From 30d4a1af0443332772cd8617d01d7dd3463f8072 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Mon, 16 Dec 2024 10:24:59 -0500
Subject: [PATCH] Sequoia Release 1.1 (#457)

* refactor[rules] STIG IDs Initial STIG-IDs added to rule files.
* refactor[rules]ccis added New CCIs added to rules
* refactor[rules] SRGs added New SRGs added to stig rules
* refactor[rule] pwpolicy_custom_regex_enforce Remove unneeded SRG
* refactor[rules] Added, Removed, Updated rules
  - os_authenticated_root_enable, updated check
  - os_directory_services_configured, removed from stig
  - os_ess_installed, removed from stig
  - os_firewall_log_enable, removed from 15.x
  - os_genmoji_disable, added 800-53 and stig
  - os_image_generation_disable, added 800-53 and sti.yaml
  - os_iphone_mirroring_disable
  - os_password_autofill_disable, added 800-53 and sti
  - os_ssh_fips_compliant, fixed check/fix
  - os_ssh_server_alive_count_max_configure, fixed fix
  - os_ssh_server_alive_interval_configure, fixed fix
  - os_sshd_fips_compliant, fixed fix/check
  - os_sudo_log_enforce, added 800-53 and stig
  - os_writing_tools_disable, added 800-53 and sti
  - pwpolicy_custom_regex_enforce, updated regex
  - system_settings_ssh_enable, removed from stig
* refactor[rules] Removed from STIG Removed CCI, SRG, STIG ID, and STIG tag
* refactor[rules]Added new STIG IDs Added STIG ID to
  - os_genmoji_disable
  - os_image_generation_disable
  - os_sudo_log_enforce
  - os_writing_tools_disable
* Added new rule file
* Add APPL-15-002023
* added APPL-15-002024
* fix[rules] removed tags for rules removed removed tags from rules removed from cis
* added os_time_server_enable back to cis
* Update Gitignore
* Updating CIS benchmark and tags in missed rules.
* refactor[rules]ssh fips and sshd fips Updated check and fix for ssh and sshd for FIPS
* refactor[rules]ssh and sshd fips added check into sshd to not fix if proper
* Fixed ODV regression for CIS
* added missing path to grep
* removed [ ]
* Fix to not print, and fix multiple entries in .ssh/config
* added dev null redirection, prevention of double entries
* Fixed bin to dev and case insensitive sed
* 800-171 Rev 2 to Rev 3
* Updated media sharing key
* Updated STIG ID
* merge from sequoia
* refactor[rules] ssh fixes Updated ssh fixes to match os_ssh_fips_compliant
* slightly simpler fix. removed unneeded loop
* slightly simpler fix. removed unneeded loop
* Adjusting CIS numbering.
* fix[rule] fixed path Fixed path in system_settings_system_wide_preferences_configure
* fix[rule] fixed path on line 63 fixed path in system_settings_system_wide_preferences_configure
* fix[rule] added reference Added reference to os_sudo_log_enforce
* refactor[rules] Added, Modified and deleted rules
  Added os_mail_summary_disable
  Added os_photos_enhanced_search_disable
  Removed system_settings_cd_dvd_sharing_disable
  Modified system_settings_improve_search_disable - updated title
  Modified system_settings_improve_siri_dictation_disable - updated title
* renamed .yml to .yaml
* changes for upcoming cis release
* refactor - DISA STIG references updated to sequoia for DISA STIG baseline file created for disa stig
* added os_sleep_and_display_sleep_apple_silicon_enable to all_rules
* refactor[rules] CNSSI tags added Added CNSSI1253 low, moderate, high tags
* refactor[baselines] Updated baseline files Updated cnssi1253 baseline files Updated all_rules baseline file Updated CIS baseline files
* updated baseline files
* [fix]system_settings_sleep_enforce sleep/displaysleep swap
* updated title
* fix[rule] remove cis tags and reference remove cis ref & tag from system_settings_improve_search_disable issue #443
* Adding arm64 tag to os_sleep_and_display_sleep_apple_silicon_enable
* Fixing Sleep/displaysleep numbers based on CIS changes.
* Fixing os_sleep_and_display_sleep_apple_silicon_enable
* Removing DRAFT status from CIS
* [fix]rule world writable library folder os_world_writable_library_folder_configure issue# 445
* refactor[rules] Added missing CCEs Replaced N/A CCEs for os_mail_summary_disable and os_photos_enhanced_search_disable
* fix[rule] updated odv hint pwpolicy_custom_regex_enforce odv hint updated
* Update system_settings_improve_assistive_voice_disable Issue #450
* refactor[rules]pwpolicy updates Removed 800-53 and 800-171 tags Updated discussion to reflect NIST SP 800-63 and Executive Order M-22-09
* refactor[rules] Added external intelligence rules Added rules to disable external intelligence features for 15.2
* Issue #450
* updated pwpolicy
* Added CCEs
* Removed double stig tag
* updated baseline files
* updated changelog
* removed rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
* updated changelog
* update[supplemental]: added 800-63 guidance fix[supplemental]: update note about filevault unlock
* refactor[rule] pwpolicy_special_character_enforce Updated check to allow greater than ODV. Issue #451
* refactor[rules] ssh rules discussion update Added mention of /usr/libexec/reset-ssh-configuration.
* updated release date and version
* Added uniq to prevent false negatives
* updated authors
* updated release date

---------

Co-authored-by: Allen Golbig
Co-authored-by: mahlmanj
Co-authored-by: Dan Brodjieski
---
 CHANGELOG.adoc | 40 +++- README.adoc | 1 + VERSION.yaml | 4 +- baselines/800-171.yaml | 15 +- baselines/800-53r5_high.yaml | 12 +- baselines/800-53r5_low.yaml | 12 +- baselines/800-53r5_moderate.yaml | 12 +- baselines/DISA-STIG.yaml | 193 ++++++++++++++++++ baselines/all_rules.yaml | 7 +- baselines/cis_lvl1.yaml | 9 +- baselines/cis_lvl2.yaml | 15 +- baselines/cisv8.yaml | 11 +- baselines/cmmc_lvl1.yaml | 3 + baselines/cmmc_lvl2.yaml | 5 +- baselines/cnssi-1253_high.yaml | 19 +- baselines/cnssi-1253_low.yaml | 18 +- baselines/cnssi-1253_moderate.yaml | 26 ++- includes/mscp-data.yaml | 8 +- rules/audit/audit_acls_files_configure.yaml | 5 +- rules/audit/audit_acls_folders_configure.yaml | 4 +- rules/audit/audit_auditd_enabled.yaml | 7 +- .../audit_configure_capacity_notify.yaml | 4 +- rules/audit/audit_control_acls_configure.yaml | 4 +- .../audit/audit_control_group_configure.yaml | 4 +- rules/audit/audit_control_mode_configure.yaml | 4 +- .../audit/audit_control_owner_configure.yaml | 4 +- rules/audit/audit_failure_halt.yaml | 4 +- rules/audit/audit_files_group_configure.yaml | 4 +- rules/audit/audit_files_mode_configure.yaml | 2 +- rules/audit/audit_files_owner_configure.yaml | 4 +- rules/audit/audit_flags_aa_configure.yaml | 5 +- rules/audit/audit_flags_ad_configure.yaml | 9 +- rules/audit/audit_flags_ex_configure.yaml | 5 +- rules/audit/audit_flags_fd_configure.yaml | 5 +- rules/audit/audit_flags_fm_configure.yaml | 5 +- .../audit_flags_fm_failed_configure.yaml | 2 +- rules/audit/audit_flags_fr_configure.yaml | 5 +- rules/audit/audit_flags_fw_configure.yaml | 5 +- rules/audit/audit_flags_lo_configure.yaml | 5 +- rules/audit/audit_folder_group_configure.yaml | 4 +- rules/audit/audit_folder_owner_configure.yaml | 4 +- 
rules/audit/audit_folders_mode_configure.yaml | 4 +- rules/audit/audit_off_load_records.yaml | 2 +- ...it_record_reduction_report_generation.yaml | 2 +- rules/audit/audit_records_processing.yaml | 2 +- rules/audit/audit_retention_configure.yaml | 4 +- .../audit/audit_settings_failure_notify.yaml | 4 +- .../auth_pam_login_smartcard_enforce.yaml | 6 +- rules/auth/auth_pam_su_smartcard_enforce.yaml | 6 +- .../auth/auth_pam_sudo_smartcard_enforce.yaml | 6 +- rules/auth/auth_smartcard_allow.yaml | 4 +- ...rtcard_certificate_trust_enforce_high.yaml | 2 + ...rd_certificate_trust_enforce_moderate.yaml | 6 +- rules/auth/auth_smartcard_enforce.yaml | 6 +- ...h_ssh_password_authentication_disable.yaml | 5 +- rules/icloud/icloud_addressbook_disable.yaml | 4 +- ...cloud_appleid_system_settings_disable.yaml | 2 +- rules/icloud/icloud_bookmarks_disable.yaml | 4 +- rules/icloud/icloud_calendar_disable.yaml | 4 +- rules/icloud/icloud_drive_disable.yaml | 4 +- rules/icloud/icloud_freeform_disable.yaml | 4 +- rules/icloud/icloud_game_center_disable.yaml | 4 +- rules/icloud/icloud_keychain_disable.yaml | 4 +- rules/icloud/icloud_mail_disable.yaml | 4 +- rules/icloud/icloud_notes_disable.yaml | 4 +- rules/icloud/icloud_photos_disable.yaml | 4 +- .../icloud/icloud_private_relay_disable.yaml | 5 +- rules/icloud/icloud_reminders_disable.yaml | 4 +- rules/icloud/icloud_sync_disable.yaml | 4 +- .../os/os_access_control_mobile_devices.yaml | 2 +- rules/os/os_account_modification_disable.yaml | 4 +- rules/os/os_airdrop_disable.yaml | 4 +- rules/os/os_allow_info_passed.yaml | 2 +- rules/os/os_appleid_prompt_disable.yaml | 4 +- rules/os/os_application_sandboxing.yaml | 2 +- ...s_asl_log_files_owner_group_configure.yaml | 4 +- ...s_asl_log_files_permissions_configure.yaml | 4 +- rules/os/os_auth_peripherals.yaml | 2 +- rules/os/os_authenticated_root_enable.yaml | 6 +- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- 
rules/os/os_bluray_read_only_enforce.yaml | 2 +- rules/os/os_bonjour_disable.yaml | 4 +- rules/os/os_burn_support_disable.yaml | 2 +- rules/os/os_calendar_app_disable.yaml | 2 +- rules/os/os_camera_disable.yaml | 2 +- rules/os/os_cd_read_only_enforce.yaml | 2 +- rules/os/os_certificate_authority_trust.yaml | 6 +- rules/os/os_change_security_attributes.yaml | 2 +- rules/os/os_config_data_install_enforce.yaml | 4 +- .../os_config_profile_ui_install_disable.yaml | 2 +- rules/os/os_continuous_monitoring.yaml | 2 +- rules/os/os_dictation_disable.yaml | 4 +- .../os/os_directory_services_configured.yaml | 5 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_enforce_access_restrictions.yaml | 2 +- ...os_erase_content_and_settings_disable.yaml | 4 +- .../os_external_storage_access_defined.yaml | 11 +- rules/os/os_facetime_app_disable.yaml | 4 +- rules/os/os_filevault_autologin_disable.yaml | 4 +- .../os/os_firewall_default_deny_require.yaml | 2 +- rules/os/os_firmware_password_require.yaml | 4 +- rules/os/os_gatekeeper_enable.yaml | 6 +- rules/os/os_genmoji_disable.yaml | 11 +- rules/os/os_grant_privs.yaml | 2 +- rules/os/os_handoff_disable.yaml | 4 +- ...s_hibernate_mode_apple_silicon_enable.yaml | 66 ------ ...ate_mode_destroyfvkeyonstandby_enable.yaml | 7 +- rules/os/os_hibernate_mode_intel_enable.yaml | 8 +- rules/os/os_home_folders_default.yaml | 3 + rules/os/os_home_folders_secure.yaml | 5 +- rules/os/os_httpd_disable.yaml | 4 +- .../os/os_icloud_storage_prompt_disable.yaml | 4 +- rules/os/os_identify_non-org_users.yaml | 2 +- rules/os/os_image_generation_disable.yaml | 11 +- rules/os/os_implement_cryptography.yaml | 2 +- rules/os/os_implement_memory_protection.yaml | 2 +- rules/os/os_information_validation.yaml | 2 +- .../os_install_log_retention_configure.yaml | 4 +- rules/os/os_iphone_mirroring_disable.yaml | 54 ++++- rules/os/os_ir_support_disable.yaml | 2 +- rules/os/os_limit_dos_attacks.yaml | 2 +- 
rules/os/os_limit_gui_sessions.yaml | 2 +- rules/os/os_logical_access.yaml | 2 +- ...s_loginwindow_adminhostinfo_undefined.yaml | 4 +- .../os/os_logoff_capability_and_message.yaml | 2 +- rules/os/os_mail_app_disable.yaml | 2 +- rules/os/os_mail_summary_disable.yaml | 44 ++++ rules/os/os_malicious_code_prevention.yaml | 2 +- .../os/os_managed_access_control_points.yaml | 2 +- rules/os/os_mdm_require.yaml | 4 +- rules/os/os_messages_app_disable.yaml | 2 +- ...newsyslog_files_owner_group_configure.yaml | 4 +- ...newsyslog_files_permissions_configure.yaml | 4 +- rules/os/os_nfsd_disable.yaml | 4 +- rules/os/os_non_repudiation.yaml | 2 +- rules/os/os_nonlocal_maintenance.yaml | 2 +- rules/os/os_obscure_password.yaml | 2 +- rules/os/os_on_device_dictation_enforce.yaml | 4 +- rules/os/os_parental_controls_enable.yaml | 2 +- rules/os/os_password_autofill_disable.yaml | 26 +-- rules/os/os_password_hint_remove.yaml | 4 +- rules/os/os_password_proximity_disable.yaml | 4 +- rules/os/os_password_sharing_disable.yaml | 2 +- .../os/os_photos_enhanced_search_disable.yaml | 46 +++++ .../os_policy_banner_loginwindow_enforce.yaml | 4 +- rules/os/os_policy_banner_ssh_configure.yaml | 4 +- rules/os/os_policy_banner_ssh_enforce.yaml | 4 +- rules/os/os_power_nap_disable.yaml | 2 +- rules/os/os_predictable_behavior.yaml | 2 +- rules/os/os_prevent_priv_execution.yaml | 2 +- rules/os/os_prevent_priv_functions.yaml | 2 +- .../os_prevent_unauthorized_disclosure.yaml | 2 +- rules/os/os_privacy_setup_prompt_disable.yaml | 4 +- ...ibit_remote_activation_collab_devices.yaml | 2 +- rules/os/os_protect_dos_attacks.yaml | 2 +- ..._provide_automated_account_management.yaml | 2 +- .../os_provide_disconnect_remote_access.yaml | 2 +- .../os/os_rapid_security_response_allow.yaml | 2 +- ...pid_security_response_removal_disable.yaml | 2 +- ..._reauth_devices_change_authenticators.yaml | 2 +- rules/os/os_reauth_privilege.yaml | 2 +- ...os_reauth_users_change_authenticators.yaml | 2 +- 
rules/os/os_recovery_lock_enable.yaml | 4 +- rules/os/os_removable_media_disable.yaml | 2 +- ...ove_software_components_after_updates.yaml | 2 +- rules/os/os_required_crypto_module.yaml | 2 +- rules/os/os_root_disable.yaml | 5 +- .../os/os_safari_show_status_bar_enabled.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 2 +- ...reensaver_timeout_loginwindow_enforce.yaml | 2 +- rules/os/os_secure_boot_verify.yaml | 4 +- rules/os/os_secure_enclave.yaml | 2 +- rules/os/os_secure_name_resolution.yaml | 2 +- rules/os/os_separate_functionality.yaml | 2 +- .../os_setup_assistant_filevault_enforce.yaml | 3 + rules/os/os_sip_enable.yaml | 6 +- rules/os/os_siri_prompt_disable.yaml | 4 +- .../os/os_skip_screen_time_prompt_enable.yaml | 4 +- .../os/os_skip_unlock_with_watch_enable.yaml | 4 +- ...nd_display_sleep_apple_silicon_enable.yaml | 54 +++++ rules/os/os_ssh_fips_compliant.yaml | 73 +++++-- ..._ssh_server_alive_count_max_configure.yaml | 44 ++-- ...s_ssh_server_alive_interval_configure.yaml | 40 +++- .../os/os_sshd_channel_timeout_configure.yaml | 6 +- ...sshd_client_alive_count_max_configure.yaml | 6 +- ..._sshd_client_alive_interval_configure.yaml | 6 +- rules/os/os_sshd_fips_compliant.yaml | 16 +- .../os_sshd_login_grace_time_configure.yaml | 6 +- .../os_sshd_permit_root_login_configure.yaml | 7 +- ...d_unused_connection_timeout_configure.yaml | 6 +- rules/os/os_store_encrypted_passwords.yaml | 2 +- rules/os/os_sudo_log_enforce.yaml | 7 +- rules/os/os_sudo_timeout_configure.yaml | 2 +- .../os_sudoers_timestamp_type_configure.yaml | 4 +- rules/os/os_system_read_only.yaml | 2 +- rules/os/os_tftpd_disable.yaml | 4 +- rules/os/os_time_offset_limit_configure.yaml | 8 +- rules/os/os_time_server_enabled.yaml | 12 +- rules/os/os_touchid_prompt_disable.yaml | 4 +- rules/os/os_unique_identification.yaml | 2 +- ...os_unlock_active_user_session_disable.yaml | 9 +- .../os/os_user_app_installation_prohibit.yaml | 5 +- rules/os/os_uucp_disable.yaml | 4 +- 
rules/os/os_verify_remote_disconnection.yaml | 2 +- ...rld_writable_library_folder_configure.yaml | 4 +- rules/os/os_writing_tools_disable.yaml | 11 +- .../pwpolicy_account_inactivity_enforce.yaml | 7 +- .../pwpolicy_account_lockout_enforce.yaml | 6 +- ...olicy_account_lockout_timeout_enforce.yaml | 6 +- .../pwpolicy_alpha_numeric_enforce.yaml | 17 +- .../pwpolicy_custom_regex_enforce.yaml | 25 +-- .../pwpolicy_emergency_accounts_disable.yaml | 2 +- .../pwpolicy_force_password_change.yaml | 2 +- rules/pwpolicy/pwpolicy_history_enforce.yaml | 7 +- ...pwpolicy_lower_case_character_enforce.yaml | 6 +- .../pwpolicy_max_lifetime_enforce.yaml | 17 +- .../pwpolicy_minimum_length_enforce.yaml | 7 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 14 +- .../pwpolicy_prevent_dictionary_words.yaml | 3 +- .../pwpolicy_simple_sequence_disable.yaml | 6 +- .../pwpolicy_special_character_enforce.yaml | 18 +- .../pwpolicy_temporary_accounts_disable.yaml | 2 +- ...mporary_or_emergency_accounts_disable.yaml | 4 +- ...pwpolicy_upper_case_character_enforce.yaml | 5 +- .../supplemental/supplemental_cis_manual.yaml | 9 +- rules/supplemental/supplemental_controls.yaml | 1 - .../supplemental/supplemental_filevault.yaml | 3 +- .../supplemental_firewall_pf.yaml | 1 - .../supplemental_password_policy.yaml | 21 +- .../supplemental/supplemental_smartcard.yaml | 1 - ...tem_settings_airplay_receiver_disable.yaml | 4 +- ...m_settings_apple_watch_unlock_disable.yaml | 4 +- ...stem_settings_automatic_login_disable.yaml | 5 +- ...tem_settings_automatic_logout_enforce.yaml | 4 +- .../system_settings_bluetooth_disable.yaml | 6 +- ...m_settings_bluetooth_settings_disable.yaml | 5 +- ...em_settings_bluetooth_sharing_disable.yaml | 4 +- ...ystem_settings_cd_dvd_sharing_disable.yaml | 59 ------ ...stem_settings_content_caching_disable.yaml | 4 +- ...tings_critical_update_install_enforce.yaml | 2 +- ..._settings_diagnostics_reports_disable.yaml | 5 +- ...ettings_external_intelligence_disable.yaml | 65 ++++++ 
...external_intelligence_sign_in_disable.yaml | 65 ++++++ .../system_settings_filevault_enforce.yaml | 4 +- .../system_settings_find_my_disable.yaml | 4 +- .../system_settings_firewall_enable.yaml | 4 +- ...settings_firewall_stealth_mode_enable.yaml | 2 +- ...ekeeper_identified_developers_allowed.yaml | 6 +- ...settings_gatekeeper_override_disallow.yaml | 2 +- ...tem_settings_guest_access_smb_disable.yaml | 1 - ...system_settings_guest_account_disable.yaml | 5 +- .../system_settings_hot_corners_disable.yaml | 4 +- .../system_settings_hot_corners_secure.yaml | 2 +- ...tings_improve_assistive_voice_disable.yaml | 10 +- ...ystem_settings_improve_search_disable.yaml | 9 +- ...ttings_improve_siri_dictation_disable.yaml | 7 +- ...em_settings_internet_accounts_disable.yaml | 2 +- ...tem_settings_internet_sharing_disable.yaml | 4 +- ...em_settings_location_services_disable.yaml | 4 +- ...ndow_prompt_username_password_enforce.yaml | 4 +- ...ystem_settings_media_sharing_disabled.yaml | 22 +- ...ystem_settings_password_hints_disable.yaml | 4 +- ...ings_personalized_advertising_disable.yaml | 4 +- ...stem_settings_printer_sharing_disable.yaml | 4 +- .../system_settings_rae_disable.yaml | 4 +- ...em_settings_remote_management_disable.yaml | 4 +- ...ystem_settings_screen_sharing_disable.yaml | 4 +- ...nsaver_ask_for_password_delay_enforce.yaml | 4 +- ...settings_screensaver_password_enforce.yaml | 4 +- ..._settings_screensaver_timeout_enforce.yaml | 4 +- .../system_settings_siri_disable.yaml | 4 +- ...system_settings_siri_settings_disable.yaml | 5 +- .../system_settings_smbd_disable.yaml | 4 +- .../system_settings_ssh_disable.yaml | 2 +- .../system_settings_ssh_enable.yaml | 13 +- ...ngs_system_wide_preferences_configure.yaml | 9 +- ...system_settings_time_server_configure.yaml | 8 +- .../system_settings_time_server_enforce.yaml | 7 +- ...system_settings_token_removal_enforce.yaml | 4 +- ...em_settings_touch_id_settings_disable.yaml | 9 +- 
...ystem_settings_touchid_unlock_disable.yaml | 4 +- .../system_settings_usb_restricted_mode.yaml | 6 +- ...ings_wallet_applepay_settings_disable.yaml | 5 +- .../system_settings_wifi_disable.yaml | 2 +- ...fi_disable_when_connected_to_ethernet.yaml | 2 +- templates/adoc_additional_docs.adoc | 2 +- 289 files changed, 1415 insertions(+), 782 deletions(-) create mode 100644 baselines/DISA-STIG.yaml delete mode 100644 rules/os/os_hibernate_mode_apple_silicon_enable.yaml create mode 100644 rules/os/os_mail_summary_disable.yaml create mode 100644 rules/os/os_photos_enhanced_search_disable.yaml create mode 100644 rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml delete mode 100644 rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml create mode 100644 rules/system_settings/system_settings_external_intelligence_disable.yaml create mode 100644 rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 1b2370026..4f20b0c2a 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -2,7 +2,41 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Sequoia, Revision 1.0] - 2024-XX-XX +== [Sequoia, Revision 1.1] - 2024-12-16] +* Rules +** Added Rules +*** os_iphone_mirroring_disable +*** os_mail_summary_disable +*** os_photos_enhanced_search_disable +*** system_settings_external_intelligence_disable +*** system_settings_external_intelligence_sign_in_disable +** Modified Rules +*** os_sleep_and_display_sleep_apple_silicon_enable +*** os_sudo_log_enforce +*** os_world_writable_library_folder_configure +*** os_password_autofill_disable +*** pwpolicy_alpha_numeric_enforce +*** pwpolicy_custom_regex_enforce +*** pwpolicy_lower_case_character_enforce.yaml +*** pwpolicy_max_lifetime_enforce +*** pwpolicy_minimum_lifetime_enforce +*** pwpolicy_history_enforce +*** pwpolicy_account_lockout_timeout_enforce +*** pwpolicy_account_lockout_enforce +*** pwpolicy_prevent_dictionary_words +*** pwpolicy_simple_sequence_disable +*** pwpolicy_special_character_enforce +*** pwpolicy_upper_case_character_enforce.yaml +*** system_settings_improve_assistive_voice_disable +** Removed Rules +*** system_settings_cd_dvd_sharing_disable +** Bug Fixes +* Baselines +** Added DISA STIG v1r1 +** Added CIS Level (Draft -> Final) +** Updated CNSSI-1253 + +== [Sequoia, Revision 1.0] - 2024-09-12 * Rules ** Added Rules @@ -44,7 +78,7 @@ This document provides a high-level view of the changes to the macOS Security Co **** pwpolicy_minimum_length_enforce **** pwpolicy_simple_sequence_disable **** pwpolicy_special_character_enforce -** Deleted Rules +** Removed Rules *** os_firewall_log_enable *** os_gatekeeper_rearm *** os_safari_popups_disabled @@ -59,4 +93,4 @@ This document provides a high-level view of the changes to the macOS Security Co ** generate_baseline ** generate_mappings ** generate_scap -*** Added support for severity \ No newline at end of file +*** Added support for severity 
diff --git a/README.adoc b/README.adoc index 0dd12d0ce..3e48d1eb3 100644 --- a/README.adoc +++ b/README.adoc @@ -53,6 +53,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta |Dan Brodjieski|NASA |John Mahlman IV|Leidos |Aaron Kegerreis|DISA +|Henry Stamerjohann|Zentral Pro Services GmbH |Marco A Piñeryo II|State Department |Jason Blake|NIST |Blair Heiserman|NIST diff --git a/VERSION.yaml b/VERSION.yaml index dadec2869..4dd4983b2 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,5 +1,5 @@ os: "15.0" platform: macOS -version: "Sequoia Guidance, Revision 1.0" +version: "Sequoia Guidance, Revision 1.1" cpe: o:apple:macos:15.0 -date: "2024-09-12" \ No newline at end of file +date: "2024-12-16" diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index c24d5804b..5680832ae 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 2" +title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 2 security baseline. + This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline. Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. authors: | 
@@ -79,14 +79,16 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_image_generation_disable + - os_iphone_mirroring_disable - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined + - os_mail_summary_disable - os_mdm_require - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -121,14 +123,9 @@ profile: - pwpolicy_account_inactivity_enforce - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - - pwpolicy_special_character_enforce - section: "systemsettings" rules: - system_settings_apple_watch_unlock_disable @@ -138,6 +135,8 @@ profile: - system_settings_bluetooth_sharing_disable - system_settings_content_caching_disable - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml index ab96b52d0..e64df4b4e 100644 --- a/baselines/800-53r5_high.yaml +++ b/baselines/800-53r5_high.yaml 
@@ -86,16 +86,18 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_image_generation_disable + - os_iphone_mirroring_disable - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined + - os_mail_summary_disable - os_mdm_require - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -133,14 +135,9 @@ profile: - pwpolicy_account_inactivity_enforce - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable - section: "systemsettings" rules: @@ -151,10 +148,11 @@ profile: - system_settings_bluetooth_disable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml index 69e674d4f..373ba5245 100644 --- a/baselines/800-53r5_low.yaml +++ b/baselines/800-53r5_low.yaml 
@@ -77,13 +77,15 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_image_generation_disable + - os_iphone_mirroring_disable - os_ir_support_disable + - os_mail_summary_disable - os_mdm_require - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -107,14 +109,9 @@ profile: rules: - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - - pwpolicy_special_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -122,10 +119,11 @@ profile: - system_settings_bluetooth_disable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_find_my_disable - system_settings_firewall_enable - system_settings_firewall_stealth_mode_enable diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml index 340d0622c..bc53d8127 100644 --- a/baselines/800-53r5_moderate.yaml +++ b/baselines/800-53r5_moderate.yaml 
@@ -84,16 +84,18 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_image_generation_disable + - os_iphone_mirroring_disable - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined + - os_mail_summary_disable - os_mdm_require - os_newsyslog_files_owner_group_configure - os_newsyslog_files_permissions_configure - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -130,14 +132,9 @@ profile: - pwpolicy_account_inactivity_enforce - pwpolicy_account_lockout_enforce - pwpolicy_account_lockout_timeout_enforce - - pwpolicy_alpha_numeric_enforce - - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce - - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable - section: "systemsettings" rules: @@ -148,10 +145,11 @@ profile: - system_settings_bluetooth_disable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml new file mode 100644 index 000000000..6ed401ad2 --- /dev/null +++ b/baselines/DISA-STIG.yaml 
@@ -0,0 +1,193 @@ +title: "macOS 15.0: Security Configuration - Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1" +description: | + This guide describes the actions to take when securing a macOS 15.0 system against the Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1 security baseline. +authors: | + *macOS Security Compliance Project* + + |=== + |Dan Brodjieski|National Aeronautics and Space Administration + |Allen Golbig|Jamf + |Bob Gendler|National Institute of Standards and Technology + |Aaron Kegerreis|Defense Information Systems Agency + |=== +parent_values: "stig" +profile: + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_configure_capacity_notify + - audit_control_acls_configure + - audit_control_group_configure + - audit_control_mode_configure + - audit_control_owner_configure + - audit_failure_halt + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_flags_fd_configure + - audit_flags_fm_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure + - audit_settings_failure_notify + - section: "authentication" + rules: + - auth_pam_login_smartcard_enforce + - auth_pam_su_smartcard_enforce + - auth_pam_sudo_smartcard_enforce + - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_moderate + - auth_smartcard_enforce + - auth_ssh_password_authentication_disable + - section: "icloud" + rules: + - icloud_addressbook_disable + - icloud_bookmarks_disable + - icloud_calendar_disable + - icloud_drive_disable + - icloud_freeform_disable + - icloud_game_center_disable + - icloud_keychain_disable + - icloud_mail_disable + - icloud_notes_disable + - icloud_photos_disable + - 
icloud_private_relay_disable + - icloud_reminders_disable + - icloud_sync_disable + - section: "macos" + rules: + - os_account_modification_disable + - os_airdrop_disable + - os_appleid_prompt_disable + - os_asl_log_files_owner_group_configure + - os_asl_log_files_permissions_configure + - os_authenticated_root_enable + - os_bonjour_disable + - os_camera_disable + - os_certificate_authority_trust + - os_config_data_install_enforce + - os_dictation_disable + - os_erase_content_and_settings_disable + - os_ess_installed + - os_facetime_app_disable + - os_filevault_autologin_disable + - os_firmware_password_require + - os_gatekeeper_enable + - os_genmoji_disable + - os_handoff_disable + - os_home_folders_secure + - os_httpd_disable + - os_icloud_storage_prompt_disable + - os_image_generation_disable + - os_install_log_retention_configure + - os_loginwindow_adminhostinfo_undefined + - os_mdm_require + - os_newsyslog_files_owner_group_configure + - os_newsyslog_files_permissions_configure + - os_nfsd_disable + - os_on_device_dictation_enforce + - os_password_hint_remove + - os_password_proximity_disable + - os_policy_banner_loginwindow_enforce + - os_policy_banner_ssh_configure + - os_policy_banner_ssh_enforce + - os_privacy_setup_prompt_disable + - os_recovery_lock_enable + - os_root_disable + - os_secure_boot_verify + - os_sip_enable + - os_siri_prompt_disable + - os_skip_screen_time_prompt_enable + - os_skip_unlock_with_watch_enable + - os_ssh_fips_compliant + - os_ssh_server_alive_count_max_configure + - os_ssh_server_alive_interval_configure + - os_sshd_channel_timeout_configure + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - os_sshd_fips_compliant + - os_sshd_login_grace_time_configure + - os_sshd_permit_root_login_configure + - os_sshd_unused_connection_timeout_configure + - os_sudo_log_enforce + - os_sudo_timeout_configure + - os_sudoers_timestamp_type_configure + - os_tftpd_disable + - os_time_server_enabled + - 
os_touchid_prompt_disable + - os_unlock_active_user_session_disable + - os_user_app_installation_prohibit + - os_uucp_disable + - os_writing_tools_disable + - section: "passwordpolicy" + rules: + - pwpolicy_account_inactivity_enforce + - pwpolicy_account_lockout_enforce + - pwpolicy_account_lockout_timeout_enforce + - pwpolicy_alpha_numeric_enforce + - pwpolicy_custom_regex_enforce + - pwpolicy_history_enforce + - pwpolicy_max_lifetime_enforce + - pwpolicy_minimum_length_enforce + - pwpolicy_minimum_lifetime_enforce + - pwpolicy_special_character_enforce + - pwpolicy_temporary_or_emergency_accounts_disable + - section: "systemsettings" + rules: + - system_settings_airplay_receiver_disable + - system_settings_apple_watch_unlock_disable + - system_settings_automatic_login_disable + - system_settings_automatic_logout_enforce + - system_settings_bluetooth_disable + - system_settings_bluetooth_settings_disable + - system_settings_bluetooth_sharing_disable + - system_settings_content_caching_disable + - system_settings_diagnostics_reports_disable + - system_settings_filevault_enforce + - system_settings_find_my_disable + - system_settings_firewall_enable + - system_settings_gatekeeper_identified_developers_allowed + - system_settings_guest_account_disable + - system_settings_hot_corners_disable + - system_settings_improve_assistive_voice_disable + - system_settings_improve_search_disable + - system_settings_improve_siri_dictation_disable + - system_settings_internet_sharing_disable + - system_settings_location_services_disable + - system_settings_loginwindow_prompt_username_password_enforce + - system_settings_media_sharing_disabled + - system_settings_password_hints_disable + - system_settings_personalized_advertising_disable + - system_settings_printer_sharing_disable + - system_settings_rae_disable + - system_settings_remote_management_disable + - system_settings_screen_sharing_disable + - system_settings_screensaver_ask_for_password_delay_enforce + - 
system_settings_screensaver_password_enforce + - system_settings_screensaver_timeout_enforce + - system_settings_siri_disable + - system_settings_siri_settings_disable + - system_settings_smbd_disable + - system_settings_system_wide_preferences_configure + - system_settings_time_server_configure + - system_settings_time_server_enforce + - system_settings_token_removal_enforce + - system_settings_touchid_unlock_disable + - system_settings_usb_restricted_mode + - system_settings_wallet_applepay_settings_disable + - section: "Supplemental" + rules: + - supplemental_controls + - supplemental_filevault + - supplemental_firewall_pf + - supplemental_password_policy + - supplemental_smartcard diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 6dc9d169f..7b98a941e 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -104,7 +104,6 @@ profile: - os_genmoji_disable - os_guest_folder_removed - os_handoff_disable - - os_hibernate_mode_apple_silicon_enable - os_hibernate_mode_destroyfvkeyonstandby_enable - os_hibernate_mode_intel_enable - os_home_folders_default @@ -118,6 +117,7 @@ profile: - os_library_validation_enabled - os_loginwindow_adminhostinfo_undefined - os_mail_app_disable + - os_mail_summary_disable - os_mdm_require - os_messages_app_disable - os_mobile_file_integrity_enable @@ -131,6 +131,7 @@ profile: - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -157,6 +158,7 @@ profile: - os_siri_prompt_disable - os_skip_screen_time_prompt_enable - os_skip_unlock_with_watch_enable + - os_sleep_and_display_sleep_apple_silicon_enable - os_software_update_deferral - os_ssh_fips_compliant - os_ssh_server_alive_count_max_configure 
@@ -210,10 +212,11 @@ profile: - system_settings_bluetooth_menu_enable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml index 0182878ce..ea620e9dd 100644 --- a/baselines/cis_lvl1.yaml +++ b/baselines/cis_lvl1.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 1)" +title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1)" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 1) security baseline. + This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1) security baseline. authors: | *macOS Security Compliance Project* @@ -39,6 +39,7 @@ profile: - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable @@ -60,7 +61,7 @@ profile: - os_sudoers_timestamp_type_configure - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - - os_time_offset_limit_configure + - os_time_server_enabled - os_unlock_active_user_session_disable - os_world_writable_system_folder_configure - section: "passwordpolicy" 
@@ -76,7 +77,6 @@ profile: - system_settings_automatic_login_disable - system_settings_bluetooth_menu_enable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable - system_settings_filevault_enforce @@ -85,7 +85,6 @@ profile: - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_improve_assistive_voice_disable - - system_settings_improve_search_disable - system_settings_improve_siri_dictation_disable - system_settings_install_macos_updates_enforce - system_settings_internet_sharing_disable diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml index e7364c9a5..7c489728f 100644 --- a/baselines/cis_lvl2.yaml +++ b/baselines/cis_lvl2.yaml @@ -1,6 +1,6 @@ -title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 2)" +title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2)" description: | - This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 2) security baseline. + This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2) security baseline. authors: | *macOS Security Compliance Project* @@ -47,12 +47,10 @@ profile: - os_config_data_install_enforce - os_gatekeeper_enable - os_guest_folder_removed - - os_hibernate_mode_apple_silicon_enable - - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable 
@@ -69,13 +67,14 @@ profile: - os_safari_warn_fraudulent_website_enable - os_show_filename_extensions_enable - os_sip_enable + - os_sleep_and_display_sleep_apple_silicon_enable - os_software_update_deferral - os_sudo_log_enforce - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - - os_time_offset_limit_configure + - os_time_server_enabled - os_unlock_active_user_session_disable - os_world_writable_library_folder_configure - os_world_writable_system_folder_configure @@ -95,15 +94,17 @@ profile: - system_settings_automatic_login_disable - system_settings_bluetooth_menu_enable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce + - system_settings_diagnostics_reports_disable - system_settings_filevault_enforce - system_settings_firewall_enable - system_settings_firewall_stealth_mode_enable - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_hot_corners_secure + - system_settings_improve_assistive_voice_disable + - system_settings_improve_siri_dictation_disable - system_settings_install_macos_updates_enforce - system_settings_internet_sharing_disable - system_settings_location_services_enable diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml index be010d671..1dd069f59 100644 --- a/baselines/cisv8.yaml +++ b/baselines/cisv8.yaml @@ -59,6 +59,7 @@ profile: - icloud_mail_disable - icloud_notes_disable - icloud_photos_disable + - icloud_private_relay_disable - icloud_reminders_disable - icloud_sync_disable - section: "macos" 
@@ -76,20 +77,17 @@ profile: - os_filevault_autologin_disable - os_gatekeeper_enable - os_handoff_disable - - os_hibernate_mode_apple_silicon_enable - - os_hibernate_mode_destroyfvkeyonstandby_enable - - os_hibernate_mode_intel_enable - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_ir_support_disable - os_library_validation_enabled - os_mdm_require - os_mobile_file_integrity_enable - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable @@ -107,13 +105,13 @@ profile: - os_sip_enable - os_siri_prompt_disable - os_skip_unlock_with_watch_enable + - os_sleep_and_display_sleep_apple_silicon_enable - os_sudo_log_enforce - os_sudo_timeout_configure - os_sudoers_timestamp_type_configure - os_system_wide_applications_configure - os_terminal_secure_keyboard_enable - os_tftpd_disable - - os_time_offset_limit_configure - os_time_server_enabled - os_touchid_prompt_disable - os_unlock_active_user_session_disable @@ -141,10 +139,11 @@ profile: - system_settings_bluetooth_menu_enable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml index 6bbcb4fea..9d74a48da 100644 --- a/baselines/cmmc_lvl1.yaml +++ b/baselines/cmmc_lvl1.yaml 
@@ -52,8 +52,11 @@ profile: - os_httpd_disable - os_icloud_storage_prompt_disable - os_image_generation_disable + - os_iphone_mirroring_disable + - os_mail_summary_disable - os_nfsd_disable - os_on_device_dictation_enforce + - os_photos_enhanced_search_disable - os_rapid_security_response_allow - os_rapid_security_response_removal_disable - os_recovery_lock_enable diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml index 44494c306..4a33b1863 100644 --- a/baselines/cmmc_lvl2.yaml +++ b/baselines/cmmc_lvl2.yaml @@ -98,14 +98,16 @@ profile: - os_icloud_storage_prompt_disable - os_image_generation_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_ir_support_disable + - os_mail_summary_disable - os_mdm_require - os_nfsd_disable - os_on_device_dictation_enforce - - os_password_autofill_disable - os_password_hint_remove - os_password_proximity_disable - os_password_sharing_disable + - os_photos_enhanced_search_disable - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce @@ -161,7 +163,6 @@ profile: - system_settings_bluetooth_disable - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml index 6a04ee79e..9ea976ce6 100644 --- a/baselines/cnssi-1253_high.yaml +++ b/baselines/cnssi-1253_high.yaml @@ -15,6 +15,7 @@ parent_values: "recommended" profile: - section: "auditing" rules: + - audit_acls_files_configure - audit_acls_folders_configure - audit_auditd_enabled - audit_configure_capacity_notify 
@@ -47,6 +48,7 @@ profile: - auth_pam_sudo_smartcard_enforce - auth_smartcard_allow - auth_smartcard_certificate_trust_enforce_high + - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_ssh_password_authentication_disable - section: "icloud" @@ -88,17 +90,22 @@ profile: - os_disk_image_disable - os_dvdram_disable - os_erase_content_and_settings_disable + - os_external_storage_access_defined - os_facetime_app_disable - os_filevault_authorized_users - os_filevault_autologin_disable - os_firewall_default_deny_require - os_firmware_password_require - os_gatekeeper_enable + - os_genmoji_disable - os_handoff_disable + - os_home_folders_default - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable + - os_image_generation_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined - os_mail_app_disable @@ -125,6 +132,7 @@ profile: - os_root_disable - os_screensaver_loginwindow_enforce - os_secure_boot_verify + - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable @@ -139,6 +147,7 @@ profile: - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure - os_sshd_unused_connection_timeout_configure + - os_sudo_log_enforce - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -147,6 +156,7 @@ profile: - os_unlock_active_user_session_disable - os_user_app_installation_prohibit - os_uucp_disable + - os_writing_tools_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce 
@@ -155,12 +165,14 @@ profile: - pwpolicy_alpha_numeric_enforce - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce + - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable + - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -168,11 +180,13 @@ profile: - system_settings_automatic_login_disable - system_settings_automatic_logout_enforce - system_settings_bluetooth_disable + - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable @@ -201,6 +215,7 @@ profile: - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable + - system_settings_siri_settings_disable - system_settings_smbd_disable - system_settings_ssh_disable - system_settings_ssh_enable @@ -208,8 +223,10 @@ profile: - system_settings_time_server_configure - system_settings_time_server_enforce - system_settings_token_removal_enforce + - system_settings_touch_id_settings_disable - system_settings_touchid_unlock_disable - system_settings_usb_restricted_mode + - system_settings_wallet_applepay_settings_disable - system_settings_wifi_disable - section: "Inherent" rules: diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml index 85c06a5c7..feefbae30 100644 --- a/baselines/cnssi-1253_low.yaml +++ b/baselines/cnssi-1253_low.yaml 
@@ -47,6 +47,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_ssh_password_authentication_disable @@ -89,16 +90,21 @@ profile: - os_disk_image_disable - os_dvdram_disable - os_erase_content_and_settings_disable + - os_external_storage_access_defined - os_facetime_app_disable - os_filevault_autologin_disable - os_firewall_default_deny_require - os_firmware_password_require - os_gatekeeper_enable + - os_genmoji_disable - os_handoff_disable + - os_home_folders_default - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable + - os_image_generation_disable - os_install_log_retention_configure + - os_iphone_mirroring_disable - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined - os_mail_app_disable @@ -124,6 +130,7 @@ profile: - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce + - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable @@ -138,6 +145,7 @@ profile: - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure - os_sshd_unused_connection_timeout_configure + - os_sudo_log_enforce - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -146,6 +154,7 @@ profile: - os_unlock_active_user_session_disable - os_user_app_installation_prohibit - os_uucp_disable + - os_writing_tools_disable - section: "passwordpolicy" rules: - pwpolicy_account_lockout_enforce 
@@ -153,11 +162,13 @@ profile: - pwpolicy_alpha_numeric_enforce - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce + - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce + - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -165,11 +176,13 @@ profile: - system_settings_automatic_login_disable - system_settings_automatic_logout_enforce - system_settings_bluetooth_disable + - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable @@ -198,6 +211,7 @@ profile: - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable + - system_settings_siri_settings_disable - system_settings_smbd_disable - system_settings_ssh_disable - system_settings_ssh_enable @@ -205,8 +219,10 @@ profile: - system_settings_time_server_configure - system_settings_time_server_enforce - system_settings_token_removal_enforce + - system_settings_touch_id_settings_disable - system_settings_touchid_unlock_disable - system_settings_usb_restricted_mode + - system_settings_wallet_applepay_settings_disable - system_settings_wifi_disable - section: "Inherent" rules: diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml index 77490d4b9..1439352fb 100644 --- a/baselines/cnssi-1253_moderate.yaml +++ b/baselines/cnssi-1253_moderate.yaml 
@@ -47,6 +47,7 @@ profile: - auth_pam_su_smartcard_enforce - auth_pam_sudo_smartcard_enforce - auth_smartcard_allow + - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_ssh_password_authentication_disable @@ -89,15 +90,19 @@ profile: - os_disk_image_disable - os_dvdram_disable - os_erase_content_and_settings_disable + - os_external_storage_access_defined - os_facetime_app_disable - os_filevault_autologin_disable - os_firewall_default_deny_require - os_firmware_password_require - os_gatekeeper_enable + - os_genmoji_disable - os_handoff_disable + - os_home_folders_default - os_home_folders_secure - os_httpd_disable - os_icloud_storage_prompt_disable + - os_image_generation_disable - os_install_log_retention_configure - os_ir_support_disable - os_loginwindow_adminhostinfo_undefined @@ -124,8 +129,8 @@ profile: - os_removable_media_disable - os_root_disable - os_screensaver_loginwindow_enforce - - os_screensaver_timeout_loginwindow_enforce - os_secure_boot_verify + - os_setup_assistant_filevault_enforce - os_sip_enable - os_siri_prompt_disable - os_skip_screen_time_prompt_enable @@ -140,6 +145,7 @@ profile: - os_sshd_login_grace_time_configure - os_sshd_permit_root_login_configure - os_sshd_unused_connection_timeout_configure + - os_sudo_log_enforce - os_sudoers_timestamp_type_configure - os_system_read_only - os_tftpd_disable @@ -148,6 +154,7 @@ profile: - os_unlock_active_user_session_disable - os_user_app_installation_prohibit - os_uucp_disable + - os_writing_tools_disable - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce 
@@ -156,12 +163,14 @@ profile: - pwpolicy_alpha_numeric_enforce - pwpolicy_custom_regex_enforce - pwpolicy_history_enforce + - pwpolicy_lower_case_character_enforce - pwpolicy_max_lifetime_enforce - pwpolicy_minimum_length_enforce - pwpolicy_minimum_lifetime_enforce - pwpolicy_simple_sequence_disable - pwpolicy_special_character_enforce - pwpolicy_temporary_or_emergency_accounts_disable + - pwpolicy_upper_case_character_enforce - section: "systemsettings" rules: - system_settings_airplay_receiver_disable @@ -169,18 +178,19 @@ profile: - system_settings_automatic_login_disable - system_settings_automatic_logout_enforce - system_settings_bluetooth_disable + - system_settings_bluetooth_settings_disable - system_settings_bluetooth_sharing_disable - - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable + - system_settings_external_intelligence_disable + - system_settings_external_intelligence_sign_in_disable - system_settings_filevault_enforce - system_settings_find_my_disable - system_settings_firewall_enable - system_settings_firewall_stealth_mode_enable - system_settings_gatekeeper_identified_developers_allowed - system_settings_gatekeeper_override_disallow - - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_hot_corners_disable - system_settings_hot_corners_secure @@ -202,6 +212,7 @@ profile: - system_settings_screensaver_password_enforce - system_settings_screensaver_timeout_enforce - system_settings_siri_disable + - system_settings_siri_settings_disable - system_settings_smbd_disable - system_settings_ssh_disable - system_settings_ssh_enable 
@@ -209,8 +220,10 @@ profile: - system_settings_time_server_configure - system_settings_time_server_enforce - system_settings_token_removal_enforce + - system_settings_touch_id_settings_disable - system_settings_touchid_unlock_disable - system_settings_usb_restricted_mode + - system_settings_wallet_applepay_settings_disable - system_settings_wifi_disable - section: "Inherent" rules: @@ -265,10 +278,3 @@ profile: - os_managed_access_control_points - os_non_repudiation - os_nonlocal_maintenance - - section: "Supplemental" - rules: - - supplemental_controls - - supplemental_filevault - - supplemental_firewall_pf - - supplemental_password_policy - - supplemental_smartcard diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index c9aa370b5..234696329 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml @@ -82,16 +82,16 @@ titles: 800-53r5_high: NIST SP 800-53 Rev 5 High Impact 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact - 800-171: NIST 800-171 Rev 2 - cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 1) - cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 2) + 800-171: NIST 800-171 Rev 3 + cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1) + cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2) cmmc_lvl1: US CMMC 2.0 Level 1 cmmc_lvl2: US CMMC 2.0 Level 2 cisv8: CIS Controls Version 8 cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low) cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate) cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High) - stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1 + stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 1 ddm: supported_types: - com.apple.configuration.services.configuration-files 
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 521f93586..bd4521683 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -36,7 +36,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-000030 800-171r3: - 03.03.08 cis: @@ -59,10 +59,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cmmc_lvl2 - stig + - cnssi-1253_moderate + - cnssi-1253_high severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index 3aeffc046..240a8eb13 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -36,7 +36,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-000031 800-171r3: - 03.03.08 cis: @@ -59,11 +59,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 73308e728..83d059fbd 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -48,6 +48,8 @@ references: - CCI-001890 - CCI-001914 - CCI-002130 + - CCI-003938 + - CCI-004188 800-53r5: - AU-3 - AU-3(1) @@ -100,8 +102,9 @@ references: - SRG-OS-000038-GPOS-00016 - SRG-OS-000462-GPOS-00206 - SRG-OS-000055-GPOS-00026 + - SRG-OS-000755-GPOS-00220 disa_stig: - - N/A + - APPL-15-001003 800-171r3: - 03.03.02 - 03.03.03 @@ -128,11 +131,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: 
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 6598765bc..c7d373362 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -27,7 +27,7 @@ references: - SRG-OS-000046-GPOS-00022 - SRG-OS-000343-GPOS-00134 disa_stig: - - N/A + - APPL-15-001030 macOS: - '15.0' odv: @@ -37,10 +37,10 @@ odv: tags: - 800-53r5_high - 800-53r4_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: low mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index 22ee4af04..122f0fe26 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001140 800-171r3: - 03.03.08 cis: @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml index c69d26219..3dd4ada90 100644 --- a/rules/audit/audit_control_group_configure.yaml +++ b/rules/audit/audit_control_group_configure.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001110 800-171r3: - 03.03.08 cis: @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml index f1888919c..6215eb594 100644 
--- a/rules/audit/audit_control_mode_configure.yaml +++ b/rules/audit/audit_control_mode_configure.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001130 800-171r3: - 03.03.08 cis: @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml index 8bc3492b2..5003bfef0 100644 --- a/rules/audit/audit_control_owner_configure.yaml +++ b/rules/audit/audit_control_owner_configure.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001120 800-171r3: - 03.03.08 cis: @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index dc0bd4e37..456954795 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000047-GPOS-00023 disa_stig: - - N/A + - APPL-15-001010 800-171r3: - 03.03.04 cmmc: @@ -40,11 +40,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 0e79c942b..dc7a224cf 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml 
@@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001014 800-171r3: - 03.03.08 cis: @@ -60,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 3d957818a..c4e099dda 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -33,7 +33,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001016 800-171r3: - 03.03.08 cis: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index c7e8cf975..7b6bd997b 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001012 800-171r3: - 03.03.08 cis: @@ -60,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 97dcd3a95..d5cbef850 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -22,6 +22,7 @@ references: - CCI-000172 - CCI-001814 - CCI-002884 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -46,7 +47,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000468-GPOS-00212 disa_stig: - - N/A + - APPL-15-001044 800-171r3: - 03.03.01 - 03.03.03 
@@ -74,11 +75,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 42bcbbb74..79acf44dd 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -31,6 +31,10 @@ references: - CCI-001814 - CCI-002234 - CCI-002884 + - CCI-000015 + - CCI-000015 + - CCI-003938 + - CCI-004083 800-53r5: - AC-2(12) - AC-6(9) @@ -60,8 +64,9 @@ references: - SRG-OS-000471-GPOS-00215 - SRG-OS-000458-GPOS-00203 - SRG-OS-000303-GPOS-00120 + - SRG-OS-000755-GPOS-00220 disa_stig: - - N/A + - APPL-15-001001 800-171r3: - 03.01.07 - 03.03.01 @@ -90,11 +95,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 3f1775718..710512218 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -22,6 +22,7 @@ references: cci: - CCI-000172 - CCI-001814 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -37,7 +38,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 disa_stig: - - N/A + - APPL-15-001024 800-171r3: - 03.03.01 - 03.03.03 @@ -65,11 +66,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml index 832c52ec9..ee912d63d 100644 --- a/rules/audit/audit_flags_fd_configure.yaml +++ b/rules/audit/audit_flags_fd_configure.yaml 
@@ -30,6 +30,7 @@ references: - CCI-001495 - CCI-001814 - CCI-002884 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -60,7 +61,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001020 800-171r3: - 03.03.01 - 03.03.03 @@ -77,11 +78,11 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 923854f2c..fb4222408 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml @@ -30,6 +30,7 @@ references: - CCI-001495 - CCI-001814 - CCI-002884 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -61,7 +62,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001021 800-171r3: - 03.03.01 - 03.03.03 @@ -74,11 +75,11 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml index 03f1f54ce..e6c6ec586 100644 --- a/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/rules/audit/audit_flags_fm_failed_configure.yaml @@ -68,10 +68,10 @@ tags: - 800-53r4_high - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 4a40208b1..200951ca6 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml 
@@ -23,6 +23,7 @@ references: cci: - CCI-000172 - CCI-001814 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -52,7 +53,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001022 800-171r3: - 03.03.01 - 03.03.03 @@ -82,11 +83,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index 6d0049d91..5a5de7764 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -23,6 +23,7 @@ references: cci: - CCI-000172 - CCI-001814 + - CCI-003938 800-53r5: - AC-2(12) - AU-12 @@ -53,7 +54,7 @@ references: - SRG-OS-000458-GPOS-00203 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001023 800-171r3: - 03.03.01 - 03.03.03 @@ -83,11 +84,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index 62b18b1ff..f20c38739 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -43,8 +43,9 @@ references: - SRG-OS-000472-GPOS-00217 - SRG-OS-000471-GPOS-00215 - SRG-OS-000458-GPOS-00203 + - SRG-OS-000755-GPOS-00220 disa_stig: - - N/A + - APPL-15-001002 800-171r3: - 03.03.01 - 03.03.03 @@ -73,11 +74,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index 96e4e3cff..64ed4fac4 100644 
--- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001015 800-171r3: - 03.03.08 cis: @@ -60,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index a8cff947f..0d14e2b62 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -37,7 +37,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001013 800-171r3: - 03.03.08 cis: @@ -60,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 4d79d4e43..ca06b1371 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000258-GPOS-00099 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-001017 800-171r3: - 03.03.08 cis: @@ -58,11 +58,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index 3acb23f1c..f0361611c 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml 
@@ -34,9 +34,9 @@ macOS: tags: - permanent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml index 77bec6716..c382361bf 100644 --- a/rules/audit/audit_record_reduction_report_generation.yaml +++ b/rules/audit/audit_record_reduction_report_generation.yaml @@ -40,9 +40,9 @@ tags: - 800-53r4_high - 800-53r5_moderate - inherent - - cnssi-1253_moderate - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index 760fdd765..a31b1588a 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml @@ -33,9 +33,9 @@ tags: - 800-53r4_high - 800-53r5_moderate - permanent - - cnssi-1253_moderate - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index a741e2e2a..4ffc1a1e4 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000341-GPOS-00132 disa_stig: - - N/A + - APPL-15-001029 cis: benchmark: - 3.4 (level 1) @@ -58,11 +58,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: low mobileconfig: false mobileconfig_info: diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 3898b9550..6c244d311 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml 
@@ -29,7 +29,7 @@ references: - SRG-OS-000047-GPOS-00023 - SRG-OS-000344-GPOS-00135 disa_stig: - - N/A + - APPL-15-001031 800-171r3: - 03.03.04 cmmc: @@ -42,11 +42,11 @@ tags: - 800-53r4_high - 800-53r5_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 504aa1036..e65b8e153 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -44,6 +44,7 @@ references: - CCI-000767 - CCI-000768 - CCI-001941 + - CCI-004047 800-53r5: - IA-2(1) - IA-2(2) @@ -58,8 +59,9 @@ references: - SRG-OS-000108-GPOS-00055 - SRG-OS-000106-GPOS-00053 - SRG-OS-000105-GPOS-00052 + - SRG-OS-000705-GPOS-00150 disa_stig: - - N/A + - APPL-15-003050 800-171r3: - 03.05.03 - 03.05.04 @@ -84,11 +86,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index d9c291bdb..6b85cac1b 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -39,6 +39,7 @@ references: - CCI-000767 - CCI-000768 - CCI-001941 + - CCI-004047 800-53r5: - IA-2(1) - IA-2(2) @@ -53,8 +54,9 @@ references: - SRG-OS-000108-GPOS-00055 - SRG-OS-000106-GPOS-00053 - SRG-OS-000105-GPOS-00052 + - SRG-OS-000705-GPOS-00150 disa_stig: - - N/A + - APPL-15-003051 800-171r3: - 03.05.03 - 03.05.04 @@ -79,11 +81,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: 
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index f2f202629..fb5d8a23f 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -38,6 +38,7 @@ references: - CCI-000767 - CCI-000768 - CCI-001941 + - CCI-004047 800-53r5: - IA-2(1) - IA-2(2) @@ -52,8 +53,9 @@ references: - SRG-OS-000108-GPOS-00055 - SRG-OS-000106-GPOS-00053 - SRG-OS-000105-GPOS-00052 + - SRG-OS-000705-GPOS-00150 disa_stig: - - N/A + - APPL-15-003052 800-171r3: - 03.05.03 - 03.05.04 @@ -78,11 +80,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 8d37d5c61..ac8fec813 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -42,7 +42,7 @@ references: - SRG-OS-000105-GPOS-00052 - SRG-OS-000068-GPOS-00036 disa_stig: - - N/A + - APPL-15-003030 cis: benchmark: - N/A @@ -67,12 +67,12 @@ tags: - 800-53r4_moderate - 800-53r4_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 352c46d4f..fc8e8edeb 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -40,6 +40,8 @@ tags: - 800-53r4_high - 800-53r5_high - cnssi-1253_high + - cnssi-1253_moderate + - cnssi-1253_low mobileconfig: true mobileconfig_info: com.apple.security.smartcard: 
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 3bf7a1329..f10fbaeb1 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -26,6 +26,7 @@ references: - CCI-001954 - CCI-001991 - CCI-002470 + - CCI-004068 800-53r5: - IA-5(2) - SC-17 @@ -38,7 +39,7 @@ references: - SRG-OS-000377-GPOS-00162 - SRG-OS-000066-GPOS-00034 disa_stig: - - N/A + - APPL-15-001060 cmmc: - SC.L2-3.13.10 macOS: @@ -46,10 +47,11 @@ macOS: tags: - 800-53r4_moderate - 800-53r5_moderate - - cnssi-1253_moderate - cnssi-1253_low - cmmc_lvl2 - stig + - cnssi-1253_moderate + - cnssi-1253_high severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 13e3c6f48..707c6b3fc 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml @@ -31,6 +31,7 @@ references: - CCI-001941 - CCI-001948 - CCI-001953 + - CCI-004046 800-53r5: - IA-2(1) - IA-2(2) @@ -58,8 +59,9 @@ references: - SRG-OS-000375-GPOS-00160 - SRG-OS-000376-GPOS-00161 - SRG-OS-000105-GPOS-00052 + - SRG-OS-000705-GPOS-00150 disa_stig: - - N/A + - APPL-15-003020 800-171r3: - 03.05.01 - 03.05.03 @@ -87,12 +89,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index c5706cdda..891be1e26 100644 --- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -42,6 +42,7 @@ references: - CCI-000877 - CCI-001941 - CCI-001948 + - CCI-004046 800-53r5: - IA-2(1) - IA-2(2) 
@@ -71,7 +72,7 @@ references: - SRG-OS-000375-GPOS-00160 - SRG-OS-000105-GPOS-00052 disa_stig: - - N/A + - APPL-15-001150 800-171r3: - 03.05.01 - 03.05.03 @@ -101,12 +102,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index 9ec79185a..eadbf33df 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002014 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml index 90d0d396a..1da32ca12 100644 --- a/rules/icloud/icloud_appleid_system_settings_disable.yaml +++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml @@ -53,11 +53,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate severity: high mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index dc37b17ce..53aeb381b 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002042 800-171r3: - 03.01.20 - 03.04.06 
@@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index ba15ad129..4bbdc27dc 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002012 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 26cc67040..9f99b039a 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002041 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml index 630fe37e6..96ababcbe 100644 --- a/rules/icloud/icloud_freeform_disable.yaml +++ b/rules/icloud/icloud_freeform_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002270 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: 
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml index f2b7f4286..3a4c60503 100644 --- a/rules/icloud/icloud_game_center_disable.yaml +++ b/rules/icloud/icloud_game_center_disable.yaml @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002160 800-171r3: - 03.01.20 - 03.04.06 @@ -57,12 +57,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 545211eaa..5ad4faebd 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002040 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index 4a48a5569..7d1f6d78d 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002015 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 7ecc600ce..c5256e7c1 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml 
@@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002016 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index dbcf22af3..4b0890e0c 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002043 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 019833992..59863f737 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002170 800-171r3: - 03.01.20 - 03.04.06 @@ -57,12 +57,13 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cisv8 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 2c51517ff..34530845e 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002013 800-171r3: - 03.01.20 - 03.04.06 
@@ -59,12 +59,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index b4dffd47f..68d00d7c7 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002150 800-171r3: - 03.01.20 - 03.04.06 @@ -59,12 +59,12 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml index 5edaaaa02..3c7531a4c 100644 --- a/rules/os/os_access_control_mobile_devices.yaml +++ b/rules/os/os_access_control_mobile_devices.yaml @@ -41,9 +41,9 @@ tags: - 800-53r5_high - n_a - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml index 80203ba9d..b104b50b7 100644 --- a/rules/os/os_account_modification_disable.yaml +++ b/rules/os/os_account_modification_disable.yaml @@ -39,7 +39,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002120 800-171r3: - 03.01.20 - 03.04.06 @@ -64,12 +64,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index ccd655e3d..299f1bdae 100644 --- a/rules/os/os_airdrop_disable.yaml 
+++ b/rules/os/os_airdrop_disable.yaml @@ -34,7 +34,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002009 800-171r3: - 03.01.02 - 03.01.20 @@ -64,12 +64,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml index 887309821..d40825e2b 100644 --- a/rules/os/os_allow_info_passed.yaml +++ b/rules/os/os_allow_info_passed.yaml @@ -27,9 +27,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index 2f907331f..6fa1812c2 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002035 800-171r3: - 03.01.20 cis: @@ -47,12 +47,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index aab02186e..acd59d96c 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml @@ -30,8 +30,8 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml index c88909c48..1798a5165 100644 
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/rules/os/os_asl_log_files_owner_group_configure.yaml @@ -27,7 +27,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - N/A + - APPL-15-004001 800-171r3: - N/A macOS: @@ -35,10 +35,10 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml index 929ec20e0..ab9ca2378 100644 --- a/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/rules/os/os_asl_log_files_permissions_configure.yaml @@ -25,7 +25,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - N/A + - APPL-15-004002 800-171r3: - N/A macOS: @@ -33,10 +33,10 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 97734334b..b147cfe1c 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -38,11 +38,11 @@ tags: - 800-53r4_high - permanent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index a809c8b07..d5c496d1b 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml 
@@ -9,7 +9,7 @@ discussion: | WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. check: | - /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' + /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;" result: integer: 1 fix: | @@ -39,7 +39,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-005070 800-171r3: - 03.01.02 - 03.04.05 @@ -66,12 +66,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index 2ecde48fa..d73f9d3a9 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index ff4aa0987..6c1e4d316 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index d7dac1c74..14e159f58 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: 
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml index 34e725f28..a06433fc2 100644 --- a/rules/os/os_bluray_read_only_enforce.yaml +++ b/rules/os/os_bluray_read_only_enforce.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml index 8aa722a40..32e8aac55 100644 --- a/rules/os/os_bonjour_disable.yaml +++ b/rules/os/os_bonjour_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002005 800-171r3: - 03.04.06 cis: @@ -49,11 +49,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml index 4abe731fc..54df62765 100644 --- a/rules/os/os_burn_support_disable.yaml +++ b/rules/os/os_burn_support_disable.yaml @@ -35,10 +35,10 @@ macOS: - '15.0' tags: - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: low mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index e5bd75a54..6ea1fe6ff 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -64,9 +64,9 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index e6e46c36e..0dd8f3ebc 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml 
@@ -36,7 +36,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002017 macOS: - '15.0' tags: diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml index d06e82259..59b7e7173 100644 --- a/rules/os/os_cd_read_only_enforce.yaml +++ b/rules/os/os_cd_read_only_enforce.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index effa6d771..d4d96c29c 100644 --- a/rules/os/os_certificate_authority_trust.yaml +++ b/rules/os/os_certificate_authority_trust.yaml @@ -15,14 +15,16 @@ references: - CCI-002470 - CCI-000185 - CCI-002450 + - CCI-004909 800-53r5: - SC-17 800-53r4: - SC-17 srg: - SRG-OS-000403-GPOS-00182 + - SRG-OS-000775-GPOS-00230 disa_stig: - - N/A + - APPL-15-003001 cmmc: - SC.L2-3.13.10 macOS: @@ -33,11 +35,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - manual - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index 5054c6783..a425332a7 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -27,9 +27,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml index e243cbd67..2c45b4e1a 100644 --- a/rules/os/os_config_data_install_enforce.yaml +++ b/rules/os/os_config_data_install_enforce.yaml 
@@ -30,7 +30,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-15-005130 800-171r3: - 03.14.02 cis: @@ -53,12 +53,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml index f70bac32e..1757afe9d 100644 --- a/rules/os/os_config_profile_ui_install_disable.yaml +++ b/rules/os/os_config_profile_ui_install_disable.yaml @@ -38,10 +38,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index 4bcabb2de..fe591422c 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml @@ -27,9 +27,9 @@ tags: - 800-53r4_moderate - 800-53r4_high - permanent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_dictation_disable.yaml b/rules/os/os_dictation_disable.yaml index 45826e1aa..f7f6f69bf 100644 --- a/rules/os/os_dictation_disable.yaml +++ b/rules/os/os_dictation_disable.yaml @@ -28,7 +28,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002230 800-171r3: - 03.01.20 - 03.04.06 @@ -54,12 +54,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index d8ba14526..2a18b4efe 100644 
--- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml @@ -14,13 +14,13 @@ references: cce: - CCE-94181-5 cci: - - CCI-000366 + - N/A 800-53r5: - N/A 800-53r4: - N/A srg: - - SRG-OS-000480-GPOS-00227 + - N/A disa_stig: - N/A cis: @@ -32,7 +32,6 @@ macOS: - '15.0' tags: - cisv8 - - stig severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index a35b9f2ec..c40995229 100644 --- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index 8e9a8af64..bf78a4f47 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -42,10 +42,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 11dbc04d6..5e4bacc72 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -29,8 +29,8 @@ tags: - 800-53r5_high - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index 40741d6db..b63adc2c3 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml 
@@ -27,7 +27,7 @@ references: - SRG-OS-000480-GPOS-00227 - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005061 cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 @@ -37,11 +37,11 @@ macOS: - '15.0' tags: - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_external_storage_access_defined.yaml b/rules/os/os_external_storage_access_defined.yaml index c1007cb4c..eec76c031 100644 --- a/rules/os/os_external_storage_access_defined.yaml +++ b/rules/os/os_external_storage_access_defined.yaml @@ -25,7 +25,10 @@ references: - 03.08.07 cmmc: - MP.L2-3.8.7 - - MP.L2-3.8.8 + - MP.L2-3.8.8 +odv: + hint: Allowed, ReadOnly, or Disallowed + recommended: Allowed macOS: - '15.0' tags: @@ -33,9 +36,9 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high -odv: - hint: Allowed, ReadOnly, or Disallowed - recommended: Allowed + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: false mobileconfig_info: ddm_info: diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index fe84e89df..c437113b9 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -44,7 +44,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002010 800-171r3: - 03.01.20 - 03.04.06 @@ -61,10 +61,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index 22e8bed77..4b3eac65e 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-000033 800-171r3: - 03.01.02 cis: 
@@ -54,12 +54,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index 00db0aae9..5e1c75b2e 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -48,9 +48,9 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index 1512c6ba1..a7c6687fb 100644 --- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-15-003013 800-171r3: - 03.01.05 cmmc: @@ -48,12 +48,12 @@ tags: - 800-53r4_high - 800-171 - i386 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index ad6001090..b8dc0976a 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -20,6 +20,7 @@ references: - CCE-94195-5 cci: - CCI-001749 + - CCI-003992 800-53r5: - CM-14 - CM-5 @@ -33,8 +34,9 @@ references: - SI-7(15) srg: - SRG-OS-000366-GPOS-00153 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002064 800-171r3: - 03.14.02 cis: @@ -61,12 +63,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: high mobileconfig: true mobileconfig_info: 
diff --git a/rules/os/os_genmoji_disable.yaml b/rules/os/os_genmoji_disable.yaml index d7b26ab48..aaf4832b5 100644 --- a/rules/os/os_genmoji_disable.yaml +++ b/rules/os/os_genmoji_disable.yaml @@ -15,7 +15,12 @@ references: cce: - CCE-94196-3 cci: - - N/A + - CCI-000381 + - CCI-001774 + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-15-005140 800-53r5: - AC-20 - AC-20(1) @@ -35,9 +40,13 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cnssi-1253_low + - cnssi-1253_high + - stig - 800-171 - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 9091ada29..9d6c8e377 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml @@ -27,9 +27,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index 6f28b74ed..00c907f3b 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -35,7 +35,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005058 800-171r3: - 03.01.02 - 03.01.20 @@ -62,12 +62,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml deleted file mode 100644 index dc15f4e3d..000000000 --- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -id: os_hibernate_mode_apple_silicon_enable -title: Enable Hibernate Mode (Apple Silicon) -discussion: | - Hibernate mode _MUST_ be enabled. - - This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. - - Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. - This setting ensures that MacBooks will not hibernate and require FileVault authentication whenever the display goes to sleep for a short period of time. - - NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. -check: | - error_count=0 - if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then - hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') - sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') - displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') - - if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then - ((error_count++)) - fi - if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then - ((error_count++)) - fi - if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then - ((error_count++)) - fi - fi - echo "$error_count" -result: - integer: 0 -fix: | - [source,bash] - ---- - /usr/bin/pmset -a sleep 10 - /usr/bin/pmset -a displaysleep 15 - /usr/bin/pmset -a hibernatemode 25 - ---- -references: - cce: - - CCE-94200-3 - cci: - - N/A - 800-53r5: - - N/A - 800-53r4: - - N/A - srg: - - N/A - disa_stig: - - N/A - 800-171r3: - - N/A - cis: - benchmark: - - 2.9.1.2 (level 2) - controls v8: - - 4.1 -macOS: - - '15.0' -tags: - - cis_lvl2 - - cisv8 - - arm64 -mobileconfig: false 
-mobileconfig_info: diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 3ec19ea3e..93fcc6702 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml @@ -28,14 +28,13 @@ references: - N/A cis: benchmark: - - 2.9.1.3 (level 2) + - N/A controls v8: - - 4.1 + - N/A macOS: - '15.0' tags: - - cis_lvl2 - - cisv8 + - none mobileconfig: true mobileconfig_info: com.apple.MCX: diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml index 18c2449d4..0e1e82567 100644 --- a/rules/os/os_hibernate_mode_intel_enable.yaml +++ b/rules/os/os_hibernate_mode_intel_enable.yaml @@ -53,14 +53,12 @@ references: - N/A cis: benchmark: - - 2.9.1.1 (level 2) + - N/A controls v8: - - 4.1 + - N/A macOS: - '15.0' tags: - - cis_lvl2 - - cisv8 - - i386 + - none mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml index 20ee7a509..7ca64f56f 100644 --- a/rules/os/os_home_folders_default.yaml +++ b/rules/os/os_home_folders_default.yaml @@ -55,6 +55,9 @@ macOS: - '15.0' tags: - manual + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 0ac44f4ac..f5656b85c 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -28,8 +28,9 @@ references: - AC-6 srg: - SRG-OS-000480-GPOS-00230 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002068 800-171r3: - 03.01.05 cis: @@ -51,12 +52,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: 
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 116e6b16b..dce75fc30 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002008 800-171r3: - 03.01.02 - 03.04.06 @@ -51,12 +51,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index dd9e2dd0f..d988a2a31 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002037 800-171r3: - 03.01.20 - 03.04.06 @@ -48,12 +48,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 2db470ac7..abc51d3b1 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -29,8 +29,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - n_a - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_image_generation_disable.yaml b/rules/os/os_image_generation_disable.yaml index 672d58da0..baff77dbd 100644 --- a/rules/os/os_image_generation_disable.yaml +++ b/rules/os/os_image_generation_disable.yaml @@ -15,7 +15,12 @@ references: cce: - CCE-94208-6 cci: - - N/A + - CCI-000381 + - CCI-001774 + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-15-005150 800-53r5: - AC-20 - AC-20(1) 
@@ -35,9 +40,13 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high + - cnssi-1253_low + - cnssi-1253_high + - stig - 800-171 - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index b3fedaa11..cd306a125 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml @@ -45,10 +45,10 @@ tags: - 800-53r4_high - 800-171 - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 948a00b18..2b4af6b5b 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -38,8 +38,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml index d5d8f2c68..0b6abc9bf 100644 --- a/rules/os/os_information_validation.yaml +++ b/rules/os/os_information_validation.yaml @@ -29,8 +29,8 @@ tags: - 800-53r5_moderate - 800-53r5_high - n_a - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml index e495d6b39..278ea4782 100644 --- a/rules/os/os_install_log_retention_configure.yaml +++ b/rules/os/os_install_log_retention_configure.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000341-GPOS-00132 disa_stig: - - N/A + - APPL-15-004050 800-171r3: - 03.03.03 cis: 
@@ -50,11 +50,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml index 196fb1d61..20e36a4ff 100644 --- a/rules/os/os_iphone_mirroring_disable.yaml +++ b/rules/os/os_iphone_mirroring_disable.yaml @@ -1,7 +1,7 @@ id: os_iphone_mirroring_disable title: Disable iPhone Mirroring discussion: |- - iPhone mirroring _MUST_ be disabled. + iPhone Mirroing _MUST_ be disabled to prevent file transfers to or from unauthorized devices. Disabling iPhone Mirroring also prevents potentially unauthorized applications from appearing as if they are installed on the Mac. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -10,18 +10,64 @@ check: | result: string: 'false' fix: | - This is implemented by a Configuration Profile.references: + This is implemented by a Configuration Profile references: cce: - CCE-94213-6 cci: - - N/A + - CCI-000213 + - CCI-000381 + - CCI-001443 800-53r5: + - AC-3 + - AC-20 + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-3 + - AC-20 + srg: + - SRG-OS-000300-GPOS-00118 + - SRG-OS-000080-GPOS-00048 + - SRG-OS-000095-GPOS-00049 + disa_stig: - N/A + 800-171r3: + - 03.01.02 + - 03.01.20 + - 03.04.06 + cis: + benchmark: + - 2.3.1.1 (level 1) + controls v8: + - 4.1 + - 4.8 + - 6.7 + cmmc: + - AC.L1-3.1.1 + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 macOS: - '15.0' tags: - - none + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cis_lvl1 + - cis_lvl2 + - cisv8 + - cnssi-1253_low + - cnssi-1253_high + - cmmc_lvl2 + - cmmc_lvl1 +severity: medium mobileconfig: true mobileconfig_info: com.apple.applicationaccess: 
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 32b2a9fd1..eca18a801 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -57,10 +57,10 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 9e1e5d4ee..b65e6644c 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -27,8 +27,8 @@ macOS: - '15.0' tags: - permanent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index 1801d9bde..b0b3fb9f3 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -27,8 +27,8 @@ tags: - 800-53r5_high - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 46cd98993..98cd55132 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -45,11 +45,11 @@ tags: - 800-171 - inherent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml b/rules/os/os_loginwindow_adminhostinfo_undefined.yaml index 13ffa4d6e..958c9b025 100644 --- a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml +++ b/rules/os/os_loginwindow_adminhostinfo_undefined.yaml @@ -23,7 +23,7 @@ references: srg: - SRG-OS-000031-GPOS-00012 disa_stig: - - N/A + - APPL-15-000009 800-171r3: - 03.01.10 macOS: 
@@ -34,10 +34,10 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml index 69d63ed6e..bfd94aaf5 100644 --- a/rules/os/os_logoff_capability_and_message.yaml +++ b/rules/os/os_logoff_capability_and_message.yaml @@ -27,9 +27,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 5f97e7257..40f9d7421 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -66,9 +66,9 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_mail_summary_disable.yaml b/rules/os/os_mail_summary_disable.yaml new file mode 100644 index 000000000..671d1a944 --- /dev/null +++ b/rules/os/os_mail_summary_disable.yaml 
@@ -0,0 +1,44 @@ +id: os_mail_summary_disable +title: Disable Apple Intelligence Mail Summary +discussion: |- + Apple Intelligence features such as Apple Mail Summary that use off device AI _MUST_ be disabled. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowMailSummary').js + EOS +result: + string: 'false' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-94521-2 + cci: + - N/A + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) + 800-171r3: + - 03.01.20 + - 03.04.06 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - '15.0' +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cmmc_lvl2 + - cmmc_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowMailSummary: false diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index d88a70d03..ac22d7452 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml @@ -67,10 +67,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml index d22bfac45..34a786ea7 100644 --- a/rules/os/os_managed_access_control_points.yaml +++ b/rules/os/os_managed_access_control_points.yaml @@ -31,9 +31,9 @@ tags: - 800-53r5_moderate - 800-53r5_high - n_a - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 4f363fbde..7e48c9e78 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml 
@@ -35,7 +35,7 @@ references: - CM-2 - CM-6 disa_stig: - - N/A + - APPL-15-005110 srg: - SRG-OS-000480-GPOS-00227 800-171r3: @@ -62,11 +62,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index 5214f97d1..0b0a654ab 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -61,9 +61,9 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate severity: low mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml index 3fd5a4724..5a90e16d7 100644 --- a/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -27,7 +27,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - N/A + - APPL-15-004030 800-171r3: - N/A macOS: @@ -35,10 +35,10 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml index e26af6048..363e407e9 100644 --- a/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -25,7 +25,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - N/A + - APPL-15-004040 800-171r3: - N/A macOS: 
@@ -33,10 +33,10 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index 802bcca23..c2683b375 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002003 800-171r3: - 03.01.02 - 03.04.06 @@ -50,12 +50,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml index 5c5aae8b8..f6aed3fe5 100644 --- a/rules/os/os_non_repudiation.yaml +++ b/rules/os/os_non_repudiation.yaml @@ -28,7 +28,7 @@ macOS: tags: - 800-53r5_high - n_a - - cnssi-1253_moderate - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 6ea1e36d4..1db522051 100644 --- a/rules/os/os_nonlocal_maintenance.yaml +++ b/rules/os/os_nonlocal_maintenance.yaml @@ -34,9 +34,9 @@ tags: - 800-53r4_high - 800-171 - n_a - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index 456012596..80fb6a0e8 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -48,10 +48,10 @@ tags: - 800-171 - inherent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: 
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml index 03808cd8e..3820e0ad4 100644 --- a/rules/os/os_on_device_dictation_enforce.yaml +++ b/rules/os/os_on_device_dictation_enforce.yaml @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002220 800-171r3: - 03.01.20 - 03.04.06 @@ -56,7 +56,6 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 @@ -64,6 +63,7 @@ tags: - stig - cis_lvl1 - cis_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index a792be56e..eb23ce6e6 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -38,9 +38,9 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 6b13b503f..80a90f472 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -17,20 +17,8 @@ references: cce: - CCE-94247-4 cci: - - CCI-000381 + - N/A 800-53r5: - - IA-5(13) - - CM-7 - - CM-7(1) - - IA-11 - - IA-5 - 800-53r4: - - IA-5 - - IA-5(13) - - IA-11 - - CM-7 - - CM-7(1) - disa_stig: - N/A srg: - SRG-OS-000095-GPOS-00049 @@ -50,20 +38,10 @@ references: macOS: - '15.0' tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 - - cisv8 + - none - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - - cmmc_lvl2 - - stig -severity: medium mobileconfig: true mobileconfig_info: com.apple.applicationaccess: 
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index 5a392c555..948379e69 100644 --- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -40,18 +40,18 @@ references: srg: - SRG-OS-000079-GPOS-00047 disa_stig: - - N/A + - APPL-15-003014 macOS: - '15.0' tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index b6db354bc..e4e6cd530 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005060 800-171r3: - 03.05.12 cis: @@ -48,11 +48,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index 2fbe08143..e5de68a76 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -48,10 +48,10 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_photos_enhanced_search_disable.yaml b/rules/os/os_photos_enhanced_search_disable.yaml new file mode 100644 index 000000000..7de33ea81 --- /dev/null +++ b/rules/os/os_photos_enhanced_search_disable.yaml 
@@ -0,0 +1,46 @@ +id: os_photos_enhanced_search_disable +title: Disable Photos Enhanced Visual Search +discussion: |- + Enhanced Visualed Search _MUST_ be disabled in the Photos app. + + The information system _MUST_ be configured to provide only essential capabilities. Disabling Enhanced Visual Search will mitigate the risk of unwanted data being sent to Apple. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.photos.shareddefaults')\ + .objectForKey('IPXDefaultEnhancedVisualSearchEnabled').js + EOS +result: + string: 'false' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-94522-0 + cci: + - N/A + 800-53r5: + - AC-20 + - AC-20(1) + - CM-7 + - CM-7(1) + - SC-7(10) + 800-171r3: + - 03.01.20 + - 03.04.06 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - '15.0' +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 + - cmmc_lvl2 + - cmmc_lvl1 +mobileconfig: true +mobileconfig_info: + com.apple.photos.shareddefaults: + IPXDefaultEnhancedVisualSearchEnabled: false diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 295269697..13c183faf 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -46,7 +46,7 @@ references: - SRG-OS-000228-GPOS-00088 - SRG-OS-000023-GPOS-00006 disa_stig: - - N/A + - APPL-15-000025 800-171r3: - 03.01.09 cis: @@ -84,11 +84,11 @@ tags: - 800-53r4_high - 800-171 - cis_lvl2 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index fb799229d..a94047c67 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml 
@@ -31,7 +31,7 @@ references: - SRG-OS-000024-GPOS-00007 - SRG-OS-000023-GPOS-00006 disa_stig: - - N/A + - APPL-15-000023 800-171r3: - 03.01.09 cmmc: @@ -69,11 +69,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 356db703a..abf104e11 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml @@ -47,7 +47,7 @@ references: - SRG-OS-000024-GPOS-00007 - SRG-OS-000023-GPOS-00006 disa_stig: - - N/A + - APPL-15-000024 800-171r3: - 03.01.09 cmmc: @@ -62,11 +62,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index b7fff6be8..3edc79a3f 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -55,9 +55,9 @@ tags: - cis_lvl2 - cisv8 - i386 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml index 833ea858b..284c0830c 100644 --- a/rules/os/os_predictable_behavior.yaml +++ b/rules/os/os_predictable_behavior.yaml @@ -23,9 +23,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index 2b29ec982..7014eed8f 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml 
@@ -29,9 +29,9 @@ references: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 8a19df039..5e3702013 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -38,10 +38,10 @@ tags: - 800-53r4_high - 800-171 - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index f98497523..3365dfde3 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -36,10 +36,10 @@ tags: - 800-53r4_high - 800-171 - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index 25ce18627..f88a0dd17 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002036 cis: benchmark: - N/A @@ -44,11 +44,11 @@ macOS: tags: - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index a5138f2c7..aa0f22131 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
@@ -41,9 +41,9 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index 9bf080c80..2d7f93a80 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -33,9 +33,9 @@ tags: - 800-53r4_moderate - 800-53r4_high - permanent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 9432a106b..ef13da6de 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -31,8 +31,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - permanent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index 5c6158826..57bcd8be5 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -23,9 +23,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index 92d7f6269..1fc632261 100644 --- a/rules/os/os_rapid_security_response_allow.yaml +++ b/rules/os/os_rapid_security_response_allow.yaml 
@@ -43,11 +43,11 @@ tags: - 800-53r5_moderate - 800-53r5_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index 02846fa91..a9881bfd1 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -43,11 +43,11 @@ tags: - 800-53r5_moderate - 800-53r5_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index 7c5b5d16e..9caa0a677 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -31,9 +31,9 @@ tags: - 800-53r5_moderate - 800-53r5_high - permanent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index 9a6b46b21..a9057d76c 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml @@ -27,9 +27,9 @@ macOS: tags: - 800-171 - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index d7d751385..d8efa816a 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml 
@@ -29,9 +29,9 @@ tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index 7dfaf818e..e6de07193 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000480-GPOS-00227 disa_stig: - - N/A + - APPL-15-005120 800-171r3: - 03.01.05 cmmc: @@ -39,12 +39,12 @@ tags: - 800-53r4_high - 800-171 - arm64 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 00769ad0b..4b4d53d3d 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -44,10 +44,10 @@ references: macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml index 2942a251c..b9a231c58 100644 --- a/rules/os/os_remove_software_components_after_updates.yaml +++ b/rules/os/os_remove_software_components_after_updates.yaml @@ -23,9 +23,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 0d09eb862..38e579b46 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
@@ -38,9 +38,9 @@ tags: - 800-53r4_moderate - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 72ff96388..6667e1a70 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -20,6 +20,7 @@ references: - CCI-000764 - CCI-000770 - CCI-001813 + - CCI-004045 800-53r5: - IA-2 - IA-2(5) @@ -41,7 +42,7 @@ references: - SRG-OS-000109-GPOS-00056 - SRG-OS-000104-GPOS-00051 disa_stig: - - N/A + - APPL-15-000100 macOS: - '15.0' tags: @@ -55,12 +56,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml index 6f83fb2f1..693f79e60 100644 --- a/rules/os/os_safari_show_status_bar_enabled.yaml +++ b/rules/os/os_safari_show_status_bar_enabled.yaml @@ -23,7 +23,7 @@ references: - N/A cis: benchmark: - - 6.3.11 (level 1) + - 6.3.10 (level 1) controls v8: - 9.1 macOS: diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index 9322d9fcd..4fb36deb0 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -36,10 +36,10 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml index 3367e3920..675dfd650 100644 --- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml 
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml @@ -46,7 +46,7 @@ odv: hint: Number of seconds. recommended: 1200 tags: - - cnssi-1253_moderate + - none severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 12216fc08..d041dad28 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -31,16 +31,16 @@ references: - SRG-OS-000445-GPOS-00199 - SRG-OS-000446-GPOS-00200 disa_stig: - - N/A + - APPL-15-005100 macOS: - '15.0' tags: - 800-53r5_high - 800-53r5_moderate - 800-53r4_high - - cnssi-1253_moderate - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 254cb4a4d..0cc3757f2 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -34,10 +34,10 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml index 5388e9c2f..2ebeeb61b 100644 --- a/rules/os/os_secure_name_resolution.yaml +++ b/rules/os/os_secure_name_resolution.yaml @@ -37,8 +37,8 @@ tags: - 800-53r4_high - permanent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 2721ce1d5..64f983ab0 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -39,10 +39,10 @@ tags: - 800-53r4_high - 800-171 - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: 
diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml index c2cd50510..472ec3644 100644 --- a/rules/os/os_setup_assistant_filevault_enforce.yaml +++ b/rules/os/os_setup_assistant_filevault_enforce.yaml @@ -45,6 +45,9 @@ tags: - 800-53r5_high - cisv8 - cmmc_lvl2 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: high mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index dea895b03..7f8fe88d2 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml @@ -35,6 +35,8 @@ references: - CCI-001880 - CCI-001881 - CCI-001882 + - CCI-001090 + - CCI-001496 800-53r5: - AC-3 - AU-9 @@ -70,7 +72,7 @@ references: - SRG-OS-000122-GPOS-00063 - SRG-OS-000058-GPOS-00028 disa_stig: - - N/A + - APPL-15-005001 800-171r3: - 03.01.02 - 03.03.08 @@ -103,12 +105,12 @@ tags: - cisv8 - cis_lvl1 - cis_lvl2 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index d8c9aa439..5135cdb61 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002039 800-171r3: - 03.01.20 - 03.04.06 @@ -55,12 +55,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index 2bcc5df96..281dca3a9 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml 
@@ -24,7 +24,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005055 cmmc: - CM.L2-3.4.6 - CM.L2-3.4.7 @@ -34,11 +34,11 @@ macOS: - '15.0' tags: - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: low mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml index 3983e343e..a38ed5d6f 100644 --- a/rules/os/os_skip_unlock_with_watch_enable.yaml +++ b/rules/os/os_skip_unlock_with_watch_enable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005056 800-171r3: - 03.01.20 - 03.04.06 @@ -47,12 +47,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml new file mode 100644 index 000000000..a78b3d211 --- /dev/null +++ b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml 
@@ -0,0 +1,54 @@ +id: os_sleep_and_display_sleep_apple_silicon_enable +title: Ensure Sleep and Display Sleep Is Enabled on Apple Silicon Devices +discussion: | + Apple Silicon MacBooks should set sleep timeout to 15 minutes (900 seconds) or less and the display sleep timeout should be 10 minutes (600 seconds) or less but less than the sleep setting. +check: | + error_count=0 + if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then + sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') + displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') + + if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then + ((error_count++)) + fi + if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then + ((error_count++)) + fi + fi + echo "$error_count" +result: + integer: 0 +fix: | + [source,bash] + ---- + /usr/bin/pmset -a sleep 15 + /usr/bin/pmset -a displaysleep 10 + ---- +references: + cce: + - CCE-94200-3 + cci: + - N/A + 800-53r5: + - N/A + 800-53r4: + - N/A + srg: + - N/A + disa_stig: + - N/A + 800-171r3: + - N/A + cis: + benchmark: + - 2.9.1.2 (level 2) + controls v8: + - 4.1 +macOS: + - '15.0' +tags: + - cis_lvl2 + - cisv8 + - arm64 +mobileconfig: false +mobileconfig_info: diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index 1973306f4..a01d508ce 100644 --- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml 
@@ -8,29 +8,62 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. + + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | - fips_ssh_config="Ciphers aes128-gcm@openssh.com - HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com - HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com - KexAlgorithms ecdh-sha2-nistp256 - MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256 - PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com - CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" - /usr/bin/grep -c "$fips_ssh_config" /etc/ssh/ssh_config.d/fips_ssh_config + fips_ssh_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com") + total=0 + ret="pass" + for config in $fips_ssh_config; do + if [[ "$ret" == "fail" ]]; then + break + fi + for u in $(/usr/bin/dscl . 
list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do + sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -ci "$config") + if [[ "$sshCheck" == "0" ]]; then + ret="fail" + break + fi + done + done + echo $ret result: - integer: 7 + string: "pass" fix: | [source,bash] ---- - fips_ssh_config="Ciphers aes128-gcm@openssh.com - HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com - HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com - KexAlgorithms ecdh-sha2-nistp256 - MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256 - PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com - CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" - /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config - ---- + if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/ssh_config.d/100-macos.conf 2>/dev/null; then + /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf + fi + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*') + + fips_ssh_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com") + for ssh_config in $fips_ssh_config; do + ssh_setting=$(echo $ssh_config | 
/usr/bin/cut -d " " -f1) + /usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf" + for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1) + configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)configfiles} ) + if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then + for c in $configarray; do + if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then + continue + fi + + /usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c" + if [[ "$c" =~ ".ssh/config" ]]; then + if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then + old_file=$(cat ~$u/.ssh/config) + echo "$ssh_config" > ~$u/.ssh/config + echo "$old_file" >> ~$u/.ssh/config + fi + fi + done + fi + done + done + ---- references: cce: - CCE-94299-5 @@ -58,7 +91,7 @@ references: - SRG-OS-000033-GPOS-00014 - SRG-OS-000396-GPOS-00176 disa_stig: - - N/A + - APPL-15-000057 800-171r3: - 03.13.08 - 03.13.11 @@ -77,11 +110,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index a6e6f9c52..c2fdfd963 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml 
@@ -4,6 +4,8 @@ discussion: | SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. + + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | ret="pass" for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
@@ -19,17 +21,35 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do - config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') - configarray=( ${(f)config} ) - for c in $configarray; do - if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then - continue - fi - /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax $ODV/' "$c" || /bin/echo 'ServerAliveCountMax $ODV' >> "$c" - done + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*') + + ssh_config=("ServerAliveCountMax $ODV") + + ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1) + /usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf" + for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1) + configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)configfiles} ) + if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then + for c in $configarray; do + if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then + continue + fi + + /usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c" + if [[ "$c" =~ ".ssh/config" ]]; then + if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then + old_file=$(cat ~$u/.ssh/config) + echo "$ssh_config" > ~$u/.ssh/config + echo "$old_file" >> ~$u/.ssh/config + fi + fi + done + fi done - ---- + + ---- references: cce: - CCE-94300-1 
@@ -42,7 +62,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - N/A + - APPL-15-000140 800-171r3: - 03.13.09 cmmc: @@ -59,11 +79,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index e7c052833..c33ae3b90 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -6,6 +6,8 @@ discussion: | Setting the Active Server Alive Maximum Count to $ODV will log users out after a $ODV seconds interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. + + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | ret="pass" for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
@@ -21,17 +23,35 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do - config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') - configarray=( ${(f)config} ) - for c in $configarray; do - if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then - continue + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*') + + ssh_config_string=("ServerAliveInterval $ODV") + for ssh_config in $ssh_config_string; do + ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1) + /usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf" + for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1) + configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)configfiles} ) + if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then + for c in $configarray; do + if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then + continue + fi + + /usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c" + if [[ "$c" =~ ".ssh/config" ]]; then + if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then + old_file=$(cat ~$u/.ssh/config) + echo "$ssh_config" > ~$u/.ssh/config + echo "$old_file" >> ~$u/.ssh/config + fi + fi + done fi - /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval $ODV/' "$c" || /bin/echo 'ServerAliveInterval $ODV' >> "$c" done done - ---- + ---- references: cce: - CCE-94301-9 
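Review bot: the guard `if ! echo $config | /usr/bin/grep -q -i "$ssh_config"` is a substring match, so if `$ODV` renders as 900, for example, an effective `serveraliveinterval 9000` still matches `ServerAliveInterval 900` and that user's files are skipped as already compliant. Suggest a whole-line fixed-string match (`/usr/bin/grep -qixF "$ssh_config"`) against the `ssh -G` output. In the `.ssh/config` branch, the unanchored `grep -qEi "$ssh_setting"` also matches the line the preceding `sed` has just rewritten, so a top-level entry ends up in the file twice, and the branch reads and rewrites `~$u/.ssh/config` instead of `"$c"`.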
@@ -45,7 +65,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - N/A + - APPL-15-000110 800-171r3: - 03.01.11 - 03.13.09 @@ -64,11 +84,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml index f187be1d0..a120972b5 100644 --- a/rules/os/os_sshd_channel_timeout_configure.yaml +++ b/rules/os/os_sshd_channel_timeout_configure.yaml @@ -6,6 +6,8 @@ discussion: | This will set the time out when the session is inactive. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/channeltimeout/{print $2}' result: @@ -46,7 +48,7 @@ references: - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 disa_stig: - - N/A + - APPL-15-000120 800-171r3: - 03.01.11 - 03.13.09 @@ -65,11 +67,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 37d1c7fee..601c17fe2 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml 
@@ -7,7 +7,7 @@ discussion: | NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}' result: @@ -45,7 +45,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - N/A + - APPL-15-000052 800-171r3: - 03.13.09 cmmc: @@ -62,11 +62,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 76c08ad18..8377fc096 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}' result: 
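Review bot: in the `discussion` text this hunk replaces the NOTE that /etc/ssh/sshd_config is returned to its original state after an update or major upgrade, while os_sshd_channel_timeout_configure.yaml and the two ssh client rules in this same patch keep that NOTE and add the new one beneath it. The two notes say different things (one warns that the setting can be lost on upgrade, the other says how to return to the macOS default), so suggest keeping both here and in os_sshd_client_alive_count_max_configure.yaml, or stating in the commit message why the upgrade warning no longer applies to these rules.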
@@ -48,7 +48,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - N/A + - APPL-15-000051 800-171r3: - 03.01.11 - 03.13.09 @@ -67,11 +67,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index aa7b31bac..ee8bddd9c 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml @@ -8,6 +8,8 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. + + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com") total=0 
@@ -21,6 +23,10 @@ result: fix: | [source,bash] ---- + if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/bin/null; then + /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf + fi + include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then @@ -28,9 +34,11 @@ fix: | fi fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com") - + sshd_config=$(/usr/sbin/sshd -G) for config in $fips_sshd_config; do - /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf" + if ! echo $sshd_config | /usr/bin/grep -q -i "$config" 2>/dev/null; then + /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf" + fi done for file in $(ls ${include_dir}); do @@ -75,7 +83,7 @@ references: - SRG-OS-000393-GPOS-00173 - SRG-OS-000396-GPOS-00176 disa_stig: - - N/A + - APPL-15-000054 800-171r3: - 03.13.08 - 03.13.11 @@ -94,11 +102,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: 
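Review bot: in the first fix hunk of os_sshd_fips_compliant.yaml the grep redirects stderr with `2>/bin/null`; that should be `2>/dev/null`. /bin/null is not the null device, and when the shell cannot open that path for writing the grep is not run at all, so the condition is false and the `ln -fs` to /etc/ssh/crypto/fips.conf is skipped. In the following hunk, `echo $sshd_config | /usr/bin/grep -q -i "$config"` treats `$config` as an unanchored pattern, so `Ciphers aes128-gcm@openssh.com` counts as present whenever the effective list merely begins with that cipher; a whole-line fixed-string match (`-qixF`) would skip the append only when the effective value is exactly the FIPS list.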
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml index 7d959c8ed..de90f60db 100644 --- a/rules/os/os_sshd_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml @@ -3,7 +3,7 @@ title: Set Login Grace Time to $ODV discussion: | If SSHD is enabled then it _MUST_ be configured to wait only $ODV seconds before timing out logon attempts. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' result: @@ -41,7 +41,7 @@ references: srg: - SRG-OS-000163-GPOS-00072 disa_stig: - - N/A + - APPL-15-000053 800-171r3: - 03.13.09 cmmc: @@ -53,11 +53,11 @@ odv: recommended: 30 stig: 30 tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml index 6988e1551..d083934aa 100644 --- a/rules/os/os_sshd_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -5,7 +5,7 @@ discussion: | The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}' result: 
@@ -37,6 +37,7 @@ references: cci: - CCI-000770 - CCI-001813 + - CCI-004045 800-53r5: - IA-2(5) 800-53r4: @@ -45,16 +46,16 @@ references: - SRG-OS-000364-GPOS-00151 - SRG-OS-000109-GPOS-00056 disa_stig: - - N/A + - APPL-15-001100 macOS: - '15.0' tags: - 800-53r5_high - 800-53r4_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index 8b30f215b..1956bbb16 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml @@ -5,7 +5,7 @@ discussion: | This will set the time out when there are no open channels within an session. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration. check: | /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}' result: @@ -46,7 +46,7 @@ references: - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 disa_stig: - - N/A + - APPL-15-000130 800-171r3: - 03.01.11 - 03.13.09 @@ -65,11 +65,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index 722ee3d53..097dec644 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml 
@@ -48,10 +48,10 @@ tags: - 800-171 - inherent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sudo_log_enforce.yaml b/rules/os/os_sudo_log_enforce.yaml index 3c7045419..e69d319c5 100644 --- a/rules/os/os_sudo_log_enforce.yaml +++ b/rules/os/os_sudo_log_enforce.yaml @@ -29,7 +29,7 @@ references: - APPL-15-000190 cis: benchmark: - - N/A + - 5.11 (level 1) controls v8: - N/A cmmc: @@ -41,12 +41,15 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high + - stig - cis_lvl1 - cis_lvl2 - cisv8 - cmmc_lvl2 - - stig - 800-171 + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index 023d5ee67..f9f20fbc7 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -24,7 +24,7 @@ references: srg: - SRG-OS-000373-GPOS-00156 disa_stig: - - N/A + - APPL-15-004022 cis: benchmark: - 5.4 (level 1) diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index c9598084c..1a939c5ca 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -27,7 +27,7 @@ references: - SRG-OS-000373-GPOS-00157 - SRG-OS-000373-GPOS-00156 disa_stig: - - N/A + - APPL-15-004060 cis: benchmark: - 5.5 (level 1) @@ -45,10 +45,10 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 28707d5e6..3d4732fa1 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml 
@@ -33,8 +33,8 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index b659bcd7f..7557a36b9 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -33,7 +33,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000074-GPOS-00042 disa_stig: - - N/A + - APPL-15-002038 800-171r3: - 03.01.02 - 03.04.06 @@ -61,12 +61,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 89184051e..792472edf 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml @@ -28,14 +28,12 @@ references: - N/A cis: benchmark: - - 2.3.2.2 (level 1) + - N/A controls v8: - - 8.4 + - N/A macOS: - '15.0' tags: - - cis_lvl1 - - cis_lvl2 - - cisv8 + - none mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 17824f79c..e4eec1d86 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -21,6 +21,9 @@ references: cci: - CCI-002046 - CCI-001891 + - CCI-004923 + - CCI-004926 + - CCI-004922 800-53r5: - AU-12(1) - SC-45(1) @@ -29,13 +32,14 @@ references: srg: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 + - SRG-OS-000785-GPOS-00250 disa_stig: - - N/A + - APPL-15-000180 800-171r3: - 3.3.7 cis: benchmark: - - N/A + - 2.3.2.2 (level 1) controls v8: - 8.4 cmmc: 
@@ -49,12 +53,14 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high + - cis_lvl1 + - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 8929ca7c8..52201acaa 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-005054 800-171r3: - 03.04.02 cis: @@ -46,11 +46,11 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 758ca2471..03a150db1 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -38,9 +38,9 @@ tags: - 800-53r5_high - inherent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index d0767bdaf..6d264be38 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -21,6 +21,7 @@ references: cci: - CCI-000764 - CCI-000770 + - CCI-004045 800-53r5: - IA-2 - IA-2(5) @@ -28,7 +29,7 @@ references: - IA-2 - IA-2(5) disa_stig: - - N/A + - APPL-15-000090 srg: - SRG-OS-000109-GPOS-00056 - SRG-OS-000104-GPOS-00051 
@@ -47,8 +48,8 @@ macOS: odv: hint: "Review the /System/Library/Security/authorization.plist file for more information." recommended: "authenticate-session-owner" - cis_lvl1: "use-login-window-ui" - cis_lvl2: "use-login-window-ui" + cis_lvl1: "authenticate-session-owner" + cis_lvl2: "authenticate-session-owner" stig: "authenticate-session-owner" tags: - 800-53r5_low @@ -61,12 +62,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 16795cec6..51a1e4cc0 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -33,6 +33,7 @@ references: - CCE-94323-3 cci: - CCI-001812 + - CCI-003980 800-53r5: - CM-11(2) 800-53r4: @@ -40,17 +41,17 @@ references: srg: - SRG-OS-000362-GPOS-00149 disa_stig: - - N/A + - APPL-15-005080 cmmc: - CM.L2-3.4.9 macOS: - '15.0' tags: - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index c51ff04ef..02947a235 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -29,7 +29,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002006 800-171r3: - 03.01.02 - 03.04.06 @@ -53,12 +53,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index 1c9eec31d..30a823af1 100644 --- a/rules/os/os_verify_remote_disconnection.yaml 
+++ b/rules/os/os_verify_remote_disconnection.yaml @@ -23,9 +23,9 @@ macOS: - '15.0' tags: - inherent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml index efde86cc8..f1dda0098 100644 --- a/rules/os/os_world_writable_library_folder_configure.yaml +++ b/rules/os/os_world_writable_library_folder_configure.yaml @@ -5,14 +5,14 @@ discussion: | NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. check: | - /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs result: integer: 0 fix: | [source,bash] ---- IFS=$'\n' - for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do + for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do /bin/chmod -R o-w "$libPermissions" done ---- diff --git a/rules/os/os_writing_tools_disable.yaml b/rules/os/os_writing_tools_disable.yaml index 301d85c12..507201112 100644 --- a/rules/os/os_writing_tools_disable.yaml +++ b/rules/os/os_writing_tools_disable.yaml @@ -15,7 +15,12 @@ references: cce: - CCE-94328-2 cci: - - N/A + - CCI-000381 + - CCI-001774 + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - APPL-15-005160 800-53r5: - AC-20 - AC-20(1) 
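Review bot: in os_world_writable_library_folder_configure.yaml, the `2>&1` added to `find` feeds its error messages into the pipeline. In the check, every `find` diagnostic (a permission error on a subdirectory, for instance) is counted by `wc -l`, so the result can be non-zero with no world-writable directory present; in the fix, the same message text becomes a `$libPermissions` value handed to `/bin/chmod -R o-w`. If the aim is to silence those errors, `2>/dev/null` does that without mixing them into the data.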
@@ -36,8 +41,12 @@ tags: - 800-53r5_moderate - 800-53r5_high - 800-171 + - cnssi-1253_low + - cnssi-1253_high + - stig - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.applicationaccess: diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index ff83692ab..2fc3e1c5b 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -39,14 +39,17 @@ references: - CCE-94330-8 cci: - CCI-000795 + - CCI-003627 + - CCI-003628 800-53r5: - AC-2(3) 800-53r4: - IA-4 srg: - SRG-OS-000118-GPOS-00060 + - SRG-OS-000590-GPOS-00110 disa_stig: - - N/A + - APPL-15-003080 800-171r3: - 03.01.01 cis: @@ -70,10 +73,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 80453e508..2ed9799fb 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml 
@@ -5,7 +5,7 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= $ODV) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= $ODV) {print "yes"} else {print "no"}}' | /usr/bin/uniq result: string: 'yes' fix: | @@ -24,7 +24,7 @@ references: - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 disa_stig: - - N/A + - APPL-15-000022 800-171r3: - 03.01.08 cis: @@ -53,11 +53,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 09ea301b6..93dae9d9b 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml 
@@ -5,7 +5,7 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= $ODV ) {print "yes"} else {print "no"}}' | /usr/bin/uniq result: string: 'yes' fix: | @@ -24,7 +24,7 @@ references: - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 disa_stig: - - N/A + - APPL-15-000060 800-171r3: - 03.01.08 cis: @@ -53,11 +53,11 @@ tags: - cisv8 - cis_lvl1 - cis_lvl2 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index dc812c266..945d3c393 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml 
@@ -4,8 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "requireAlphanumeric" -c result: @@ -17,6 +17,7 @@ references: - CCE-94333-2 cci: - CCI-000194 + - CCI-004066 800-53r5: - IA-5(1) 800-53r4: @@ -24,8 +25,9 @@ references: - IA-5(1) srg: - SRG-OS-000071-GPOS-00039 + - SRG-OS-000775-GPOS-00230 disa_stig: - - N/A + - APPL-15-003007 800-171r3: - 03.05.07 cis: 
@@ -41,20 +43,13 @@ references: macOS: - '15.0' tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml index 9435e8cd2..002dd25f5 100644 --- a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml @@ -5,7 +5,7 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. NOTE: The configuration profile generated must be installed from an MDM server. check: | 
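Review bot: the NOTE added to the pwpolicy_custom_regex_enforce.yaml discussion says password policies must not require upper, lower or special characters, yet it sits directly under the unchanged sentence "This rule enforces password complexity" and the rule remains a complexity rule. Suggest the NOTE say what an organization bound by that guidance should do with this rule (leave it out of the baseline, or set the ODV accordingly) rather than only restating the policy. Two wording fixes in the same sentence: "where ever" should be "wherever", and a comma is missing before "federal, military".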
@@ -20,13 +20,17 @@ references: cci: - CCI-000192 - CCI-000193 + - CCI-004066 + - CCI-004066 + - CCI-004064 + - CCI-004065 800-53r5: - IA-5(1) 800-53r4: - IA-5 - IA-5(1) disa_stig: - - N/A + - APPL-15-003060 srg: - SRG-OS-000070-GPOS-00038 - SRG-OS-000069-GPOS-00037 @@ -44,25 +48,18 @@ references: macOS: - '15.0' odv: - hint: Custom regex (recommended is 1 upper and 1 lowercase) - recommended: ^(?=.*[A-Z])(?=.*[a-z]).*$ - cis_lvl2: ^(?=.*[A-Z])(?=.*[a-z]).*$ - stig: ^(?=.*[A-Z])(?=.*[a-z]).*$ + hint: Custom regex (recommended is 1 upper, 1 lowercase, and 1 numeric digit) + recommended: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$ + cis_lvl2: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$ + stig: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$ tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index b91006e07..f58a46072 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -36,8 +36,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml index d9fac7943..fc57942fa 100644 --- a/rules/pwpolicy/pwpolicy_force_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml @@ -52,10 +52,10 @@ tags: - 800-53r5_high - inherent - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: 
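Review bot: `CCI-004066` is added twice to the `cci` list of pwpolicy_custom_regex_enforce.yaml; drop one of the two lines. In the `odv` hunk of the same file the recommended, cis_lvl2 and stig regexes gain `(?=.*[0-9])`, which tightens the complexity requirement in the same patch whose discussion NOTE says complexity must not be required; the commit message should say which benchmark drives the added digit requirement.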
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 4f9189975..98fbc215d 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -9,7 +9,7 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' | /usr/bin/uniq result: string: 'yes' fix: | @@ -25,8 +25,9 @@ references: - IA-5(1) srg: - SRG-OS-000077-GPOS-00045 + - SRG-OS-000775-GPOS-00230 disa_stig: - - N/A + - APPL-15-003009 800-171r3: - 03.05.07 cis: @@ -57,11 +58,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index da54c9d45..3407f5d0a 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
@@ -5,7 +5,7 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | @@ -69,6 +69,8 @@ odv: hint: Number of lowercase characters. recommended: 1 tags: - - none + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml index 39c0dc10c..66c527bbf 100644 --- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml 
@@ -5,9 +5,7 @@ discussion: | This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. - - NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require use of special characters or regular rotation. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' - result: @@ -19,6 +17,7 @@ references: - CCE-94339-9 cci: - CCI-000199 + - CCI-004066 800-53r5: - IA-5 800-53r4: 
@@ -26,8 +25,9 @@ references: - IA-5(1) srg: - SRG-OS-000076-GPOS-00044 + - SRG-OS-000775-GPOS-00230 disa_stig: - - N/A + - APPL-15-003008 800-171r3: - 03.05.12 cis: @@ -47,21 +47,14 @@ odv: cis_lvl2: 365 stig: 60 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index ae0de6f03..bcbf271dc 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml 
@@ -5,7 +5,7 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - result: @@ -17,6 +17,7 @@ references: - CCE-94340-7 cci: - CCI-000205 + - CCI-004066 800-53r5: - IA-5(1) 800-53r4: @@ -25,7 +26,7 @@ references: srg: - SRG-OS-000078-GPOS-00046 disa_stig: - - N/A + - APPL-15-003010 800-171r3: - 03.05.07 cis: @@ -56,11 +57,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index dea2b05e3..2a3db1e69 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -5,7 +5,7 @@ discussion: | This rule discourages users from cycling through their previous passwords to get back to a preferred one. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: @@ -41,12 +41,13 @@ references: - CCE-94341-5 cci: - CCI-000198 + - CCI-004066 800-53r5: - IA-5 800-53r4: - IA-5(1) disa_stig: - - N/A + - APPL-15-003070 srg: - SRG-OS-000075-GPOS-00043 800-171r3: @@ -66,19 +67,12 @@ odv: recommended: 24 stig: 24 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: 
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 9c8810009..f1f78d19e 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml @@ -6,6 +6,8 @@ discussion: | If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. + + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. check: | For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. fix: | @@ -27,6 +29,5 @@ macOS: - '15.0' tags: - permanent - - srg mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index ae699c5d2..02296536f 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml 
@@ -5,7 +5,9 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. + + NOTE: pwpolicy_simple_sequence_disable prevents use of passwords which are regularly found in compromised password lists. check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "allowSimple" -c result: @@ -48,10 +50,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.mobiledevice.passwordpolicy: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 4195600c7..81afa0ab7 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml 
@@ -7,11 +7,9 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. - - NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require use of special characters or regular rotation. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. 
check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/xmllint --xpath "//string[contains(text(), \"policyAttributePassword matches '(.*[^a-zA-Z0-9].*){\")]" - 2>/dev/null | /usr/bin/awk -F"{|}" '{if ($2 >= $ODV) {print "true"} else {print "false"}}' result: string: 'true' fix: | @@ -21,6 +19,7 @@ references: - CCE-94344-9 cci: - CCI-001619 + - CCI-004066 800-53r5: - IA-5(1) 800-53r4: @@ -29,7 +28,7 @@ references: srg: - SRG-OS-000266-GPOS-00101 disa_stig: - - N/A + - APPL-15-003011 800-171r3: - 03.05.07 cis: @@ -49,20 +48,13 @@ odv: cis_lvl2: 1 stig: 1 tags: - - 800-171 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index a74d3dadd..477f5cd57 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -34,8 +34,8 @@ tags: - 800-53r4_moderate - 800-53r4_high - inherent - - cnssi-1253_moderate - cnssi-1253_high - srg + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml index 9d09fb156..21b6a232f 100644 --- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml 
@@ -68,7 +68,7 @@ references: - SRG-OS-000002-GPOS-00002 - SRG-OS-000123-GPOS-00064 disa_stig: - - N/A + - APPL-15-000012 macOS: - '15.0' tags: @@ -77,9 +77,9 @@ tags: - 800-53r4_moderate - 800-53r4_high - manual - - cnssi-1253_moderate - cnssi-1253_high - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 5ff6c1421..0bade369c 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -5,7 +5,7 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. + NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible. NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*. check: | 
@@ -70,5 +70,8 @@ odv: recommended: 1 tags: - none + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: false mobileconfig_info: diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index b87f61bf4..1d440739b 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -12,14 +12,18 @@ discussion: | |2.1.1.1 Audit iCloud Keychain + 2.1.1.2 Audit iCloud Drive + 2.1.1.4 Audit Security Keys Used With AppleIDs + + 2.1.1.5 Audit Freeform Sync to iCloud + + 2.1.1.6 Audit Find My Mac + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + 2.5.1 Audit Siri Settings + 2.6.1.3 Audit Location Services Access + 2.6.2.1 Audit Full Disk Access for Applications + - 2.6.3.5 Audit Share iCloud Analytics + + 2.6.3.5 Ensure Share iCloud Analytics Is Disabled + 2.6.7 Audit Lockdown Mode + + 2.7.2 Audit iPhone Mirroring + 2.8.1 Audit Universal Control Settings + + 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel) + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + @@ -34,7 +38,7 @@ discussion: | |Logging and Auditing |Recommendations - |3.7 Audit Software Inventory + |3.6 Audit Software Inventory |=== [cols="15%h, 85%a"] @@ -61,7 +65,6 @@ discussion: | 6.3.2 Audit History and Remove History Items + 6.3.5 Audit Hide IP Address in Safari Setting + 6.3.8 Audit Autofill + - 6.3.10 Ensure JavaScript is Enabled in Safari + 6.3.9 Audit Pop-up Windows + |=== check: | diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index f67ad7031..3a35e59af 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
@@ -206,7 +206,6 @@ tags: - cmmc_lvl2 - cnssi-1253_high - cnssi-1253_low - - cnssi-1253_moderate - stig - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index db149ef99..7e4f9a25a 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -51,7 +51,7 @@ discussion: | It's recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[]. - NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication. + NOTE: On Intel Macs, FileVault only supports password-based unlock and cannot be done using a smartcard. Smartcard unlock for FileVault is supported on Apple Silicon Macs. check: | fix: | references: @@ -85,7 +85,6 @@ tags: - cmmc_lvl2 - cnssi-1253_high - cnssi-1253_low - - cnssi-1253_moderate - stig - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 66faaca28..a6936147c 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -131,7 +131,6 @@ tags: - cmmc_lvl2 - cnssi-1253_high - cnssi-1253_low - - cnssi-1253_moderate - stig - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index c3842d0c9..087cc28ea 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml 
@@ -1,7 +1,24 @@ id: supplemental_password_policy title: "Password Policy Supplemental" discussion: | - The supplemental guidance found in this section is applicable for the following rules: + To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings: + + * Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. + * Password policies must also not require the use of regular rotation. + + In accordance with these requirements, the following rules, while they remain on specific benchmarks, have been removed from any of the NIST 800-53r5 baselines as recommendations. + + * pwpolicy_alpha_numeric_enforce + * pwpolicy_custom_regex_enforce + * pwpolicy_lower_case_character_enforce.yaml + * pwpolicy_max_lifetime_enforce + * pwpolicy_minimum_lifetime_enforce + * pwpolicy_prevent_dictionary_words + * pwpolicy_simple_sequence_disable + * pwpolicy_special_character_enforce + * pwpolicy_upper_case_character_enforce.yaml + + If an organization has requirements to implement additional password policies, the remainder of this supplemental discusses the following password policy rules: * pwpolicy_lower_case_character_enforce * pwpolicy_upper_case_character_enforce @@ -33,6 +50,7 @@ discussion: | ==== If directory services is being utilized, password policies should come from the domain. ==== + check: | fix: | references: @@ -66,7 +84,6 @@ tags: - cmmc_lvl2 - cnssi-1253_high - cnssi-1253_low - - cnssi-1253_moderate - stig - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index c1cdea902..7e689dafb 100644 
--- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -316,7 +316,6 @@ tags: - cmmc_lvl2 - cnssi-1253_high - cnssi-1253_low - - cnssi-1253_moderate - stig - supplemental mobileconfig: false diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 801174d04..5fd54a235 100644 --- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -30,7 +30,7 @@ references: - SRG-OS-000300-GPOS-00118 - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002080 800-171r3: - 03.04.06 cis: @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 1812362e7..5d921e76e 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - N/A + - APPL-15-000001 800-171r3: - 03.05.12 cmmc: @@ -40,11 +40,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml index 12f867d6e..1d79105a7 100644 --- a/rules/system_settings/system_settings_automatic_login_disable.yaml +++ b/rules/system_settings/system_settings_automatic_login_disable.yaml 
@@ -27,8 +27,9 @@ references: srg: - SRG-OS-000480-GPOS-00229 - SRG-OS-000104-GPOS-00051 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002066 800-171r3: - 03.05.01 cis: @@ -52,12 +53,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index 230476bf8..423679875 100644 --- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -29,7 +29,7 @@ references: 800-53r4: - AC-12 disa_stig: - - N/A + - APPL-15-000160 srg: - SRG-OS-000279-GPOS-00109 800-171r3: @@ -50,11 +50,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml index addf18d6f..2022d990a 100644 --- a/rules/system_settings/system_settings_bluetooth_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_disable.yaml @@ -32,7 +32,11 @@ references: srg: - SRG-OS-000423-GPOS-00187 - SRG-OS-000481-GPOS-00481 + - SRG-OS-000480-GPOS-00228 disa_stig: + - APPL-15-002062 + 800-171r2: + - 3.13.8 - N/A 800-171r3: - 03.01.16 @@ -56,11 +60,11 @@ tags: - 800-53r5_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml index 5e049191e..455effaec 100644 --- a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml @@ -21,7 +21,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002260 800-171r3: - 03.04.06 cis: @@ -42,6 +42,9 @@ tags: - cisv8 - cmmc_lvl2 - stig + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index 17820d28a..492293e35 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml @@ -42,7 +42,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002110 800-171r3: - 03.04.06 cis: @@ -68,12 +68,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml deleted file mode 100644 index 0e65bcc7c..000000000 --- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: system_settings_cd_dvd_sharing_disable -title: Disable CD/DVD Sharing -discussion: | - CD/DVD Sharing _MUST_ be disabled. -check: | - /usr/bin/pgrep -q ODSAgent; /bin/echo $? -result: - integer: 1 -fix: | - [source,bash] - ---- - /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist - ---- -references: - cce: - - CCE-94356-3 - cci: - - CCI-000381 - 800-53r5: - - CM-7 - - CM-7(1) - 800-53r4: - - CM-7 - - CM-7(1) - srg: - - SRG-OS-000095-GPOS-00049 - disa_stig: - - N/A - 800-171r3: - - 03.04.06 - cis: - benchmark: - - 2.3.3.1 (level 1) - controls v8: - - 4.1 - - 4.8 - cmmc: - - CM.L2-3.4.6 - - CM.L2-3.4.7 -macOS: - - '15.0' -tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - cis_lvl1 - - cis_lvl2 - - cisv8 - - cnssi-1253_moderate - - cnssi-1253_low - - cnssi-1253_high - - cmmc_lvl2 - - stig -severity: medium -mobileconfig: false -mobileconfig_info: diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index f9275de0e..86d0284a8 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002140 800-171r3: - 03.04.06 cis: @@ -50,11 +50,11 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index 2239979ea..d570cefcf 100644 --- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml 
+++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -45,11 +45,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate mobileconfig: true mobileconfig_info: com.apple.SoftwareUpdate: diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index f2a619c7b..043099ad9 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -39,7 +39,7 @@ references: - SRG-OS-000206-GPOS-00084 - SRG-OS-000205-GPOS-00083 disa_stig: - - N/A + - APPL-15-002021 800-171r3: - 03.01.20 cis: @@ -62,13 +62,14 @@ tags: - 800-53r5_high - 800-171 - cis_lvl1 + - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_external_intelligence_disable.yaml b/rules/system_settings/system_settings_external_intelligence_disable.yaml new file mode 100644 index 000000000..ae1009a96 --- /dev/null +++ b/rules/system_settings/system_settings_external_intelligence_disable.yaml 
@@ -0,0 +1,65 @@ +id: system_settings_external_intelligence_disable +title: Disable External Intelligence Integrations +discussion: | + Integration with external intelligence systems _MUST_ be disabled unless approved by the organiztion. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party. + + The information system _MUST_ be configured to provide only essential capabilities. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowExternalIntelligenceIntegrations').js + EOS +result: + string: 'false' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-94523-8 + cci: + - CCI-000381 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - N/A + 800-171r3: + - 03.01.20 + - 03.04.06 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - '15.2' +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_low + - cnssi-1253_high + - cnssi-1253_moderate +severity: medium +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowExternalIntelligenceIntegrations: false \ No newline at end of file diff --git a/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml new file mode 100644 index 000000000..e635ee0d2 --- /dev/null +++ b/rules/system_settings/system_settings_external_intelligence_sign_in_disable.yaml 
@@ -0,0 +1,65 @@ +id: system_settings_external_intelligence_sign_in_disable +title: Disable External Intelligence Integration Sign In +discussion: | + The ability to sign into an external intelligence systems _MUST_ be disabled unless approved by the organiztion. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party. + + The information system _MUST_ be configured to provide only essential capabilities. +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowExternalIntelligenceIntegrationsSignIn').js + EOS +result: + string: 'true' +fix: | + This is implemented by a Configuration Profile. +references: + cce: + - CCE-94524-6 + cci: + - CCI-000381 + 800-53r5: + - AC-20 + - CM-7 + - CM-7(1) + 800-53r4: + - CM-7 + - CM-7(1) + - AC-20 + srg: + - SRG-OS-000095-GPOS-00049 + disa_stig: + - N/A + 800-171r3: + - 03.01.20 + - 03.04.06 + cis: + benchmark: + - N/A + controls v8: + - 4.1 + - 4.8 + - 15.3 + cmmc: + - AC.L1-3.1.20 + - CM.L2-3.4.6 + - CM.L2-3.4.7 +macOS: + - '15.2' +tags: + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 + - cisv8 + - cnssi-1253_low + - cnssi-1253_high + - cnssi-1253_moderate +severity: medium +mobileconfig: true +mobileconfig_info: + com.apple.applicationaccess: + allowExternalIntelligenceIntegrationsSignIn: false \ No newline at end of file diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml index 2b7c1d280..3b220be7e 100644 --- a/rules/system_settings/system_settings_filevault_enforce.yaml +++ b/rules/system_settings/system_settings_filevault_enforce.yaml @@ -38,7 +38,7 @@ references: - SRG-OS-000405-GPOS-00184 - SRG-OS-000404-GPOS-00183 disa_stig: - - N/A + - APPL-15-005020 800-171r3: - 03.13.08 cis: 
@@ -60,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index 06837dd02..ea0832b1e 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml +++ b/rules/system_settings/system_settings_find_my_disable.yaml @@ -42,7 +42,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002180 800-171r3: - 03.01.20 - 03.04.06 @@ -68,12 +68,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 7a61c0cda..25a217fa1 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -35,7 +35,7 @@ references: srg: - SRG-OS-000480-GPOS-00232 disa_stig: - - N/A + - APPL-15-005050 800-171r3: - 03.01.03 - 03.04.06 @@ -65,12 +65,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml index dbf5bccc4..ce0679dd8 100644 --- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml +++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml 
@@ -64,11 +64,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml index e247c4892..ec9096f8b 100644 --- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml +++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml @@ -27,6 +27,7 @@ references: - CCE-94364-7 cci: - CCI-001749 + - CCI-003992 800-53r5: - CM-14 - CM-5 @@ -38,8 +39,9 @@ references: - SI-7(15) srg: - SRG-OS-000366-GPOS-00153 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002060 800-171r3: - 03.14.02 cmmc: @@ -53,11 +55,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: high mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml index 4d02c28be..a769f5304 100644 --- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml +++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml @@ -41,10 +41,10 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index 74c6aa9a0..8c18b0b4d 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml 
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml @@ -50,7 +50,6 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml index 47c4dd660..ab8080018 100644 --- a/rules/system_settings/system_settings_guest_account_disable.yaml +++ b/rules/system_settings/system_settings_guest_account_disable.yaml @@ -35,8 +35,9 @@ references: - AC-2(9) srg: - SRG-OS-000364-GPOS-00151 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002063 800-171r3: - 03.01.01 cis: @@ -61,12 +62,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index 9829aa4b6..680dfc220 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml +++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000031-GPOS-00012 disa_stig: - - N/A + - APPL-15-000007 800-171r3: - 03.01.10 cmmc: @@ -35,11 +35,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - stig - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index d4c1dcffc..9730d2382 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml 
@@ -50,9 +50,9 @@ macOS: tags: - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml index 97f262db4..ee036f14b 100644 --- a/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml +++ b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml @@ -32,12 +32,12 @@ references: - 03.01.20 - 03.04.06 srg: - - N/A + - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002023 cis: benchmark: - - 2.6.3.2 (level 1) + - 2.6.3.3 (level 1) controls v8: - 4.1 - 4.8 @@ -56,12 +56,14 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - cis_lvl1 + - cis_lvl2 + - cnssi-1253_moderate + - stig severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_improve_search_disable.yaml b/rules/system_settings/system_settings_improve_search_disable.yaml index 920ba3c8f..7aa9d9846 100644 --- a/rules/system_settings/system_settings_improve_search_disable.yaml +++ b/rules/system_settings/system_settings_improve_search_disable.yaml @@ -1,5 +1,5 @@ id: system_settings_improve_search_disable -title: Disable Sending Spotlight Search Information to Apple +title: Disable Improve Search Information to Apple discussion: | Sending data to Apple to help improve search _MUST_ be disabled. @@ -34,10 +34,10 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002024 cis: benchmark: - - 2.19.1 + - N/A controls v8: - 4.1 - 4.8 @@ -56,13 +56,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig - - cis_lvl1 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml index c0074f499..9052ef249 100644 --- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml +++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml @@ -1,5 +1,5 @@ id: system_settings_improve_siri_dictation_disable -title: Disable Sending Siri and Dictation Information to Apple +title: Disable Improve Siri and Dictation Information to Apple discussion: | The ability for Apple to store and review audio of your Siri and Dictation interactions _MUST_ be disabled. @@ -34,7 +34,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002210 cis: benchmark: - 2.6.3.2 (level 1) @@ -56,13 +56,14 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig - cis_lvl1 + - cis_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml index e76d66e5d..28daf313f 100644 --- a/rules/system_settings/system_settings_internet_accounts_disable.yaml +++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml @@ -54,11 +54,11 @@ tags: - 800-53r5_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml index d46318601..645c38300 100644 --- a/rules/system_settings/system_settings_internet_sharing_disable.yaml +++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml 
@@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002007 800-171r3: - 03.01.03 - 03.01.20 @@ -53,12 +53,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml index 801497e77..e6ec9f2bb 100644 --- a/rules/system_settings/system_settings_location_services_disable.yaml +++ b/rules/system_settings/system_settings_location_services_disable.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002004 800-171r3: - 03.04.06 cmmc: @@ -49,11 +49,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml index c0db3c5f6..715094943 100644 --- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000104-GPOS-00051 disa_stig: - - N/A + - APPL-15-005052 800-171r3: - 03.05.01 cis: @@ -49,12 +49,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml index bae8031a5..b7bca7151 100644 
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml +++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml @@ -6,15 +6,22 @@ discussion: | When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. - - NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ - .objectForKey('allowMediaSharing').js + function run() { + let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowMediaSharing')) + let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowMediaSharingModification')) + if ( pref1 == false && pref2 == false ) { + return("true") + } else { + return("false") + } + } EOS result: - string: 'false' + string: 'true' fix: | This is implemented by a Configuration Profile. references: @@ -30,7 +37,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002100 800-171r3: - 03.01.02 - 03.04.06 @@ -54,14 +61,15 @@ tags: - 800-171 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: com.apple.applicationaccess: allowMediaSharing: false + allowMediaSharingModification: false 
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml index 9d1bbd509..c0843ae0a 100644 --- a/rules/system_settings/system_settings_password_hints_disable.yaml +++ b/rules/system_settings/system_settings_password_hints_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000079-GPOS-00047 disa_stig: - - N/A + - APPL-15-003012 800-171r3: - 03.05.11 cis: @@ -48,11 +48,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml index 71ffe62ba..7b30cecca 100644 --- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml +++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml @@ -30,7 +30,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002200 800-171r3: - 03.01.20 - 03.04.06 @@ -56,12 +56,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml index 272193b91..e59e0291a 100644 --- a/rules/system_settings/system_settings_printer_sharing_disable.yaml +++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml @@ -26,7 +26,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002240 800-171r3: - 03.04.06 cis: 
@@ -50,11 +50,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml index 7baaae95c..1af15d28a 100644 --- a/rules/system_settings/system_settings_rae_disable.yaml +++ b/rules/system_settings/system_settings_rae_disable.yaml @@ -30,7 +30,7 @@ references: - SRG-OS-000080-GPOS-00048 - SRG-OS-000096-GPOS-00050 disa_stig: - - N/A + - APPL-15-002022 800-171r3: - 03.01.02 - 03.04.06 @@ -55,12 +55,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml index e1f029d44..2680cf3dc 100644 --- a/rules/system_settings/system_settings_remote_management_disable.yaml +++ b/rules/system_settings/system_settings_remote_management_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002250 800-171r3: - 03.01.02 - 03.04.06 @@ -51,11 +51,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml index 52f51776c..e3106a42f 100644 --- a/rules/system_settings/system_settings_screen_sharing_disable.yaml +++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml 
@@ -28,7 +28,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002050 800-171r3: - 03.01.02 - 03.04.06 @@ -53,12 +53,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml index 1cde1489e..59c78f8d7 100644 --- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml @@ -32,7 +32,7 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - N/A + - APPL-15-000003 800-171r3: - 03.01.10 cis: @@ -59,11 +59,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml index b07b15b14..65e2e56c8 100644 --- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - N/A + - APPL-15-000002 800-171r3: - 03.01.10 - 03.05.01 @@ -39,11 +39,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml index dc9cb34cc..02ad3acb8 100644 --- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml @@ -33,7 +33,7 @@ references: srg: - SRG-OS-000029-GPOS-00010 disa_stig: - - N/A + - APPL-15-000070 800-171r3: - 03.01.10 - 03.05.01 @@ -62,11 +62,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml index 67eb4c0d9..ad8dd15a0 100644 --- a/rules/system_settings/system_settings_siri_disable.yaml +++ b/rules/system_settings/system_settings_siri_disable.yaml @@ -31,7 +31,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002020 800-171r3: - 03.01.20 - 03.04.06 @@ -57,12 +57,12 @@ tags: - 800-53r4_high - 800-171 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_siri_settings_disable.yaml b/rules/system_settings/system_settings_siri_settings_disable.yaml index e797768b4..49f6ec38a 100644 --- a/rules/system_settings/system_settings_siri_settings_disable.yaml +++ b/rules/system_settings/system_settings_siri_settings_disable.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002053 800-171r3: - 03.04.06 - 03.04.08 @@ -49,6 +49,9 @@ tags: - cisv8 - cmmc_lvl2 - stig + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: medium mobileconfig: true mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml index 34a829a86..fec477ffe 100644 --- a/rules/system_settings/system_settings_smbd_disable.yaml +++ b/rules/system_settings/system_settings_smbd_disable.yaml @@ -27,7 +27,7 @@ references: srg: - SRG-OS-000080-GPOS-00048 disa_stig: - - N/A + - APPL-15-002001 800-171r3: - 03.01.02 - 03.04.06 @@ -53,12 +53,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml index 1df810fbb..e9e325846 100644 --- a/rules/system_settings/system_settings_ssh_disable.yaml +++ b/rules/system_settings/system_settings_ssh_disable.yaml @@ -49,11 +49,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml index 9f2b7f647..d96334c34 100644 --- a/rules/system_settings/system_settings_ssh_enable.yaml +++ b/rules/system_settings/system_settings_ssh_enable.yaml @@ -15,10 +15,7 @@ references: cce: - CCE-94400-9 cci: - - CCI-000213 - - CCI-001942 - - CCI-002420 - - CCI-002422 + - N/A 800-53r5: - IA-2(8) - AC-3 @@ -32,10 +29,7 @@ references: - IA-2(8) - IA-2(9) srg: - - SRG-OS-000080-GPOS-00048 - - SRG-OS-000113-GPOS-00058 - - SRG-OS-000425-GPOS-00189 - - SRG-OS-000426-GPOS-00190 + - N/A disa_stig: - N/A 800-171r3: 
@@ -56,12 +50,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - - stig + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml index a4c1fd0c6..726447f44 100644 --- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml +++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml @@ -32,7 +32,7 @@ fix: | for section in ${authDBs[@]}; do /usr/bin/security -q authorizationdb read "$section" > "/tmp/$section.plist" - class_key_value=$(usr/libexec/PlistBuddy -c "Print :class" "/tmp/$section.plist" 2>&1) + class_key_value=$(/usr/libexec/PlistBuddy -c "Print :class" "/tmp/$section.plist" 2>&1) if [[ "$class_key_value" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :class string user" "/tmp/$section.plist" else @@ -60,7 +60,7 @@ fix: | /usr/libexec/PlistBuddy -c "Set :session-owner false" "/tmp/$section.plist" fi - group_key=$(usr/libexec/PlistBuddy -c "Print :group" "/tmp/$section.plist" 2>&1) + group_key=$(/usr/libexec/PlistBuddy -c "Print :group" "/tmp/$section.plist" 2>&1) if [[ "$group_key" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :group string admin" "/tmp/$section.plist" else @@ -85,8 +85,9 @@ references: - AC-6(2) srg: - SRG-OS-000324-GPOS-00125 + - SRG-OS-000480-GPOS-00228 disa_stig: - - N/A + - APPL-15-002069 800-171r3: - 03.01.07 cis: @@ -109,12 +110,12 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - cmmc_lvl1 - stig + - cnssi-1253_moderate severity: high mobileconfig: false mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml index 9c2a2e02a..d8e7e33d9 100644 --- a/rules/system_settings/system_settings_time_server_configure.yaml +++ b/rules/system_settings/system_settings_time_server_configure.yaml @@ -19,6 +19,10 @@ references: cci: - CCI-001891 - CCI-002046 + - CCI-004923 + - CCI-004923 + - CCI-004926 + - CCI-004926 800-53r5: - AU-12(1) - SC-45(1) @@ -28,7 +32,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - N/A + - APPL-15-000170 800-171r3: - 3.3.7 cis: @@ -56,11 +60,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index 862d38b80..eed566369 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -19,6 +19,9 @@ references: cci: - CCI-001891 - CCI-002046 + - CCI-004923 + - CCI-004926 + - CCI-004922 800-53r5: - AU-12(1) - SC-45(1) @@ -28,7 +31,7 @@ references: - SRG-OS-000355-GPOS-00143 - SRG-OS-000356-GPOS-00144 disa_stig: - - N/A + - APPL-15-000014 800-171r3: - 3.3.7 cis: @@ -50,11 +53,11 @@ tags: - cis_lvl1 - cis_lvl2 - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 6d85daab3..2fc6fd6e8 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml 
@@ -29,7 +29,7 @@ references: srg: - SRG-OS-000030-GPOS-00011 disa_stig: - - N/A + - APPL-15-000005 800-171r3: - 03.01.10 cmmc: @@ -42,11 +42,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_touch_id_settings_disable.yaml b/rules/system_settings/system_settings_touch_id_settings_disable.yaml index 72eb87947..24c34c867 100644 --- a/rules/system_settings/system_settings_touch_id_settings_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_settings_disable.yaml @@ -14,7 +14,7 @@ references: cce: - CCE-94407-4 cci: - - CCI-000381 + - N/A 800-53r5: - CM-7 - CM-7(1) @@ -23,7 +23,7 @@ references: - CM-7 - CM-7(5) srg: - - SRG-OS-000095-GPOS-00049 + - N/A disa_stig: - N/A 800-171r3: @@ -46,8 +46,9 @@ tags: - 800-53r5_high - cisv8 - cmmc_lvl2 - - stig -severity: medium + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high mobileconfig: true mobileconfig_info: com.apple.systempreferences: diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml index 38f13977c..5e90ae08c 100644 --- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml +++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml @@ -29,7 +29,7 @@ references: srg: - SRG-OS-000028-GPOS-00009 disa_stig: - - N/A + - APPL-15-002090 800-171r3: - 03.05.12 cmmc: @@ -42,11 +42,11 @@ tags: - 800-53r4_moderate - 800-53r4_high - 800-171 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index ccc89d90f..6643fa086 100644 
--- a/rules/system_settings/system_settings_usb_restricted_mode.yaml +++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -28,6 +28,7 @@ references: - CCE-94409-0 cci: - CCI-001958 + - CCI-003959 800-53r5: - MP-7 - SC-41 @@ -43,19 +44,20 @@ references: - MP.L2-3.8.8 srg: - SRG-OS-000378-GPOS-00163 + - SRG-OS-000690-GPOS-00140 disa_stig: - - N/A + - APPL-15-005090 macOS: - '15.0' tags: - 800-53r5_low - 800-53r5_moderate - 800-53r5_high - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 - stig + - cnssi-1253_moderate severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml index e1da2119f..939e39e1c 100644 --- a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml @@ -25,7 +25,7 @@ references: srg: - SRG-OS-000095-GPOS-00049 disa_stig: - - N/A + - APPL-15-002052 800-171r3: - 03.04.06 - 03.04.08 @@ -47,6 +47,9 @@ tags: - cisv8 - cmmc_lvl2 - stig + - cnssi-1253_moderate + - cnssi-1253_low + - cnssi-1253_high severity: medium mobileconfig: true mobileconfig_info: diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index a0cd0e8b2..409a8cba9 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml @@ -58,10 +58,10 @@ tags: - 800-53r5_moderate - 800-53r5_high - cisv8 - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate severity: medium mobileconfig: false mobileconfig_info: 
diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index 1fd3474ed..d82b6ff33 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml @@ -42,9 +42,9 @@ tags: - 800-53r4_high - 800-171 - permanent - - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high - cmmc_lvl2 + - cnssi-1253_moderate mobileconfig: false mobileconfig_info: diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc index 578c7be67..bdfb5144f 100644 --- a/templates/adoc_additional_docs.adoc +++ b/templates/adoc_additional_docs.adoc @@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS |=== |Document Number or Descriptor |Document Title -|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 14 (Sonoma) STIG_ +|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 15 (Sequoia) STIG_ |=== [%header, cols=2*a]
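Review bot: CCI-004923 and CCI-004926 are each added twice in the cci hunk of system_settings_time_server_configure.yaml (@@ -19,6 +19,10 @@). Keep one line per CCI. The sibling rule system_settings_time_server_enforce.yaml in this same patch lists each of them once, which suggests the repeats here are a paste error rather than intent.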
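Review bot: CCI-004922 is appended after CCI-004926 in the cci hunk of system_settings_time_server_enforce.yaml (@@ -19,6 +19,9 @@), which leaves the list out of numeric order, and the configure rule in this patch receives 004923 and 004926 but not 004922. Please sort the entries and confirm that 004922 is meant to apply to the enforce rule only.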
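Review bot: The tags hunk of system_settings_touch_id_settings_disable.yaml (@@ -46,8 +46,9 @@) deletes `severity: medium` together with the `- stig` tag, leaving the rule with no severity key. Removing the CCI, SRG and stig tag matches the "Removed from STIG" note in the commit message, but nothing there mentions severity, and system_settings_wifi_disable.yaml in this patch keeps `severity: medium` with no stig tag in its visible tag lines. If severity is meant to exist only on STIG rules, say so in the commit message; otherwise restore the line.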
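Review bot: The cnssi-1253 tags are ordered inconsistently across this patch. In system_settings_wallet_applepay_settings_disable.yaml (@@ -47,6 +47,9 @@) and system_settings_touch_id_settings_disable.yaml they are added as moderate, low, high after the existing tags, while the other rules touched here move `cnssi-1253_moderate` from before `cnssi-1253_low` to the end of the list, after `stig` or `cmmc_lvl2`. Those moves change no content and make the diff harder to audit. Pick one order for the three tags and have the tooling that writes them emit it, so that future baseline updates only show real additions and removals.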
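Review bot: In templates/adoc_additional_docs.adoc (@@ -29,7 +29,7 @@) the STIG release is hard-coded in two places on the changed line, the `U_Apple_macOS_15_V1R1_STIG.zip` file name and the "STIG Ver 1, Rel 1" link text. Both have to be edited together on every DISA release, and a missed update leaves generated documents pointing at a superseded benchmark. Consider taking the version and release from a single attribute so the URL and the label cannot drift apart, and confirm the 15 V1R1 archive is published at that path before merging.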