cci:
- - CCI-000194
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003008.yml b/rules/stig/APPL-12-003008.yml
deleted file mode 100644
index 32f3889c2..000000000
--- a/rules/stig/APPL-12-003008.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must enforce a 60-day maximum password lifetime restriction.
-discussion: 'Any password, no matter how complex, can eventually be cracked. Therefore,
- passwords need to be changed periodically.
-
-
- One method of minimizing this risk is to use complex passwords and periodically
- change them. If the operating system does not limit the lifetime of passwords and
- force users to change their passwords, there is the risk that the operating system
- passwords could be compromised.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxPINAgeInDays
-result: '[''If "maxPINAgeInDays" is set a value greater than "60", this is a finding.'']'
-fix: This setting is enforced using the "Passcode Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000076-GPOS-00044
- disa_stig:
- - APPL-12-003008
- cci:
- - CCI-000199
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003009.yml b/rules/stig/APPL-12-003009.yml
deleted file mode 100644
index 814494fba..000000000
--- a/rules/stig/APPL-12-003009.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must prohibit password reuse for a minimum of five generations.
-discussion: Password complexity, or strength, is a measure of the effectiveness of
- a password in resisting attempts at guessing and brute-force attacks. If the information
- system or application allows the user to consecutively reuse their password when
- that password has exceeded its defined lifetime, the end result is a password that
- is not changed as per policy requirements.
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory
-result: '[''If the return is not "pinHistory = 5" or greater, this is a finding.'']'
-fix: This setting is enforced using the "Passcode Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000077-GPOS-00045
- disa_stig:
- - APPL-12-003009
- cci:
- - CCI-000200
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003010.yml b/rules/stig/APPL-12-003010.yml
deleted file mode 100644
index 13ca5c6f3..000000000
--- a/rules/stig/APPL-12-003010.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must enforce a minimum 15-character password length.
-discussion: The minimum password length must be set to 15 characters. Password complexity,
- or strength, is a measure of the effectiveness of a password in resisting attempts
- at guessing and brute-force attacks. Password length is one factor of several that
- helps to determine strength and how long it takes to crack a password. The use of
- more characters in a password helps to exponentially increase the time and/or resources
- required to compromise the password.
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minLength
-result: '[''If the return is null or not "minLength = 15", this is a finding.'']'
-fix: This setting is enforced using the "Passcode Policy" configuration profile.
-references:
- srg:
- - SRG-OS-000078-GPOS-00046
- disa_stig:
- - APPL-12-003010
- cci:
- - CCI-000205
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003011.yml b/rules/stig/APPL-12-003011.yml
deleted file mode 100644
index c4d3ce9c9..000000000
--- a/rules/stig/APPL-12-003011.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must enforce password complexity by requiring that at least
- one special character be used.
-discussion: 'Use of a complex password helps to increase the time and resources required
- to compromise the password. Password complexity or strength is a measure of the
- effectiveness of a password in resisting attempts at guessing and brute-force attacks.
- Password complexity is one factor in determining how long it takes to crack a password.
- The more complex the password, the greater the number of possible combinations that
- need to be tested before the password is compromised. Special characters are those
- characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.'
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minComplexChars
-result: '[''If the return is null or not "minComplexChars = 1", this is a finding.'',
- '''', ''Run the following command to check if the system is configured to require
- that passwords not contain repeated sequential characters or characters in increasing
- and decreasing sequential order:'', '''', ''/usr/sbin/system_profiler SPConfigurationProfileDataType
- | /usr/bin/grep allowSimple'', '''', ''If "allowSimple" is not set to "0" or is
- undefined, this is a finding.'']'
-fix: This setting may be enforced using the "Passcode Policy" configuration profile
- or by a directory service.
-references:
- srg:
- - SRG-OS-000266-GPOS-00101
- disa_stig:
- - APPL-12-003011
- cci:
- - CCI-001619
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003012.yml b/rules/stig/APPL-12-003012.yml
deleted file mode 100644
index 5dd0b2f57..000000000
--- a/rules/stig/APPL-12-003012.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured to prevent displaying password hints.
-discussion: Password hints leak information about passwords in use and can lead to
- loss of confidentiality.
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep RetriesUntilHint
-result: '[''If the return is null or is not "RetriesUntilHint = 0", this is a finding.'']'
-fix: This setting is enforce using the "Login Window" Policy.
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-003012
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003013.yml b/rules/stig/APPL-12-003013.yml
deleted file mode 100644
index e2a6a095d..000000000
--- a/rules/stig/APPL-12-003013.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured with a firmware password to prevent access
- to single user mode and booting from alternative media.
-discussion: Single user mode and the boot picker, as well as numerous other tools
- are available on macOS through booting while holding the "Option" key down. Setting
- a firmware password restricts access to these tools.
-check: $ sudo /usr/sbin/firmwarepasswd -check
-result: '[''If the return is not "Password Enabled: Yes", this is a finding.'']'
-fix: 'To set a firmware passcode use the following command.
-
-
- sudo /usr/sbin/firmwarepasswd -setpasswd
-
-
- Note: If firmware password or passcode is forgotten, the only way to reset the forgotten
- password is through the use of a machine specific binary generated and provided
- by Apple. Schedule a support call, and provide proof of purchase before the firmware
- binary will be generated.'
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-003013
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003020.yml b/rules/stig/APPL-12-003020.yml
deleted file mode 100644
index 26808ce45..000000000
--- a/rules/stig/APPL-12-003020.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must use multifactor authentication for local access to privileged
- and non-privileged accounts.
-discussion: "Without the use of multifactor authentication, the ease of access to\
- \ privileged and non-privileged functions is greatly increased.\n\nMultifactor authentication\
- \ requires using two or more factors to achieve authentication.\n\nFactors include:\
- \ \n1) something a user knows (e.g., password/PIN);\n2) something a user has (e.g.,\
- \ cryptographic identification device, token); and\n3) something a user is (e.g.,\
- \ biometric).\n\nA privileged account is defined as an information system account\
- \ with authorizations of a privileged user.\n\nLocal access is defined as access\
- \ to an organizational information system by a user (or process acting on behalf\
- \ of a user) communicating through a direct connection without the use of a network.\n\
- \nThe DoD CAC with DoD-approved PKI is an example of multifactor authentication.\n\
- \n"
-check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep enforceSmartCard
-result: '[''If the results do not show "enforceSmartCard=1", this is a finding.'']'
-fix: "This setting is enforced using the \"Smart Card Policy\" configuration profile.\
- \ \n\nNote: Before applying the \"Smart Card Policy\", the supplemental guidance\
- \ provided with the STIG must be consulted to ensure continued access to the operating\
- \ system."
-references:
- srg:
- - SRG-OS-000107-GPOS-00054
- - SRG-OS-000108-GPOS-00055
- - SRG-OS-000068-GPOS-00036
- disa_stig:
- - APPL-12-003020
- cci:
- - CCI-000187
- - CCI-000767
- - CCI-000768
-macOS:
-- '12'
-tags:
-- stig
-severity: high
diff --git a/rules/stig/APPL-12-003050.yml b/rules/stig/APPL-12-003050.yml
deleted file mode 100644
index f0c486b21..000000000
--- a/rules/stig/APPL-12-003050.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured so that the login command requires smart
- card authentication.
-discussion: 'Configuring the operating system to implement organization-wide security
- implementation guides and security checklists ensures compliance with federal standards
- and establishes a common security baseline across DoD that reflects the most restrictive
- security posture consistent with operational requirements.
-
-
- Configuration settings are the set of parameters that can be changed in hardware,
- software, or firmware components of the system that affect the security posture
- and/or functionality of the system. Security-related parameters are those parameters
- impacting the security state of the system, including the parameters required to
- satisfy other security control requirements. Security-related parameters include,
- for example: registry settings; account, file, directory permission settings; and
- settings for functions, ports, protocols, services, and remote connections.'
-check: '# cat /etc/pam.d/login | grep -i pam_smartcard.so'
-result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so"
- at the TOP of the listing, this is a finding.'']'
-fix: "Make a backup of the PAM LOGIN settings using the following command:\nsudo cp\
- \ /etc/pam.d/login /etc/pam.d/login_backup_`date \"+%Y-%m-%d_%H:%M\"`\n\nReplace\
- \ the contents of \"/etc/pam.d/login\" with the following:\n\n# login: auth account\
- \ password session\nauth\t\tsufficient\t pam_smartcard.so\nauth optional pam_krb5.so\
- \ use_kcminit\nauth optional pam_ntlm.so try_first_pass\nauth optional\
- \ pam_mount.so try_first_pass\nauth required pam_opendirectory.so try_first_pass\n\
- auth required pam_deny.so\naccount required pam_nologin.so\naccount required\
- \ pam_opendirectory.so\npassword required pam_opendirectory.so\nsession \
- \ required pam_launchd.so\nsession required pam_uwtmp.so\nsession optional\
- \ pam_mount.so"
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-003050
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003051.yml b/rules/stig/APPL-12-003051.yml
deleted file mode 100644
index 6e3e4957a..000000000
--- a/rules/stig/APPL-12-003051.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured so that the su command requires smart card
- authentication.
-discussion: 'Configuring the operating system to implement organization-wide security
- implementation guides and security checklists ensures compliance with federal standards
- and establishes a common security baseline across DoD that reflects the most restrictive
- security posture consistent with operational requirements.
-
-
- Configuration settings are the set of parameters that can be changed in hardware,
- software, or firmware components of the system that affect the security posture
- and/or functionality of the system. Security-related parameters are those parameters
- impacting the security state of the system, including the parameters required to
- satisfy other security control requirements. Security-related parameters include,
- for example: registry settings; account, file, directory permission settings; and
- settings for functions, ports, protocols, services, and remote connections.'
-check: cat /etc/pam.d/su | grep -i pam_smartcard.so
-result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so"
- at the TOP of the listing, this is a finding.'']'
-fix: 'Make a backup of the PAM SU settings using the following command:
-
- cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"`
-
-
- Replace the contents of "/etc/pam.d/su" with the following:
-
-
- # su: auth account password session
-
- auth sufficient pam_smartcard.so
-
- auth required pam_rootok.so
-
- auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
-
- account required pam_permit.so
-
- account required pam_opendirectory.so no_check_shell
-
- password required pam_opendirectory.so
-
- session required pam_launchd.so'
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-003051
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-003052.yml b/rules/stig/APPL-12-003052.yml
deleted file mode 100644
index 4b06d7e85..000000000
--- a/rules/stig/APPL-12-003052.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured so that the sudo command requires smart
- card authentication.
-discussion: 'Configuring the operating system to implement organization-wide security
- implementation guides and security checklists ensures compliance with federal standards
- and establishes a common security baseline across DoD that reflects the most restrictive
- security posture consistent with operational requirements.
-
-
- Configuration settings are the set of parameters that can be changed in hardware,
- software, or firmware components of the system that affect the security posture
- and/or functionality of the system. Security-related parameters are those parameters
- impacting the security state of the system, including the parameters required to
- satisfy other security control requirements. Security-related parameters include,
- for example: registry settings; account, file, directory permission settings; and
- settings for functions, ports, protocols, services, and remote connections.'
-check: cat /etc/pam.d/sudo | grep -i pam_smartcard.so
-result: '[''If the text that returns does not include the line, "auth sufficient pam_smartcard.so"
- at the TOP of the listing, this is a finding.'']'
-fix: 'Make a backup of the PAM SUDO settings using the following command:
-
-
- cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`
-
-
- Replace the contents of "/etc/pam.d/sudo" with the following:
-
-
- # sudo: auth account password session
-
- auth sufficient pam_smartcard.so
-
- #auth required pam_opendirectory.so
-
- auth required pam_deny.so
-
- account required pam_permit.so
-
- password required pam_deny.so
-
- session required pam_permit.so'
-references:
- srg:
- - SRG-OS-000480-GPOS-00227
- disa_stig:
- - APPL-12-003052
- cci:
- - CCI-000366
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-004001.yml b/rules/stig/APPL-12-004001.yml
deleted file mode 100644
index 8b8b37971..000000000
--- a/rules/stig/APPL-12-004001.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-rule_id: MSCP RULE
-title: The macOS system must be configured with system log files owned by root and
- group-owned by wheel or admin.
-discussion: System logs should only be readable by root or admin users. System logs
- frequently contain sensitive information that could be used by an attacker. Setting
- the correct owner mitigates this risk.
-check: Unable to parse the check text
-result: Unable to parse the check text
-fix: "For any log file that returns an incorrect owner or group value, run the following\
- \ command:\n\n/usr/bin/sudo chown root:wheel [log file]\n\n[log file] is the full\
- \ path to the log file in question. If the file is managed by \"newsyslog\", find\
- \ the configuration line in the directory \"/etc/newsyslog.d/\" or the file \"/etc/newsyslog.conf\"\
- \ and ensure that the owner:group column is set to \"root:wheel\" or the appropriate\
- \ service user account and group. \n\nIf the file is managed by \"aslmanager\",\
- \ find the configuration line in the directory \"/etc/asl/\" or the file \"/etc/asl.conf\"\
- \ and ensure that \"uid\" and \"gid\" options are either not present or are set\
- \ to a service user account and group respectively."
-references:
- srg:
- - SRG-OS-000206-GPOS-00084
- disa_stig:
- - APPL-12-004001
- cci:
- - CCI-001314
-macOS:
-- '12'
-tags:
-- stig
-severity: medium
diff --git a/rules/stig/APPL-12-004002.yml b/rules/stig/APPL-12-004002.yml
deleted file mode 100644
index 0d1257112..000000000
--- a/rules/stig/APPL-12-004002.yml
+++ /dev/null
@@ -1,30 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with system log files set to mode 640 or - less permissive. -discussion: System logs should only be readable by root or admin users. System logs - frequently contain sensitive information that could be used by an attacker. Setting - the correct permissions mitigates this risk. -check: /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | - awk '{ print $1 }') 2> /dev/null -result: '['''', ''Each command may return zero or more files. If the permissions on - log files are not "640" or less permissive, this is a finding.'']' -fix: "For any log file that returns an incorrect permission value, run the following\ - \ command:\n\n/usr/bin/sudo chmod 640 [log file]\n\n[log file] is the full path\ - \ to the log file in question. If the file is managed by \"newsyslog\", find the\ - \ configuration line in the directory \"/etc/newsyslog.d/\" or the file \"/etc/newsyslog.conf\"\ - \ and edit the mode column to be \"640\" or less permissive. \n\nIf the file is\ - \ managed by \"aslmanager\", find the configuration line in the directory \"/etc/asl/\"\ - \ or the file \"/etc/asl.conf\" and add or edit the mode option to be \"mode=0640\"\ - \ or less permissive." -references: - srg: - - SRG-OS-000206-GPOS-00084 - disa_stig: - - APPL-12-004002 - cci: - - CCI-001314 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-004021.yml b/rules/stig/APPL-12-004021.yml deleted file mode 100644 index ece2671f7..000000000 --- a/rules/stig/APPL-12-004021.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured with the sudoers file configured to authenticate - users on a per -tty basis. -discussion: "The \"sudo\" command must be configured to prompt for the administrator's\ - \ password at least once in each newly opened Terminal window or remote logon session,\ - \ as this prevents a malicious user from taking advantage of an unlocked computer\ - \ or an abandoned logon session to bypass the normal password prompt requirement.\ - \ \n\nWithout the \"tty_tickets\" option, all open local and remote logon sessions\ - \ would be authenticated to use sudo without a password for the duration of the\ - \ configured password timeout window." -check: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers -result: '[''If there is no result, this is a finding.'']' -fix: 'Edit the "/etc/sudoers" file to contain the line: - - - Defaults tty_tickets - - - This line can be placed in the defaults section or at the end of the file.' -references: - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-12-004021 - cci: - - CCI-000366 -macOS: -- '12' -tags: -- stig -severity: high diff --git a/rules/stig/APPL-12-005001.yml b/rules/stig/APPL-12-005001.yml deleted file mode 100644 index fed224034..000000000 --- a/rules/stig/APPL-12-005001.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must enable System Integrity Protection. -discussion: 'System Integrity Protection (SIP) is vital to the protection of the integrity - of macOS. SIP restricts what actions can be performed by administrative users, including - root, against protected parts of the operating system. SIP protects all system binaries, - including audit tools, from unauthorized access by preventing the modification or - deletion of system binaries, or the changing of the permissions associated with - those binaries. SIP limits the privileges to change software resident within software - libraries to processes that have signed by Apple and have special entitlements to - write to system files, such as Apple software updates and Apple installers. By protecting - audit binaries, SIP ensures the presence of an audit record generation capability - for DoD-defined auditable events for all operating system components and supports - on-demand and after-the-fact reporting requirements. 
- - - ' -check: /usr/bin/csrutil status -result: '[''If the result does not show the following, this is a finding.'', '''', - ''System Integrity Protection status: enabled'']' -fix: 'To re-enable "System Integrity Protection", boot the affected system into "Recovery" - mode, launch "Terminal" from the "Utilities" menu, and run the following command: - - - /usr/bin/csrutil enable' -references: - srg: - - SRG-OS-000051-GPOS-00024 - - SRG-OS-000054-GPOS-00025 - - SRG-OS-000062-GPOS-00031 - - SRG-OS-000122-GPOS-00063 - - SRG-OS-000256-GPOS-00097 - - SRG-OS-000257-GPOS-00098 - - SRG-OS-000258-GPOS-00099 - - SRG-OS-000259-GPOS-00100 - - SRG-OS-000348-GPOS-00136 - - SRG-OS-000349-GPOS-00137 - - SRG-OS-000350-GPOS-00138 - - SRG-OS-000351-GPOS-00139 - - SRG-OS-000352-GPOS-00140 - - SRG-OS-000353-GPOS-00141 - - SRG-OS-000354-GPOS-00142 - disa_stig: - - APPL-12-005001 - cci: - - CCI-000169 - - CCI-000154 - - CCI-000158 - - CCI-001493 - - CCI-001494 - - CCI-001495 - - CCI-001499 - - CCI-001875 - - CCI-001876 - - CCI-001877 - - CCI-001878 - - CCI-001879 - - CCI-001880 - - CCI-001881 - - CCI-001882 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005020.yml b/rules/stig/APPL-12-005020.yml deleted file mode 100644 index 606cd19d9..000000000 --- a/rules/stig/APPL-12-005020.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must implement cryptographic mechanisms to protect the confidentiality - and integrity of all information at rest. -discussion: 'Information at rest refers to the state of information when it is located - on a secondary storage device (e.g., disk drive and tape drive) within an organizational - information system. Mobile devices, laptops, desktops, and storage devices can be - lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile - memory) can be read, copied, or altered. By encrypting the system hard drive, the - confidentiality and integrity of any data stored on the system is ensured. FileVault - Disk Encryption mitigates this risk. - - - ' -check: /usr/bin/fdesetup status -result: '[''If "FileVault" is "Off" and the device is a mobile device or the organization - has determined that the drive must encrypt data at rest, this is a finding.'']' -fix: 'Open System Preferences >> Security and Privacy and navigate to the "FileVault" - tab. Use this panel to configure full-disk encryption. - - - Alternately, from the command line, run the following command to enable "FileVault": - - - /usr/bin/sudo /usr/bin/fdesetup enable - - - After "FileVault" is initially set up, additional users can be added.' -references: - srg: - - SRG-OS-000185-GPOS-00079 - - SRG-OS-000404-GPOS-00183 - - SRG-OS-000405-GPOS-00184 - disa_stig: - - APPL-12-005020 - cci: - - CCI-001199 - - CCI-002475 - - CCI-002476 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005050.yml b/rules/stig/APPL-12-005050.yml deleted file mode 100644 index 161603441..000000000 --- a/rules/stig/APPL-12-005050.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -rule_id: MSCP RULE -title: The macOS Application Firewall must be enabled. -discussion: Firewalls protect computers from network attacks by blocking or limiting - access to open network ports. Application firewalls limit which applications are - allowed to communicate over the network. -check: '# /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep - ''EnableFirewall\|EnableStealthMode'' ' -result: '[''If the return is not "EnableFirewall = 1;" and "EnableStealthMode = 1;" - this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000480-GPOS-00232 - disa_stig: - - APPL-12-005050 - cci: - - CCI-000366 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005051.yml b/rules/stig/APPL-12-005051.yml deleted file mode 100644 index c7081ab53..000000000 --- a/rules/stig/APPL-12-005051.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must restrict the ability of individuals to use USB storage - devices. -discussion: 'External writeable media devices must be disabled for users. External - USB devices are a potential vector for malware and can be used to exfiltrate sensitive - data if an approved data-loss prevention (DLP) solution is not installed. - - - ' -check: $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/egrep - -A 3 'blankbd|blankcd|blankdvd|disk-image|dvdram|harddisk-external' -result: "['\u201Cblankbd\" = (', 'deny,', 'eject', ');', '', '\u201Cblankcd\" = (',\ - \ 'deny,', 'eject', ');', '', '\u201Cblankdvd\" = (', 'deny,', 'eject', ');', '',\ - \ '\u201Cdisk-image\" = (', 'deny,', 'eject', ');', '', '\u201Cdvdram\" = (', 'deny,',\ - \ 'eject', ');', '', '\u201Charddisk-external\" = (', 'deny,', 'eject', ');', '',\ - \ 'If the result does not match the output above, this is a finding.']" -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000480-GPOS-00227 - - SRG-OS-000319-GPOS-00164 - disa_stig: - - APPL-12-005051 - cci: - - CCI-000366 - - CCI-001967 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005052.yml b/rules/stig/APPL-12-005052.yml deleted file mode 100644 index 44bd1ca88..000000000 --- a/rules/stig/APPL-12-005052.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system logon window must be configured to prompt for username and - password, rather than show a list of users. -discussion: The logon window must be configured to prompt all users for both a username - and a password. By default, the system displays a list of known users at the logon - screen. This gives an advantage to an attacker with physical access to the system, - as the attacker would only have to guess the password for one of the listed accounts. -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SHOWFULLNAME -result: '[''If there is no result, or "SHOWFULLNAME" is not set to "1", this is a - finding.'']' -fix: This setting is enforced using the "Login Window Policy" configuration profile. -references: - srg: - - SRG-OS-000480-GPOS-00229 - disa_stig: - - APPL-12-005052 - cci: - - CCI-000366 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-005053.yml b/rules/stig/APPL-12-005053.yml deleted file mode 100644 index a6e685c72..000000000 --- a/rules/stig/APPL-12-005053.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must restrict the ability of individuals to write to external - optical media. -discussion: External writeable media devices must be disabled for users. External - optical media devices can be used to exfiltrate sensitive data if an approved data-loss - prevention (DLP) solution is not installed. -check: $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep - 'BurnSupport' -result: '[''BurnSupport = off;'', '''', ''If the command does not return a line, this - is a finding.'', "If ''BurnSupport'' is set to a value other than ''off'' and is - not documented with the Information System Security Officer (ISSO) as an operational - requirement, this is a finding."]' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000480-GPOS-00227 - disa_stig: - - APPL-12-005053 - cci: - - CCI-000366 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-005054.yml b/rules/stig/APPL-12-005054.yml deleted file mode 100644 index 736a81aa3..000000000 --- a/rules/stig/APPL-12-005054.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable prompts to configure Touch ID. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipTouchIDSetup -result: '[''If the return is not "SkipTouchIDSetup = 1", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005054 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005055.yml b/rules/stig/APPL-12-005055.yml deleted file mode 100644 index 9495925ee..000000000 --- a/rules/stig/APPL-12-005055.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable prompts to configure ScreenTime. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipScreenTime -result: '[''If the return is not "SkipScreenTime = 1", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005055 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-005056.yml b/rules/stig/APPL-12-005056.yml deleted file mode 100644 index 9ef8f5343..000000000 --- a/rules/stig/APPL-12-005056.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to disable promts to configure Unlock with - Watch. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep skipUnlockWithWatch -result: '[''If the return is not "skipUnlockWithWatch = 1", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005056 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005058.yml b/rules/stig/APPL-12-005058.yml deleted file mode 100644 index 23b2b816d..000000000 --- a/rules/stig/APPL-12-005058.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to prevent activity continuation between - Apple Devices. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowActivityContinuation -result: '[''If the return is not "allowActivityContinuation = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005058 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: low diff --git a/rules/stig/APPL-12-005060.yml b/rules/stig/APPL-12-005060.yml deleted file mode 100644 index dd0d07cb5..000000000 --- a/rules/stig/APPL-12-005060.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to prevent password proximity sharing requests - from nearby Apple Devices. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowPasswordProximityRequests -result: '[''If the return is not "allowPasswordProximityRequests = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005060 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium diff --git a/rules/stig/APPL-12-005061.yml b/rules/stig/APPL-12-005061.yml deleted file mode 100644 index 1557dfe5a..000000000 --- a/rules/stig/APPL-12-005061.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -rule_id: MSCP RULE -title: The macOS system must be configured to prevent users from erasing all system - content and settings. -discussion: 'It is detrimental for operating systems to provide, or install by default, - functionality exceeding requirements or mission objectives. These unnecessary capabilities - or services are often overlooked and therefore may remain unsecured. They increase - the risk to the platform by providing additional attack vectors. - - - Operating systems are capable of providing a wide variety of functions and services. - Some of the functions and services, provided by default, may not be necessary to - support essential organizational operations (e.g., key missions, functions). - - - Examples of non-essential capabilities include, but are not limited to, games, software - packages, tools, and demonstration software, not related to requirements or providing - a wide array of functionality not required for every mission, but which cannot be - disabled.' -check: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowEraseContentAndSettings -result: '[''If the return is not "allowEraseContentAndSettings = 0", this is a finding.'']' -fix: This setting is enforced using the "Restrictions Policy" configuration profile. -references: - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - APPL-12-005061 - cci: - - CCI-000381 -macOS: -- '12' -tags: -- stig -severity: medium From dbd0ddaa1e1f93de94f636666f237c8ab92e66fc Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 12:06:09 -0500 Subject: [PATCH 132/193] fixed merge conflict --- .../sysprefs_system_wide_preferences_configure.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 428309b46..4a10f29ab 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml 
+++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -45,13 +45,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 -<<<<<<< HEAD - - cis_lvl1 - - cis_lvl2 - - cisv8 -======= - stig ->>>>>>> dev_mont_stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file From 8bbc370694bfe553c25e3930a9949569cfac0366 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 12:09:21 -0500 Subject: [PATCH 133/193] fixed merge conflict --- .../sysprefs_screensaver_ask_for_password_delay_enforce.yaml | 3 --- rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index be342002c..8fa8a1a49 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -42,13 +42,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 -<<<<<<< HEAD - cis_lvl1 - cis_lvl2 - cisv8 -======= - stig ->>>>>>> dev_mont_stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 4a10f29ab..87d2e1b18 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -45,6 +45,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 - stig severity: "medium" mobileconfig: false From 7848ae57d64bb9118914bcff772df88ce6b9bd6d Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 10 Feb 2022 13:09:19 -0500 Subject: [PATCH 134/193] changed plist510 to 511 --- SCAP/macos-cpe-dictionary.xml | 2 +- SCAP/macos-cpe-oval.xml | 17 ++++++++--------- ...eensaver_ask_for_password_delay_enforce.yaml | 3 --- ...prefs_system_wide_preferences_configure.yaml | 3 +++ 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/SCAP/macos-cpe-dictionary.xml b/SCAP/macos-cpe-dictionary.xml index 2eb9c7b55..7d19a3209 100644 --- a/SCAP/macos-cpe-dictionary.xml +++ b/SCAP/macos-cpe-dictionary.xml @@ -9,7 +9,7 @@ macOS Security Compliance Project 2.3 - 2021-11-16T10:30:56Z + 2022-02-10T12:16:51Z Apple macOS 12.0 diff --git a/SCAP/macos-cpe-oval.xml b/SCAP/macos-cpe-oval.xml index 03e1a5464..c362fd29c 100644 --- a/SCAP/macos-cpe-oval.xml +++ b/SCAP/macos-cpe-oval.xml @@ -4,7 +4,7 @@ macOS Security Compliance Project 5.11.2 - 2021-11-16T10:30:56Z + 2022-02-10T12:16:51Z @@ -28,28 +28,27 @@ - - + - - ProductVersion + /System/Library/CoreServices/SystemVersion.plist - 1 - + //*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text() + macos - + 12.0 - + diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index be342002c..8fa8a1a49 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -42,13 +42,10 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 -<<<<<<< HEAD - cis_lvl1 - cis_lvl2 - cisv8 -======= - stig ->>>>>>> dev_mont_stig severity: "medium" mobileconfig: true mobileconfig_info: diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 4a10f29ab..87d2e1b18 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml 
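Review bot: The new XPath in the macos-cpe-oval.xml hunk, `//*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text()`, is a substring match, so any plist key that merely contains "ProductVersion" (newer SystemVersion.plist files carry a `ProductVersionExtra` key) would also be selected and the object would return more than one value for the platform test. An exact match on the key element, `//key[text()="ProductVersion"]/following-sibling::string[1]/text()`, selects only the intended version string. The element tags of this hunk were stripped in the patch text, so the enclosing plist511 object and the state that compares against `12.0` could not be checked here.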
@@ -45,6 +45,9 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 + - cis_lvl1 + - cis_lvl2 + - cisv8 - stig severity: "medium" mobileconfig: false From 37970264e016819487dae2f197f42f1ebe386faa Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Thu, 10 Feb 2022 13:46:20 -0500 Subject: [PATCH 135/193] fix formatting --- rules/audit/audit_flags_aa_configure.yaml | 1 - rules/audit/audit_flags_ad_configure.yaml | 1 - rules/audit/audit_flags_fd_configure.yaml | 1 - rules/audit/audit_flags_fm_configure.yaml | 2 - rules/audit/audit_flags_fr_configure.yaml | 1 - rules/audit/audit_flags_fw_configure.yaml | 1 - rules/audit/audit_flags_lo_configure.yaml | 1 - .../auth_pam_login_smartcard_enforce.yaml | 11 +++-- rules/auth/auth_pam_su_smartcard_enforce.yaml | 11 +++-- .../auth/auth_pam_sudo_smartcard_enforce.yaml | 11 +++-- rules/auth/auth_smartcard_allow.yaml | 11 +++-- rules/auth/auth_smartcard_enforce.yaml | 11 +++-- ...h_ssh_password_authentication_disable.yaml | 11 +++-- rules/os/os_guest_folder_removed.yaml | 2 + rules/os/os_hbss_installed.yaml | 40 ------------------- ...ate_mode_destroyfvkeyonstandby_enable.yaml | 4 +- rules/os/os_hibernate_mode_enable.yaml | 2 + .../os_system_wide_applications_configure.yml | 4 +- .../pwpolicy_alpha_numeric_enforce.yaml | 2 +- .../pwpolicy_force_password_change.yaml | 2 +- .../pwpolicy_history_enforce_fifteen.yaml | 2 +- .../pwpolicy_minimum_length_enforce.yaml | 2 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 2 +- .../pwpolicy_simple_sequence_disable.yaml | 2 +- .../pwpolicy_special_character_enforce.yaml | 2 +- ...pwpolicy_upper_case_character_enforce.yaml | 2 +- .../sysprefs_airplay_receiver_disable.yaml | 4 +- .../sysprefs/sysprefs_bluetooth_disable.yaml | 11 +++-- ...sprefs_improve_siri_dictation_disable.yaml | 9 +++-- .../sysprefs_screensaver_timeout_enforce.yaml | 2 +- .../sysprefs_time_server_configure.yaml | 4 +- .../sysprefs_time_server_enforce.yaml | 4 +- 32 files changed, 79 insertions(+), 97 deletions(-) delete mode 100644 rules/os/os_hbss_installed.yaml diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 5ffcc2db0..d3cda6618 100644 --- a/rules/audit/audit_flags_aa_configure.yaml 
+++ b/rules/audit/audit_flags_aa_configure.yaml @@ -52,7 +52,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index e3bc1b6cb..a3c50467a 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -73,7 +73,6 @@ tags: - 800-53r5_low - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 1eada0727..63b7a0e3b 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml @@ -58,7 +58,6 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index cf88ec928..9e106c89b 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -55,8 +55,6 @@ macOS: - "12.0" tags: - stig - - cisv8 - - stig severity: "medium" mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 23061b04d..590cb5c7b 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -65,7 +65,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 1a041ba2b..126ce52cf 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -64,7 +64,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false 
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 9c3c6f1be..69842c796 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -53,7 +53,6 @@ tags: - 800-53r5_high - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 9b5c4e4f1..bbd678b6c 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -54,10 +54,13 @@ references: - APPL-12-003050 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 3c0c14c8d..31ea685bb 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -49,10 +49,13 @@ references: - APPL-12-003051 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index a5145cc04..e49ee6fa3 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -48,10 +48,13 @@ references: - APPL-12-003052 800-171r2: - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index e5b1c2391..2be296de1 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml 
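Review bot: Any tooling that still reads `references.cisv8` will silently lose the CIS v8 mapping for the six auth rules whose key is renamed here to `references.cis.v8` (auth_pam_login_smartcard_enforce, auth_pam_su_smartcard_enforce, auth_pam_sudo_smartcard_enforce, auth_smartcard_allow, auth_smartcard_enforce and auth_ssh_password_authentication_disable); the diffstat of this patch lists only rule files, so the generator change must live in another patch and is worth confirming. The `tags:` section of these files is outside the hunk, so whether a stale `cisv8` tag remains there could not be checked. The nesting of `benchmark: - N/A` alongside `v8:` matches the shape the os_* rules use elsewhere in this patch, so the structure itself looks consistent.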
@@ -31,10 +31,13 @@ references: - N/A disa_stig: - N/A - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 29dd047cf..e495dfa23 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -54,10 +54,13 @@ references: - 3.5.1 - 3.5.2 - 3.5.3 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 38a279c70..9615f636b 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -48,10 +48,13 @@ references: - 3.5.2 - 3.5.3 - 3.7.5 - cisv8: - - 6.3 - - 6.4 - - 6.5 + cis: + benchmark: + - N/A + v8: + - 6.3 + - 6.4 + - 6.5 macOS: - "12.0" tags: diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index 4cd6eac80..2ff4efa8b 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -29,6 +29,8 @@ references: cis: benchmark: - 6.1.5 (level 1) + v8: + - N/A macOS: - "12.0" tags: diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml deleted file mode 100644 index 3d7bac6db..000000000 --- a/rules/os/os_hbss_installed.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: os_hbss_installed -title: "Must Use HBSS" -discussion: | - The approved HBSS solution _MUST_ be installed and configured to run. - - The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNET. -check: | - Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved HBSS solution is loaded on the system. - If the installed components of the HBSS solution are not at the DoD approved minimal versions, this is a finding. -fix: | - Install the approved HBSS solution onto the system. -references: - cce: - - CCE-90930-9 - cci: - - CCI-001233 - 800-53r5: - - N/A - 800-53r4: - - SI-2(2) - srg: - - N/A - disa_stig: - - N/A - cis: - benchmark: - - N/A - v8: - - 10.1 - - 10.2 - - 10.6 - - 10.7 -macOS: - - "12.0" -tags: - - manual - - cisv8 -severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 8ac79f732..ad6d129a6 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -28,7 +28,9 @@ references: - N/A cis: benchmark: - - 5.9 (level 2) + - 5.9 (level 2 + v8: + - N/A macOS: - "12.0" tags: diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml index 7d6f130ca..09051844e 100644 --- a/rules/os/os_hibernate_mode_enable.yaml +++ b/rules/os/os_hibernate_mode_enable.yaml @@ -50,6 +50,8 @@ references: cis: benchmark: - 5.9 (level 2) + v8: + - N/A macOS: - "12.0" tags: 
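Review bot: The rewritten benchmark entry in the os_hibernate_mode_destroyfvkeyonstandby_enable hunk loses its closing parenthesis, `- 5.9 (level 2`, while the sibling os_hibernate_mode_enable hunk in the same commit keeps `- 5.9 (level 2)`. The line should read `- 5.9 (level 2)`. The YAML stays valid, so no tooling will catch it; only the generated guide text or an exact-string lookup on the reference would show the mismatch.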
diff --git a/rules/os/os_system_wide_applications_configure.yml b/rules/os/os_system_wide_applications_configure.yml index e02f8e963..8d89da2eb 100644 --- a/rules/os/os_system_wide_applications_configure.yml +++ b/rules/os/os_system_wide_applications_configure.yml @@ -32,8 +32,8 @@ references: cis: benchmark: - 5.1.6 (level 1) - v8: - - 3.3 + v8: + - 3.3 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index e0f9fba13..7f02e63b8 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -41,7 +41,7 @@ references: - 5.2.3 (level 2) - 5.2.4 (level 2) v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index d8ed7bc29..2b45c2703 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -40,7 +40,7 @@ references: benchmark: - N/A v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml index ab498a3cf..fb82453c9 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml @@ -34,7 +34,7 @@ references: benchmark: - 5.2.8 (level 1) v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index d962b8298..f220142e5 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -40,7 +40,7 @@ references: benchmark: - 5.2.2 (level 1) v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: 
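Review bot: The file in the first hunk here is rules/os/os_system_wide_applications_configure.yml, the only rule in this series with a .yml extension, and the hunk only re-indents the existing `v8:` block. If the generator scripts select rule files with a `*.yaml` pattern (not visible on this page), the rule is skipped regardless of the indentation fix; renaming it to `os_system_wide_applications_configure.yaml` in the same commit would remove that uncertainty. Worth confirming before relying on the fix.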
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 6b65849b2..b50a146c4 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -58,7 +58,7 @@ references: benchmark: - N/A v8: - - 4.7 + - 4.7 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index cd3e71acc..9021666f0 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -40,7 +40,7 @@ references: benchmark: - N/A v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 0420fddfb..921432269 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -42,7 +42,7 @@ references: benchmark: - 5.2.5 (level 2) v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index f0b4c4fdb..6a9612530 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -61,7 +61,7 @@ references: benchmark: - 5.2.6 (level 2) v8: - - 5.2 + - 5.2 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index 35ae9f39e..71f27382f 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -35,8 +35,8 @@ references: benchmark: - 2.4.13 (level 1) v8: - - 4.1 - - 4.8 + - 4.1 + - 4.8 macOS: - "12.0" tags: 
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index f36b703f1..a38abecb5 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -35,10 +35,13 @@ references: - APPL-12-002062 800-171r2: - 3.13.8 - cisv8: - - 4.8 - - 12.6 - - 13.9 + cis: + benchmark: + - N/A + v8: + - 4.8 + - 12.6 + - 13.9 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 7ac4493ae..4b9e3025e 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -31,9 +31,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 8ac4110e4..4eada9580 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -10,7 +10,7 @@ check: | .objectForKey('idleTime').js EOS result: - integer: 900 + integer: 1200 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index fbe32281c..25e5cf35c 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -34,8 +34,8 @@ references: cis: benchmark: - 2.2.1 (level 1) - cisv8: - - 8.4 + v8: + - 8.4 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index e49d4e0a5..466b4af0a 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml 
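Review bot: The expected idle time in the sysprefs_screensaver_timeout_enforce hunk moves from `integer: 900` to `integer: 1200`, which relaxes the control from 15 to 20 minutes, yet the commit message does not mention it and the rule's title and discussion lie outside the hunk. Any wording elsewhere in the rule, and the profile the `fix` refers to, that still states 15 minutes should change in the same commit so the guide and the check agree. Because the result is an exact match, a device configured with a stricter 900-second timeout is now reported as a finding; if the intent is an upper bound, stating that in the discussion (and, where the result format allows it, comparing as a maximum) would express it better.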
@@ -34,8 +34,8 @@ references: cis: benchmark: - 2.2.1 (level 1) - cisv8: - - 8.4 + v8: + - 8.4 macOS: - "12.0" tags: From 184c81af9d8c344a63d3ff7cb5cde9658efa52cc Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 10 Feb 2022 13:49:41 -0500 Subject: [PATCH 136/193] fixed missing : --- rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 4b9e3025e..26c78f689 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -31,7 +31,7 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cis + cis: benchmark: - N/A v8: From 531273e84d19136b4b458e8b87ba8ba00331ac56 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 16:26:08 -0500 Subject: [PATCH 137/193] adjusted check --- rules/audit/audit_acls_files_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 9d686564a..81f1a55db 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -5,7 +5,7 @@ discussion: | This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. check: | - /bin/ls -le $(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control) | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" + /bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" result: integer: 0 fix: | From 6a9dd90d62fe7f7ea0c7665ceb00ed9d62ab6b73 Mon Sep 17 00:00:00 2001 
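Review bot: In the audit_acls_files_configure hunk the audit directory reaches `ls -le` through an unquoted `$(...)`, so when `/usr/bin/grep '^dir'` matches nothing the substitution is empty, `ls -le` lists the current working directory, and the `grep -c ":"` count of 0 reads as a pass. The replaced `awk -F: '/^dir/{print $2}'` form had the same gap, so the rewrite is equivalent rather than a fix. Quoting the substitution and folding stderr into the pipeline, `/bin/ls -le "$(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')" 2>&1 | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"`, makes a missing or unreadable directory count as a finding because the error text contains a colon; confirm the expected 0 still holds on a correctly configured system.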
From: Bob Gendler Date: Thu, 10 Feb 2022 16:26:54 -0500 Subject: [PATCH 138/193] updates to generate_oval for audit --- scripts/generate_oval.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 1b6de9c4e..6e63dba9e 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -1266,8 +1266,10 @@ def main(): '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) if modifier == 0: modifier = 4999 + x = x + 1 continue - except: + except: + x = x + 1 continue @@ -1570,7 +1572,7 @@ def main(): {} '''.format(x,rule_yaml['id'],path.rstrip()) - + x += 1 continue @@ -1611,26 +1613,25 @@ def main(): '''.format(x,rule_yaml['id'],x+2999,rule_yaml['id']) x = x + 1 continue - + s = rule_yaml['check'] config_file = str() oval_variable_need = bool() - if "grep" in s.split()[3]: + if "grep" in s.split()[2]: + oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) substring = grep_search.split("|")[0] regex = re.search('\'(.*?)\'', substring).group(1) - + try: regex = re.search('/(.*?)/', regex).group(1) except: regex = regex - config_file = substring = grep_search.split("|")[0].split()[-1] - - + config_file = substring = grep_search.split("|")[0].split()[-1] oval_object = oval_object + ''' @@ -1648,7 +1649,6 @@ def main(): else: oval_variable_need = False config_file = s.split()[2] - s = rule_yaml['fix'] From 69b943fb1a02de5fa53d38f6d846d320115cb611 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 10 Feb 2022 16:29:24 -0500 Subject: [PATCH 139/193] fixed check --- rules/audit/audit_flags_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml index 99790ba3f..bd18655d6 100644 --- a/rules/audit/audit_flags_configure.yaml +++ b/rules/audit/audit_flags_configure.yaml 
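Review bot: The `except:` at the end of the first generate_oval.py hunk (around line 1266) stays bare while gaining `x = x + 1`, so it still swallows every exception including KeyboardInterrupt and SystemExit and hides whatever actually failed in the try body, which starts outside the hunk. At minimum `except Exception:` is warranted, and naming the type the try guards against (presumably a KeyError on `rule_yaml`, inferred from the `.format(rule_yaml['id'], ...)` line above) would be clearer still. The later hunk around line 1629 has the same bare `except:` with the no-op body `regex = regex`; since `re.search(...).group(1)` raises AttributeError when the pattern does not match, `except AttributeError: pass` states the intent. main() continues on both sides of every hunk in this file.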
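Review bot: The new condition `if "grep" in s.split()[2]:` in the hunk around line 1616 indexes the check string's third token without a length guard, and the following `re.search('\((.*?)\)', s).group(1)` assumes a parenthesised group exists, so a rule whose check has fewer than three tokens or no parentheses raises IndexError or AttributeError inside main() instead of reaching the else branch that sets `oval_variable_need = False`. The index change from 3 to 2 is presumably deliberate for the reshaped `grep '^dir' ...` checks, but which token is meant should be recorded, e.g. `# token 2 is the first command after the path and its flags — verify against the rule check layout`. The pattern literal is also a non-raw string; `r'\((.*?)\)'` avoids the invalid-escape warning. main() starts and ends outside the hunk.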
@@ -3,7 +3,7 @@ title: "Configure Audit Flags" discussion: | The auditing system _MUST_ be configured with at least the minimal flags of fm, ad, -ex, aa, -fr, lo, and -fw. check: | - /usr/bin/sed -n 's/^flags://p' test_file | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw' + /usr/bin/sed -n 's/^flags://p' /etc/security/audit_control | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw' result: integer: 1 fix: | From 744a122df6ce69494da5b94575e1c64c10997c73 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 17:21:53 -0500 Subject: [PATCH 140/193] added |. fix for compliance script generation --- rules/os/os_calendar_app_disable.yaml | 4 ++-- rules/os/os_facetime_app_disable.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index 49abd9570..bce3f3bc5 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -7,7 +7,7 @@ discussion: | ==== Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== -check: +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ @@ -23,7 +23,7 @@ check: } EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index ce1f64248..eec0dadf7 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml 
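Review bot: The corrected check in the audit_flags_configure hunk still matches the flags as one fixed, order-dependent substring, `'fm,ad,\-ex,aa,\-fr,lo,\-fw'`, while the discussion two lines above says the system must have at least these flags. A compliant `flags:` line that lists the same flags in another order, or with extra flags interleaved between them, is reported as a finding. Testing each flag individually, e.g. `/usr/bin/awk -F: '/^flags/{print $2}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^(fm|ad|-ex|aa|-fr|lo|-fw)$'` with `result: integer: 7`, expresses the minimal-set requirement. The path fix from the leftover `test_file` is itself correct.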
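Review bot: The expected result in the os_calendar_app_disable hunk becomes `string: "false"`, but the JXA function that produces it lies outside the hunk, and the parallel rule changed the same way here, os_facetime_app_disable, is flipped to `string: "true"` by the later commit "fixed jxa" on this page, whose file list does not include the calendar rule. If the calendar function follows the same return convention as the facetime, mail and messages checks, `"false"` would make a correctly configured system a finding; confirm the expected value against the function body. The `check:` to `check: |` fix is right, since the multi-line osascript body needs the literal block indicator.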
@@ -20,7 +20,7 @@ check: | } EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: From b4e9ccce5ae0729e105ac682999099813bab96b2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:33:11 -0500 Subject: [PATCH 141/193] fixed jxa --- rules/os/os_blank_bluray_disable.yaml | 7 +++++-- rules/os/os_blank_cd_disable.yaml | 7 +++++-- rules/os/os_blank_dvd_disable.yaml | 7 +++++-- rules/os/os_bluray_read_only_enforce.yaml | 7 +++++-- rules/os/os_cd_read_only_enforce.yaml | 7 +++++-- rules/os/os_disk_image_disable.yaml | 7 +++++-- rules/os/os_dvdram_disable.yaml | 7 +++++-- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 14 +++++++------- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_removable_media_disable.yaml | 6 +++--- rules/os/os_user_app_installation_prohibit.yaml | 2 +- 13 files changed, 49 insertions(+), 28 deletions(-) diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index c757def12..1df7c5216 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankbd' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["blankbd"] + EOS result: - integer: 1 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: 
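Review bot: The new JXA check in the os_blank_bluray_disable hunk indexes the unwrapped dictionary directly, `ObjC.unwrap(...objectForKey('mount-controls'))["blankbd"]`, so on a machine where `mount-controls` is not managed at all `objectForKey` returns nil and the index expression presumably throws rather than yielding a value that simply fails to equal `"deny,eject"`; the rule still ends up non-compliant, but via a script error on stderr instead of a clean mismatch. Binding the dictionary first and returning a sentinel, `mc ? mc["blankbd"] : "unset"`, gives the compliance script a deterministic string. The expected `string: "deny,eject"` is also an exact match on the array's printed form, so a profile listing the same two actions in the other order would presumably be a finding — worth confirming against how osascript prints the array. The same pattern is used by os_blank_cd_disable, os_blank_dvd_disable, os_bluray_read_only_enforce, os_cd_read_only_enforce, os_disk_image_disable, os_dvdram_disable and os_removable_media_disable in this commit.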
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 09418dde2..53ad31f6b 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankcd' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["blankcd"] + EOS result: - integer: 1 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 3de083f6d..8d04d5569 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'blankdvd' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["blankdvd"] + EOS result: - integer: 1 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: 
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index 0df8d9863..a4cca50f1 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep ' bd =' -A1 | /usr/bin/grep -Ec "read-only" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["bd"] + EOS result: - integer: 1 + string: "read-only" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index cb912cf71..cd81757a8 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep ' cd =' -A1 | /usr/bin/grep -Ec "read-only" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["cd"] + EOS result: - integer: 1 + string: "read-only" fix: | This is implemented by a Configuration Profile. references: 
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index 96b0c31d8..bc1581d26 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'disk-image' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["disk-image"] + EOS result: - integer: 1 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index 790ba4b42..803bdd098 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -8,9 +8,12 @@ discussion: | Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep 'dvdram' -A3 | /usr/bin/grep -Ec "eject|alert" + /usr/bin/osascript -l JavaScript << EOS + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["dvdram"] + EOS result: - integer: 1 + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: 
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index eec0dadf7..b9b3feb65 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -20,7 +20,7 @@ check: | } EOS result: - string: "false" + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 1c1546f17..bc2d26cff 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -9,15 +9,15 @@ discussion: | check: | osascript -l JavaScript << EOS function run() { - let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ - .objectForKey('EnableLogging').js - let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ - .objectForKey('LoggingOption').js - if ( pref1 == true && pref2 == "detail" ){ + let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('EnableLogging').js + let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ + .objectForKey('LoggingOption').js + if ( pref1 == true && pref2 == "detail" ){ return("true") - } else { + } else { return("false") - } + } } EOS result: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 47d67e7a3..215630ad4 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -25,7 +25,7 @@ check: | } EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 7f59b1632..fb62287c9 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -20,7 +20,7 @@ check: | } EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: 
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 391f7ebcc..f78441659 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -11,11 +11,11 @@ discussion: | ==== check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ - .objectForKey('mount-controls').js + ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ + .objectForKey('mount-controls'))["harddisk-external"] EOS result: - string: "harddisk-external:deny" + string: "deny,eject" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 34d384fa0..36a119b3e 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -20,7 +20,7 @@ check: | } EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: From d4ca661752d239ea1daa507d8e10486cc7a8c966 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:33:37 -0500 Subject: [PATCH 142/193] reverted to spctl check --- .../sysprefs_gatekeeper_identified_developers_allowed.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index a16f7c5b4..1a82d75b6 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml 
@@ -5,10 +5,7 @@ discussion: | Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party. check: | - /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\ - .objectForKey('AllowIdentifiedDevelopers').js - EOS + /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" result: integer: 1 fix: | From 4304bad769352f385ec04da627cb7c0dd62b4bce Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:33:55 -0500 Subject: [PATCH 143/193] fixed result --- .../sysprefs_loginwindow_prompt_username_password_enforce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index f16d4c7f2..b520ee352 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -10,7 +10,7 @@ check: | .objectForKey('SHOWFULLNAME').js EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: From 27e9b8645f352745a2e0148633f6fc131c0c2c17 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:34:11 -0500 Subject: [PATCH 144/193] formated jxa better --- .../sysprefs_media_sharing_disabled.yaml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) 
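Review bot: The reverted check in the sysprefs_gatekeeper_identified_developers_allowed hunk greps `spctl --status --verbose` for the substring "developer id enabled", which is human-readable output rather than a stable interface and, from what is visible, does not establish that assessments themselves are on — that line is presumably still printed when Gatekeeper is disabled. If no sibling rule covers the `assessments enabled` state, the check should require both, e.g. `/usr/sbin/spctl --status --verbose | /usr/bin/grep -Ec "assessments enabled|developer id enabled"` with `result: integer: 2`. The commit message gives no reason for moving away from the managed-preference read; a sentence in the discussion explaining why the live `spctl` state is preferred would help the next maintainer.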
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index 5b050a79c..810f17d75 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -11,17 +11,17 @@ discussion: | check: | osascript -l JavaScript << EOS function run() { - let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ - .objectForKey('homeSharingUIStatus')) - let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ - .objectForKey('legacySharingUIStatus')) - let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ - .objectForKey('mediaSharingUIStatus')) - if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) { - return("true") - } else { - return("false") - } + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('homeSharingUIStatus')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('legacySharingUIStatus')) + let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ + .objectForKey('mediaSharingUIStatus')) + if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) { + return("true") + } else { + return("false") + } } EOS result: From ad03fffee0ea89cc14c0dda6acabb8b00a117b93 Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 10 Feb 2022 20:47:25 -0500 Subject: [PATCH 145/193] checks updated to jxa checks --- rules/os/os_erase_content_and_settings_disable.yaml | 7 +++++-- rules/os/os_skip_screen_time_prompt_enable.yaml | 7 +++++-- .../pwpolicy/pwpolicy_account_lockout_enforce_five.yaml | 7 +++++-- rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml | 7 +++++-- rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml | 7 +++++-- .../sysprefs/sysprefs_install_macos_updates_enforce.yaml | 7 +++++-- .../sysprefs_loginwindow_loginwindowtext_enable.yaml | 9 ++++++--- .../sysprefs_software_update_app_update_enforce.yaml | 7 +++++-- .../sysprefs_software_update_download_enforce.yaml | 7 +++++-- rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 7 +++++-- 10 files changed, 51 insertions(+), 21 deletions(-) diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index 2c2b0c493..89e54d1b0 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -3,9 +3,12 @@ title: "Disable Erase Content and Settings" discussion: Erase Content and Settings _MUST_ be disabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowEraseContentAndSettings = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowEraseContentAndSettings').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index 7e656ade3..b6e27de3d 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml 
@@ -3,9 +3,12 @@ title: "Disable Screen Time Prompt During Setup Assistant" discussion: The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipScreenTime = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipScreenTime').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml index 04c3fcb2c..f16a0e60c 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml @@ -5,9 +5,12 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 5' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('maxFailedAttempts').js + EOS result: - integer: 1 + integer: 5 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml index fb82453c9..04c02ae84 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml 
@@ -6,8 +6,11 @@ discussion: | This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. -check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('pinHistory').js + EOS result: integer: 15 fix: | diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml index 1e277bd0f..280e3c572 100644 --- a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -3,9 +3,12 @@ title: "Enable Bluetooth Menu" discussion: | The bluetooth menu _MUST_ be enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'Bluetooth = 18' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ + .objectForKey('Bluetooth').js + EOS result: - integer: 1 + integer: 18 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml index 5431ec753..bc7437d75 100644 --- a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml 
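Review bot: The expected value `integer: 18` in the sysprefs_bluetooth_menu_enable hunk is an unexplained magic number; nothing in the rule says what 18 denotes for the `Bluetooth` key in `com.apple.controlcenter`, and the discussion line `The bluetooth menu _MUST_ be enabled.` is the only context. A sentence in the discussion such as `The Control Center value 18 corresponds to the Bluetooth item being shown in the menu bar; other values denote different visibility states.` would make the check reviewable, once the mapping is confirmed against the Control Center payload reference. It is also worth confirming whether any other value means "shown", since the exact match would then be too strict.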
@@ -3,9 +3,12 @@ title: "Enforce macOS Updates are Automatically Installed" discussion: | Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallMacOSUpdates = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticallyInstallMacOSUpdates').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml index 5adda5a17..2072084d6 100644 --- a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml @@ -3,9 +3,12 @@ title: "Configure Login Window to Show A Custom Message" discussion: | The login window _MUST_ be configured to show a custom access warning message. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'LoginwindowText' -result: - integer: 1 + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ + .objectForKey('LoginwindowText').js + EOS +result: + string: "Approved message goes here" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml index edb6e8584..42be3ad58 100644 --- a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml 
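Review bot: The expected `result: string: "Approved message goes here"` is a placeholder, so on any real deployment where the banner carries the organisation's own wording the new check returns the deployed text and the comparison fails (or passes only if the placeholder itself is deployed), whereas the removed grep only tested that `LoginwindowText` was set. Unless the project substitutes the expected text at generation time, the check should emit a value that depends only on presence, for example `Boolean($.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow').objectForKey('LoginwindowText').js)` with `result: string: "true"`, matching the `"true"` convention used by the other rules in this commit; `.js` on a missing key should give `undefined`, making the wrapped value `false`, but that is worth confirming on a machine without the profile. If the placeholder is intentional, the `discussion:` should say so and explain how it is customised.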
@@ -3,9 +3,12 @@ title: "Enforce Software Update App Update Updates Automatically" discussion: | Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallAppUpdates = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ + .objectForKey('AutomaticallyInstallAppUpdates').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index 5691d7cd1..3efb8246b 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -3,9 +3,12 @@ title: "Enforce Software Update Downloads Updates Automatically" discussion: | Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticDownload = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.SoftwareUpdate')\ + .objectForKey('AutomaticDownload').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml index c016e63f5..5ae623ee4 100644 --- a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml 
@@ -3,9 +3,12 @@ title: "Enable Wifi Menu" discussion: | The WiFi menu _MUST_ be enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WiFi = 18' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ + .objectForKey('WiFi').js + EOS result: - integer: 1 + integer: 18 fix: | This is implemented by a Configuration Profile. references: From 71f5c0393a459bffa34d1d5116fd9a1c6acd0ba1 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:53:28 -0500 Subject: [PATCH 146/193] Fix for bug issue #107 --- rules/os/os_directory_services_configured.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index 426adf373..bffc50ec2 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -5,7 +5,7 @@ discussion: | A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | - /usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)'; /bin/echo $? + /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: integer: 0 fix: | From 73cdfe252a52603a8e9915db96f61267b2357791 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:59:47 -0500 Subject: [PATCH 147/193] fixed result --- rules/os/os_gatekeeper_enable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index 88375fc48..b80152fa6 100644 --- a/rules/os/os_gatekeeper_enable.yaml 
+++ b/rules/os/os_gatekeeper_enable.yaml @@ -9,7 +9,7 @@ discussion: | check: | /usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled" result: - string: "true" + integer: 1 fix: | [source,bash] ---- From f9bb11a36605e3051a0f2266362cade807447bb3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 21:11:56 -0500 Subject: [PATCH 148/193] fixed check to prevent false passes --- rules/sysprefs/sysprefs_softwareupdate_current.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml index 0afffc370..2bfe1b782 100644 --- a/rules/sysprefs/sysprefs_softwareupdate_current.yaml +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml @@ -7,8 +7,8 @@ discussion: | check: | softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s") thirty_days_epoch=$(/bin/date -v -30d "+%s") - if [[ $softwareupdate_date_epoch -gt $thirty_days_epoch ]]; then - /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastUpdatesAvailable + if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then + /bin/echo "0" else /bin/echo "1" fi From 23939435e6378c19c306e7c5fb193da572d59b64 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 21:19:57 -0500 Subject: [PATCH 149/193] removed duplicate cci and srg reference --- rules/os/os_password_sharing_disable.yaml | 6 +----- rules/os/os_unlock_active_user_session_disable.yaml | 2 -- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 5d4ee772d..39724307b 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml 
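Review bot: The rewritten branch only verifies that `LastFullSuccessfulDate` falls within the last 30 days; it no longer reads `LastUpdatesAvailable`, so a system that checked recently but still has pending updates is now reported as compliant, which is a weaker property than the rule name suggests (the `discussion:` and `result:` lines are outside this hunk, so I cannot confirm the expected value). If the intent is "checked recently and nothing pending", the else branch should still consult the key, e.g. `[[ $(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastUpdatesAvailable 2>/dev/null) -eq 0 ]] && /bin/echo "1" || /bin/echo "0"`; otherwise the discussion should state explicitly that only check recency is assessed. Note that when `LastFullSuccessfulDate` is missing, `date -j -f` fails and `softwareupdate_date_epoch` is empty, which `[[ ... -lt ... ]]` evaluates as 0, so the check fails closed; a comment `# empty date (never checked) compares as 0 and therefore fails` would make that deliberate rather than accidental.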
@@ -20,13 +20,9 @@ references: - IA-5 800-53r4: - IA-5 - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - N/A srg: - N/A - cci: + disa_stig: - N/A 800-171r2: - 3.5.1 diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 3cefa9d86..06b217ca5 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -28,8 +28,6 @@ references: - N/A srg: - N/A - cci: - - N/A 800-171r2: - 3.5.1 - 3.5.2 From 40bc3d55e5d58d4634057740ad15b9e573af6811 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 11 Feb 2022 14:58:54 -0500 Subject: [PATCH 150/193] fixed payload --- rules/sysprefs/sysprefs_software_update_download_enforce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index 3efb8246b..a15327f96 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -4,7 +4,7 @@ discussion: | Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.SoftwareUpdate')\ + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('AutomaticDownload').js EOS result: From 765d15ea2e7bab8a4e033f59a8961f74a1e1a009 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 11 Feb 2022 15:01:05 -0500 Subject: [PATCH 151/193] fixed formatting --- rules/os/os_install_log_retention_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 5158f4b63..9c67c2b4d 100644 --- a/rules/os/os_install_log_retention_configure.yaml 
+++ b/rules/os/os_install_log_retention_configure.yaml @@ -5,7 +5,7 @@ discussion: | check: | /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count==1 && ttl="True" && max != "True") { print "Yes" } else { print "No" }}' result: - string: Yes + string: "Yes" fix: | [source,bash] ---- From cb9c0415530d5e65974172d3b47da2949318fd47 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Tue, 15 Feb 2022 21:06:17 -0500 Subject: [PATCH 152/193] #106 --- includes/pwpolicy.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/pwpolicy.xml b/includes/pwpolicy.xml index 85d900484..3e59a98c8 100644 --- a/includes/pwpolicy.xml +++ b/includes/pwpolicy.xml @@ -102,9 +102,9 @@ policyContent - policyAttributePassword matches '(.*[A-Z].*){1,}+' + policyAttributePassword matches '(.*[A-Za-z].*){1,}+' policyIdentifier - Must have at least 1 uppercase letter + Must have at least 1 Letter policyParameters minimumAlphaCharacters From 9db9519e5458a59b02ecbf376ca0585b8b32342c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 17 Feb 2022 16:01:28 -0500 Subject: [PATCH 153/193] fixed baselines --- baselines/all_rules.yaml | 6 ------ baselines/cnssi-1253.yaml | 7 ------- 2 files changed, 13 deletions(-) diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 9a272623b..888d6c139 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -8,12 +8,6 @@ authors: | |Allen Golbig|Jamf |=== title: "macOS 12.0: Security Configuration - all_rules" -description: | - This guide describes the actions to take when securing a macOS 12.0 system against the all_rules baseline. -authors: | - |=== - |Name|Organization - |=== profile: - section: "authentication" rules: 
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index a43e01e1d..43a1cc715 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -7,13 +7,6 @@ authors: | |Ekkehard Koch| |Bob Gendler|National Institute of Standards and Technology |=== -title: "macOS 12.0: Security Configuration - cnssi-1253" -description: | - This guide describes the actions to take when securing a macOS 12.0 system against the cnssi-1253 baseline. -authors: | - |=== - |Name|Organization - |=== profile: - section: "authentication" rules: From 899818d9f4565c499e2a1dd31a0195cfa8f35602 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Thu, 17 Feb 2022 16:09:19 -0500 Subject: [PATCH 154/193] updated CIS refs --- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml | 2 +- rules/sysprefs/sysprefs_ssh_disable.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index ad6d129a6..1d22cc113 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -28,7 +28,7 @@ references: - N/A cis: benchmark: - - 5.9 (level 2 + - 5.9 (level 2) v8: - N/A macOS: diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 1df7461e5..62b715b8a 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -42,7 +42,7 @@ references: - 3.13.5 cis: benchmark: - - 2.5.2.3 + - 2.5.2.3 (level 1) v8: - 4.1 - 4.5 diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index bfac6aa48..aa2925f51 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml 
@@ -46,7 +46,7 @@ references: - 3.4.6 cis: benchmark: - - 2.4.5 + - 2.4.5 (level 1) v8: - 4.1 - 4.8 From 58eda423eea9dae993f6c4ce17a9f43272e740a0 Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Fri, 18 Feb 2022 12:50:50 -0500 Subject: [PATCH 155/193] Fixed CIS reference --- rules/os/os_sip_enable.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index f63c4a99c..c9145f9be 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -81,7 +81,7 @@ references: - 3.13.4 cis: benchmark: - - 5.1.2 + - 5.18 (level 1) v8: - 2.6 - 3.3 @@ -98,6 +98,8 @@ tags: - 800-171 - cnssi-1253 - cisv8 + - cis_lvl1 + - cis_lvl2 - stig severity: "medium" mobileconfig: false From 313b5c786f7e74f0686a61c6f31e47ce3d261d4f Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Wed, 23 Feb 2022 09:23:39 -0500 Subject: [PATCH 156/193] Fixes for #121 --- rules/audit/audit_flags_configure.yaml | 2 +- rules/os/os_install_log_retention_configure.yaml | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml index bd18655d6..7bedd24bf 100644 --- a/rules/audit/audit_flags_configure.yaml +++ b/rules/audit/audit_flags_configure.yaml @@ -9,7 +9,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/sed -i '' 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control; /usr/sbin/audit -s ---- NOTE: NOTE: This fix will replace the contents of the flags: line in `/etc/security/audit_control`, if you have customized the flags, your changes may be overwritten. diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 9c67c2b4d..af2d7ecf6 100644 --- a/rules/os/os_install_log_retention_configure.yaml 
+++ b/rules/os/os_install_log_retention_configure.yaml @@ -3,14 +3,16 @@ title: "Configure Install.log Retention to 365 Days or More" discussion: | The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. check: | - /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count==1 && ttl="True" && max != "True") { print "Yes" } else { print "No" }}' + /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' result: string: "Yes" fix: | [source,bash] ---- - /usr/bin/sed -i.bak "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" + /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install ---- + + NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: cce: - N/A From 5d86711348a7d3644d814222afd08e24e05e57fc Mon Sep 17 00:00:00 2001 
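Review bot: The awk in the new `check:` iterates fields with `for (i=1;i<=NR;i++)`, i.e. bounded by the record counter rather than the field count, so on early lines fields beyond the current line number are never inspected and `TTL`/`MAX` can be missed, while on later lines `$i` is evaluated for many non-existent fields; this should be `for (i=1;i<=NF;i++)`. The rewrite does fix the earlier `ttl="True"` assignment-in-condition by comparing with `ttl != "True"`, which is the right change. Two smaller points: `$(i+2) >= 365` assumes a fixed token offset after `TTL` in `aslmanager -dd` output that I cannot confirm from here, and the `fix:` writes `file_max=50M` while the check rejects any `MAX` setting — if those refer to the same knob the fix produces a configuration the check then flags, so the added NOTE should clarify which of `file_max`/`all_max` the "Max Size" failure refers to.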
From: Allen Golbig Date: Tue, 1 Mar 2022 10:01:19 -0500 Subject: [PATCH 157/193] fixed formatting --- rules/audit/audit_off_load_records.yaml | 8 ++++++-- rules/icloud/icloud_reminders_disable.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/sysprefs/sysprefs_find_my_disable.yaml | 11 +++++++---- .../sysprefs/sysprefs_location_services_disable.yaml | 3 --- rules/sysprefs/sysprefs_siri_disable.yaml | 9 ++++++--- rules/sysprefs/sysprefs_wifi_disable.yaml | 9 ++++++--- 7 files changed, 27 insertions(+), 17 deletions(-) diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index f3ff739f8..8edbfbde6 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -23,11 +23,15 @@ references: - N/A srg: - N/A - cisv8: - - 8.9 + cis: + benchmark: + - N/A + v8: + - 8.9 macOS: - "12.0" tags: - permanent + - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index ea177421b..3e44c5c7e 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - cisv8: + v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 57ade8611..d1dfda343 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - cisv8: + v8: - 4.1 - 4.8 - 12.6 diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 7b8ec21b7..853a0c0f4 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -46,10 +46,13 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 - - 15.3 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 + - 15.3 macOS: - "12.0" tags: 
diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index f6ebb0c6e..8a274ae0f 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml +++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -31,8 +31,6 @@ references: - APPL-12-002004 800-171r2: - 3.4.6 - cisv8: - - N/A macOS: - "12.0" tags: @@ -44,7 +42,6 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 - - cisv8 - stig severity: "medium" mobileconfig: false diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index eed97dce9..b4f1be6da 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -36,9 +36,12 @@ references: 800-171r2: - 3.1.20 - 3.4.6 - cisv8: - - 4.1 - - 4.8 + cis: + benchmark: + - N/A + v8: + - 4.1 + - 4.8 macOS: - "12.0" tags: diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 3c5ea7b09..da7d6cf58 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -36,9 +36,12 @@ references: - N/A 800-171r2: - N/A - cisv8: - - 4.2 - - 12.6 + cis: + benchmark: + - N/A + v8: + - 4.2 + - 12.6 macOS: - "12.0" tags: From daa02e1cab37ff3ef5bafd58633a94edf9d697fb Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 1 Mar 2022 16:08:27 -0500 Subject: [PATCH 158/193] update cis document --- templates/adoc_additional_docs.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 2776e437b..cb0754999 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc 
@@ -57,5 +57,5 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 11.0]|_CIS Apple macOS 11.0 Benchmark version 1.2.0_ +|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 1.0_ |=== \ No newline at end of file From 169284e103bd1df31a2aff7d4fb6e60061d1d0e2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 1 Mar 2022 16:44:51 -0500 Subject: [PATCH 159/193] updated version.yaml --- VERSION.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION.yaml b/VERSION.yaml index fdc260cb7..da1354390 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,4 +1,4 @@ os: "12.0" -version: "Monterey Guidance, Revision 1" +version: "Monterey Guidance, Revision 2" cpe: o:apple:macos:12.0 -date: "2021-10-20" +date: "XXXX-XX-XX" From 79bcc0e847d931a8488ba63fe0fb7dcf044e4a4e Mon Sep 17 00:00:00 2001 
From: Allen Golbig Date: Fri, 4 Mar 2022 11:35:09 -0500 Subject: [PATCH 160/193] fixed v8 verbiage --- rules/audit/audit_acls_files_configure.yaml | 2 +- rules/audit/audit_acls_folders_configure.yaml | 2 +- rules/audit/audit_auditd_enabled.yaml | 2 +- rules/audit/audit_control_acls_configure.yaml | 2 +- rules/audit/audit_control_group_configure.yaml | 2 +- rules/audit/audit_control_mode_configure.yaml | 2 +- rules/audit/audit_control_owner_configure.yaml | 2 +- rules/audit/audit_files_group_configure.yaml | 2 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 2 +- rules/audit/audit_flags_configure.yaml | 2 +- rules/audit/audit_folder_group_configure.yaml | 2 +- rules/audit/audit_folder_owner_configure.yaml | 2 +- rules/audit/audit_folders_mode_configure.yaml | 2 +- rules/audit/audit_off_load_records.yaml | 2 +- rules/audit/audit_retention_configure.yaml | 2 +- .../audit_retention_configure_sixty_days.yaml | 2 +- rules/auth/auth_pam_login_smartcard_enforce.yaml | 2 +- rules/auth/auth_pam_su_smartcard_enforce.yaml | 2 +- rules/auth/auth_pam_sudo_smartcard_enforce.yaml | 2 +- rules/auth/auth_smartcard_allow.yaml | 2 +- rules/auth/auth_smartcard_enforce.yaml | 2 +- ...auth_ssh_password_authentication_disable.yaml | 2 +- rules/icloud/icloud_addressbook_disable.yaml | 2 +- .../icloud/icloud_appleid_prefpane_disable.yaml | 2 +- rules/icloud/icloud_bookmarks_disable.yaml | 2 +- rules/icloud/icloud_calendar_disable.yaml | 2 +- rules/icloud/icloud_drive_disable.yaml | 2 +- rules/icloud/icloud_keychain_disable.yaml | 2 +- rules/icloud/icloud_mail_disable.yaml | 2 +- rules/icloud/icloud_notes_disable.yaml | 2 +- rules/icloud/icloud_photos_disable.yaml | 2 +- rules/icloud/icloud_private_relay_disable.yaml | 2 +- rules/icloud/icloud_reminders_disable.yaml | 2 +- rules/icloud/icloud_sync_disable.yaml | 2 +- rules/os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_airdrop_disable.yaml | 2 +- 
rules/os/os_appleid_prompt_disable.yaml | 2 +- rules/os/os_auth_peripherals.yaml | 2 +- rules/os/os_authenticated_root_enable.yaml | 2 +- rules/os/os_bonjour_disable.yaml | 2 +- rules/os/os_calendar_app_disable.yaml | 2 +- rules/os/os_config_data_install_enforce.yaml | 2 +- rules/os/os_directory_services_configured.yaml | 2 +- rules/os/os_efi_integrity_validated.yaml | 2 +- rules/os/os_facetime_app_disable.yaml | 2 +- rules/os/os_filevault_autologin_disable.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_gatekeeper_enable.yaml | 2 +- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_handoff_disable.yaml | 2 +- ...ernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 2 +- rules/os/os_home_folders_secure.yaml | 2 +- rules/os/os_httpd_disable.yaml | 2 +- rules/os/os_icloud_storage_prompt_disable.yaml | 2 +- rules/os/os_install_log_retention_configure.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/os/os_library_validation_enabled.yaml | 2 +- rules/os/os_logical_access.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_malicious_code_prevention.yaml | 2 +- rules/os/os_mdm_require.yaml | 2 +- rules/os/os_messages_app_disable.yaml | 2 +- rules/os/os_mfa_network_access.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- rules/os/os_nfsd_disable.yaml | 2 +- rules/os/os_obscure_password.yaml | 2 +- rules/os/os_parental_controls_enable.yaml | 2 +- rules/os/os_password_autofill_disable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 2 +- rules/os/os_password_proximity_disable.yaml | 2 +- rules/os/os_password_sharing_disable.yaml | 2 +- .../os/os_policy_banner_loginwindow_enforce.yaml | 2 +- rules/os/os_privacy_setup_prompt_disable.yaml | 2 +- rules/os/os_root_disable.yaml | 2 +- .../os_safari_open_safe_downloads_disable.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_show_filename_extensions_enable.yaml 
| 2 +- rules/os/os_sip_enable.yaml | 2 +- rules/os/os_siri_prompt_disable.yaml | 2 +- rules/os/os_skip_unlock_with_watch_enable.yaml | 2 +- rules/os/os_store_encrypted_passwords.yaml | 2 +- rules/os/os_sudo_timeout_configure.yaml | 2 +- .../os/os_sudoers_timestamp_type_configure.yaml | 2 +- rules/os/os_sudoers_tty_configure.yaml | 2 +- .../os/os_system_wide_applications_configure.yml | 2 +- rules/os/os_terminal_secure_keyboard_enable.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 2 +- rules/os/os_time_offset_limit_configure.yaml | 2 +- rules/os/os_time_server_enabled.yaml | 2 +- rules/os/os_touchid_prompt_disable.yaml | 2 +- rules/os/os_unique_identification.yaml | 2 +- .../os_unlock_active_user_session_disable.yaml | 2 +- rules/os/os_uucp_disable.yaml | 2 +- ...s_world_writable_library_folder_configure.yml | 2 +- ...os_world_writable_system_folder_configure.yml | 2 +- rules/pwpolicy/pwpolicy_60_day_enforce.yaml | 2 +- .../pwpolicy_account_inactivity_enforce.yaml | 2 +- .../pwpolicy_account_lockout_enforce.yaml | 2 +- .../pwpolicy_account_lockout_enforce_five.yaml | 2 +- ...pwpolicy_account_lockout_timeout_enforce.yaml | 2 +- .../pwpolicy/pwpolicy_alpha_numeric_enforce.yaml | 2 +- .../pwpolicy/pwpolicy_force_password_change.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 2 +- .../pwpolicy_history_enforce_fifteen.yaml | 2 +- .../pwpolicy_lower_case_character_enforce.yaml | 2 +- .../pwpolicy_minimum_length_enforce.yaml | 2 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 2 +- .../pwpolicy_simple_sequence_disable.yaml | 2 +- .../pwpolicy_special_character_enforce.yaml | 2 +- .../pwpolicy_upper_case_character_enforce.yaml | 2 +- rules/supplemental/supplemental_cis_manual.yaml | 16 ++++++++-------- .../sysprefs_airplay_receiver_disable.yaml | 2 +- .../sysprefs_automatic_login_disable.yaml | 2 +- rules/sysprefs/sysprefs_bluetooth_disable.yaml | 2 +- .../sysprefs/sysprefs_bluetooth_menu_enable.yaml | 2 +- .../sysprefs_bluetooth_sharing_disable.yaml | 2 +- 
.../sysprefs_bluetooth_unpaired_disable.yaml | 2 +- .../sysprefs_cd_dvd_sharing_disable.yaml | 2 +- .../sysprefs_content_caching_disable.yaml | 2 +- ...sysprefs_critical_update_install_enforce.yaml | 2 +- .../sysprefs_diagnostics_reports_disable.yaml | 2 +- rules/sysprefs/sysprefs_filevault_enforce.yaml | 2 +- rules/sysprefs/sysprefs_find_my_disable.yaml | 2 +- rules/sysprefs/sysprefs_firewall_enable.yaml | 2 +- .../sysprefs_firewall_stealth_mode_enable.yaml | 2 +- .../sysprefs_guest_access_smb_disable.yaml | 2 +- .../sysprefs/sysprefs_guest_account_disable.yaml | 2 +- rules/sysprefs/sysprefs_hot_corners_secure.yaml | 2 +- .../sysprefs_improve_siri_dictation_disable.yaml | 2 +- .../sysprefs_install_macos_updates_enforce.yaml | 2 +- ...prefs_internet_accounts_prefpane_disable.yaml | 2 +- .../sysprefs_internet_sharing_disable.yaml | 2 +- .../sysprefs_location_services_audit.yaml | 2 +- .../sysprefs_location_services_enable.yaml | 2 +- ...nwindow_prompt_username_password_enforce.yaml | 2 +- .../sysprefs_media_sharing_disabled.yaml | 2 +- .../sysprefs_password_hints_disable.yaml | 2 +- ...ysprefs_personalized_advertising_disable.yaml | 2 +- rules/sysprefs/sysprefs_power_nap_disable.yaml | 2 +- .../sysprefs_printer_sharing_disable.yaml | 2 +- rules/sysprefs/sysprefs_rae_disable.yaml | 2 +- .../sysprefs_remote_management_disable.yaml | 2 +- .../sysprefs_screen_sharing_disable.yaml | 2 +- ...reensaver_ask_for_password_delay_enforce.yaml | 2 +- .../sysprefs_screensaver_timeout_enforce.yaml | 2 +- rules/sysprefs/sysprefs_siri_disable.yaml | 2 +- rules/sysprefs/sysprefs_smbd_disable.yaml | 2 +- ...prefs_software_update_app_update_enforce.yaml | 2 +- ...ysprefs_software_update_download_enforce.yaml | 2 +- .../sysprefs_software_update_enforce.yaml | 2 +- .../sysprefs_softwareupdate_current.yaml | 2 +- rules/sysprefs/sysprefs_ssh_disable.yaml | 2 +- ...sprefs_system_wide_preferences_configure.yaml | 2 +- ...sysprefs_time_machine_auto_backup_enable.yaml | 2 +- 
...ysprefs_time_machine_encrypted_configure.yaml | 2 +- .../sysprefs/sysprefs_time_server_configure.yaml | 2 +- rules/sysprefs/sysprefs_time_server_enforce.yaml | 2 +- .../sysprefs_wake_network_access_disable.yaml | 2 +- rules/sysprefs/sysprefs_wifi_disable.yaml | 2 +- rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 2 +- 163 files changed, 170 insertions(+), 170 deletions(-) diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 81f1a55db..bcee2de66 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 45e2f1ab8..817470d2b 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 94b685e35..bdcc2451e 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -77,7 +77,7 @@ references: cis: benchmark: - 3.1 (level 1) - v8: + controls v8: - 8.2 - 8.5 macOS: diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index afc00bf41..cdfaa003f 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index 8ca43ca2b..4e4a6b155 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml 
@@ -29,7 +29,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index bb3fdf539..6a7be402d 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index 1af95825f..e19f1d273 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index e2fcc377c..13f89ca7c 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 76bca4409..d04328622 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index b4b76801f..256baf097 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml index 7bedd24bf..494ad2873 100644 
--- a/rules/audit/audit_flags_configure.yaml +++ b/rules/audit/audit_flags_configure.yaml @@ -37,7 +37,7 @@ references: cis: benchmark: - 3.2 (level 2) - v8: + controls v8: - 3.14 - 8.2 - 8.5 diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index dfda178f6..1936ef251 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index c76d84d5d..267f13689 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 5b142865b..82da5877b 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -35,7 +35,7 @@ references: cis: benchmark: - 3.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index 8edbfbde6..321f4f461 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -26,7 +26,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 8.9 macOS: - "12.0" diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index 74e349ef0..c81212d23 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 8.3 - 8.1 macOS: 
diff --git a/rules/audit/audit_retention_configure_sixty_days.yaml b/rules/audit/audit_retention_configure_sixty_days.yaml index c7dcce952..4e4729359 100644 --- a/rules/audit/audit_retention_configure_sixty_days.yaml +++ b/rules/audit/audit_retention_configure_sixty_days.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 3.4 (level 1) - v8: + controls v8: - 8.3 - 8.1 macOS: diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index bbd678b6c..8663cab4b 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -57,7 +57,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 31ea685bb..ac268f909 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -52,7 +52,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index e49ee6fa3..1a6510542 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -51,7 +51,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 2be296de1..9e8f32c00 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index e495dfa23..81816275d 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml 
@@ -57,7 +57,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index 9615f636b..943c1808f 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -51,7 +51,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.3 - 6.4 - 6.5 diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index d92ab96e0..b8ff14b6f 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index 0c5f62401..e744305c5 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -35,7 +35,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index b4b6b4ba4..cbf21ff69 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index 1b3a17ead..e992d9ad8 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index c107a4245..1119ce038 100644 --- a/rules/icloud/icloud_drive_disable.yaml 
+++ b/rules/icloud/icloud_drive_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 9dd9c924f..fb4ed6a76 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index d2636a71a..4ac93192e 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 58aa53ebb..e6eadbdc0 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 85613cf70..076d59d16 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 7f9e761bf..bbbdecd61 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 3e44c5c7e..800f14f0a 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml 
@@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index aa6b6d28a..6cb4ce2bc 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - 2.6.1.4 (level 2) - v8: + controls v8: - 4.1 - 4.8 - 15.3 diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 43411adff..89bbffe53 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -26,7 +26,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.4 macOS: - "12.0" diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index b74213225..d1539aa70 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - 2.4.11 (level 1) - v8: + controls v8: - 4.1 - 4.8 - 6.7 diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index 030e420bf..db4a1e0c6 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index f9ba0b38c..403dcb0eb 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -25,7 +25,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 13.9 macOS: - "12.0" diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index ce80e8b64..83e277d0e 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -45,7 +45,7 @@ references: cis: benchmark: - 5.1.5 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" 
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index ac7de9757..7ef39c634 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 4.1 (level 2) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index bce3f3bc5..3015309ad 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -49,7 +49,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index 69ffca694..19e7a7350 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml @@ -36,7 +36,7 @@ references: cis: benchmark: - 1.5 (level 1) - v8: + controls v8: - 10.1 - 10.2 - 10.4 diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index bffc50ec2..2cb596bb0 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -26,7 +26,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.7 macOS: - "12.0" diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml index 8f030c7ce..bca49a9cd 100644 --- a/rules/os/os_efi_integrity_validated.yaml +++ b/rules/os/os_efi_integrity_validated.yaml @@ -22,7 +22,7 @@ references: cis: benchmark: - 2.11 (level 1) - v8: + controls v8: - 2.2 macOS: - "12.0" diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index b9b3feb65..ecb6433ad 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -47,7 +47,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index ebaa5d32e..69e9523a9 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -36,7 +36,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 3.3 - 6.7 macOS: diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index bc2d26cff..c15f9afee 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -48,7 +48,7 @@ references: cis: benchmark: - 3.6 (level 1) - v8: + controls v8: - 4.5 - 8.2 - 8.5 diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index b80152fa6..2374fb123 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -40,7 +40,7 @@ references: cis: benchmark: - 2.5.2.1 (level 1) - v8: + controls v8: - 10.1 - 10.2 - 10.5 diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index f3dc6c172..3cf83f9c2 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -30,7 +30,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 10.5 macOS: - "12.0" diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index 2ff4efa8b..b7ecc309e 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 6.1.5 (level 1) - v8: + controls v8: - N/A macOS: - "12.0" diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 4037b534e..f17cd57a7 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -40,7 +40,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 1d22cc113..6f92a3398 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 5.9 (level 2) - v8: + controls v8: - N/A macOS: - "12.0" diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml index 09051844e..7835ecf61 100644 --- a/rules/os/os_hibernate_mode_enable.yaml +++ b/rules/os/os_hibernate_mode_enable.yaml @@ -50,7 +50,7 @@ references: cis: benchmark: - 5.9 (level 2) - v8: + controls v8: - N/A macOS: - "12.0" diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index a98c389b8..0ecbf8d58 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -36,7 +36,7 @@ references: cis: benchmark: - 5.1.1 (level 1) - v8: + controls v8: - N/A macOS: - "12.0" diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index aa187c611..ebbf38088 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 4.4 (level 1) - v8: + controls v8: - 3.3 - 6.7 macOS: diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index d428722b4..449673fc3 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index af2d7ecf6..13721e203 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml 
@@ -33,7 +33,7 @@ references: cis: benchmark: - 3.3 (level 1) - v8: + controls v8: - 8.1 - 8.3 macOS: diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index d1dfda343..f92df1eb0 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 12.6 diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml index 1037715b6..c614367ed 100644 --- a/rules/os/os_library_validation_enabled.yaml +++ b/rules/os/os_library_validation_enabled.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 5.1.4 (level 1) - v8: + controls v8: - 2.3 - 2.6 macOS: diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index ff115f6b5..132edb3bc 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 3.3 - 6.7 macOS: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 215630ad4..120022dd1 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -51,7 +51,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index 9f8928006..b57308700 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml @@ -48,7 +48,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 10.1 - 10.2 - 10.5 diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 180c7a713..aea55bbc2 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -45,7 +45,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 5.1 macOS: 
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index fb62287c9..53d44765a 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -47,7 +47,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index 49f6b261f..657bd1757 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml @@ -23,7 +23,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.6 macOS: - "12.0" diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml index b66df95c6..bc627725e 100644 --- a/rules/os/os_mobile_file_integrity_enable.yaml +++ b/rules/os/os_mobile_file_integrity_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 5.1.3 (level 1) - v8: + controls v8: - 2.3 - 2.6 macOS: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 93f9e2900..79c84ff2b 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 4.5 (level 1) - v8: + controls v8: - 3.3 - 6.7 macOS: diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 07c5386d2..19051d13a 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 1a8a07954..889993cf7 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.8 macOS: - "12.0" diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 95a3b15d3..919ca9b8b 100644 
--- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index 6077fe0ba..69fe80c8d 100644 --- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -27,7 +27,7 @@ references: cis: benchmark: - 5.14 (level 1) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index e948e24aa..52b1d5e58 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 39724307b..6111a690e 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -30,7 +30,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 324e4305f..46d0f3c0d 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -50,7 +50,7 @@ references: cis: benchmark: - 5.13 (level 2) - v8: + controls v8: - N/A macOS: - "12.0" diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index daf2e93bf..a7317ed71 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index c57e811db..a9ad05531 100644 
--- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -30,7 +30,7 @@ references: cis: benchmark: - 5.6 (level 1) - v8: + controls v8: - 4.7 macOS: - "12.0" diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index d9ce5e3fc..7127b620c 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -24,7 +24,7 @@ references: cis: benchmark: - 6.3 (level 1) - v8: + controls v8: - 9 macOS: - "12.0" diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 1ed31bbe6..931c6d2c1 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -27,7 +27,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.9 macOS: - "12.0" diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 8074f7fa6..99860e198 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - 6.2 (level 1) - v8: + controls v8: - 2.3 macOS: - "12.0" diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index c9145f9be..cbeeb3912 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -82,7 +82,7 @@ references: cis: benchmark: - 5.18 (level 1) - v8: + controls v8: - 2.6 - 3.3 - 10.5 diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 7d23fa7af..22b19f09b 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index ea8094bb4..d9be6cbe8 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml 
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index d38693306..049a7e733 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 3.11 macOS: - "12.0" diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index f1ec63169..2aee5685e 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -28,7 +28,7 @@ references: cis: benchmark: - 5.3 (level 1) - v8: + controls v8: - 4.3 macOS: - "12.0" diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index 81b405d1e..790abd82c 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -30,7 +30,7 @@ references: cis: benchmark: - 5.4 (level 1) - v8: + controls v8: - 4.3 macOS: - "12.0" diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 1d0ee4b61..f68ce9048 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -30,7 +30,7 @@ references: cis: benchmark: - 5.4 (level 1) - v8: + controls v8: - 4.3 macOS: - "12.0" diff --git a/rules/os/os_system_wide_applications_configure.yml b/rules/os/os_system_wide_applications_configure.yml index 8d89da2eb..a46c8646e 100644 --- a/rules/os/os_system_wide_applications_configure.yml +++ b/rules/os/os_system_wide_applications_configure.yml @@ -32,7 +32,7 @@ references: cis: benchmark: - 5.1.6 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" 
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index cc9bd3845..f77f9c29d 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.10 (level 1) - v8: + controls v8: - 4.8 macOS: - "12.0" diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 6372afd17..99f5d45e7 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 3.3 - 3.1 - 5.2 diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 6994f7b34..67c22984d 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.2.2 (level 1) - v8: + controls v8: - 8.4 macOS: - "12.0" diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 2b023bfef..80f6de1fe 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 8.4 macOS: - "12.0" diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index df470fd3d..b068ba722 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 8e9c9c481..c92ee0bed 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -22,7 +22,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.1 - 6.1 macOS: 
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 06b217ca5..b2fc53029 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 5.11 (level 1) - v8: + controls v8: - 4.3 macOS: - "12.0" diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index ccb2286e5..3e71cbe63 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -36,7 +36,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 3.3 - 4.1 - 4.8 diff --git a/rules/os/os_world_writable_library_folder_configure.yml b/rules/os/os_world_writable_library_folder_configure.yml index 5838fcd81..58efb8400 100644 --- a/rules/os/os_world_writable_library_folder_configure.yml +++ b/rules/os/os_world_writable_library_folder_configure.yml @@ -34,7 +34,7 @@ references: cis: benchmark: - 5.1.8 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/os/os_world_writable_system_folder_configure.yml b/rules/os/os_world_writable_system_folder_configure.yml index 1b8367942..2353e494a 100644 --- a/rules/os/os_world_writable_system_folder_configure.yml +++ b/rules/os/os_world_writable_system_folder_configure.yml @@ -32,7 +32,7 @@ references: cis: benchmark: - 5.1.7 (level 1) - v8: + controls v8: - 3.3 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index f20f6cfc6..b1ec3fcba 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.7 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 1d547a529..2cc480494 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml 
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -53,7 +53,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.3 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 13f27d62b..89a5fd904 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 6.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml index f16a0e60c..0da4ef875 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 5.2.1 (level 1) - v8: + controls v8: - 6.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index cd63366f4..3af6e544f 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 7f02e63b8..699fca16f 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -40,7 +40,7 @@ references: benchmark: - 5.2.3 (level 2) - 5.2.4 (level 2) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index 2b45c2703..c5c7918e5 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml 
@@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 8798e6998..4fcf0bd03 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml index 04c02ae84..bfd788059 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml @@ -36,7 +36,7 @@ references: cis: benchmark: - 5.2.8 (level 1) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 7c0efe3d0..f1f077c00 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -60,7 +60,7 @@ references: cis: benchmark: - 5.2.6 (level 2) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index f220142e5..247dd2364 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - 5.2.2 (level 1) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index b50a146c4..dac5c63a8 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -57,7 +57,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.7 macOS: - "12.0" 
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 9021666f0..88f7611b7 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 921432269..d060025d1 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - 5.2.5 (level 2) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 6a9612530..feb8f16d9 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -60,7 +60,7 @@ references: cis: benchmark: - 5.2.6 (level 2) - v8: + controls v8: - 5.2 macOS: - "12.0" diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index d335598d1..ddee60593 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -1,7 +1,7 @@ id: supplemental_cis_manual -title: "CIS Manual Controls" +title: " CIS Manual Recommendations" discussion: | - List of CIS controls that are manual checks. + List of CIS recommendations that are manual check in the CIS macOS Benchmark. [cols="15%h, 85%a"] |=== @@ -9,7 +9,7 @@ discussion: | |Section |Install Updates, Patches and Additional Security Software - |Controls + |Recommendations |1.7 Audit Computer Name |=== 
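Review bot: The new title in the supplemental_cis_manual.yaml hunk carries a stray leading space inside the quotes, `+title: " CIS Manual Recommendations"`; it should be `title: "CIS Manual Recommendations"` so the generated guide does not inherit the padding. The rewritten discussion line also reads `manual check in the CIS macOS Benchmark` where the plural `manual checks in` is meant. The later hunks of this file only swap `|Controls` for `|Recommendations` and need no change.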
@@ -18,7 +18,7 @@ discussion: | |Section |System Preferences - |Controls + |Recommendations |2.3.3 Audit Lock Screen and Start Screen Saver Tools + 2.5.1.2 Ensure all user storage APFS volumes are encrypted + 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted + @@ -41,7 +41,7 @@ discussion: | |Section |Logging and Auditing - |Controls + |Recommendations |3.7 Audit Software Inventory |=== @@ -50,7 +50,7 @@ discussion: | |Section |Network Configurations - |Controls + |Recommendations |4.3 Audit Network Specific Locations + 4.6 Audit Wi-Fi Settings + |=== @@ -60,7 +60,7 @@ discussion: | |Section |System Access, Authentication and Authorization - |Controls + |Recommendations |5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured + 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured + 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured + @@ -73,7 +73,7 @@ discussion: | |Section |Appendix: Additional Considerations - |Controls + |Recommendations |7.1 Extensible Firmware Interface (EFI) password + 7.2 FileVault and Local Account Password Reset using AppleID + |=== diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml index 71f27382f..6c8d9bf63 100644 --- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml +++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.4.13 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index 0b0ec0837..aa2bec71f 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 5.7 (level 1) - v8: + controls v8: - 4.7 macOS: - "12.0" 
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index a38abecb5..daefdcff1 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.8 - 12.6 - 13.9 diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml index 280e3c572..4da6a0330 100644 --- a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.1.2 (level 1) - v8: + controls v8: - 4.8 - 13.9 macOS: diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 117d533d7..8969ca677 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -49,7 +49,7 @@ references: cis: benchmark: - 2.4.7 (level 1) - v8: + controls v8: - 3.3 - 4.1 - 4.8 diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml index cda9619af..caa73854f 100644 --- a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - 2.1.1 (level 1) - v8: + controls v8: - 4.8 - 12.6 - 13.9 diff --git a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml index 4a5feff60..765cecc57 100644 --- a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 2.4.6 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index c9b9aee5a..f3913dd9c 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml @@ -33,7 +33,7 @@ references: cis: benchmark: - 2.4.10 (level 2) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml index 518970fe6..c9503dfaf 100644 --- a/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml +++ b/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 1.5 (level 1) - v8: + controls v8: - 7.3 - 7.4 - 7.7 diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 1c602c14f..5f5973375 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -43,7 +43,7 @@ references: cis: benchmark: - 2.5.5 (level 2) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index 2a0bafc40..cb55a3813 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.5.5.1 (level 1) - v8: + controls v8: - 3.6 - 3.11 macOS: diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 853a0c0f4..bdce3e9a7 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -49,7 +49,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 - 15.3 
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 7030b1f0e..ebc10a9b7 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -47,7 +47,7 @@ references: cis: benchmark: - 2.5.2.2 (level 1) - v8: + controls v8: - 4.1 - 4.5 - 13.1 diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 62b715b8a..f737d74fb 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -43,7 +43,7 @@ references: cis: benchmark: - 2.5.2.3 (level 1) - v8: + controls v8: - 4.1 - 4.5 - 4.8 diff --git a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml index 489e7171b..59dcf612a 100644 --- a/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 6.1.4 (level 1) - v8: + controls v8: - 5.2 - 6.2 - 6.8 diff --git a/rules/sysprefs/sysprefs_guest_account_disable.yaml b/rules/sysprefs/sysprefs_guest_account_disable.yaml index 998813246..f5a93b6c8 100644 --- a/rules/sysprefs/sysprefs_guest_account_disable.yaml +++ b/rules/sysprefs/sysprefs_guest_account_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 6.1.3 (level 1) - v8: + controls v8: - 5.2 - 5.3 - 6.8 diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml index a46209bac..14478efa4 100644 --- a/rules/sysprefs/sysprefs_hot_corners_secure.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml @@ -41,7 +41,7 @@ references: cis: benchmark: - 2.3.2 (level 2) - v8: + controls v8: - 4.3 macOS: - "12.0" 
diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index 26c78f689..286e0952b 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml index bc7437d75..e9761cc0f 100644 --- a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 1.6 (level 1) - v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml index ba40c3f65..d6273f32c 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml @@ -35,7 +35,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.8 - 15.2 macOS: diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 5f536f0d7..d45097d22 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.4.2 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_location_services_audit.yaml b/rules/sysprefs/sysprefs_location_services_audit.yaml index 3c649512f..563365885 100644 --- a/rules/sysprefs/sysprefs_location_services_audit.yaml +++ b/rules/sysprefs/sysprefs_location_services_audit.yaml @@ -24,7 +24,7 @@ references: cis: benchmark: - 2.5.4 (level 2) - v8: + controls v8: - 2.3 - 4.1 macOS: 
diff --git a/rules/sysprefs/sysprefs_location_services_enable.yaml b/rules/sysprefs/sysprefs_location_services_enable.yaml index 6ab353f5c..ce3481110 100644 --- a/rules/sysprefs/sysprefs_location_services_enable.yaml +++ b/rules/sysprefs/sysprefs_location_services_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.5.3 (level 2) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index b520ee352..a71e9cd30 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 6.1.1 (level 1) - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index 810f17d75..c81d26596 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -48,7 +48,7 @@ references: cis: benchmark: - 2.4.12 (level 2) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index 592b8221d..e4aa0926e 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 6.1.2 (level 1) - v8: + controls v8: - 4.1 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index e4fe394f5..84d7f1d36 100644 --- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml 
@@ -37,7 +37,7 @@ references: cis: benchmark: - 2.5.6 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index ad6f90af7..6018ed095 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -42,7 +42,7 @@ references: cis: benchmark: - 2.9 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml index dcc3b588e..87a99d3f4 100644 --- a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 2.4.4 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index 7e5740f15..038780509 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -35,7 +35,7 @@ references: cis: benchmark: - 2.4.1 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_remote_management_disable.yaml b/rules/sysprefs/sysprefs_remote_management_disable.yaml index a33e8eac3..bb1c4aae4 100644 --- a/rules/sysprefs/sysprefs_remote_management_disable.yaml +++ b/rules/sysprefs/sysprefs_remote_management_disable.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 2.4.3 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 7e98ae506..5fbe0776d 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -35,7 +35,7 @@ references: cis: benchmark: - 2.4.3 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index 8fa8a1a49..45a83fe57 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -31,7 +31,7 @@ references: cis: benchmark: - 5.8 (level 1) - v8: + controls v8: - 4.7 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index 4eada9580..a7186c0e5 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -32,7 +32,7 @@ references: cis: benchmark: - 2.3.1 (level 1) - v8: + controls v8: - 4.3 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index b4f1be6da..c94dd986f 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index 065c90602..acc271b56 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.4.8 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml index 42be3ad58..4388b7e87 100644 --- a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 1.4 (level 1) - v8: + controls v8: - 7.3 - 7.4 macOS: 
diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index a15327f96..fc663d914 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 1.3 (level 1) - v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml index 64dffcec7..b8a228822 100644 --- a/rules/sysprefs/sysprefs_software_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 1.2 (level 1) - v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml index 2bfe1b782..2195c1e41 100644 --- a/rules/sysprefs/sysprefs_softwareupdate_current.yaml +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - 1.1 (level 1) - v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index aa2925f51..6fd2916bc 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -47,7 +47,7 @@ references: cis: benchmark: - 2.4.5 (level 1) - v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index 87d2e1b18..e1139b8cd 100644 --- a/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 5.10 (level 1) - v8: + controls v8: - 4.1 macOS: - "12.0" 
diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml index 6cd1f558e..45c9ac04a 100644 --- a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml +++ b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.7.1 (level 2) - v8: + controls v8: - 11.2 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml index 3de3db6af..3e4843922 100644 --- a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml +++ b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml @@ -38,7 +38,7 @@ references: cis: benchmark: - 2.7.2 (level 2) - v8: + controls v8: - 3.6 - 3.11 - 11.2 diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 25e5cf35c..2eda90925 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.2.1 (level 1) - v8: + controls v8: - 8.4 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index 466b4af0a..1d8341823 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -34,7 +34,7 @@ references: cis: benchmark: - 2.2.1 (level 1) - v8: + controls v8: - 8.4 macOS: - "12.0" diff --git a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml index 3ff01d0c5..6e8dce266 100644 --- a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml +++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.8 (level 1) - v8: + controls v8: - 4.8 macOS: - "12.0" 
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index da7d6cf58..63a2daca6 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -39,7 +39,7 @@ references: cis: benchmark: - N/A - v8: + controls v8: - 4.2 - 12.6 macOS: diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml index 5ae623ee4..6eba0ee38 100644 --- a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -29,7 +29,7 @@ references: cis: benchmark: - 4.2 (level 1) - v8: + controls v8: - 4.8 - 12.6 macOS: From 5d1b570d3351383dd126905e642cf074246c92f2 Mon Sep 17 00:00:00 2001 From: Gendler Date: Fri, 4 Mar 2022 14:39:55 -0500 Subject: [PATCH 161/193] updated cis baseline file, modified os_system_wide_applications_configure id and file name --- baselines/cis_lvl1.yaml | 2 ++ baselines/cis_lvl2.yaml | 1 + ...configure.yml => os_system_wide_applications_configure.yaml} | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) rename rules/os/{os_system_wide_applications_configure.yml => os_system_wide_applications_configure.yaml} (95%) diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 1f71237cb..2c5a6ade1 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -45,9 +45,11 @@ profile: - os_root_disable - os_safari_open_safe_downloads_disable - os_show_filename_extensions_enable + - os_sip_enable - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure + - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - os_time_offset_limit_configure - os_unlock_active_user_session_disable diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index 3d815919c..c4595bce6 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml 
@@ -48,6 +48,7 @@ profile: - os_root_disable - os_safari_open_safe_downloads_disable - os_show_filename_extensions_enable + - os_sip_enable - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure diff --git a/rules/os/os_system_wide_applications_configure.yml b/rules/os/os_system_wide_applications_configure.yaml similarity index 95% rename from rules/os/os_system_wide_applications_configure.yml rename to rules/os/os_system_wide_applications_configure.yaml index a46c8646e..594b63024 100644 --- a/rules/os/os_system_wide_applications_configure.yml +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -1,4 +1,4 @@ -id: os_system_wide_applications +id: os_system_wide_applications_configure title: "Ensure Appropriate Permissions Are Enabled for System Wide Applications" discussion: | Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable. From a217dc578ea7463e783b83aaa37acef8ae20bb04 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 4 Mar 2022 15:47:46 -0500 Subject: [PATCH 162/193] added cis_lvl2 tag --- ...igure.yml => os_world_writable_library_folder_configure.yaml} | 1 + ...figure.yml => os_world_writable_system_folder_configure.yaml} | 0 2 files changed, 1 insertion(+) rename rules/os/{os_world_writable_library_folder_configure.yml => os_world_writable_library_folder_configure.yaml} (98%) rename rules/os/{os_world_writable_system_folder_configure.yml => os_world_writable_system_folder_configure.yaml} (100%) diff --git a/rules/os/os_world_writable_library_folder_configure.yml b/rules/os/os_world_writable_library_folder_configure.yaml similarity index 98% rename from rules/os/os_world_writable_library_folder_configure.yml rename to rules/os/os_world_writable_library_folder_configure.yaml index 58efb8400..267155c35 100644 --- a/rules/os/os_world_writable_library_folder_configure.yml +++ b/rules/os/os_world_writable_library_folder_configure.yaml 
@@ -40,6 +40,7 @@ macOS: - "12.0" tags: - cis_lvl1 + - cis_lvl2 - cisv8 mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_world_writable_system_folder_configure.yml b/rules/os/os_world_writable_system_folder_configure.yaml similarity index 100% rename from rules/os/os_world_writable_system_folder_configure.yml rename to rules/os/os_world_writable_system_folder_configure.yaml From 6e4d206a8bfddd7395e88fbc9dacb2b048714768 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Fri, 4 Mar 2022 15:49:30 -0500 Subject: [PATCH 163/193] updated cis benchmark baseline files --- baselines/cis_lvl1.yaml | 2 ++ baselines/cis_lvl2.yaml | 1 + 2 files changed, 3 insertions(+) diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 2c5a6ade1..a79bc57fd 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -53,6 +53,8 @@ profile: - os_terminal_secure_keyboard_enable - os_time_offset_limit_configure - os_unlock_active_user_session_disable + - os_world_writable_library_folder_configure + - os_world_writable_system_folder_configure - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce_five diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index c4595bce6..d1750252f 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -55,6 +55,7 @@ profile: - os_terminal_secure_keyboard_enable - os_time_offset_limit_configure - os_unlock_active_user_session_disable + - os_world_writable_library_folder_configure - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce_five From 05307ecbba643c629482bc5141be77170cbc388d Mon Sep 17 00:00:00 2001 From: Dan Brodjieski Date: Mon, 7 Mar 2022 12:06:52 -0500 Subject: [PATCH 164/193] Fix for 5.1.7, 5.1.8 --- baselines/cis_lvl1.yaml | 1 - baselines/cis_lvl2.yaml | 3 ++- rules/os/os_world_writable_library_folder_configure.yaml | 3 +-- rules/os/os_world_writable_system_folder_configure.yaml | 1 + 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index a79bc57fd..69211bb19 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -53,7 +53,6 @@ profile:
- os_terminal_secure_keyboard_enable
- os_time_offset_limit_configure
- os_unlock_active_user_session_disable
- - os_world_writable_library_folder_configure
- os_world_writable_system_folder_configure
- section: "passwordpolicy"
rules:
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index d1750252f..6d522da86 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -56,6 +56,7 @@ profile:
- os_time_offset_limit_configure
- os_unlock_active_user_session_disable
- os_world_writable_library_folder_configure
+ - os_world_writable_system_folder_configure
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce_five
@@ -121,4 +122,4 @@ profile:
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- - supplemental_smartcard
+ - supplemental_smartcard
\ No newline at end of file
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
index 267155c35..263ea9108 100644
--- a/rules/os/os_world_writable_library_folder_configure.yaml
+++ b/rules/os/os_world_writable_library_folder_configure.yaml
@@ -33,13 +33,12 @@ references:
- N/A
cis:
benchmark:
- - 5.1.8 (level 1)
+ - 5.1.8 (level 2)
controls v8:
- 3.3
macOS:
- "12.0"
tags:
- - cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: false
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml
index 2353e494a..4ad69345f 100644
--- a/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/rules/os/os_world_writable_system_folder_configure.yaml
@@ -38,6 +38,7 @@ macOS:
- "12.0"
tags:
- cis_lvl1
+ - cis_lvl2
- cisv8
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
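Review bot: The `@@ -121,4 +122,4 @@` hunk of baselines/cis_lvl2.yaml drops the file's trailing newline: `- supplemental_smartcard` is re-emitted byte-for-byte and the only effect is the `\ No newline at end of file` on the new side. Keep the final newline so the baseline ends cleanly and this line stops showing up in every later diff of the file. The 5.1.8 level and tag changes in the other hunks of this commit are consistent with the baseline moves.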
From f444496f702c29c56dde4f9b2a5e7ca5eefa30e8 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Mon, 7 Mar 2022 12:26:27 -0500
Subject: [PATCH 165/193] Fixed 5.1.6
---
baselines/cis_lvl2.yaml | 1 +
rules/os/os_system_wide_applications_configure.yaml | 1 +
2 files changed, 2 insertions(+)
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index 6d522da86..e1554cb1f 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -52,6 +52,7 @@ profile:
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_sudoers_tty_configure
+ - os_system_wide_applications_configure
- os_terminal_secure_keyboard_enable
- os_time_offset_limit_configure
- os_unlock_active_user_session_disable
diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml
index 594b63024..6a597c258 100644
--- a/rules/os/os_system_wide_applications_configure.yaml
+++ b/rules/os/os_system_wide_applications_configure.yaml
@@ -38,6 +38,7 @@ macOS:
- "12.0"
tags:
- cis_lvl1
+ - cis_lvl2
- cisv8
mobileconfig: false
mobileconfig_info:
From ef88bd0e0d5b13094aa6fabc47e139416d062406 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Tue, 8 Mar 2022 10:08:32 -0500
Subject: [PATCH 166/193] new airplay receiver key
---
rules/sysprefs/sysprefs_airplay_receiver_disable.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
index 6c8d9bf63..60a9300f7 100644
--- a/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
+++ b/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
@@ -8,8 +8,8 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ - .objectForKey('AirplayRecieverEnabled').js + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowAirPlayIncomingRequests').js EOS result: string: "false" @@ -48,5 +48,5 @@ tags: - cisv8 mobileconfig: true mobileconfig_info: - com.apple.controlcenter: - AirplayRecieverEnabled: false + com.apple.applicationaccess: + allowAirPlayIncomingRequests: false From 7fddcd89c5d5532d09667bbd55d70eecbabcd50c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Mar 2022 10:38:40 -0500 Subject: [PATCH 167/193] baseline tags added and none removed --- rules/os/os_camera_disable.yaml | 1 - rules/os/os_policy_banner_ssh_configure.yaml | 9 ++++++++- rules/os/os_policy_banner_ssh_enforce.yaml | 9 ++++++++- rules/os/os_privacy_setup_prompt_disable.yaml | 1 - rules/os/os_sshd_client_alive_count_max_configure.yaml | 7 ++++++- rules/os/os_sshd_client_alive_interval_configure.yaml | 7 ++++++- rules/os/os_sshd_key_exchange_algorithm_configure.yaml | 8 +++++++- rules/os/os_sshd_login_grace_time_configure.yaml | 1 - rules/os/os_sshd_permit_root_login_configure.yaml | 3 ++- 9 files changed, 37 insertions(+), 9 deletions(-) diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 60e55847b..b421c3673 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -30,7 +30,6 @@ references: macOS: - "12.0" tags: - - none - stig severity: "medium" mobileconfig: true diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index b1f3ef59b..e6e984b5b 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml 
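Review bot: The `check:` block and `mobileconfig_info:` now key on `com.apple.applicationaccess` / `allowAirPlayIncomingRequests`, but the `discussion:` and `fix:` text between the two hunks (rule lines 16–47, outside this diff) is untouched and, if it still describes the Control Center `AirplayRecieverEnabled` setting, will contradict the check it documents; please confirm that prose now names the Restrictions payload key. The old domain appears to have reflected the user's own Control Center toggle while the new one is a managed restriction, so the check presumably reports compliant only when the profile is delivered — worth a short line in `discussion:`, e.g. `NOTE: This check validates the managed (MDM) restriction, not the user's Control Center toggle.`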
@@ -35,7 +35,14 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 572e26f3c..d60e6c684 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -37,7 +37,14 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index a7317ed71..8fedda776 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -37,7 +37,6 @@ references: macOS: - "12.0" tags: - - none - cisv8 - stig severity: "medium" diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 548a27265..31bcd3522 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -31,7 +31,12 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 66c15b349..df0575a16 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml 
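Review bot: The new tag sets differ between sibling SSH rules in a way the commit message does not explain: os_policy_banner_ssh_configure, os_policy_banner_ssh_enforce and the os_sshd_client_alive_*_configure rules gain `800-171`, os_sshd_key_exchange_algorithm_configure gains the 800-53 tags and `cnssi-1253` but not `800-171`, and os_sshd_permit_root_login_configure receives only `800-53r5_high` / `800-53r4_high`, while os_sshd_login_grace_time_configure ends up with `stig` alone. Every one of these hunks sits directly under the rule's `references:` block, so the tag list is presumably meant to mirror the `800-53r5:` / `800-53r4:` / `800-171:` lists there; please confirm the omissions match those lists rather than being accidental, since — if baselines are generated from tags, as the earlier cis_lvl hunks suggest — a missing tag silently drops the rule from a generated baseline.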
@@ -34,7 +34,12 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml index c613bc0a9..cec03295d 100644 --- a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml +++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml @@ -50,7 +50,13 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index fa41d557f..1dd0b85ed 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -31,7 +31,6 @@ references: macOS: - "12.0" tags: - - none - stig severity: "medium" mobileconfig: false diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index c2ae676a8..9e7d803eb 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -31,7 +31,8 @@ references: macOS: - "12.0" tags: - - none + - 800-53r5_high + - 800-53r4_high - stig severity: "medium" mobileconfig: false From 4e3e0e1d1d9644149754790e8f3360731993f35a Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 10 Mar 2022 14:13:03 -0500 Subject: [PATCH 168/193] CCEs added --- rules/audit/audit_control_acls_configure.yaml | 2 +- rules/audit/audit_control_group_configure.yaml | 2 +- rules/audit/audit_control_mode_configure.yaml | 2 +- rules/audit/audit_control_owner_configure.yaml | 2 +- rules/audit/audit_flags_configure.yaml | 2 +- rules/audit/audit_retention_configure_sixty_days.yaml | 2 +- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- rules/os/os_bluray_read_only_enforce.yaml | 2 +- rules/os/os_burn_support_disable.yaml | 2 +- rules/os/os_cd_read_only_enforce.yaml | 2 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_efi_integrity_validated.yaml | 2 +- rules/os/os_erase_content_and_settings_disable.yaml | 2 +- rules/os/os_guest_folder_removed.yaml | 2 +- rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml | 2 +- rules/os/os_hibernate_mode_enable.yaml | 2 +- rules/os/os_install_log_retention_configure.yaml | 2 +- rules/os/os_library_validation_enabled.yaml | 2 +- rules/os/os_mobile_file_integrity_enable.yaml | 2 +- rules/os/os_password_hint_remove.yaml | 2 +- rules/os/os_safari_open_safe_downloads_disable.yaml | 2 +- rules/os/os_show_filename_extensions_enable.yaml | 2 +- rules/os/os_skip_screen_time_prompt_enable.yaml | 2 +- rules/os/os_sshd_fips_140_ciphers.yaml | 2 +- rules/os/os_sshd_fips_140_macs.yaml | 2 +- rules/os/os_sudo_timeout_configure.yaml | 2 +- rules/os/os_system_wide_applications_configure.yaml | 2 +- rules/os/os_terminal_secure_keyboard_enable.yaml | 2 +- rules/os/os_time_offset_limit_configure.yaml | 2 +- rules/os/os_world_writable_library_folder_configure.yaml | 2 +- rules/os/os_world_writable_system_folder_configure.yaml | 2 +- rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml | 2 +- 
rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml | 2 +- rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml | 2 +- rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml | 2 +- rules/sysprefs/sysprefs_hot_corners_secure.yaml | 2 +- rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml | 2 +- rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_location_services_audit.yaml | 2 +- rules/sysprefs/sysprefs_location_services_enable.yaml | 2 +- rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml | 2 +- rules/sysprefs/sysprefs_printer_sharing_disable.yaml | 2 +- rules/sysprefs/sysprefs_remote_management_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml | 2 +- rules/sysprefs/sysprefs_software_update_download_enforce.yaml | 2 +- rules/sysprefs/sysprefs_software_update_enforce.yaml | 2 +- rules/sysprefs/sysprefs_softwareupdate_current.yaml | 2 +- rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml | 2 +- rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml | 2 +- rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_wake_network_access_disable.yaml | 2 +- rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 2 +- 62 files changed, 62 insertions(+), 62 deletions(-) diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index cdfaa003f..6890bd446 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml 
@@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91088-5 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index 4e4a6b155..b0dab4cc0 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91089-3 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index 6a7be402d..a3b32ab77 100644 --- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91090-1 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index e19f1d273..7fd10d51b 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91091-9 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_flags_configure.yaml b/rules/audit/audit_flags_configure.yaml index 494ad2873..c5e1a085a 100644 --- a/rules/audit/audit_flags_configure.yaml +++ b/rules/audit/audit_flags_configure.yaml @@ -15,7 +15,7 @@ fix: | NOTE: NOTE: This fix will replace the contents of the flags: line in `/etc/security/audit_control`, if you have customized the flags, your changes may be overwritten. references: cce: - - N/A + - CCE-91092-7 cci: - N/A 800-53r5: diff --git a/rules/audit/audit_retention_configure_sixty_days.yaml b/rules/audit/audit_retention_configure_sixty_days.yaml index 4e4729359..6b61dd9c8 100644 --- a/rules/audit/audit_retention_configure_sixty_days.yaml +++ b/rules/audit/audit_retention_configure_sixty_days.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91093-5 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 1df7c5216..412ec43f5 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91094-3 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 53ad31f6b..cb85da2a0 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91095-0 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 8d04d5569..9bee117e3 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91096-8 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index a4cca50f1..2fa1d7e49 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91097-6 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml index b570fdc80..529218e64 100644 --- a/rules/os/os_burn_support_disable.yaml +++ b/rules/os/os_burn_support_disable.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91098-4 cci: - CCI-000366 800-53r5: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index cd81757a8..dde317c2a 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml 
@@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91099-2 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index bc1581d26..6c4830259 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91100-8 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index 803bdd098..c47735518 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91101-6 cci: - CCI-000366 - CCI-001967 diff --git a/rules/os/os_efi_integrity_validated.yaml b/rules/os/os_efi_integrity_validated.yaml index bca49a9cd..2f4b80f84 100644 --- a/rules/os/os_efi_integrity_validated.yaml +++ b/rules/os/os_efi_integrity_validated.yaml @@ -10,7 +10,7 @@ fix: | Install a known good version of macOS. references: cce: - - N/A + - CCE-91102-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index 89e54d1b0..bfffabd60 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91103-2 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index b7ecc309e..4084a907e 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91104-0 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 6f92a3398..c942a9ce1 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91105-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_hibernate_mode_enable.yaml b/rules/os/os_hibernate_mode_enable.yaml index 7835ecf61..271976f96 100644 --- a/rules/os/os_hibernate_mode_enable.yaml +++ b/rules/os/os_hibernate_mode_enable.yaml @@ -34,7 +34,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91106-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index 13721e203..e2be53aa6 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: cce: - - N/A + - CCE-91107-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml index c614367ed..a1802e0ea 100644 --- a/rules/os/os_library_validation_enabled.yaml +++ b/rules/os/os_library_validation_enabled.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91108-1 cci: - N/A 800-53r5: diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml index bc627725e..cbb8ab718 100644 --- a/rules/os/os_mobile_file_integrity_enable.yaml +++ b/rules/os/os_mobile_file_integrity_enable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91109-9 cci: - N/A 800-53r5: 
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index 69fe80c8d..cb7a12272 100644 --- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91110-7 cci: - N/A 800-53r5: diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index 7127b620c..0e717c339 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91111-5 cci: - N/A 800-53r5: diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 99860e198..d9496a5fe 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml @@ -22,7 +22,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91112-3 cci: - N/A 800-53r5: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index b6e27de3d..541481a11 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91113-1 cci: - CCI-000381 800-53r5: diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml index 64479c236..c7268d117 100644 --- a/rules/os/os_sshd_fips_140_ciphers.yaml +++ b/rules/os/os_sshd_fips_140_ciphers.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91114-9 cci: - CCI-000803 - CCI-000068 diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml index 69879ec0d..fd7cfafc7 100644 --- a/rules/os/os_sshd_fips_140_macs.yaml +++ b/rules/os/os_sshd_fips_140_macs.yaml 
@@ -19,7 +19,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91115-6 cci: - CCI-000068 - CCI-000803 diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index 2aee5685e..8ec1e888c 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91116-4 cci: - N/A 800-53r5: diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml index 6a597c258..568954ef0 100644 --- a/rules/os/os_system_wide_applications_configure.yaml +++ b/rules/os/os_system_wide_applications_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91117-2 cci: - N/A 800-53r5: diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index f77f9c29d..f4a830b0f 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91118-0 800-53r5: - N/A 800-53r4: diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 67c22984d..100ae51db 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91119-8 cci: - N/A 800-53r5: diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index 263ea9108..1f413b299 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91120-6 cci: - N/A 800-53r5: 
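Review bot: os_terminal_secure_keyboard_enable.yaml carries no `cci:` entry under `references:` — the hunk goes straight from the new `cce:` value to `800-53r5:`, unlike every other rule in this commit, which has `cci:` (at least as `- N/A`); the same gap is visible in sysprefs_wake_network_access_disable.yaml further down. If the generator or the rule schema expects the key, add `cci:` followed by `  - N/A` while these references are being touched, so the two files do not diverge from the rest of the rule corpus.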
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml index 4ad69345f..041732799 100644 --- a/rules/os/os_world_writable_system_folder_configure.yaml +++ b/rules/os/os_world_writable_system_folder_configure.yaml @@ -16,7 +16,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91121-4 cci: - N/A 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml index 0da4ef875..88233d7dc 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml @@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91122-2 cci: - N/A 800-53r5: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml index bfd788059..19415f1da 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml @@ -17,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91123-0 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml index 4da6a0330..ac7c9ddbb 100644 --- a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91124-8 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml index 1998b55cc..d454a46cc 100644 --- a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml 
@@ -11,7 +11,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91125-5 cci: - CCI-002418 800-53r5: diff --git a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml index caa73854f..506437d02 100644 --- a/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml @@ -20,7 +20,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91126-3 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml index 765cecc57..e71c4a7d7 100644 --- a/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91127-1 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/rules/sysprefs/sysprefs_hot_corners_secure.yaml index 14478efa4..9b5953315 100644 --- a/rules/sysprefs/sysprefs_hot_corners_secure.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_secure.yaml @@ -25,7 +25,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91128-9 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml index e9761cc0f..a5bf902b1 100644 --- a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91129-7 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml index 6ff69f7bc..9e7cc2e02 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml 
@@ -15,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91130-5 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_location_services_audit.yaml b/rules/sysprefs/sysprefs_location_services_audit.yaml index 563365885..603a6b3fa 100644 --- a/rules/sysprefs/sysprefs_location_services_audit.yaml +++ b/rules/sysprefs/sysprefs_location_services_audit.yaml @@ -10,7 +10,7 @@ fix: | Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services. references: cce: - - N/A + - CCE-91131-3 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_location_services_enable.yaml b/rules/sysprefs/sysprefs_location_services_enable.yaml index ce3481110..f99d89361 100644 --- a/rules/sysprefs/sysprefs_location_services_enable.yaml +++ b/rules/sysprefs/sysprefs_location_services_enable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91132-1 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml index 2072084d6..338d03840 100644 --- a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91133-9 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml index 87a99d3f4..9e10c0942 100644 --- a/rules/sysprefs/sysprefs_printer_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_printer_sharing_disable.yaml @@ -14,7 +14,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91134-7 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_remote_management_disable.yaml b/rules/sysprefs/sysprefs_remote_management_disable.yaml index bb1c4aae4..c99c9448a 100644 
--- a/rules/sysprefs/sysprefs_remote_management_disable.yaml +++ b/rules/sysprefs/sysprefs_remote_management_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91135-4 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 534db16b0..87f7205d7 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91136-2 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 140c121cb..d9fb39ea9 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91137-0 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml index 4388b7e87..88c4b3d1e 100644 --- a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91138-8 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index fc663d914..a550000cd 100644 --- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91139-6 cci: - N/A 800-53r5: 
diff --git a/rules/sysprefs/sysprefs_software_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_enforce.yaml index b8a228822..21544a90b 100644 --- a/rules/sysprefs/sysprefs_software_update_enforce.yaml +++ b/rules/sysprefs/sysprefs_software_update_enforce.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91140-4 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/rules/sysprefs/sysprefs_softwareupdate_current.yaml index 2195c1e41..26803e52f 100644 --- a/rules/sysprefs/sysprefs_softwareupdate_current.yaml +++ b/rules/sysprefs/sysprefs_softwareupdate_current.yaml @@ -22,7 +22,7 @@ fix: | NOTE - This will apply to the whole system references: cce: - - N/A + - CCE-91141-2 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml index 45c9ac04a..980179651 100644 --- a/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml +++ b/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91142-0 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml index 3e4843922..f0029d8d1 100644 --- a/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml +++ b/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml @@ -22,7 +22,7 @@ fix: | . Click *Use Disk* references: cce: - - N/A + - CCE-91143-8 cci: - N/A 800-53r5: diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml index a6ba0d516..b1bc65bb3 100644 --- a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml 
@@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91144-6 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml index 4a63171a7..e3fc42789 100644 --- a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91145-3 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml index 6e8dce266..9155cce77 100644 --- a/rules/sysprefs/sysprefs_wake_network_access_disable.yaml +++ b/rules/sysprefs/sysprefs_wake_network_access_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - N/A + - CCE-91146-1 800-53r5: - N/A 800-53r4: diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml index d41b42b10..0b7f64e3a 100644 --- a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91147-9 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml index cdf4e2e4c..89b494ae0 100644 --- a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91148-7 cci: - CCI-001774 - CCI-000381 diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml index 6eba0ee38..2d4164ee2 100644 
--- a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -13,7 +13,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - N/A + - CCE-91149-5 cci: - N/A 800-53r5: From 71d1310f4fda63c65c7ca9f066368c9793ae2e4c Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Mar 2022 16:11:17 -0500 Subject: [PATCH 169/193] fixes for cis --- scripts/generate_mapping.py | 52 ++++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 9547da304..19ce56c7b 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py 
@@ -94,23 +94,45 @@ def dir_path(string): try: rule_yaml['references'] - for yaml_control in rule_yaml['references'][results.framework]: - if duplicate == yaml_control.split("(")[0]: - continue - if csv_duplicate == str(row[other_header]): - continue - - if control.replace(" ",'') == yaml_control: - duplicate = yaml_control.split("(")[0] - csv_duplicate = str(row[other_header]) - row_array = str(row[other_header]).split(",") - for item in row_array: - control_array.append(item) - print(rule_yaml['id'] + " - " + str(results.framework) + " " + yaml_control + " maps to " + other_header + " " + item) + if "/" in str(results.framework): + framework_main = results.framework.split("/")[0] + framework_sub = results.framework.split("/")[1] + + for yaml_control in rule_yaml['references'][framework_main][framework_sub]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + + continue + if control.replace(" ",'') == str(yaml_control): + + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) + else: + + for yaml_control in rule_yaml['references'][results.framework]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + + if control.replace(" ",'') == str(yaml_control): + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) + except: - continue - + continue + if len(control_array) == 0: continue 
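Review bot: The bare `except:` that closes the new block swallows every exception — not only the KeyError from a rule with no `references` entry for the framework, but also the IndexError from `results.framework.split("/")[1]` and the KeyError from `[framework_main][framework_sub]` when the sub-key is absent — and the `continue` then drops the rule silently, so a mistyped framework name yields an empty mapping with no error. The two loop bodies are identical apart from how the reference list is looked up; resolving the list once (descending one `/` component at a time) and keeping a single loop removes the duplication and lets the except clause be narrowed to `(KeyError, TypeError)`. With the loop outside the try, an error raised inside it (for example a missing CSV column in `row[other_header]`) surfaces instead of being skipped, which I believe is the intended behaviour but is a change from the old block. The enclosing loop and its function start before this hunk, and the original indentation is not recoverable from the collapsed lines, so the excerpt below uses conventional indentation.
```python
try:
    references = rule_yaml['references']
    # descend one level per "/" component, e.g. "cis/benchmark" -> [cis][benchmark]
    for part in str(results.framework).split("/"):
        references = references[part]
except (KeyError, TypeError):
    # rule carries no entry for this framework; nothing to map
    continue

for yaml_control in references:
    if duplicate == str(yaml_control).split("(")[0]:
        continue
    if csv_duplicate == str(row[other_header]):
        continue
    if control.replace(" ",'') == str(yaml_control):
        duplicate = str(yaml_control).split("(")[0]
        csv_duplicate = str(row[other_header])
        row_array = str(row[other_header]).split(",")
        for item in row_array:
            control_array.append(item)
            print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item)
# … unchanged: if len(control_array) == 0: continue …
```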
From 970d8d7a01ce3bcc7a4ae13146f2c1529872ffb2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Mar 2022 19:23:28 -0500 Subject: [PATCH 170/193] ^ added to flag check --- rules/audit/audit_flags_fm_configure.yaml | 2 +- rules/audit/audit_flags_lo_configure.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 9e106c89b..c1184b1c6 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -9,7 +9,7 @@ discussion: | Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | - /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\fm' + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm' result: integer: 1 fix: | diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 69842c796..0100645e0 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -7,7 +7,7 @@ discussion: | The information system monitors login and logout events. check: | - /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'lo' + /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo' result: integer: 1 fix: | From 799998b93b6e677d9ce2fccd54c7dc07491aebc4 Mon Sep 17 00:00:00 2001 
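Review bot: The new `^fm` anchor correctly stops the `-fm`, `+fm` and `^fm` prefixed forms from satisfying the check, but the expression is still open on the right, so any flag class whose name starts with `fm` would also be counted and inflate the result past the expected `integer: 1`. Since the `tr ',' '\n'` stage already yields exactly one flag per line, a whole-line match states the intent precisely: `/usr/bin/grep -Ec '^fm$'` here, and `'^lo$'` in the `audit_flags_lo_configure.yaml` hunk of the same commit.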
From: Bob Gendler Date: Thu, 10 Mar 2022 19:29:03 -0500 Subject: [PATCH 171/193] updated check for remaining profiles command check --- rules/icloud/icloud_appleid_prefpane_disable.yaml | 2 +- rules/os/os_safari_open_safe_downloads_disable.yaml | 2 +- rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index e744305c5..3f206f751 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents login to Apple ID and iCloud. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index 0e717c339..fe9b4062e 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml 
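Review bot: The new check line still passes the pane identifier to `grep -c` as a regular expression, so each `.` in `com.apple.preferences.AppleID` matches any character and the count is looser than the rule text implies; `grep -Fc 'com.apple.preferences.AppleID'` gives the fixed-string match the comparison is meant to be. The same applies to the other ten hunks of this commit (the `os_safari`, `bluetooth`, `internet_accounts`, `siri`, `touchid` and `wallet` rules) and to the new `>= 2` variants in the later commits. The awk stage that collapses any positive count to `1` is the right shape for the `result: integer: 1` comparison, but note that once it is in place the numeric threshold is the only thing the check still expresses.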
@@ -3,7 +3,7 @@ title: "Disable Automatic Opening of Safe Files in Safari" discussion: | Open "safe" files after downloading _MUST_ be disabled in Safari. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml index d454a46cc..c690ea897 100644 --- a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml @@ -4,7 +4,7 @@ discussion: | The Bluetooth System Preference pane _MUST_ be hidden to prevent access to the bluetooth configuration. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml index d6273f32c..ec53ae59d 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml 
@@ -8,7 +8,7 @@ discussion: | Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml index 9e7cc2e02..bcdc8f21f 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml @@ -8,7 +8,7 @@ discussion: | Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 87f7205d7..eb18ed5f0 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml 
+++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index d9fb39ea9..2d06d867d 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -5,7 +5,7 @@ discussion: | HIding the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml index b1bc65bb3..3f0af4c9f 100644 --- a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Touch ID. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml index e3fc42789..88d574ca4 100644 --- a/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml 
@@ -5,7 +5,7 @@ discussion: | Hiding the system preference pane prevents the users from configuring Touch ID. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml index 0b7f64e3a..39f95438d 100644 --- a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml index 89b494ae0..bf5872a28 100644 --- a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml @@ -5,7 +5,7 @@ discussion: | Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: integer: 1 fix: | From d30917cc45eaad6e50a6d6118b2bf0d4c8bc95fc Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Thu, 10 Mar 2022 19:41:35 -0500 Subject: [PATCH 172/193] updated fix text --- rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index aaa16ec69..df59b86b0 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -12,13 +12,7 @@ check: | result: string: "true" fix: | - To implement the prescribed state with a Configuration Profile, create a configuration profile (com.apple.systempolicy.managed) with the following key DisableOverride set to true - [source,xml] - ---- - DisableOverride - - ---- - NOTE - This will apply to the whole system + This is implemented by a Configuration Profile. references: cce: - CCE-91058-8 From a4551ce17cfaec5a21d9cf65ad21ba726017fb87 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 10:06:18 -0400 Subject: [PATCH 173/193] removed unneeded sudo --- rules/os/os_anti_virus_installed.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 2e3b1b5a4..32d7492de 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -9,7 +9,7 @@ check: | result: integer: 1 fix: | - /usr/bin/sudo /bin/launchctl enable system/com.apple.mrt + /bin/launchctl enable system/com.apple.mrt references: cce: - CCE-90900-2 From 343abc935a65b7d1eab9cf94f3fc63f110740b85 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 10:13:53 -0400 Subject: [PATCH 174/193] Added sysprefs_bluetooth_prefpane_disable --- .../sysprefs_bluetooth_prefpane_disable.yaml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml 
diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml new file mode 100644 index 000000000..c9a5fa355 --- /dev/null +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml @@ -0,0 +1,36 @@ +id: sysprefs_bluetooth_prefpane_disable +title: "Hide the Bluetooth System Preference Pane" +discussion: | + The Bluetooth System Preference pane _MUST_ be disabled to prevent access to the bluetooth configuration. + +check: | + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' +result: + integer: 1 +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-91150-3 + cci: + - CCI-002418 + 800-53r5: + - N/A + 800-53r4: + - SC-8 + srg: + - SRG-OS-000481-GPOS-000481 + disa_stig: + - APPL-12-002062 + 800-171r2: + - N/A +macOS: + - "12.0" +tags: + - stig +severity: "medium" +mobileconfig: true +mobileconfig_info: + com.apple.systempreferences: + DisabledPreferencePanes: + - com.apple.preferences.Bluetooth From 71c2cf48c5ae7c094eace356d45a2de44f000587 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 10:14:27 -0400 Subject: [PATCH 175/193] updated check to count of 2 --- rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_hide.yaml | 2 +- rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml index c690ea897..e39d31958 100644 --- a/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml 
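Review bot: The check in the new rule only passes when the identifier appears at least twice in `profiles -P -o stdout`, while the `mobileconfig_info` payload lists it once, under `DisabledPreferencePanes`; nothing in the file explains why two occurrences are the expected signature of a disabled pane, and a maintainer comparing this with the parallel `_hide` rule cannot tell them apart except by that number. If the count is meant to capture the identifier being present in both the hidden and the disabled arrays, the discussion should say so, e.g. `NOTE: The check expects the pane identifier to be listed under both HiddenPreferencePanes and DisabledPreferencePanes.`; a check that matches the identifier in the context of the `DisabledPreferencePanes` key would be less fragile than a bare count, since two hide-only profiles would presumably also reach 2. The following commit raises the same threshold to `>= 2` for seven existing rules, including three `_hide` rules, so if a hide-only configuration yields a single occurrence those rules would now report a failure on a correctly hidden pane — worth confirming against real `profiles` output before merging.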
+++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml @@ -4,7 +4,7 @@ discussion: | The Bluetooth System Preference pane _MUST_ be hidden to prevent access to the bluetooth configuration. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml index ec53ae59d..a71efe32f 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml @@ -8,7 +8,7 @@ discussion: | Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml index bcdc8f21f..0086cb5cb 100644 --- a/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml 
@@ -8,7 +8,7 @@ discussion: | Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index eb18ed5f0..8a53aac41 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 2d06d867d..791929ff3 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml 
@@ -5,7 +5,7 @@ discussion: | HIding the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml index 3f0af4c9f..f3e002c99 100644 --- a/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Touch ID. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml index 39f95438d..eea464b9f 100644 --- a/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | From 2e010e4ca3f58c53a983aaecd906280386ff6b0c Mon Sep 17 00:00:00 2001 
From: Bob Gendler Date: Mon, 14 Mar 2022 10:19:16 -0400 Subject: [PATCH 176/193] Updated title --- rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml index c9a5fa355..d44426c83 100644 --- a/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml @@ -1,5 +1,5 @@ id: sysprefs_bluetooth_prefpane_disable -title: "Hide the Bluetooth System Preference Pane" +title: "Disable the Bluetooth System Preference Pane" discussion: | The Bluetooth System Preference pane _MUST_ be disabled to prevent access to the bluetooth configuration. From 53e0d4918a864574e7002081dc5e4cb14f63d8eb Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 10:53:45 -0400 Subject: [PATCH 177/193] updated baseline files --- baselines/800-171.yaml | 7 +++- baselines/800-53r5_high.yaml | 13 +++++- baselines/800-53r5_low.yaml | 10 ++++- baselines/800-53r5_moderate.yaml | 12 +++++- baselines/all_rules.yaml | 70 ++++++++++++++++++++++++++++++-- baselines/cis_lvl1.yaml | 1 - baselines/cis_lvl2.yaml | 1 - baselines/cisv8.yaml | 69 +++++++++++++++++++++++++------ baselines/cnssi-1253.yaml | 11 ++++- 9 files changed, 172 insertions(+), 22 deletions(-) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index f33894b1b..f7627acac 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -14,6 +14,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_enforce + - auth_smartcard_enable - auth_ssh_password_authentication_disable - section: "auditing" rules: @@ -53,7 +54,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require 
@@ -64,6 +64,8 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce - os_recovery_lock_enable - os_removable_media_disable - os_root_disable @@ -74,6 +76,8 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant - os_tftpd_disable - os_time_server_enabled @@ -127,6 +131,7 @@ profile: - sysprefs_guest_account_disable - sysprefs_hot_corners_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - sysprefs_location_services_disable - sysprefs_loginwindow_prompt_username_password_enforce diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml index 76b7edd13..1ac100713 100644 --- a/baselines/800-53r5_high.yaml +++ b/baselines/800-53r5_high.yaml @@ -63,7 +63,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require @@ -76,6 +75,8 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce - os_recovery_lock_enable - os_removable_media_disable - os_root_disable 
@@ -87,7 +88,13 @@ profile: - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure - os_ssh_server_alive_interval_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure - os_sshd_fips_compliant + - os_sshd_key_exchange_algorithm_configure + - os_sshd_permit_root_login_configure + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure - os_system_read_only - os_tftpd_disable @@ -132,6 +139,7 @@ profile: - sysprefs_automatic_logout_enforce - sysprefs_bluetooth_disable - sysprefs_bluetooth_sharing_disable + - sysprefs_cd_dvd_sharing_disable - sysprefs_content_caching_disable - sysprefs_critical_update_install_enforce - sysprefs_diagnostics_reports_disable @@ -145,6 +153,7 @@ profile: - sysprefs_guest_account_disable - sysprefs_hot_corners_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - sysprefs_location_services_disable - sysprefs_loginwindow_prompt_username_password_enforce @@ -152,7 +161,9 @@ profile: - sysprefs_password_hints_disable - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable - sysprefs_screensaver_ask_for_password_delay_enforce - sysprefs_screensaver_password_enforce diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml index ca0ef8627..01f29d436 100644 --- a/baselines/800-53r5_low.yaml +++ b/baselines/800-53r5_low.yaml @@ -54,7 +54,6 @@ profile: - os_handoff_disable - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require 
@@ -64,6 +63,8 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce - os_removable_media_disable - os_root_disable - os_sip_enable @@ -71,6 +72,9 @@ profile: - os_skip_unlock_with_watch_enable - os_ssh_fips_compliant - os_sshd_fips_compliant + - os_sshd_key_exchange_algorithm_configure + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure - os_sudoers_tty_configure - os_tftpd_disable - os_time_server_enabled @@ -110,6 +114,7 @@ profile: - sysprefs_automatic_login_disable - sysprefs_bluetooth_disable - sysprefs_bluetooth_sharing_disable + - sysprefs_cd_dvd_sharing_disable - sysprefs_content_caching_disable - sysprefs_critical_update_install_enforce - sysprefs_diagnostics_reports_disable @@ -121,6 +126,7 @@ profile: - sysprefs_guest_access_smb_disable - sysprefs_guest_account_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - sysprefs_location_services_disable - sysprefs_loginwindow_prompt_username_password_enforce @@ -128,7 +134,9 @@ profile: - sysprefs_password_hints_disable - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable + - sysprefs_printer_sharing_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable - sysprefs_screensaver_timeout_enforce - sysprefs_siri_disable diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml index 69ca00e1c..f57a6661e 100644 --- a/baselines/800-53r5_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml @@ -61,7 +61,6 @@ profile: - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - - os_internet_accounts_prefpane_disable - os_ir_support_disable - os_mail_app_disable - os_mdm_require 
@@ -74,6 +73,8 @@ profile:
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
 - os_removable_media_disable
 - os_root_disable
@@ -85,7 +86,12 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_system_read_only
 - os_tftpd_disable
@@ -130,6 +136,7 @@ profile:
 - sysprefs_automatic_logout_enforce
 - sysprefs_bluetooth_disable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -143,6 +150,7 @@ profile:
 - sysprefs_guest_account_disable
 - sysprefs_hot_corners_disable
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
 - sysprefs_location_services_disable
 - sysprefs_loginwindow_prompt_username_password_enforce
@@ -150,7 +158,9 @@ profile:
 - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
 - sysprefs_screensaver_ask_for_password_delay_enforce
 - sysprefs_screensaver_password_enforce
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 888d6c139..5e909a0de 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -7,7 +7,6 @@ authors: |
 |Dan Brodjieski|National Aeronautics and Space Administration
 |Allen Golbig|Jamf
 |===
-title: "macOS 12.0: Security Configuration - all_rules"
 profile:
 - section: "authentication"
 rules:
@@ -25,12 +24,17 @@ profile:
 - audit_acls_folders_configure
 - audit_auditd_enabled
 - audit_configure_capacity_notify
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
 - audit_failure_halt
 - audit_files_group_configure
 - audit_files_mode_configure
 - audit_files_owner_configure
 - audit_flags_aa_configure
 - audit_flags_ad_configure
+ - audit_flags_configure
 - audit_flags_ex_configure
 - audit_flags_fd_configure
 - audit_flags_fm_configure
@@ -42,6 +46,7 @@ profile:
 - audit_folder_owner_configure
 - audit_folders_mode_configure
 - audit_retention_configure
+ - audit_retention_configure_sixty_days
 - audit_settings_failure_notify
 - section: "macos"
 rules:
@@ -51,12 +56,23 @@ profile:
 - os_asl_log_files_owner_group_configure
 - os_asl_log_files_permissions_configure
 - os_authenticated_root_enable
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
 - os_bonjour_disable
+ - os_burn_support_disable
 - os_calendar_app_disable
 - os_camera_disable
+ - os_cd_read_only_enforce
 - os_certificate_authority_trust
 - os_config_data_install_enforce
 - os_directory_services_configured
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_efi_integrity_validated
+ - os_erase_content_and_settings_disable
+ - os_ess_installed
 - os_facetime_app_disable
 - os_filevault_authorized_users
 - os_filevault_autologin_disable
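Review bot: Dropping the `title:` line from all_rules.yaml leaves that baseline with `authors:` and `profile:` but no title, while every other baseline in this series appears to keep one; if generate_guidance or generate_baseline reads `title` from the baseline (not visible here), this needs confirming rather than a silent removal. If the intent is that all_rules is an inventory that is never rendered as a guide, a comment above `profile:` such as `# no title: all_rules is a rule inventory, not a published guide` would record that for the next maintainer. The `authors` table this hunk sits in begins outside the hunk.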
@@ -65,21 +81,26 @@ profile:
 - os_firmware_password_require
 - os_gatekeeper_enable
 - os_gatekeeper_rearm
+ - os_guest_folder_removed
 - os_handoff_disable
- - os_ess_installed
+ - os_hibernate_mode_destroyfvkeyonstandby_enable
+ - os_hibernate_mode_enable
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
+ - os_install_log_retention_configure
 - os_ir_support_disable
+ - os_library_validation_enabled
 - os_mail_app_disable
 - os_mdm_require
 - os_messages_app_disable
+ - os_mobile_file_integrity_enable
 - os_newsyslog_files_owner_group_configure
 - os_newsyslog_files_permissions_configure
 - os_nfsd_disable
 - os_parental_controls_enable
 - os_password_autofill_disable
+ - os_password_hint_remove
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
@@ -89,36 +110,50 @@ profile:
 - os_recovery_lock_enable
 - os_removable_media_disable
 - os_root_disable
+ - os_safari_open_safe_downloads_disable
 - os_screensaver_loginwindow_enforce
 - os_secure_boot_verify
+ - os_show_filename_extensions_enable
 - os_sip_enable
 - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
 - os_skip_unlock_with_watch_enable
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
 - os_sshd_client_alive_count_max_configure
 - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_140_ciphers
+ - os_sshd_fips_140_macs
 - os_sshd_fips_compliant
 - os_sshd_key_exchange_algorithm_configure
 - os_sshd_login_grace_time_configure
 - os_sshd_permit_root_login_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_system_read_only
+ - os_system_wide_applications_configure
+ - os_terminal_secure_keyboard_enable
 - os_tftpd_disable
+ - os_time_offset_limit_configure
 - os_time_server_enabled
 - os_touchid_prompt_disable
 - os_unlock_active_user_session_disable
 - os_user_app_installation_prohibit
 - os_uucp_disable
+ - os_world_writable_library_folder_configure
+ - os_world_writable_system_folder_configure
 - section: "passwordpolicy"
 rules:
 - pwpolicy_60_day_enforce
 - pwpolicy_account_inactivity_enforce
 - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_enforce_five
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
 - pwpolicy_history_enforce
+ - pwpolicy_history_enforce_fifteen
 - pwpolicy_lower_case_character_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
@@ -147,7 +182,12 @@ profile:
 - sysprefs_automatic_login_disable
 - sysprefs_automatic_logout_enforce
 - sysprefs_bluetooth_disable
+ - sysprefs_bluetooth_menu_enable
+ - sysprefs_bluetooth_prefpane_disable
+ - sysprefs_bluetooth_prefpane_hide
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_bluetooth_unpaired_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -160,29 +200,52 @@ profile:
 - sysprefs_guest_access_smb_disable
 - sysprefs_guest_account_disable
 - sysprefs_hot_corners_disable
+ - sysprefs_hot_corners_secure
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_install_macos_updates_enforce
+ - sysprefs_internet_accounts_prefpane_disable
+ - sysprefs_internet_accounts_prefpane_hide
 - sysprefs_internet_sharing_disable
+ - sysprefs_location_services_audit
 - sysprefs_location_services_disable
+ - sysprefs_location_services_enable
+ - sysprefs_loginwindow_loginwindowtext_enable
 - sysprefs_loginwindow_prompt_username_password_enforce
 - sysprefs_media_sharing_disabled
 - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
 - sysprefs_screensaver_ask_for_password_delay_enforce
 - sysprefs_screensaver_password_enforce
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_siri_disable
+ - sysprefs_siri_prefpane_disable
+ - sysprefs_siri_prefpane_hide
 - sysprefs_smbd_disable
+ - sysprefs_software_update_app_update_enforce
+ - sysprefs_software_update_download_enforce
+ - sysprefs_software_update_enforce
+ - sysprefs_softwareupdate_current
 - sysprefs_ssh_disable
 - sysprefs_ssh_enable
 - sysprefs_system_wide_preferences_configure
+ - sysprefs_time_machine_auto_backup_enable
+ - sysprefs_time_machine_encrypted_configure
 - sysprefs_time_server_configure
 - sysprefs_time_server_enforce
 - sysprefs_token_removal_enforce
+ - sysprefs_touchid_prefpane_disable
+ - sysprefs_touchid_prefpane_hide
 - sysprefs_touchid_unlock_disable
+ - sysprefs_wake_network_access_disable
+ - sysprefs_wallet_applepay_prefpane_disable
+ - sysprefs_wallet_applepay_prefpane_hide
 - sysprefs_wifi_disable
+ - sysprefs_wifi_menu_enable
 - section: "Inherent"
 rules:
 - audit_record_reduction_report_generation
@@ -262,6 +325,7 @@ profile:
 - os_privacy_principle_minimization
 - section: "Supplemental"
 rules:
+ - supplemental_cis_manual
 - supplemental_controls
 - supplemental_filevault
 - supplemental_firewall_pf
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index 69211bb19..bebc61305 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -100,7 +100,6 @@ profile:
 - section: "Supplemental"
 rules:
 - supplemental_cis_manual
- - supplemental_controls
 - supplemental_filevault
 - supplemental_firewall_pf
 - supplemental_password_policy
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index e1554cb1f..c5fc1eb42 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -119,7 +119,6 @@ profile:
 - section: "Supplemental"
 rules:
 - supplemental_cis_manual
- - supplemental_controls
 - supplemental_filevault
 - supplemental_firewall_pf
 - supplemental_password_policy
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
index cbe30f90f..63de51f49 100644
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -20,16 +20,22 @@ profile:
 - auth_ssh_password_authentication_disable
 - section: "auditing"
 rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
 - audit_auditd_enabled
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
+ - audit_control_acls_configure
+ - audit_control_group_configure
+ - audit_control_mode_configure
+ - audit_control_owner_configure
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
 - audit_retention_configure
+ - audit_retention_configure_sixty_days
 - section: "macos"
 rules:
 - os_airdrop_disable
@@ -39,42 +45,59 @@ profile:
 - os_calendar_app_disable
 - os_config_data_install_enforce
 - os_directory_services_configured
+ - os_efi_integrity_validated
+ - os_ess_installed
 - os_facetime_app_disable
 - os_filevault_autologin_disable
 - os_firewall_log_enable
 - os_gatekeeper_enable
 - os_gatekeeper_rearm
 - os_handoff_disable
- - os_ess_installed
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
+ - os_install_log_retention_configure
 - os_ir_support_disable
+ - os_library_validation_enabled
 - os_mail_app_disable
 - os_mdm_require
 - os_messages_app_disable
+ - os_mobile_file_integrity_enable
 - os_nfsd_disable
 - os_parental_controls_enable
 - os_password_autofill_disable
+ - os_password_hint_remove
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_privacy_setup_prompt_disable
 - os_root_disable
+ - os_safari_open_safe_downloads_disable
+ - os_show_filename_extensions_enable
 - os_sip_enable
 - os_siri_prompt_disable
 - os_skip_unlock_with_watch_enable
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
+ - os_sudoers_tty_configure
+ - os_system_wide_applications_configure
+ - os_terminal_secure_keyboard_enable
 - os_tftpd_disable
+ - os_time_offset_limit_configure
 - os_time_server_enabled
 - os_touchid_prompt_disable
+ - os_unlock_active_user_session_disable
 - os_uucp_disable
+ - os_world_writable_library_folder_configure
+ - os_world_writable_system_folder_configure
 - section: "passwordpolicy"
 rules:
 - pwpolicy_60_day_enforce
 - pwpolicy_account_inactivity_enforce
 - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_enforce_five
 - pwpolicy_account_lockout_timeout_enforce
 - pwpolicy_alpha_numeric_enforce
 - pwpolicy_history_enforce
+ - pwpolicy_history_enforce_fifteen
 - pwpolicy_lower_case_character_enforce
 - pwpolicy_minimum_length_enforce
 - pwpolicy_minimum_lifetime_enforce
@@ -97,8 +120,12 @@ profile:
 - section: "systempreferences"
 rules:
 - sysprefs_airplay_receiver_disable
+ - sysprefs_automatic_login_disable
 - sysprefs_bluetooth_disable
+ - sysprefs_bluetooth_menu_enable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_bluetooth_unpaired_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_critical_update_install_enforce
 - sysprefs_diagnostics_reports_disable
@@ -108,21 +135,39 @@ profile:
 - sysprefs_firewall_stealth_mode_enable
 - sysprefs_guest_access_smb_disable
 - sysprefs_guest_account_disable
+ - sysprefs_hot_corners_secure
 - sysprefs_improve_siri_dictation_disable
+ - sysprefs_install_macos_updates_enforce
+ - sysprefs_internet_accounts_prefpane_disable
 - sysprefs_internet_sharing_disable
- - sysprefs_location_services_disable
+ - sysprefs_location_services_audit
+ - sysprefs_location_services_enable
+ - sysprefs_loginwindow_prompt_username_password_enforce
 - sysprefs_media_sharing_disabled
+ - sysprefs_password_hints_disable
 - sysprefs_personalized_advertising_disable
 - sysprefs_power_nap_disable
+ - sysprefs_printer_sharing_disable
 - sysprefs_rae_disable
+ - sysprefs_remote_management_disable
 - sysprefs_screen_sharing_disable
+ - sysprefs_screensaver_ask_for_password_delay_enforce
 - sysprefs_screensaver_timeout_enforce
 - sysprefs_siri_disable
 - sysprefs_smbd_disable
+ - sysprefs_software_update_app_update_enforce
+ - sysprefs_software_update_download_enforce
+ - sysprefs_software_update_enforce
+ - sysprefs_softwareupdate_current
 - sysprefs_ssh_disable
+ - sysprefs_system_wide_preferences_configure
+ - sysprefs_time_machine_auto_backup_enable
+ - sysprefs_time_machine_encrypted_configure
 - sysprefs_time_server_configure
 - sysprefs_time_server_enforce
+ - sysprefs_wake_network_access_disable
 - sysprefs_wifi_disable
+ - sysprefs_wifi_menu_enable
 - section: "Inherent"
 rules:
 - os_logical_access
@@ -134,6 +179,7 @@ profile:
 - pwpolicy_force_password_change
 - section: "Permanent"
 rules:
+ - audit_off_load_records
 - os_auth_peripherals
 - os_secure_name_resolution
 - section: "not_applicable"
@@ -141,7 +187,6 @@ profile:
 - os_access_control_mobile_devices
 - section: "Supplemental"
 rules:
- - supplemental_controls
 - supplemental_filevault
 - supplemental_firewall_pf
 - supplemental_password_policy
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index 43a1cc715..f829733c6 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -56,7 +56,6 @@ profile:
 - os_home_folders_secure
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
- - os_internet_accounts_prefpane_disable
 - os_ir_support_disable
 - os_mail_app_disable
 - os_mdm_require
@@ -67,6 +66,8 @@ profile:
 - os_password_proximity_disable
 - os_password_sharing_disable
 - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
 - os_removable_media_disable
 - os_root_disable
@@ -77,7 +78,12 @@ profile:
 - os_ssh_fips_compliant
 - os_ssh_server_alive_count_max_configure
 - os_ssh_server_alive_interval_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
 - os_sshd_fips_compliant
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sudo_timeout_configure
+ - os_sudoers_timestamp_type_configure
 - os_sudoers_tty_configure
 - os_tftpd_disable
 - os_time_server_enabled
@@ -119,6 +125,7 @@ profile:
 - sysprefs_automatic_logout_enforce
 - sysprefs_bluetooth_disable
 - sysprefs_bluetooth_sharing_disable
+ - sysprefs_cd_dvd_sharing_disable
 - sysprefs_content_caching_disable
 - sysprefs_diagnostics_reports_disable
 - sysprefs_filevault_enforce
@@ -131,6 +138,7 @@ profile: - sysprefs_guest_account_disable - sysprefs_hot_corners_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_internet_accounts_prefpane_disable - sysprefs_internet_sharing_disable - sysprefs_location_services_disable - sysprefs_loginwindow_prompt_username_password_enforce @@ -138,6 +146,7 @@ profile: - sysprefs_personalized_advertising_disable - sysprefs_power_nap_disable - sysprefs_rae_disable + - sysprefs_remote_management_disable - sysprefs_screen_sharing_disable - sysprefs_screensaver_ask_for_password_delay_enforce - sysprefs_screensaver_password_enforce From 20203269b13289812cdc84db1d7946195eeb06e2 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 11:02:38 -0400 Subject: [PATCH 178/193] updated osascript path --- rules/os/os_filevault_autologin_disable.yaml | 2 +- rules/os/os_firewall_log_enable.yaml | 2 +- rules/os/os_gatekeeper_rearm.yaml | 2 +- rules/os/os_ir_support_disable.yaml | 2 +- rules/sysprefs/sysprefs_bluetooth_disable.yaml | 2 +- rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml | 2 +- rules/sysprefs/sysprefs_media_sharing_disabled.yaml | 2 +- rules/sysprefs/sysprefs_time_server_enforce.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 69e9523a9..f26f1cd3a 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('DisableFDEAutoLogin').js EOS diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index c15f9afee..7357cfde4 100644 
--- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ .objectForKey('EnableLogging').js diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 3cf83f9c2..089d54616 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -3,7 +3,7 @@ title: "Enforce Gatekeeper 30 Day Automatic Rearm" discussion: | Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\ .objectForKey('GKAutoRearm').js EOS diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index f92df1eb0..7a8f05fb7 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.driver.AppleIRController')\ .objectForKey('DeviceEnabled').js EOS diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index daefdcff1..d5f7c6c97 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml 
@@ -8,7 +8,7 @@ discussion: | Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\ .objectForKey('DisableBluetooth').js EOS diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 5f5973375..0d7df0fb9 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -5,7 +5,7 @@ discussion: | The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\ .objectForKey('AutoSubmit').js diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index c81d26596..d5b9d2b30 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('homeSharingUIStatus')) 
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index 1d8341823..bcf33c4f7 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -5,7 +5,7 @@ discussion: | This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. check: | - osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\ .objectForKey('TMAutomaticTimeOnlyEnabled').js EOS From e4564ec2477679b922b765feebf27822fd463ab3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 12:01:24 -0400 Subject: [PATCH 179/193] added [source,bash] --- rules/os/os_anti_virus_installed.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml index 32d7492de..3c7d4aa71 100644 --- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -9,7 +9,10 @@ check: | result: integer: 1 fix: | + [source,bash] + ---- /bin/launchctl enable system/com.apple.mrt + ---- references: cce: - CCE-90900-2 From 61bac3fc40481454e83f580e5feda37099e57176 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 13:51:50 -0400 Subject: [PATCH 180/193] update to generate cpe to plist511 --- SCAP/generate_cpe.sh | 20 +++++++++----------- SCAP/os.sh | 2 +- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/SCAP/generate_cpe.sh b/SCAP/generate_cpe.sh index e725b66e5..46f9265de 100755 --- a/SCAP/generate_cpe.sh +++ b/SCAP/generate_cpe.sh @@ -6,8 +6,7 @@ CREATIONDATE=$(date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%Y-%m-%dT%TZ") /bin/cat > macos-cpe-oval.xml << EOO - + macOS Security Compliance Project 5.11.2 
@@ -35,28 +34,27 @@ CREATIONDATE=$(date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%Y-%m-%dT%TZ") - - + - - ProductVersion + /System/Library/CoreServices/SystemVersion.plist - 1 - + //*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text() + macos - - $OS - + + $OS + diff --git a/SCAP/os.sh b/SCAP/os.sh index 43e334119..b2f1224e9 100755 --- a/SCAP/os.sh +++ b/SCAP/os.sh @@ -2,4 +2,4 @@ OS=$(/usr/bin/awk -F ": " '/os: /{print $2}' ../VERSION.yaml | /usr/bin/tr -d '"') -echo $OS \ No newline at end of file +echo $OS From cf57569ae59162d1ca97812fe313c45f51b71250 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Mon, 14 Mar 2022 14:48:37 -0400 Subject: [PATCH 181/193] removed instance datatype from object where not needed --- scripts/generate_oval.py | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index 6e63dba9e..f2268cea9 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py @@ -989,7 +989,6 @@ def main(): /Library/Preferences/com.apple.alf.plist //*[contains(text(), "{}")]/following-sibling::*[1]/text() - 1 '''.format(rule_yaml['id'],x,firewall_variable) oval_state = oval_state + ''' From a2ed83a74d486d04e135ef464d13ac485756d75a Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 14 Mar 2022 21:54:49 -0400 Subject: [PATCH 182/193] updated changelog --- CHANGELOG.adoc | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index fe871e501..69b19ed5d 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
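Review bot: The new XPath `//*[contains(text(), "ProductVersion")]/following-sibling::*[1]/text()` is a substring match, so any plist key that merely contains `ProductVersion` would also satisfy it and the object could yield more than one value; an equality test `//*[text()="ProductVersion"]/following-sibling::*[1]/text()` pins the one key the CPE check needs. The XML markup around this line was stripped by the patch extraction, so the enclosing element names are inferred from the plist511 wording of the commit. Separately, and not part of this change, the `CREATIONDATE` line in the hunk header formats local time and appends a literal `Z`; `date -u` with the same format would make the suffix truthful.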
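Review bot: `echo $OS` on the new side of SCAP/os.sh is unquoted, so the value read from `../VERSION.yaml` is subject to word splitting and glob expansion before it is printed; `echo "$OS"` prints it verbatim. The commit only restores the trailing newline, so this is pre-existing, but the line is being touched and it is a one-character fix. The awk/tr pipeline that sets `OS` is context and unchanged.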
@@ -1,6 +1,88 @@ = Changelog This document provides a high-level view of the changes to the macOS Security Compliance Project. +== [Monterey, Revision 2] - 2022-03-XX + +* Rules +** Added Rules +*** audit_control_acls_configure +*** audit_control_group_configure +*** audit_control_mode_configure +*** audit_control_owner_configure +*** audit_flags_configure +*** audit_retention_configure_sixty_days +*** os_application_sandbox +*** os_blank_bluray_disable +*** os_blank_cd_disable +*** os_blank_dvd_disable +*** os_bluray_read_only_enforce +*** os_burn_support_disable +*** os_cd_read_only_enforce +*** os_disk_image_disable +*** os_dvdram_disable +*** os_efi_integrity_validated +*** os_erase_content_and_settings_disabled +*** os_guest_folder_removed +*** os_hibernate_mode_destroyfvkeyonstandby_enable +*** os_hibernate_mode_enable +*** os_install_log_retention_configure +*** os_library_validation_enabled +*** os_mobile_file_integrity_enable +*** os_password_hint_remove +*** os_safari_open_safe_downloads +*** os_show_filename_extensions_enable +*** os_skip_screen_time_prompt_enable +*** os_sudo_timeout_configure +*** os_system_wide_applications_configure +*** os_terminal_secure_keyboard_enable +*** os_time_offset_limit_configure +*** os_world_writable_library_folder_configure +*** os_world_writable_system_folder_configure +*** pwpolicy_account_lockout_enforce_five +*** pwpolicy_history_enforce_fifteen +*** supplemental_cis_manual +*** sysprefs_bluetooth_menu_enable +*** sysprefs_bluetooth_unpaired_disable +*** sysprefs_cd_dvd_sharing_disable +*** sysprefs_hot_corners_secure +*** sysprefs_install_macos_updates_enforce +*** sysprefs_location_services_audit +*** sysprefs_location_services_enable +*** sysprefs_loginwindow_loginwindowtext_enable +*** sysprefs_printer_sharing_disable +*** sysprefs_remote_management_disable +*** sysprefs_software_update_app_update_enforce.yaml +*** sysprefs_software_update_download_enforce.yaml +*** sysprefs_software_update_enforce.yaml +*** 
sysprefs_softwareupdate_current.yaml +*** sysprefs_time_machine_auto_backup_enable.yaml +*** sysprefs_time_machine_encrypted_configure.yaml +*** sysprefs_wake_network_access_disable.yaml +*** sysprefs_wifi_menu_enable.yaml +** Modified Rules +*** sysprefs_airplay_receiver_disable +*** Updated checks for configuration profiles +** Bug Fixes + +* Baselines +** Added CIS Level 1 & 2 +** Added DISA STIG + +* Scripts +** generate_guidance +*** Added support for CIS +*** Bug Fixes +** generate_baseline +*** Bug Fixes +** generate_mappings +*** Bug Fixes +** generate_oval +*** Renamed Script +*** plist510 tests updated to plist511 +*** Bug Fixes + +* SCAP +** Bug Fixes == [Monterey, Revision 1] - 2021-10-20 From d35658c8dcabf1fd646dc1855210ce507a8e1605 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Mon, 14 Mar 2022 21:56:42 -0400 Subject: [PATCH 183/193] newline --- CHANGELOG.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 69b19ed5d..cf1ac38da 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -1,6 +1,7 @@ = Changelog This document provides a high-level view of the changes to the macOS Security Compliance Project. + == [Monterey, Revision 2] - 2022-03-XX * Rules From 2dde5b34fc5b8da19022a822485e1ffa1da1ef48 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 15 Mar 2022 13:01:08 -0400 Subject: [PATCH 184/193] auth_smartcard_allow added to 171 baseline since allow is required for enforce --- baselines/800-171.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index f7627acac..b4b33cd98 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -14,7 +14,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_enforce - - auth_smartcard_enable + - auth_smartcard_allow - auth_ssh_password_authentication_disable - section: "auditing" rules: From cf140bcbdcfff7a578cb324ea7b0bc5726b6f9f4 Mon Sep 17 00:00:00 2001 
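Review bot: In baselines/800-171.yaml the hunk replaces `auth_smartcard_enable` with `auth_smartcard_allow` instead of adding it alongside, which is narrower than the commit subject ("added ... since allow is required for enforce") suggests; if `auth_smartcard_enable` is still a rule, dropping it from the baseline should be deliberate, and if it was renamed the subject could say so. The new entry also lands after `auth_smartcard_enforce`, breaking the alphabetical order the other baseline lists in this series keep; `- auth_smartcard_allow` belongs directly above `- auth_smartcard_enforce`.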
From: Bob Gendler Date: Tue, 15 Mar 2022 14:49:43 -0400 Subject: [PATCH 185/193] Note added about deprecation --- rules/os/os_blank_bluray_disable.yaml | 5 +++++ rules/os/os_blank_cd_disable.yaml | 5 +++++ rules/os/os_blank_dvd_disable.yaml | 5 +++++ rules/os/os_bluray_read_only_enforce.yaml | 5 +++++ rules/os/os_cd_read_only_enforce.yaml | 5 +++++ rules/os/os_disk_image_disable.yaml | 5 +++++ rules/os/os_dvdram_disable.yaml | 5 +++++ rules/os/os_removable_media_disable.yaml | 12 +++++------- 8 files changed, 40 insertions(+), 7 deletions(-) diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 412ec43f5..ad2a56c35 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -7,6 +7,11 @@ discussion: | ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index cb85da2a0..0033dd5f0 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml 
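Review bot: The added IMPORTANT admonition misspells "fulfill" as "fullfill" and joins two sentences with a comma; suggested wording: `Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.` The identical block is added to os_blank_cd_disable, os_blank_dvd_disable, os_bluray_read_only_enforce, os_cd_read_only_enforce, os_disk_image_disable and os_dvdram_disable, so the same fix applies in each. The surrounding NOTE (context, not new) says "not to disable external hard drives" inside optical-media and disk-image rules, which reads like a copy-paste leftover worth a separate tidy.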
@@ -7,6 +7,11 @@ discussion: | ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 9bee117e3..0ab72723a 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -7,6 +7,11 @@ discussion: | ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== + + [IMPORTANT] + ==== + Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements. + ==== check: | /usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index 2fa1d7e49..913e22b70 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml 
@@ -7,6 +7,11 @@ discussion: |
 ====
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index dde317c2a..fd3cd518e 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -7,6 +7,11 @@ discussion: |
 ====
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 6c4830259..16ee61772 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -7,6 +7,11 @@ discussion: |
 ====
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index c47735518..c1eb08a85 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -7,6 +7,11 @@ discussion: |
 ====
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index f78441659..ac91ee8aa 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -9,6 +9,11 @@ discussion: |
 ====
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
+
+ [IMPORTANT]
+ ====
+ Apple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.
+ ====
 check: |
 /usr/bin/osascript -l JavaScript << EOS
 ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
@@ -38,13 +43,6 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
- - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: true
From 391f3838f36db983d156912cf21346e5854b789b Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 15 Mar 2022 14:49:53 -0400
Subject: [PATCH 186/193] updated baselines
---
 baselines/800-171.yaml | 1 -
 baselines/800-53r5_high.yaml | 1 -
 baselines/800-53r5_low.yaml | 1 -
 baselines/800-53r5_moderate.yaml | 1 -
 baselines/cnssi-1253.yaml | 1 -
 5 files changed, 5 deletions(-)
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index b4b33cd98..845a1bb02 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -67,7 +67,6 @@ profile:
 - os_policy_banner_ssh_configure
 - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
- - os_removable_media_disable
 - os_root_disable
 - os_screensaver_loginwindow_enforce
 - os_sip_enable
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index 1ac100713..0cc80b448 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
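Review bot: Dropping the 800-53r5, 800-53r4, 800-171 and cnssi-1253 tags in the second hunk (`@@ -38,13 +43,6 @@`) removes os_removable_media_disable from every NIST and CNSSI baseline while keeping only `stig`, so those baselines are left with no removable-media control and the gap is not recorded anywhere in this commit. The new IMPORTANT admonition in the first hunk already says third-party software may be required, so the same point belongs where a baseline reader will see it; a sentence in this rule's `discussion` such as `Organizations following the NIST or CNSSI baselines should document how removable media is controlled now that this rule is no longer part of those baselines.` would do. The removed `800-53r4_moderate` and `800-53r4_high` tags have no matching baseline edit in the following commit, so if 800-53r4 baseline files still exist in the repository they should be checked for a stale reference to this rule.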
@@ -78,7 +78,6 @@ profile:
 - os_policy_banner_ssh_configure
 - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
- - os_removable_media_disable
 - os_root_disable
 - os_screensaver_loginwindow_enforce
 - os_secure_boot_verify
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index 01f29d436..1ccb9a5e0 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -65,7 +65,6 @@ profile:
 - os_policy_banner_loginwindow_enforce
 - os_policy_banner_ssh_configure
 - os_policy_banner_ssh_enforce
- - os_removable_media_disable
 - os_root_disable
 - os_sip_enable
 - os_siri_prompt_disable
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index f57a6661e..e32d5cb41 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -171,7 +171,6 @@ profile:
 - sysprefs_system_wide_preferences_configure
 - sysprefs_time_server_configure
 - sysprefs_time_server_enforce
- - sysprefs_token_removal_enforce
 - sysprefs_touchid_unlock_disable
 - sysprefs_wifi_disable
 - section: "Inherent"
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index f829733c6..bc90875e4 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -69,7 +69,6 @@ profile:
 - os_policy_banner_ssh_configure
 - os_policy_banner_ssh_enforce
 - os_recovery_lock_enable
- - os_removable_media_disable
 - os_root_disable
 - os_screensaver_loginwindow_enforce
 - os_sip_enable
From 167ce129d861bccd890897af0c31c927ccc25d88 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 10:23:10 -0400
Subject: [PATCH 187/193] DISA STIG benchmark added
---
 baselines/DISA-STIG.yaml | 163 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 baselines/DISA-STIG.yaml
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
new file mode 100644
index 000000000..1ff81c5c3
--- /dev/null
+++ b/baselines/DISA-STIG.yaml
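Review bot: The 800-53r5_moderate hunk (`@@ -171,7 +171,6 @@`) removes `- sysprefs_token_removal_enforce` rather than `- os_removable_media_disable`, which is what every other hunk in this commit removes and what the preceding commit's tag change (dropping `800-53r5_moderate` from os_removable_media_disable) calls for. As written, the moderate baseline presumably still lists a rule that no longer carries its tag, and it silently loses the smart-card token-removal control, which the DISA-STIG baseline added in the next commit still includes. Either restore `- sysprefs_token_removal_enforce` and remove `- os_removable_media_disable` in that file, or state in the commit message why the token-removal rule is being dropped from the moderate baseline.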
@@ -0,0 +1,163 @@
+title: "macOS 12.0: Security Configuration - DISA STIG"
+description: |
+ This guide describes the actions to take when securing a macOS 12.0 system against the DISA STIG baseline.
+authors: |
+ |===
+ |Dan Brodjieski|National Aeronautics and Space Administration
+ |Allen Golbig|Jamf
+ |Bob Gendler|National Institute of Standards and Technology
+ |===
+profile:
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_fd_configure
+ - audit_flags_fm_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+ - section: "macos"
+ rules:
+ - os_airdrop_disable
+ - os_anti_virus_installed
+ - os_appleid_prompt_disable
+ - os_asl_log_files_owner_group_configure
+ - os_asl_log_files_permissions_configure
+ - os_blank_bluray_disable
+ - os_blank_cd_disable
+ - os_blank_dvd_disable
+ - os_bluray_read_only_enforce
+ - os_bonjour_disable
+ - os_burn_support_disable
+ - os_camera_disable
+ - os_cd_read_only_enforce
+ - os_certificate_authority_trust
+ - os_config_data_install_enforce
+ - os_directory_services_configured
+ - os_disk_image_disable
+ - os_dvdram_disable
+ - os_erase_content_and_settings_disable
+ - os_ess_installed
+ - os_filevault_authorized_users
+ - os_filevault_autologin_disable
+ - os_firmware_password_require
+ - os_gatekeeper_enable
+ - os_handoff_disable
+ - os_home_folders_secure
+ - os_httpd_disable
+ - os_icloud_storage_prompt_disable
+ - os_newsyslog_files_owner_group_configure
+ - os_newsyslog_files_permissions_configure
+ - os_nfsd_disable
+ - os_password_proximity_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_policy_banner_ssh_configure
+ - os_policy_banner_ssh_enforce
+ - os_privacy_setup_prompt_disable
+ - os_removable_media_disable
+ - os_screensaver_loginwindow_enforce
+ - os_sip_enable
+ - os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
+ - os_skip_unlock_with_watch_enable
+ - os_sshd_client_alive_count_max_configure
+ - os_sshd_client_alive_interval_configure
+ - os_sshd_fips_140_ciphers
+ - os_sshd_fips_140_macs
+ - os_sshd_key_exchange_algorithm_configure
+ - os_sshd_login_grace_time_configure
+ - os_sshd_permit_root_login_configure
+ - os_sudoers_tty_configure
+ - os_tftpd_disable
+ - os_time_server_enabled
+ - os_touchid_prompt_disable
+ - os_uucp_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_60_day_enforce
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_history_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_special_character_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - section: "icloud"
+ rules:
+ - icloud_addressbook_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_bookmarks_disable
+ - icloud_calendar_disable
+ - icloud_drive_disable
+ - icloud_keychain_disable
+ - icloud_mail_disable
+ - icloud_notes_disable
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_automatic_login_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_bluetooth_prefpane_disable
+ - sysprefs_bluetooth_prefpane_hide
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_guest_account_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_internet_accounts_prefpane_disable
+ - sysprefs_internet_accounts_prefpane_hide
+ - sysprefs_internet_sharing_disable
+ - sysprefs_location_services_disable
+ - sysprefs_loginwindow_prompt_username_password_enforce
+ - sysprefs_password_hints_disable
+ - sysprefs_rae_disable
+ - sysprefs_screen_sharing_disable
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_siri_disable
+ - sysprefs_siri_prefpane_disable
+ - sysprefs_siri_prefpane_hide
+ - sysprefs_smbd_disable
+ - sysprefs_ssh_disable
+ - sysprefs_system_wide_preferences_configure
+ - sysprefs_time_server_configure
+ - sysprefs_time_server_enforce
+ - sysprefs_token_removal_enforce
+ - sysprefs_touchid_prefpane_disable
+ - sysprefs_touchid_prefpane_hide
+ - sysprefs_wallet_applepay_prefpane_disable
+ - sysprefs_wallet_applepay_prefpane_hide
+ - section: "Supplemental"
+ rules:
+ - supplemental_cis_manual
+ - supplemental_controls
+ - supplemental_filevault
+ - supplemental_firewall_pf
+ - supplemental_password_policy
+ - supplemental_smartcard
From c3b5340962915f62de84a971d5e30b1318b6bc70 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 11:00:57 -0400
Subject: [PATCH 188/193] removed cis manual from DISA STIG
---
 baselines/DISA-STIG.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
index 1ff81c5c3..1e805e6b3 100644
--- a/baselines/DISA-STIG.yaml
+++ b/baselines/DISA-STIG.yaml
@@ -155,7 +155,6 @@ profile:
 - sysprefs_wallet_applepay_prefpane_hide
 - section: "Supplemental"
 rules:
- - supplemental_cis_manual
 - supplemental_controls
 - supplemental_filevault
 - supplemental_firewall_pf
From e24bd23c4f71026e33b89afc950165436536280b Mon Sep 17 00:00:00 2001
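Review bot: The new baseline's macos section lists os_blank_bluray_disable, os_blank_cd_disable, os_blank_dvd_disable, os_bluray_read_only_enforce, os_cd_read_only_enforce, os_disk_image_disable, os_dvdram_disable and os_removable_media_disable, the same eight rules whose discussion an earlier commit in this series marks with an IMPORTANT admonition that Apple has deprecated media mount controls and that third-party software may be required. Nothing in this file tells a reader that part of the STIG mapping may not be enforceable with the generated configuration profile alone, so a reader who builds only the baseline document could take full coverage for granted. A sentence in `description` would carry that caveat, e.g. `Several removable-media rules in this baseline depend on media mount controls that Apple has deprecated; see each rule's discussion before relying on them for compliance.`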
From: Bob Gendler
Date: Wed, 16 Mar 2022 11:01:22 -0400
Subject: [PATCH 189/193] updated version.yaml with release date
---
 VERSION.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.yaml b/VERSION.yaml
index da1354390..28ba2ed9f 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,4 +1,4 @@
 os: "12.0"
 version: "Monterey Guidance, Revision 2"
 cpe: o:apple:macos:12.0
-date: "XXXX-XX-XX"
+date: "2022-03-16"
From 52af205a385437989ca295b3370e5ee540ed3a28 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 11:14:18 -0400
Subject: [PATCH 190/193] Updated STIG reference link
---
 templates/adoc_additional_docs.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc
index cb0754999..20627c595 100644
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -28,7 +28,7 @@ ASSOCIATED DOCUMENTS
 |===
 |Document Number or Descriptor |Document Title
-|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_11_V1R2_STIG.zip[STIG Ver 1, Rel 2]|_Apple macOS 11 (Big Sur) STIG_
+|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_12_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 12 (Monterey) STIG_
 |===
 [%header, cols=2*a]
From 14077d5d22869e55d0af644f6abb36a509c3ada8 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 11:21:33 -0400
Subject: [PATCH 191/193] added author
---
 baselines/cis_lvl1.yaml | 1 +
 baselines/cis_lvl2.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index bebc61305..30aa40f9f 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -6,6 +6,7 @@ authors: |
 |===
 |Edward Byrd|Center for Internet Security
 |Ron Colvin|Center for Internet Security
+ |Allen Golbig|Jamf
 |===
 profile:
 - section: "auditing"
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index c5fc1eb42..b17fe9898 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -6,6 +6,7 @@ authors: |
 |===
 |Edward Byrd|Center for Internet Security
 |Ron Colvin|Center for Internet Security
+ |Allen Golbig|Jamf
 |===
 profile:
 - section: "auditing"
From 1de837253027582d4401ed448974259838c3c25c Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 12:20:45 -0400
Subject: [PATCH 192/193] updated descriptions
---
 baselines/DISA-STIG.yaml | 2 +-
 baselines/cis_lvl1.yaml | 2 +-
 baselines/cis_lvl2.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
index 1e805e6b3..507ac3328 100644
--- a/baselines/DISA-STIG.yaml
+++ b/baselines/DISA-STIG.yaml
@@ -1,6 +1,6 @@
 title: "macOS 12.0: Security Configuration - DISA STIG"
 description: |
- This guide describes the actions to take when securing a macOS 12.0 system against the DISA STIG baseline.
+ This guide describes the actions to take when securing a macOS system against the Apple macOS 12 (Monterey) STIG - Ver 1, Rel 1.
 authors: |
 |===
 |Dan Brodjieski|National Aeronautics and Space Administration
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index 30aa40f9f..7fc9eb955 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
 title: "macOS 12.0: Security Configuration - CIS Benchmarks"
 description: |
- This guide describes the actions to take when securing a macOS 12.0 system against the CIS Benchmarks (Level 1)
+ This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 12.0 Monterey v1.0.0 Benchmark (Level 1)
 authors: |
 The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
 |===
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index b17fe9898..754b198b4 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@
 title: "macOS 12.0: Security Configuration - CIS Benchmarks"
 description: |
- This guide describes the actions to take when securing a macOS 12.0 system against the CIS Benchmarks (Level 1 and 2)
+ This guide describes the actions to take when securing a macOS system against the CIS Apple macOS 12.0 Monterey v1.0.0 Benchmark (Level 1 and 2)
 authors: |
 The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
 |===
From a6655b046794485fd4971d1a68d66e805d5ed280 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Wed, 16 Mar 2022 12:30:23 -0400
Subject: [PATCH 193/193] fixed spacing in title
---
 baselines/800-53r5_high.yaml | 2 +-
 baselines/800-53r5_low.yaml | 2 +-
 baselines/800-53r5_moderate.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index 0cc80b448..511a59ac1 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 High Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 High Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 High-Impact Security Baseline.
 authors: |
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index 1ccb9a5e0..0022a9d07 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 Low Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 Low Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 Low-Impact Security Baseline.
 authors: |
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index e32d5cb41..885dec3d3 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -1,4 +1,4 @@
-title: "macOS 12 Security Configuration:NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
+title: "macOS 12 Security Configuration: NIST SP 800-53 Rev 5 Moderate Impact Security Baseline"
 description: |
 This guide describes the actions to take when securing a macOS 12 system against the NIST SP 800-53 Rev. 5 Moderate-Impact Security Baseline.
 authors: |