big_sur merged to main
robertgendler committed Nov 10, 2020
2 parents d019c12 + 099a133 commit 3de0557
Showing 231 changed files with 1,042 additions and 674 deletions.
3 changes: 2 additions & 1 deletion .gitignore
@@ -1,2 +1,3 @@
.DS_Store

.vscode
*.lock
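Review bot: `*.lock` is broader than it looks. If the intent is to keep editor or build-tool lock files out of the repository, name them specifically; a dependency lock file (Pipfile.lock, Gemfile.lock, package-lock.json) is what pins the exact versions that reviewers and CI build against, and a wildcard here would silently keep one out of every future commit. Also prefer `.vscode/` with a trailing slash so only the directory is matched.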
38 changes: 20 additions & 18 deletions CHANGELOG.adoc
@@ -2,29 +2,31 @@

This document provides a high-level view of the changes to the macOS Security Compliance Project.

== [Catalina, Revision 1] - 2020-10-06
== [Big Sur, Revision 1] - 2020-11-10

* Rules
** Added new rules
** Better categorization
** Added new supplementals
** Added Rules
*** os_authenticated_root_enable.yaml
*** os_ssh_server_alive_count_max_configure.yaml
*** os_ssh_server_alive_interval_configure.yaml
*** sysprefs_personalized_advertising_disable.yaml
*** sysprefs_ssh_disable.yaml
** Deleted Rules
*** sysprefs_ad_tracking_disable.yaml
** Updated existing rules to reflect 11.0
** Updated CCEs to existing rules

* Baselines
** Added 800-171
** Added Big Sur rules to baseline yaml files

* Scripts
** Added generate_guidance.py (consolidates older scripts)
** Added generate_baseline.py
** Added yaml-to-oval.py
** Removed baseline_identify.py
** Added debug support to generate_guidance.py
** generate_baseline
*** Bug fixes
** generate_guidance
*** Added --check/--fix flags
*** Added $pwpolicy_file variable
** yaml-to-oval
*** Bug Fixes

* Miscellaneous
** Additional customizations
** Cleaned up rule language
** Added SCAP artifacts
** Added logo

== [0.9.0] - 2020-06-19

Initial Public release (PRE-RELEASE)
** Added SCAP generation scripts
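Review bot: two bookkeeping gaps in the Big Sur entry. First, the `** Added SCAP generation scripts` line that now sits under `== [0.9.0]` is a second-level bullet with no parent `*` item (AsciiDoc renders it oddly), and it describes this release, so it belongs under `* Scripts` in the Big Sur section. Second, `** Deleted Rules` lists only sysprefs_ad_tracking_disable.yaml, but the baseline diffs in this same commit also drop os_ssh_client_alive_count_max_configure, os_ssh_client_alive_interval_configure, os_ssh_login_grace_time_configure, os_policy_banner_ssh_enforce, sysprefs_ssh_enable and os_request_verification_name_resolution; the renames (client_alive to server_alive, ssh_enable to ssh_disable, banner_ssh_enforce to banner_ssh_configure) should be called out as renames so consumers of the 10.15 baselines know the rule ids changed.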
4 changes: 2 additions & 2 deletions README.adoc
@@ -17,8 +17,8 @@ endif::[]


ifdef::status[]
image:https://badgen.net/badge/icon/apple?icon=apple&label, link=[https://www.apple.com/]
image:https://badgen.net/badge/icon/10.15?icon=apple&label, link=[https://www.apple.com/macos]
image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
image:https://badgen.net/badge/icon/11.0?icon=apple&label[link="https://www.apple.com/macos"]
endif::[]

The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
8 changes: 4 additions & 4 deletions SCAP/Makefile
@@ -1,5 +1,5 @@
XSLT = java -jar ~/saxon/saxon-he-10.1.jar
TIDY = /usr/bin/tidy
XSLT = /usr/local/bin/saxon
TIDY = /usr/local/bin/tidy
VAL = java -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar ~/Projects/scapval/scapval-1.3.5.jar

DIR = ../build/All_rules
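Review bot: `VAL` still hardcodes `~/Projects/scapval/scapval-1.3.5.jar` while `XSLT` and `TIDY` have been moved to `/usr/local/bin`, so anyone running the validation target on another machine has to edit the Makefile. Use conditional assignment (`XSLT ?= /usr/local/bin/saxon`, `VAL ?= ...`) so the paths can be overridden from the environment or the make command line, and locate scapval the same way the other tools are located.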
@@ -34,7 +34,7 @@ XCCDF:
-o:${DIR}/xccdf.xml \
SCAP-version=1.3 \
id-namespace=content.mscp.nist.gov \
benchmark-id-suffix=macOS_10.15 \
benchmark-id-suffix=macOS_11.0 \
OVAL-URI=${DIR}/All_rules.xml \
include-CPE=1
# the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml'
@@ -50,7 +50,7 @@ datastream:
-o:${DIR}/datastream.xml \
SCAP-version=1.3 \
id-namespace=content.mscp.nist.gov \
datastream-id-suffix=macOS_10.15 \
datastream-id-suffix=macOS_11.0 \
include-CPE=1

report:
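Review bot: `macOS_11.0` is now spelled out twice (`benchmark-id-suffix` in the XCCDF target and `datastream-id-suffix` here), and the same version string is hardcoded again in the CPE files and VERSION.yaml. Lift it into one variable at the top of the Makefile (for example `OS_VERSION = 11.0`) so the XCCDF and datastream ids cannot drift apart at the next OS release.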
4 changes: 2 additions & 2 deletions SCAP/html-to-xccdf.xsl
@@ -303,12 +303,12 @@
<!-- See NIST IR7215 §6.2.5 ¶3-->
<xsl:element name="platform" namespace="http://checklists.nist.gov/xccdf/1.2">
<xsl:attribute name="idref">
<xsl:text>cpe:2.3:o:apple:mac_os_x:10.15:*:*:*:*:*:*:*</xsl:text>
<xsl:text>cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:*</xsl:text>
</xsl:attribute>
</xsl:element>
</xsl:if>
<!--<xsl:element name="platform" namespace="http://checklists.nist.gov/xccdf/1.2">
<xsl:attribute name="idref"><xsl:text>cpe:/o:apple:mac_os_x:10.15</xsl:text></xsl:attribute>
<xsl:attribute name="idref"><xsl:text>cpe:/o:apple:macos:11.0</xsl:text></xsl:attribute>
</xsl:element>-->
<xsl:analyze-string select="normalize-space(//div[@class = 'docver'])" regex="^(.+)\s\(([0-9-]+)\)$">
<xsl:matching-substring>
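Review bot: changing the CPE product from `mac_os_x` to `macos` renames the platform identifier, so every consumer that keyed on `cpe:2.3:o:apple:mac_os_x:*` needs the same update; `macos-cpe-dictionary.xml` and `macos-cpe-oval.xml` in this commit do match, but the rename deserves a changelog line. The commented-out CPE 2.2 `<xsl:element>` block below is dead code that is still being hand-edited on every release; delete it rather than keep it in sync.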
8 changes: 4 additions & 4 deletions SCAP/macos-cpe-dictionary.xml
@@ -11,12 +11,12 @@
<schema_version>2.3</schema_version>
<timestamp>2020-10-15T15:35:10Z</timestamp>
</generator>
<cpe-item name="cpe:/o:apple:mac_os_x:10.15">
<title xml:lang="en-US">Apple Mac OS 10.15</title>
<cpe-item name="cpe:/o:apple:macos:11.0">
<title xml:lang="en-US">Apple macOS 11.0</title>
<notes xml:lang="en-US">
<note>This CPE Name represents macOS 10.15</note>
<note>This CPE Name represents macOS 11.0</note>
</notes>
<check href="macos-cpe-oval.xml" system="http://oval.mitre.org/XMLSchema/oval-definitions-5">oval:gov.nist.mscp.content.cpe.oval:def:1</check>
<cpe-23:cpe23-item name="cpe:2.3:o:apple:mac_os_x:10.15:*:*:*:*:*:*:*"/>
<cpe-23:cpe23-item name="cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:*"/>
</cpe-item>
</cpe-list>
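Review bot: the `<timestamp>` in `<generator>` still reads 2020-10-15T15:35:10Z although the dictionary content was changed for 11.0 in this commit; update it (or have the build stamp it) so the dictionary's generation time matches its content.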
18 changes: 9 additions & 9 deletions SCAP/macos-cpe-oval.xml
@@ -9,26 +9,26 @@
<definitions>
<definition id="oval:gov.nist.mscp.content.cpe.oval:def:1" version="1" class="inventory">
<metadata>
<title>Apple macOS 10.15 is installed</title>
<title>Apple macOS 11.0 is installed</title>
<affected family="macos">
<platform>macOS</platform>
</affected>
<reference source="CPE" ref_id="cpe:/o:apple:mac_os_x:10.15"/>
<description>The operating system installed on the system is Apple macOS Catalina (10.15).</description>
<reference source="CPE" ref_id="cpe:/o:apple:macos:11.0"/>
<description>The operating system installed on the system is Apple macOS Big Sur (11.0).</description>
</metadata>
<criteria operator="AND">
<criterion comment="The Installed Operating System is Part of the Mac OS Family" test_ref="oval:gov.nist.mscp.content.cpe:tst:1"/>
<criterion comment="Apple Mac OS X version is greater than 10.14" test_ref="oval:gov.nist.mscp.content.cpe:tst:2"/>
<criterion comment="Apple macOS version is greater than or equal to 11.0" test_ref="oval:gov.nist.mscp.content.cpe:tst:2"/>
</criteria>
</definition>
</definitions>
<tests>
<family_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="only_one_exists"
comment="The Installed Operating System is Part of the Mac OS Family" id="oval:gov.nist.mscp.content.cpe:tst:1" version="1">
comment="The Installed Operating System is Part of the macOS Family" id="oval:gov.nist.mscp.content.cpe:tst:1" version="1">
<object object_ref="oval:gov.nist.mscp.content.cpe:obj:1"/>
<state state_ref="oval:gov.nist.mscp.content.cpe:ste:1"/>
</family_test>
<plist510_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="Apple Mac OS X version is greater than 10.14"
<plist510_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" check="all" check_existence="only_one_exists" comment="Apple macOS version is greater than 11.0"
id="oval:gov.nist.mscp.content.cpe:tst:2" version="2">
<object object_ref="oval:gov.nist.mscp.content.cpe:obj:2"/>
<state state_ref="oval:gov.nist.mscp.content.cpe:ste:2"/>
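Review bot: the wording of tst:2 is inconsistent across the three places it appears: the criterion comment says "greater than or equal to 11.0", the `plist510_test` comment says "greater than 11.0", and the state further down in this file uses operation="greater than or equal". Align the test comment with the state so a reader of the definition is not misled about whether 11.0 itself matches.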
@@ -37,7 +37,7 @@
<objects>
<family_object id="oval:gov.nist.mscp.content.cpe:obj:1" version="1" comment="This variable_object represents the family that the operating system belongs to."
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
<plist510_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="The OSX product version plist object." id="oval:gov.nist.mscp.content.cpe:obj:2" version="1">
<plist510_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="The macOS product version plist object." id="oval:gov.nist.mscp.content.cpe:obj:2" version="1">
<key>ProductVersion</key>
<filepath>/System/Library/CoreServices/SystemVersion.plist</filepath>
<instance datatype="int" operation="equals">1</instance>
@@ -47,8 +47,8 @@
<family_state id="oval:gov.nist.mscp.content.cpe:ste:1" version="1" comment="The OS is part of the macOS Family." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<family>macos</family>
</family_state>
<plist510_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="Is the value greater than 10.14" id="oval:gov.nist.mscp.content.cpe:ste:2" version="1">
<value datatype="version" operation="greater than">10.14</value>
<plist510_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#macos" comment="Is the value is greater than or equal to 11.0" id="oval:gov.nist.mscp.content.cpe:ste:2" version="1">
<value datatype="version" operation="greater than or equal">11.0</value>
</plist510_state>
</states>
</oval_definitions>
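Review bot: with operation="greater than or equal" and value 11.0, this inventory definition ("Apple macOS 11.0 is installed") will also evaluate true on any later major release, since a version-datatype 12.0 compares greater than 11.0. If the CPE is meant to identify Big Sur specifically, add an upper-bound state (operation "less than", value 12.0) to the same test or criteria. The comment also has a stray "is" in "Is the value is greater than or equal to 11.0".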
5 changes: 3 additions & 2 deletions VERSION.yaml
@@ -1,2 +1,3 @@
version: "Catalina, Revision 1"
date: "2020-10-06"
os: "11.0"
version: "Big Sur, Revision 1"
date: "2020-11-10"
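Review bot: the new `os: "11.0"` key is the natural single source for the version string that is hardcoded as 11.0 in SCAP/Makefile, SCAP/html-to-xccdf.xsl and the two CPE files; if the generator scripts already read VERSION.yaml, consider having them emit those values too so one edit moves the whole project to the next release.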
20 changes: 10 additions & 10 deletions baselines/800-171.yaml
@@ -1,12 +1,11 @@
title: "macOS 10.15: Security Configuration - 800-171"
title: "macOS 11.0: Security Configuration - 800-171"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171.
This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-171.
profile:
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
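Review bot: the new description drops the product name: "securing a 11.0 system" should read "securing a macOS 11.0 system", matching the title on the line above and the 800-53 High baseline in this commit.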
@@ -32,12 +31,11 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
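Review bot: swapping os_ssh_client_alive_count_max_configure for os_ssh_server_alive_count_max_configure is more than a rename. `ClientAliveCountMax` and `ClientAliveInterval` are sshd_config options that let the server drop unresponsive sessions, whereas `ServerAliveCountMax` and `ServerAliveInterval` are ssh_config options on the client side. If the new rule configures the client, the baseline loses the server-side idle-session termination the old rule provided; confirm that is intended and record it in the changelog.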
@@ -48,7 +46,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
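Review bot: os_ssh_login_grace_time_configure is removed from the baseline here but is not listed under "Deleted Rules" in CHANGELOG.adoc. If the rule file still exists and was only dropped from 800-171, say why, since a `LoginGraceTime` cap limits how long an unauthenticated connection can hold an sshd slot and is a cheap control to keep.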
@@ -60,9 +57,9 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
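Review bot: os_policy_banner_ssh_configure here replaces the os_policy_banner_ssh_enforce removed earlier in this file, which reads as a rename and should be recorded as one in the changelog rather than as a deletion plus an addition. os_authenticated_root_enable is a Big Sur control (the sealed system volume), so adding it only in the 11.0 baselines is correct.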
@@ -75,7 +72,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
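Review bot: same concern as the count_max rename above: `ServerAliveInterval` is a client-side ssh_config setting, not an sshd one; check that the replacement rule targets the intended side of the connection.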
@@ -109,10 +106,10 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_ssh_disable
- sysprefs_media_sharing_disabled
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
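Review bot: replacing sysprefs_ssh_enable with sysprefs_ssh_disable inverts the control: the baseline now requires Remote Login to be off. That is a reasonable default, but it turns the sshd-hardening rules that remain in the same profile (os_ssh_fips_140_ciphers, os_policy_banner_ssh_configure, the server_alive rules) into defence in depth for a service that should not be running; confirm the rule texts and the generated guidance are worded accordingly, and have the changelog record the inversion instead of listing sysprefs_ssh_disable only as an added rule.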
@@ -155,6 +152,9 @@ profile:
rules:
- pwpolicy_50_percent
- sysprefs_wifi_disable
- section: "not_applicable"
rules:
- os_nonlocal_maintenance
- section: "Supplemental"
rules:
- supplemental_firewall_pf
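Review bot: the new `not_applicable` section carries os_nonlocal_maintenance; make sure generate_guidance.py treats this section name the same way it treats the one that already exists in 800-53_high.yaml, and that a rule placed in `not_applicable` is excluded from the compliance count rather than reported as a finding.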
20 changes: 9 additions & 11 deletions baselines/800-53_high.yaml
@@ -1,13 +1,12 @@
title: "macOS 10.15: Security Configuration - 800-53 High"
title: "macOS 11.0: Security Configuration - 800-53 High"
description: |
This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 HIGH baseline.
This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 HIGH baseline.
profile:
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_smartcard_allow
- auth_pam_sudo_smartcard_enforce
- auth_ssh_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_high
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
@@ -36,12 +35,11 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_password_proximity_disable
- os_mdm_require
- os_screensaver_loginwindow_enforce
@@ -52,7 +50,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_secure_boot_verify
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
@@ -66,9 +63,9 @@ profile:
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_access_smb_disable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
@@ -82,7 +79,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
@@ -116,10 +113,10 @@ profile:
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_ad_tracking_disable
- sysprefs_personalized_advertising_disable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
@@ -168,7 +165,7 @@ profile:
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
- os_request_verification_name_resolution
- os_secure_name_resolution
- os_notify_account_enable
- os_provide_automated_account_management
- os_notify_account_created
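Review bot: os_request_verification_name_resolution becomes os_secure_name_resolution in the "Permanent" section. This rename is not reflected in CHANGELOG.adoc, and anything that references the old id (custom baselines, generated SCAP ids, local exemptions) will stop matching silently; list it as a rename and, if the rule file was renamed too, say so.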
@@ -183,6 +180,7 @@ profile:
- section: "not_applicable"
rules:
- os_identify_non-org_users
- os_nonlocal_maintenance
- section: "Supplemental"
rules:
- supplemental_firewall_pf