From dd9c578ea32646495da3d75d9307b3ecd3d346a7 Mon Sep 17 00:00:00 2001
From: qharouff <qharouff@nebraska.edu>
Date: Mon, 10 Oct 2022 14:24:50 -0500
Subject: [PATCH] Delete values.js
---
values.js | 1559 -----------------------------------------------------
1 file changed, 1559 deletions(-)
delete mode 100644 values.js
diff --git a/values.js b/values.js
deleted file mode 100644
index 817e434..0000000
--- a/values.js
+++ /dev/null
@@ -1,1559 +0,0 @@
-var values = [
- {
- "ruleid": "audit_acls_files_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Files to Not Contain Access Control Lists",
- "discussion": "The audit log files _MUST_ not contain access control lists (ACLs).\n\nThis rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_acls_folders_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Folder to Not Contain Access Control Lists",
- "discussion": "The audit log folder _MUST_ not contain access control lists (ACLs).\n\nAudit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_auditd_enabled",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Security Auditing",
- "discussion": "The information system _MUST_ be configured to generate audit records. \n\nAudit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.\n\nThe content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success\/fail indications, filenames involved, and access or flow control rules invoked.\n\nThe information system initiates session audits at system start-up.\n\nNOTE: Security auditing is enabled by default on macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_configure_capacity_notify",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Capacity Warning",
- "discussion": "The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. \n\nThis rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_control_acls_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit_Control to Not Contain Access Control Lists",
- "discussion": "\/etc\/security\/audit_control _MUST_ not contain Access Control Lists (ACLs).\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_control_group_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit_Control Group to Wheel",
- "discussion": "\/etc\/security\/audit_control _MUST_ have the group set to wheel.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_control_mode_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit_Control Owner to Mode 440 or Less Permissive",
- "discussion": "\/etc\/security\/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_control_owner_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit_Control Owner to Root",
- "discussion": "\/etc\/security\/audit_control _MUST_ have the owner set to root.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_failure_halt",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Shut Down Upon Audit Failure",
- "discussion": "The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. \n\nOnce audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_files_group_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Files Group to Wheel",
- "discussion": "Audit log files _MUST_ have the group set to wheel.\n\nThe audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. \n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_files_mode_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Files to Mode 440 or Less Permissive",
- "discussion": "The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_files_owner_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Files to be Owned by Root",
- "discussion": "Audit log files _MUST_ be owned by root.\n\nThe audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_aa_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Authorization and Authentication Events",
- "discussion": "The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.\n\nAuthentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. \n\nAudit records can be generated from various components within the information system (e.g., via a module or policy filter).\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_ad_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Administrative Action Events",
- "discussion": "The auditing system _MUST_ be configured to flag administrative action (ad) events.\n\nAdministrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. \n\nAudit records can be generated from various components within the information system (e.g., via a module or policy filter). \n\nThe information system audits the execution of privileged functions.\n\nNOTE: We recommend changing the line \"43127:AUE_MAC_SYSCALL:mac_syscall(2):ad\" to \"43127:AUE_MAC_SYSCALL:mac_syscall(2):zz\" in the file \/etc\/security\/audit_event. This will prevent sandbox violations from being audited by the ad flag. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Flags",
- "discussion": "The auditing system _MUST_ be configured with at least the minimal flags of fm, ad, -ex, aa, -fr, lo, and -fw.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_ex_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Failed Program Execution on the System",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and\/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). \n\nThis configuration ensures that audit lists include events in which program execution has failed. \nWithout auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_fd_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Deletions of Object Attributes",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd). \n\n***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). \n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. \n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_fm_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Changes of Object Attributes",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions). \n\nThis configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. \n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_fm_failed_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Failed Change of Object Attributes",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). \n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. \n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_fr_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Failed Read Actions on the System",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and\/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). \n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. \n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_fw_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Failed Write Actions on the System",
- "discussion": "The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and\/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). \n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. \n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_flags_lo_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System to Audit All Log In and Log Out Events",
- "discussion": "The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo). \n\nFrequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk.\n\nThe information system monitors login and logout events.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_folder_group_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Folders Group to Wheel",
- "discussion": "Audit log files _MUST_ have the group set to wheel.\n\nThe audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. \n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_folder_owner_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Folders to be Owned by Root",
- "discussion": "Audit log files _MUST_ be owned by root.\n\nThe audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_folders_mode_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Log Folders to Mode 700 or Less Permissive",
- "discussion": "The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. \n\nBecause audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_retention_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Retention to 7d",
- "discussion": "The audit service _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. \n\nWhen \"expire-after\" is set to \"7d\", the audit service will not delete audit logs until the log data criteria is met.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "audit_settings_failure_notify",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Audit Failure Notification",
- "discussion": "The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. \n\nIt is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_airdrop_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable AirDrop",
- "discussion": "AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.\nAirDrop allows users to share and receive files from other nearby Apple devices.",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_anti_virus_installed",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Must Use an Approved Antivirus Program",
- "discussion": "An approved antivirus product _MUST_ be installed and configured to run.\n\nMalicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_appleid_prompt_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Apple ID Setup during Setup Assistant",
- "discussion": "The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. \n\nmacOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_asl_log_files_owner_group_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Apple System Log Files Owned by Root and Group to Wheel",
- "discussion": "The Apple System Logs (ASL) _MUST_ be owned by root.\n\nASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_asl_log_files_permissions_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Apple System Log Files To Mode 640 or Less Permissive",
- "discussion": "The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_authenticated_root_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Authenticated Root",
- "discussion": "Authenticated Root _MUST_ be enabled. \n\nWhen Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.\n\nNOTE: Authenticated Root is enabled by default on macOS systems.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_bonjour_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Bonjour Multicast",
- "discussion": "Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_burn_support_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Burn Support",
- "discussion": "Burn support _MUST_ be disabled.\n[IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ====",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_cd_read_only_enforce",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Enforce CD Read Only",
- "discussion": "CD media _MUST_ be set to read only.\n\n[IMPORTANT]\n====\nSome organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n\n[IMPORTANT]\n====\nApple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_certificate_authority_trust",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Issue or Obtain Public Key Certificates from an Approved Service Provider",
- "discussion": "The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_config_data_install_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Installation of XProtect and Gatekeeper Updates Automatically",
- "discussion": "Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically.\n\nThis setting enforces definition updates for XProtect and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.\n\nlink:https:\/\/support.apple.com\/en-us\/HT207005[]\n\nNOTE: Software update will automatically update XProtect and Gatekeeper by default in the macOS.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_directory_services_configured",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Integrate System into a Directory Services Infrastructure",
- "discussion": "The macOS system _MUST_ be integrated into a directory services infrastructure. \n\nA directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_dvdram_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Blank CD",
- "discussion": "Blank CD media _MUST_ be disabled.\n\n[IMPORTANT]\n====\nSome organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n\n[IMPORTANT]\n====\nApple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_efi_integrity_validated",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Extensible Firmware Interface Version is Valid",
- "discussion": "The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_erase_content_and_settings_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable Erase Content and Settings",
- "discussion": "Erase Content and Settings _MUST_ be disabled.",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_ess_installed",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Must Use ESS",
- "discussion": "The approved ESS solution _MUST_ be installed and configured to run. \n\nThe macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_filevault_authorized_users",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "FileVault Authorized Users",
- "discussion": "macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_filevault_autologin_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable FileVault Automatic Login",
- "discussion": "If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required.\n\nThe default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. \n\nNOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_firewall_log_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Firewall Logging",
- "discussion": "Firewall logging _MUST_ be enabled. \n\nFirewall logging ensures that malicious network activity will be logged to the system. \n\nNOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_gatekeeper_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Gatekeeper",
- "discussion": "Gatekeeper _MUST_ be enabled. \n\nGatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.\n\nAdministrator users will still have the option to override these settings on a case-by-case basis.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_gatekeeper_rearm",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Gatekeeper 30 Day Automatic Rearm",
- "discussion": "Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_home_folders_secure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Secure User's Home Folders",
- "discussion": "The system _MUST_ be configured to prevent access to other user's home folders.\n\nThe default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_httpd_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable the Built-in Web Server",
- "discussion": "The built-in web server is a non-essential service built into macOS and _MUST_ be disabled.\n\nNOTE: The built in web server service is disabled at startup by default macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_icloud_storage_prompt_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable iCloud Storage Setup during Setup Assistant",
- "discussion": "The prompt to set up iCloud storage services during Setup Assistant _MUST_ be disabled.\n\nThe default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_install_log_retention_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Install.log Retention to 365",
- "discussion": "The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_ir_support_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable Infrared (IR) support",
- "discussion": "Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. \n\nBy default, if IR is enabled, the system will accept IR control from any remote device. \n\nNOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_mdm_require",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Enrollment in Mobile Device Management",
- "discussion": "You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.\n\nUser Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)\/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:\n\n* Allowed Kernel Extensions\n* Allowed Approved System Extensions\n* Privacy Preferences Policy Control Payload\n* ExtensibleSingleSignOn\n* FDEFileVault\n\nIn macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:\n\n* Activation Lock Bypass\n* Access to Bootstrap Tokens\n* Scheduling Software Updates\n* Query list and delete local users\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_newsyslog_files_owner_group_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System Log Files Owned by Root and Group to Wheel",
- "discussion": "The system log files _MUST_ be owned by root.\n\nSystem logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_newsyslog_files_permissions_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure System Log Files to Mode 640 or Less Permissive",
- "discussion": "The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_nfsd_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Network File System Service",
- "discussion": "Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_password_hint_remove",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Remove Password Hint From User Accounts",
- "discussion": "User accounts _MUST_ not contain password hints.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_password_proximity_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Proximity Based Password Sharing Requests",
- "discussion": "Proximity based password sharing requests _MUST_ be disabled. \n\nThe default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_password_sharing_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Password Sharing",
- "discussion": "Password Sharing _MUST_ be disabled. \n\nThe default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_policy_banner_loginwindow_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Display Policy Banner at Login Window",
- "discussion": "Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nThe policy banner will show if a \"PolicyBanner.rtf\" or \"PolicyBanner.rtfd\" exists in the \"\/Library\/Security\" folder.\nNOTE:\n The banner text of the document _MUST_ read:\n\n \"University of Nebraska Privacy and Security Notice\n\nThese technology services, including all related equipment, network, and data systems, are provided solely for use authorized by the University of Nebraska. The use of these technology services constitutes consent to abide by the University of Nebraska's Policy for Responsible Use of University Computers and Information Systems. The University of Nebraska may monitor the use of these technology services in compliance with the Policy for Responsible Use of University Computers and Information Systems. Failure to comply with University IT policies may result in sanctions related to the individual’s use of IT resources or other appropriate sanctions via University personnel and student policies.\"\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_policy_banner_ssh_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Display Policy Banner at Remote Login",
- "discussion": "Remote login service _MUST_ be configured to display a policy banner at login.\n\nDisplaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_policy_banner_ssh_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce SSH to Display Policy Banner",
- "discussion": "SSH _MUST_ be configured to display a policy banner. \n\nDisplaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist\n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_privacy_setup_prompt_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Privacy Setup Services During Setup Assistant",
- "discussion": "The prompt for Privacy Setup services during Setup Assistant _MUST_ be disabled.\n\nOrganizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_removable_media_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Removable Storage Devices",
- "discussion": "Removable media, such as USB connected external hard drives, thumb drives, and optical media, _MUST_ be disabled for users.\n\nDisabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion)\n\n[IMPORTANT]\n====\nSome organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n\n[IMPORTANT]\n====\nApple has deprecated the use of media mount controls, using these controls may not work as expected. Third party software may be required to fullfill the compliance requirements.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_root_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Root Login",
- "discussion": "To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled.\n\nThe macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_safari_open_safe_downloads_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Automatic Opening of Safe Files in Safari",
- "discussion": "Open \"safe\" files after downloading _MUST_ be disabled in Safari. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_screensaver_loginwindow_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Screen Saver at Login Window",
- "discussion": "A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_secure_boot_verify",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Ensure Secure Boot Level Set to Full",
- "discussion": "The Secure Boot security setting _MUST_ be set to full.\n\nFull security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. \n\nNOTE: This will only return a proper result on a T2 or Apple Silicon Macs.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_show_filename_extensions_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Show All Filename Extensions",
- "discussion": "Show all filename extensions _MUST_ be enabled in the Finder.\n\n[NOTE] \n====\nThe check and fix are for the currently logged in user. To get the currently logged in user, run the following.\n[source,bash]\n----\nCURRENT_USER=$( \/usr\/sbin\/scutil <<< \"show State:\/Users\/ConsoleUser\" \\| \/usr\/bin\/awk '\/Name :\/ && ! \/loginwindow\/ { print $3 }' )\n----\n====\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sip_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure System Integrity Protection is Enabled",
- "discussion": "System Integrity Protection (SIP) _MUST_ be enabled. \n\nSIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and\/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders.\n\nNOTE: SIP is enabled by default in macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_siri_prompt_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Siri Setup during Setup Assistant",
- "discussion": "The prompt for Siri during Setup Assistant _MUST_ be disabled.\n\nOrganizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organization-wide settings.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_skip_screen_time_prompt_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Screen Time Prompt During Setup Assistant",
- "discussion": "The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled.",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_skip_unlock_with_watch_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Unlock with Apple Watch During Setup Assistant",
- "discussion": "The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled. \n\nDisabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_ssh_fips_compliant",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Limit SSH to FIPS Compliant Connections",
- "discussion": "SSH _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.\n\nOperating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. \n\nNOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_ssh_server_alive_count_max_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Set SSH Active Server Alive Maximum to 0",
- "discussion": "SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.\n\nNOTE: \/etc\/ssh\/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_ssh_server_alive_interval_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure SSH ServerAliveInterval option set to 900",
- "discussion": "SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900. \n\nSetting the Active Server Alive Maximum Count to 900 will log users out after a 900 seconds interval of inactivity.\n\nNOTE: \/etc\/ssh\/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_client_alive_count_max_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Set SSHD Active Client Alive Maximum to 0",
- "discussion": "If SSHD is enabled it _MUST_ be configured with an Active Client Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.\n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_client_alive_interval_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure SSHD ClientAliveInterval option set to 900",
- "discussion": "If SSHD is enabled then it _MUST_ be configured with an Active Client Alive Maximum Count set to 900. \n\nSetting the Active Client Alive Maximum Count to 900 (seconds) will log users out after an organizational defined interval of inactivity.\n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_fips_140_ciphers",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Limit SSHD to FIPS 140 Validated Ciphers",
- "discussion": "If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.\n\nOperating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. \n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_fips_140_macs",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms",
- "discussion": "If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.\n\nOperating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. \n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_fips_compliant",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Limit SSHD to FIPS Compliant Connections",
- "discussion": "If SSHD is enabled then it _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.\n\nOperating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. \n\nNOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_key_exchange_algorithm_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure SSHD to Use Secure Key Exchange Algorithms",
- "discussion": "Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data.\n\nOperating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nThe implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated.\n\nBy specifying a Key Exchange Algorithm list with the order of hashes being in a \"strongest to weakest\" orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections.\n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_login_grace_time_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Set Login Grace Time to 30",
- "discussion": "If SSHD is enabled then it _MUST_ be configured to wait only 30 seconds before timing out logon attempts.\n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sshd_permit_root_login_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Root Login for SSH",
- "discussion": "If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. \n\nThe macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. \n\nNOTE: \/etc\/ssh\/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sudo_timeout_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Sudo Timeout Period to 0",
- "discussion": "The file \/etc\/sudoers _MUST_ include a timestamp_timout of 0.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sudoers_timestamp_type_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Sudoers Timestamp Type",
- "discussion": "The file \/etc\/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid.\n\nThis rule ensures that the \"sudo\" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_sudoers_tty_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Sudoers to Authenticate Users on a Per -tty Basis",
- "discussion": "The file \/etc\/sudoers _MUST_ be configured to include tty_tickets.\n\nThis rule ensures that the \"sudo\" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the \"tty_tickets\" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_system_read_only",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure System Volume is Read Only",
- "discussion": "The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable.\n\nNOTE: The system volume is read only by default in macOS.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_system_wide_applications_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Appropriate Permissions Are Enabled for System Wide Applications",
- "discussion": "Applications in the System Applications Directory (\/Applications) _MUST_ not be world-writable.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_terminal_secure_keyboard_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Secure Keyboard Entry Terminal.app is Enabled",
- "discussion": "Secure keyboard entry _MUST_ be enabled in Terminal.app. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_tftpd_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Trivial File Tansfer Protocol Service",
- "discussion": "If the system does not require Trivial File Tansfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. \n\nNOTE: TFTP service is disabled at startup by default macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_time_offset_limit_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Time Offset Within Limits",
- "discussion": "The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_time_server_enabled",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Time Synchronization Daemon",
- "discussion": "The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server.\n\nNOTE: The time synchronization daemon is enabled by default on macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_touchid_prompt_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable TouchID Prompt during Setup Assistant",
- "discussion": "The prompt for TouchID during Setup Assistant _MUST_ be disabled.\n\nmacOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_unlock_active_user_session_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable Login to Other User's Active and Locked Sessions",
- "discussion": "The ability to log in to another user's active or locked session _MUST_ be disabled. \n\nmacOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and\/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and\/or personal information.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_uucp_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Unix-to-Unix Copy Protocol Service",
- "discussion": "The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active.\n\nUUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. \n\nNOTE: UUCP service is disabled at startup by default macOS.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "pwpolicy_account_lockout_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Limit Consecutive Failed Login Attempts to Three",
- "discussion": "The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after.\n\nThis rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "pwpolicy_account_lockout_timeout_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Set Account Lockout Time to 15 Minutes",
- "discussion": "The macOS _MUST_ be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached.\n\nThis rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "pwpolicy_alpha_numeric_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Require Passwords Contain a Minimum of One Numeric Character",
- "discussion": "The macOS _MUST_ be configured to require at least one numeric character be used when a password is created.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "pwpolicy_minimum_length_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Require a Minimum Password Length of 10 Characters",
- "discussion": "The macOS _MUST_ be configured to require a minimum of 10 characters be used when a password is created.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "pwpolicy_special_character_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Require Passwords Contain a Minimum of One Special Character",
- "discussion": "The macOS _MUST_ be configured to require at least one special character be used when a password is created.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_airplay_receiver_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Airplay Receiver",
- "discussion": "Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. \n\nSupport for Airplay Receiver is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_apple_watch_unlock_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Prevent Apple Watch from Terminating a Session Lock",
- "discussion": "Apple Watches are not an approved authenticator and their use _MUST_ be disabled.\n\nDisabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_automatic_login_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Unattended or Automatic Logon to the System",
- "discussion": "Automatic logon _MUST_ be disabled.\n\nWhen automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_bluetooth_menu_enable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Enable Bluetooth Menu",
- "discussion": "The bluetooth menu _MUST_ be enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_bluetooth_sharing_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Bluetooth Sharing",
- "discussion": "Bluetooth Sharing _MUST_ be disabled. \n\nBluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. \n\n[NOTE] \n====\nThe check and fix are for the currently logged in user. To get the currently logged in user, run the following.\n[source,bash]\n----\nCURRENT_USER=$( \/usr\/sbin\/scutil <<< \"show State:\/Users\/ConsoleUser\" \\| \/usr\/bin\/awk '\/Name :\/ && ! \/loginwindow\/ { print $3 }' )\n----\n====\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_cd_dvd_sharing_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable CD\/DVD Sharing",
- "discussion": "CD\/DVD Sharing _MUST_ be disabled. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_content_caching_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Content Caching Service",
- "discussion": "Content caching _MUST_ be disabled. \n\nContent caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_critical_update_install_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Critical Security Updates to be Installed",
- "discussion": "Ensure that security updates are installed as soon as they are available from Apple. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_diagnostics_reports_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Sending Diagnostic and Usage Data to Apple",
- "discussion": "The ability to submit diagnostic data to Apple _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_filevault_enforce",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Enforce FileVault",
- "discussion": "FileVault _MUST_ be enforced.\n\nThe information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_find_my_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable Find My Service",
- "discussion": "The Find My service _MUST_ be disabled.\n\nA Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service.\n\nApple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_firewall_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable macOS Application Firewall",
- "discussion": "The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. \n\nWhen the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_firewall_stealth_mode_enable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Enable Firewall Stealth Mode",
- "discussion": "Firewall Stealth Mode _MUST_ be enabled. \n\nWhen stealth mode is enabled, the Mac will not respond to any probing requests, and only requests from authorized applications will still be authorized.\n\n[IMPORTANT]\n====\nEnabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_gatekeeper_identified_developers_allowed",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Apply Gatekeeper Settings to Block Applications from Unidentified Developers",
- "discussion": "The information system implements cryptographic mechanisms to authenticate software prior to installation.\n\nGatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_gatekeeper_override_disallow",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Configure Gatekeeper to Disallow End User Override",
- "discussion": "Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. \n\nIf users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_guest_access_smb_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Guest Access to Shared SMB Folders",
- "discussion": "Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. \n\nTurning off guest access prevents anonymous users from accessing files shared via SMB.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_guest_account_disable",
- "nulevel": "Medium",
- "status": "Implemented",
- "title": "Disable the Guest Account",
- "discussion": "Guest access _MUST_ be disabled. \n\nTurning off guest access prevents anonymous users from accessing files.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_improve_siri_dictation_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Sending Siri and Dictation Information to Apple",
- "discussion": "The ability for Apple to store and review audio of your Siri and Dictation interactions _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_install_macos_updates_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce macOS Updates are Automatically Installed",
- "discussion": "Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_internet_sharing_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Internet Sharing",
- "discussion": "If the system does not require Internet sharing, support for it is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_location_services_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Location Services",
- "discussion": "Location Services _MUST_ be enabled. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_loginwindow_loginwindowtext_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Login Window to Show A Custom Message",
- "discussion": "The login window _MUST_ be configured to show a custom access warning message.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_loginwindow_prompt_username_password_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure Login Window to Prompt for Username and Password",
- "discussion": "The login window _MUST_ be configured to prompt all users for both a username and a password. \n\nBy default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_media_sharing_disabled",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Media Sharing",
- "discussion": "Media sharing _MUST_ be disabled.\n\nWhen Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. \n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk.\n\nNOTE: The Media Sharing preference panel will still allow \"Home Sharing\" and \"Share media with guests\" to be checked but the service will not be enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_password_hints_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Password Hints",
- "discussion": "Password hints _MUST_ be disabled.\n\nPassword hints leak information about passwords that are currently in use and can lead to loss of confidentiality. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_personalized_advertising_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Personalized Advertising",
- "discussion": "Ad tracking and targeted ads _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_power_nap_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Power Nap",
- "discussion": "Power Nap _MUST_ be disabled.\n\nPower Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices to stop functioning until a reboot and must therefore be disabled on all applicable systems. \n\nThe following Macs support Power Nap:\n\n* MacBook (Early 2015 and later)\n* MacBook Air (Late 2010 and later)\n* MacBook Pro (all models with Retina display)\n* Mac mini (Late 2012 and later)\n* iMac (Late 2012 and later)\n* Mac Pro (Late 2013 and later)\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_printer_sharing_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Printer Sharing",
- "discussion": "Printer Sharing _MUST_ be disabled. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_rae_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Remote Apple Events",
- "discussion": "If the system does not require Remote Apple Events, support for Apple Remote Events is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_remote_management_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Remote Management",
- "discussion": "Remote Management _MUST_ be disabled. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_screen_sharing_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Screen Sharing and Apple Remote Desktop",
- "discussion": "Support for both Screen Sharing and Apple Remote Desktop (ARD) is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_screensaver_ask_for_password_delay_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Session Lock After Screen Saver is Started",
- "discussion": "A screen saver _MUST_ be enabled and the system _MUST_ be configured to require a password to unlock once the screensaver has been on for a maximum of 5 seconds. \n\nAn unattended system with an excessive grace period is vulnerable to a malicious user. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_screensaver_password_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Screen Saver Password",
- "discussion": "Users _MUST_ authenticate when unlocking the screen saver. \n\nThe screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_screensaver_timeout_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Screen Saver Timeout",
- "discussion": "The screen saver timeout _MUST_ be set to 1200 seconds or a shorter length of time. \n\nThis rule ensures that a full session lock is triggered within no more than 1200 seconds of inactivity.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_siri_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable Siri",
- "discussion": "Support for Siri is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_smbd_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable Server Message Block Sharing",
- "discussion": "Support for Server Message Block (SMB) file sharing is non-essential and _MUST_ be disabled.\n\nThe information system _MUST_ be configured to provide only essential capabilities.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_software_update_app_update_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Software Update App Update Updates Automatically",
- "discussion": "Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_software_update_download_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Software Update Downloads Updates Automatically",
- "discussion": "Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_software_update_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enforce Software Update Automatically",
- "discussion": "Software Update _MUST_ be configured to enforce automatic update is enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_softwareupdate_current",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Software Update is Updated and Current",
- "discussion": "Make sure Software Update is updated and current.\n\nNOTE: Automatic fix can cause unplanned restarts and may lose work.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_ssh_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Disable SSH Server for Remote Access Sessions",
- "discussion": "SSH service _MUST_ be disabled for remote access.\n\nRemote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access. \n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_system_wide_preferences_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Require Administrator Password to Modify System-Wide Preferences",
- "discussion": "The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. \n\nSome Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_time_server_configure",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Configure macOS to Use an Authorized Time Server",
- "discussion": "Approved time servers _MUST_ be the only servers configured for use.\n\nThis rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_time_server_enforce",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable macOS Time Synchronization Daemon (timed)",
- "discussion": "The timed service _MUST_ be enabled on all networked systems and configured to set time automatically from the approved time server.\n\nThis rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_wake_network_access_disable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Ensure Wake for Network Access Is Disabled",
- "discussion": "Wake for network access _MUST_ be disabled.\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_wallet_applepay_prefpane_disable",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Disable the System Preference Pane for Wallet and Apple Pay",
- "discussion": "The system preference pane for Wallet and Apple Pay _MUST_ be disabled.\n\nDisabling the system preference pane prevents the users from configuring Wallet and Apple Pay. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_wallet_applepay_prefpane_hide",
- "nulevel": "High",
- "status": "Implemented",
- "title": "Hide the System Preference Pane for Wallet and Apple Pay",
- "discussion": "The system preference pane for Wallet and Apple Pay _MUST_ be hidden.\n\nHiding the system preference pane prevents the users from configuring Wallet and Apple Pay. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "sysprefs_wifi_menu_enable",
- "nulevel": "Low",
- "status": "Implemented",
- "title": "Enable Wifi Menu",
- "discussion": "The WiFi menu _MUST_ be enabled.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_password_autofill_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable Password Autofill",
- "discussion": "Password Autofill _MUST_ be disabled. \n\nmacOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_notes_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Notes",
- "discussion": "The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_sync_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Desktop and Document Folder Sync",
- "discussion": "The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_messages_app_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable Messages App",
- "discussion": "The macOS built-in Messages.app _MUST_ be disabled. \n\nThe Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_handoff_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable Handoff",
- "discussion": "Handoff _MUST_ be disabled. \n\nHandoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_mail_app_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable Mail App",
- "discussion": "The macOS built-in Mail.app _MUST_ be disabled. \n\nThe Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.\n\n[IMPORTANT]\n====\nSome organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_facetime_app_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable FaceTime.app",
- "discussion": "The macOS built-in FaceTime.app _MUST_ be disabled. \n\nThe FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_drive_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Document Sync",
- "discussion": "The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_user_app_installation_prohibit",
- "nulevel": "Low",
- "status": "Not Implemented",
- "title": "Prohibit User Installation of Software into \/Users\/",
- "discussion": "Users _MUST_ not be allowed to install software into \/Users\/. \n\nAllowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_firewall_default_deny_require",
- "nulevel": "Low",
- "status": "Not Implemented",
- "title": "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy",
- "discussion": "A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems.\n\nOrganizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule.\n\nFailure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data.\n\nIf you are using a third-party firewall solution, this setting does not apply.\n\n[IMPORTANT]\n====\nConfiguring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n",
- "mechanism": "Script",
- "os": "macOS"
- },
- {
- "ruleid": "os_calendar_app_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable Calendar.app",
- "discussion": "The macOS built-in Calendar.app _MUST_ be disabled as this application can establish a connection to non-approved services. This rule is in place to prevent inadvertent data transfers.\n\n[IMPORTANT]\n====\nSome organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_addressbook_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Address Book",
- "discussion": "The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_appleid_prefpane_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable the System Preference Pane for Apple ID",
- "discussion": "The system preference pane for Apple ID _MUST_ be disabled.\n\nDisabling the system preference pane prevents login to Apple ID and iCloud. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_bookmarks_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Bookmarks",
- "discussion": "The macOS built-in Safari.app bookmark synchronization via the iCloud service _MUST_ be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_calendar_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable the iCloud Calendar Services",
- "discussion": "The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_keychain_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Keychain Sync",
- "discussion": "The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_mail_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Mail",
- "discussion": "The macOS built-in Mail.app connection to Apple's iCloud service _MUST_ be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_photos_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Photo Library",
- "discussion": "The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. \n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_private_relay_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Private Relay",
- "discussion": "Enterprise networks may be required to audit all network traffic by policy, therefore, iCloud Private Relay _MUST_ be disabled.\n\nNetwork administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "icloud_reminders_disable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Disable iCloud Reminders",
- "discussion": "The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. \n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service.\n",
- "mechanism": "Configuration Profile",
- "os": "macOS"
- },
- {
- "ruleid": "os_firmware_password_require",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Enable Firmware Password",
- "discussion": "A firmware password _MUST_ be enabled and set. \n\nSingle user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the \"Option\" key down during startup. Setting a firmware password restricts access to these tools.\n\nTo set a firmware passcode use the following command:\n\n[source,bash]\n----\n\/usr\/sbin\/firmwarepasswd -setpasswd\n----\n\nNOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.\n\nNOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_recovery_lock_enable",
- "nulevel": "High",
- "status": "Not Implemented",
- "title": "Enable Recovery Lock",
- "discussion": "A recovery lock password _MUST_ be enabled and set. \n\nSingle user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools.\n\nNOTE: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.\n",
- "mechanism": "Manual",
- "os": "macOS"
- },
- {
- "ruleid": "os_access_control_mobile_devices",
- "nulevel": "Medium",
- "status": "Not Implemented",
- "title": "Access Control for Mobile Devices",
- "discussion": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system.\n",
- "mechanism": "Manual",
- "os": "macOS"
- }
- ]
--
GitLab