diff --git a/.gitignore b/.gitignore index 5ca0973f8..daab1a745 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .DS_Store - +.vscode +*.lock \ No newline at end of file diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index b4156b48b..eeda8b142 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -2,29 +2,31 @@ This document provides a high-level view of the changes to the macOS Security Compliance Project. -== [Catalina, Revision 1] - 2020-10-06 +== [Big Sur, Revision 1] - 2020-11-10 * Rules -** Added new rules -** Better categorization -** Added new supplementals +** Added Rules +*** os_authenticated_root_enable.yaml +*** os_ssh_server_alive_count_max_configure.yaml +*** os_ssh_server_alive_interval_configure.yaml +*** sysprefs_personalized_advertising_disable.yaml +*** sysprefs_ssh_disable.yaml +** Deleted Rules +*** sysprefs_ad_tracking_disable.yaml +** Updated existing rules to reflect 11.0 +** Updated CCEs to existing rules * Baselines -** Added 800-171 +** Added Big Sur rules to baseline yaml files * Scripts -** Added generate_guidance.py (consolidates older scripts) -** Added generate_baseline.py -** Added yaml-to-oval.py -** Removed baseline_identify.py -** Added debug support to generate_guidance.py +** generate_baseline +*** Bug fixes +** generate_guidance +*** Added --check/--fix flags +*** Added $pwpolicy_file variable +** yaml-to-oval +*** Bug Fixes * Miscellaneous -** Additional customizations -** Cleaned up rule language -** Added SCAP artifacts -** Added logo - -== [0.9.0] - 2020-06-19 - -Initial Public release (PRE-RELEASE) \ No newline at end of file +** Added SCAP generation scripts \ No newline at end of file diff --git a/README.adoc b/README.adoc index e32787b6a..036b91294 100644 --- a/README.adoc +++ b/README.adoc 
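Review bot: The new `*.lock` pattern in .gitignore is broader than it looks: it also matches dependency lockfiles such as `Pipfile.lock` or `poetry.lock`, so if this project ever pins its Python dependencies those pins would silently stay out of version control and the generator scripts would stop being reproducible across machines. If the intent is to drop one particular editor or tool lock file, list that file by name instead of the wildcard, e.g. replace `*.lock` with `<tool>.lock` (placeholder for the file actually observed). The `.vscode` entry is fine as written.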
@@ -17,8 +17,8 @@ endif::[] ifdef::status[] -image:https://badgen.net/badge/icon/apple?icon=apple&label, link=[https://www.apple.com/] -image:https://badgen.net/badge/icon/10.15?icon=apple&label, link=[https://www.apple.com/macos] +image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"] +image:https://badgen.net/badge/icon/11.0?icon=apple&label[link="https://www.apple.com/macos"] endif::[] The macOS Security Compliance Project is an link:LICENSE.md[open source] effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL). diff --git a/SCAP/Makefile b/SCAP/Makefile index 61a6b3cbb..b40cdf534 100644 --- a/SCAP/Makefile +++ b/SCAP/Makefile @@ -1,5 +1,5 @@ -XSLT = java -jar ~/saxon/saxon-he-10.1.jar -TIDY = /usr/bin/tidy +XSLT = /usr/local/bin/saxon +TIDY = /usr/local/bin/tidy VAL = java -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar ~/Projects/scapval/scapval-1.3.5.jar DIR = ../build/All_rules @@ -34,7 +34,7 @@ XCCDF: -o:${DIR}/xccdf.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - benchmark-id-suffix=macOS_10.15 \ + benchmark-id-suffix=macOS_11.0 \ OVAL-URI=${DIR}/All_rules.xml \ include-CPE=1 # the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml' @@ -50,7 +50,7 @@ datastream: -o:${DIR}/datastream.xml \ SCAP-version=1.3 \ id-namespace=content.mscp.nist.gov \ - datastream-id-suffix=macOS_10.15 \ + datastream-id-suffix=macOS_11.0 \ include-CPE=1 report: 
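Review bot: `VAL` still points at the home-relative `~/Projects/scapval/scapval-1.3.5.jar` while `XSLT` and `TIDY` were moved to fixed `/usr/local/bin` paths, so validation stays tied to one developer's checkout and the three tool definitions now follow two different conventions within five lines. Making all three overridable lets CI and other maintainers supply their own locations without editing the file: `XSLT ?= /usr/local/bin/saxon`, `TIDY ?= /usr/local/bin/tidy`, `VAL ?= java -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar ~/Projects/scapval/scapval-1.3.5.jar`. Note also that the removed `XSLT` line invoked a pinned `saxon-he-10.1.jar`, whereas `/usr/local/bin/saxon` runs whatever version happens to be installed; recording the expected Saxon version in a comment keeps the generated XCCDF reproducible.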
diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl index e829a2295..4b3020b19 100644 --- a/SCAP/html-to-xccdf.xsl +++ b/SCAP/html-to-xccdf.xsl @@ -303,12 +303,12 @@ - cpe:2.3:o:apple:mac_os_x:10.15:*:*:*:*:*:*:* + cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:* diff --git a/SCAP/macos-cpe-dictionary.xml b/SCAP/macos-cpe-dictionary.xml index 0b262b84f..4133ceae4 100644 --- a/SCAP/macos-cpe-dictionary.xml +++ b/SCAP/macos-cpe-dictionary.xml @@ -11,12 +11,12 @@ 2.3 2020-10-15T15:35:10Z - - Apple Mac OS 10.15 + + Apple macOS 11.0 - This CPE Name represents macOS 10.15 + This CPE Name represents macOS 11.0 oval:gov.nist.mscp.content.cpe.oval:def:1 - + diff --git a/SCAP/macos-cpe-oval.xml b/SCAP/macos-cpe-oval.xml index 7e9c9d551..ed2813467 100644 --- a/SCAP/macos-cpe-oval.xml +++ b/SCAP/macos-cpe-oval.xml @@ -9,26 +9,26 @@ - Apple macOS 10.15 is installed + Apple macOS 11.0 is installed macOS - - The operating system installed on the system is Apple macOS Catalina (10.15). + + The operating system installed on the system is Apple macOS Big Sur (11.0). - + + comment="The Installed Operating System is Part of the macOS Family" id="oval:gov.nist.mscp.content.cpe:tst:1" version="1"> - @@ -37,7 +37,7 @@ - + ProductVersion /System/Library/CoreServices/SystemVersion.plist 1 @@ -47,8 +47,8 @@ macos - - 10.14 + + 11.0 diff --git a/VERSION.yaml b/VERSION.yaml index a8fb0c0c7..6abdd0fd0 100644 --- a/VERSION.yaml +++ b/VERSION.yaml @@ -1,2 +1,3 @@ -version: "Catalina, Revision 1" -date: "2020-10-06" \ No newline at end of file +os: "11.0" +version: "Big Sur, Revision 1" +date: "2020-11-10" \ No newline at end of file diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index a186e3fc5..42c81f92e 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml 
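Review bot: The generator `timestamp` `2020-10-15T15:35:10Z` in SCAP/macos-cpe-dictionary.xml is left unchanged although the dictionary's title, description and CPE name in this hunk were all rewritten for 11.0, so a consumer that uses the timestamp to decide whether content is newer will not see this update. Refresh it to the regeneration time (placeholder `<YYYY-MM-DDThh:mm:ssZ>`), or better, have the build emit it rather than hand-editing the file.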
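Review bot: The platform-applicability state in SCAP/macos-cpe-oval.xml now compares `ProductVersion` from `/System/Library/CoreServices/SystemVersion.plist` against the literal `11.0`, but the element tags (and with them the comparison operation) were lost in this rendering, so it is not clear whether Big Sur point releases such as 11.0.1 or 11.1 still satisfy the test. The previous value was `10.14` for a 10.15 benchmark, which suggests a greater-than style comparison; if that operation is unchanged, `11.0` itself would no longer match. Please confirm the operation, and if an exact-string match is in use consider a version-aware greater-than-or-equal comparison against `11.0` so the whole 11.x line is detected; a wrong answer here would likely make every rule in the datastream evaluate as not applicable without any visible error.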
@@ -1,12 +1,11 @@ -title: "macOS 10.15: Security Configuration - 800-171" +title: "macOS 11.0: Security Configuration - 800-171" description: | - This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171. + This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-171. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_enforce - auth_pam_su_smartcard_enforce - section: "auditing" @@ -32,12 +31,11 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - os_guest_account_disable - - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce @@ -48,7 +46,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -60,9 +57,9 @@ profile: - os_httpd_disable - os_gatekeeper_enable - os_sip_enable + - os_authenticated_root_enable - os_removable_media_disable - os_guest_access_smb_disable - - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -75,7 +72,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" 
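Review bot: The rewritten description in baselines/800-171.yaml reads `securing a 11.0 system`, dropping the product name that the title and the other baselines keep (`securing a macOS 11.0 system`); the same wording appears in the first hunk of baselines/800-53_moderate.yaml. Change the line to `This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-171.` and make the matching fix in the moderate baseline, since this text is reproduced in the generated guidance.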
@@ -109,10 +106,10 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_media_sharing_disabled - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed @@ -155,6 +152,9 @@ profile: rules: - pwpolicy_50_percent - sysprefs_wifi_disable + - section: "not_applicable" + rules: + - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 7ad0d376f..6d62223f6 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml @@ -1,13 +1,12 @@ -title: "macOS 10.15: Security Configuration - 800-53 High" +title: "macOS 11.0: Security Configuration - 800-53 High" description: | - This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 HIGH baseline. + This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 HIGH baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_certificate_trust_enforce_high - auth_smartcard_enforce - auth_pam_su_smartcard_enforce @@ -36,12 +35,11 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - os_guest_account_disable - - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce 
@@ -52,7 +50,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_secure_boot_verify - os_uucp_disable - os_policy_banner_loginwindow_enforce @@ -66,9 +63,9 @@ profile: - os_httpd_disable - os_gatekeeper_enable - os_sip_enable + - os_authenticated_root_enable - os_removable_media_disable - os_guest_access_smb_disable - - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable @@ -82,7 +79,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" @@ -116,10 +113,10 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow @@ -168,7 +165,7 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_request_verification_name_resolution + - os_secure_name_resolution - os_notify_account_enable - os_provide_automated_account_management - os_notify_account_created @@ -183,6 +180,7 @@ profile: - section: "not_applicable" rules: - os_identify_non-org_users + - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml index ce025ac3b..1bc88f731 100644 --- a/baselines/800-53_low.yaml +++ b/baselines/800-53_low.yaml 
@@ -1,13 +1,12 @@ -title: "macOS 10.15: Security Configuration - 800-53 Low" +title: "macOS 11.0: Security Configuration - 800-53 Low" description: | - This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 LOW baseline. + This guide describes the actions to take when securing a macOS 11.0 system against the NIST SP 800-53 LOW baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_enforce - auth_pam_su_smartcard_enforce - section: "auditing" @@ -33,7 +32,6 @@ profile: - section: "macos" rules: - os_root_disable - - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require - os_handoff_disable @@ -51,8 +49,8 @@ profile: - os_nfsd_disable - os_httpd_disable - os_sip_enable + - os_authenticated_root_enable - os_guest_access_smb_disable - - os_policy_banner_ssh_configure - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable - os_siri_prompt_disable @@ -96,7 +94,7 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - sysprefs_firewall_enable @@ -113,6 +111,7 @@ profile: - sysprefs_password_hints_disable - sysprefs_bluetooth_sharing_disable - sysprefs_improve_siri_dictation_disable + - sysprefs_ssh_disable - section: "Inherent" rules: - os_logical_access @@ -123,12 +122,13 @@ profile: - pwpolicy_force_change_password_change - section: "Permanent" rules: - - os_request_verification_name_resolution + - os_secure_name_resolution - os_protect_dos_attacks - pwpolicy_50_percent - section: "not_applicable" rules: - os_identify_non-org_users + - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf 
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml index ff61770db..b1905440d 100644 --- a/baselines/800-53_moderate.yaml +++ b/baselines/800-53_moderate.yaml @@ -1,13 +1,12 @@ -title: "macOS 10.15: Security Configuration - 800-53 Moderate" +title: "macOS 11.0: Security Configuration - 800-53 Moderate" description: | - This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline. + This guide describes the actions to take when securing a 11.0 system against the NIST SP 800-53 MODERATE baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_pam_su_smartcard_enforce @@ -34,11 +33,10 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce @@ -49,7 +47,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -62,9 +59,9 @@ profile: - os_httpd_disable - os_gatekeeper_enable - os_sip_enable + - os_authenticated_root_enable - os_removable_media_disable - os_guest_access_smb_disable - - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable 
@@ -78,7 +75,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" @@ -112,10 +109,10 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow @@ -159,7 +156,7 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_request_verification_name_resolution + - os_secure_name_resolution - os_notify_account_enable - os_provide_automated_account_management - os_notify_account_created @@ -174,6 +171,7 @@ profile: - section: "not_applicable" rules: - os_identify_non-org_users + - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 2c756ae3e..5f6eec9b6 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -1,6 +1,6 @@ -title: "macOS 10.15: Security Configuration - All Rules" +title: "macOS 11.0: Security Configuration - All Rules" description: | - This guide describes the actions to take when securing a macOS 10.15 system using every available rule. + This guide describes the actions to take when securing a macOS 11.0 system using every available rule. profile: - section: "authentication" rules: @@ -37,7 +37,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable 
@@ -53,7 +53,7 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure + - os_sshd_login_grace_time_configure - os_privacy_setup_prompt_disable - os_secure_boot_verify - os_sudoers_tty_configure @@ -70,6 +70,7 @@ profile: - os_httpd_disable - os_gatekeeper_enable - os_sip_enable + - os_authenticated_root_enable - os_removable_media_disable - os_guest_access_smb_disable - os_policy_banner_ssh_configure @@ -85,12 +86,16 @@ profile: - os_camera_disable - os_guest_access_afp_disable - os_icloud_storage_prompt_disable - - os_ssh_permit_root_login_configure + - os_sshd_permit_root_login_configure - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce @@ -122,10 +127,11 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_media_sharing_disabled - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed @@ -199,7 +205,7 @@ profile: - audit_off_load_records - audit_enforce_dual_auth - audit_alert_processing_fail - - os_request_verification_name_resolution + - os_secure_name_resolution - os_reauth_devices_change_authenticators - os_notify_account_enable - os_provide_automated_account_management @@ -218,6 +224,7 @@ profile: - section: "not_applicable" rules: - os_identify_non-org_users + - os_nonlocal_maintenance - section: "srg" rules: - os_filevault_user_account 
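Review bot: The four new `os_sshd_*` rules appended to the end of the `macos` section in baselines/all_rules.yaml are absent from the CHANGELOG's "Added Rules" list for this revision, which names only `os_authenticated_root_enable`, the two `os_ssh_server_alive_*` entries, `sysprefs_personalized_advertising_disable` and `sysprefs_ssh_disable`; the renames `os_ssh_login_grace_time_configure` → `os_sshd_login_grace_time_configure` and `os_ssh_permit_root_login_configure` → `os_sshd_permit_root_login_configure` in this file are likewise unrecorded, so anyone tracking rule identifiers across revisions will miss them. Please add them to the changelog. The `os_ssh_*`/`os_sshd_*` split appears to separate client (ssh_config) from server (sshd_config) settings — inferred from the names only — and grouping the sshd entries next to their ssh counterparts rather than at the end of the section would make that distinction easier to audit.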
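Review bot: `sysprefs_ssh_disable` is added directly under the retained `sysprefs_ssh_enable` in baselines/all_rules.yaml, so this baseline now carries two rules that cannot both pass on one host. That is presumably intended for an all-rules catalogue, but nothing in the file says so, and any consumer that runs the generated fix for this baseline would end up with whichever of the two is applied last. A comment on the pair, `# sysprefs_ssh_enable / sysprefs_ssh_disable are mutually exclusive; both are listed so every rule is published`, makes the intent explicit to the next maintainer.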
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index adf967392..498631dfd 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -1,13 +1,12 @@ -title: "macOS 10.15: Security Configuration - 800-53 Moderate" +title: "macOS 11.0: Security Configuration - CNSSI-1253" description: | - This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-53 MODERATE baseline. + This guide describes the actions to take when securing a macOS 11.0 system against the CNSSI-1253 baseline. profile: - section: "authentication" rules: - auth_pam_login_smartcard_enforce - auth_smartcard_allow - auth_pam_sudo_smartcard_enforce - - auth_ssh_smartcard_enforce - auth_smartcard_certificate_trust_enforce_moderate - auth_smartcard_enforce - auth_pam_su_smartcard_enforce @@ -34,11 +33,10 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable - - os_policy_banner_ssh_enforce - os_password_proximity_disable - os_mdm_require - os_screensaver_loginwindow_enforce @@ -49,7 +47,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce @@ -62,9 +59,9 @@ profile: - os_httpd_disable - os_gatekeeper_enable - os_sip_enable + - os_authenticated_root_enable - os_removable_media_disable - os_guest_access_smb_disable - - os_policy_banner_ssh_configure - os_time_server_enabled - os_unlock_active_user_session_disable - os_internet_accounts_prefpane_disable 
@@ -78,7 +75,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" @@ -112,10 +109,10 @@ profile: rules: - sysprefs_smbd_disable - sysprefs_firewall_stealth_mode_enable - - sysprefs_ad_tracking_disable + - sysprefs_personalized_advertising_disable - sysprefs_internet_sharing_disable - sysprefs_rae_disable - - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed - sysprefs_gatekeeper_override_disallow @@ -160,7 +157,7 @@ profile: - pwpolicy_emergency_accounts_disable - section: "Permanent" rules: - - os_request_verification_name_resolution + - os_secure_name_resolution - os_notify_account_enable - os_provide_automated_account_management - os_notify_account_created @@ -175,6 +172,7 @@ profile: - section: "not_applicable" rules: - os_identify_non-org_users + - os_nonlocal_maintenance - section: "Supplemental" rules: - supplemental_firewall_pf diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml index 0847a7a5a..26c84ebac 100644 --- a/rules/audit/audit_acls_files_configure.yaml +++ b/rules/audit/audit_acls_files_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84701-2 + - CCE-85251-7 cci: - CCI-000162 - CCI-001314 @@ -30,7 +30,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml index bc67aaec4..bef3c8df3 100644 --- a/rules/audit/audit_acls_folders_configure.yaml +++ b/rules/audit/audit_acls_folders_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84704-6 + - CCE-85252-5 cci: - CCI-000162 - CCI-001314 
@@ -30,7 +30,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml index c0b624606..a0e8f5b25 100644 --- a/rules/audit/audit_alert_processing_fail.yaml +++ b/rules/audit/audit_alert_processing_fail.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84908-3 + - CCE-85253-3 cci: - CCI-000139 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000046-GPOS-00022 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 585378bde..5a103e79d 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84706-1 + - CCE-85254-1 cci: - CCI-000130 - CCI-000131 @@ -63,7 +63,7 @@ references: - 3.3.2 - 3.3.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index 166d77da2..c55bd0900 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84707-9 + - CCE-85255-8 cci: - CCI-001855 800-53r4: @@ -25,7 +25,7 @@ references: disa_stig: - AOSX-15-001030 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index a6b4ca248..e37d62696 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml 
@@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84906-7 + - CCE-85256-6 cci: - CCI-000366 - CCI-001896 @@ -23,7 +23,7 @@ references: srg: - SRG-OS-000360-GPOS-00147 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 8042dba99..f7e93597c 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84708-7 + - CCE-85257-4 cci: - CCI-000140 800-53r4: @@ -27,7 +27,7 @@ references: 800-171r2: - 3.3.4 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 34ae3477a..4ca2796b7 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84709-5 + - CCE-85258-2 cci: - CCI-000162 800-53r4: @@ -29,7 +29,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 88b745ccf..20bbcd5b2 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-84702-0 + - CCE-85259-0 cci: - CCI-000162 800-53r4: @@ -25,7 +25,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index fe5db4db4..e7e5264d5 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml 
@@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84710-3 + - CCE-85260-8 cci: - CCI-000162 800-53r4: @@ -29,7 +29,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index d31e6720c..c52db3ba4 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml @@ -16,10 +16,10 @@ fix: | /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: + cce: + - CCE-85261-6 cci: - N/A - cce: - - CCE-84711-1 800-53r4: - AU-2 - AU-12 @@ -35,7 +35,7 @@ references: - 3.3.1 - 3.3.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml index 818dd1f06..5d4d215b9 100644 --- a/rules/audit/audit_flags_ad_configure.yaml +++ b/rules/audit/audit_flags_ad_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84712-9 + - CCE-85262-4 cci: - CCI-000018 - CCI-000172 @@ -57,7 +57,7 @@ references: - 3.3.1 - 3.3.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index 93567a696..28e918caa 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml @@ -17,10 +17,10 @@ fix: | /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: - cci: - - N/A cce: - - CCE-84913-3 + - CCE-85263-2 + cci: + - N/A 800-53r4: - AU-2 - AU-12 @@ -33,7 +33,7 @@ references: - 3.3.1 - 3.3.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 094ceeb91..35c53e622 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml 
@@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84715-2 + - CCE-85264-0 cci: - CCI-000162 800-53r4: @@ -46,7 +46,7 @@ references: - 3.3.2 - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml index 093953cb7..7098aba14 100644 --- a/rules/audit/audit_flags_fr_configure.yaml +++ b/rules/audit/audit_flags_fr_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84713-7 + - CCE-85265-7 cci: - CCI-000162 800-53r4: @@ -46,7 +46,7 @@ references: - 3.3.2 - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml index dc76facf0..972b1981d 100644 --- a/rules/audit/audit_flags_fw_configure.yaml +++ b/rules/audit/audit_flags_fw_configure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84714-5 + - CCE-85266-5 cci: - CCI-000162 800-53r4: @@ -46,7 +46,7 @@ references: - 3.3.2 - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml index d347802aa..f536f17f8 100644 --- a/rules/audit/audit_flags_lo_configure.yaml +++ b/rules/audit/audit_flags_lo_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84716-0 + - CCE-85267-3 cci: - CCI-000067 - CCI-000172 @@ -37,7 +37,7 @@ references: - 3.3.1 - 3.3.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index e07106af1..addc35eac 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84717-8 + - CCE-85268-1 cci: - CCI-000162 800-53r4: @@ -29,7 +29,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml index a8e2147af..61bb3f0de 100644 --- a/rules/audit/audit_folder_owner_configure.yaml +++ b/rules/audit/audit_folder_owner_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84718-6 + - CCE-85269-9 cci: - CCI-000162 800-53r4: @@ -29,7 +29,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml index 5a46800e4..9acbb7287 100644 --- a/rules/audit/audit_folders_mode_configure.yaml +++ b/rules/audit/audit_folders_mode_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84705-3 + - CCE-85270-7 cci: - CCI-000162 - CCI-000163 @@ -31,7 +31,7 @@ references: 800-171r2: - 3.3.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml index c5b2ce090..a852d496c 100644 --- a/rules/audit/audit_off_load_records.yaml +++ b/rules/audit/audit_off_load_records.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84895-2 + - CCE-85271-5 cci: - CCI-001851 800-53r4: @@ -23,7 +23,7 @@ references: - SRG-OS-000479-GPOS-00224 - SRG-OS-000342-GPOS-00133 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml index d4aa1d04a..a20dc34ee 100644 --- a/rules/audit/audit_retention_configure.yaml +++ b/rules/audit/audit_retention_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84719-4 + - CCE-85272-3 cci: - CCI-001849 800-53r4: 
@@ -26,7 +26,7 @@ references: disa_stig: - AOSX-15-001029 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_low diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml index 1b05d0e52..a67d3ce9e 100644 --- a/rules/audit/audit_settings_failure_notify.yaml +++ b/rules/audit/audit_settings_failure_notify.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84720-2 + - CCE-85273-1 cci: - CCI-001858 800-53r4: @@ -28,7 +28,7 @@ references: 800-171r2: - 3.3.4 macOS: - - "10.15" + - "11.0" tags: - 800-171 - 800-53r4_high diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml index 75f51adfe..6c4eab69c 100644 --- a/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml @@ -35,7 +35,7 @@ fix: | ---- references: cce: - - CCE-84721-0 + - CCE-85274-9 cci: - CCI-000366 800-53r4: @@ -52,7 +52,7 @@ references: 800-171r2: - 3.5.3 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml index 50a8cce3d..6655f5b6e 100644 --- a/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -30,7 +30,7 @@ fix: | ---- references: cce: - - CCE-84722-8 + - CCE-85275-6 cci: - CCI-000366 800-53r4: @@ -47,7 +47,7 @@ references: 800-171r2: - 3.5.3 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 97a6bd7a3..238f344d8 100644 --- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -29,7 +29,7 @@ fix: | ---- references: cce: - - CCE-84723-6 + - CCE-85276-4 cci: - CCI-000366 800-53r4: @@ -46,7 +46,7 @@ references: 800-171r2: - 3.5.3 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index e8e050037..d334a8e5c 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84724-4 + - CCE-85277-2 cci: - N/A 800-53r4: @@ -25,7 +25,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_low diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index 29b3c2c8c..978011b79 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -16,7 +16,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84725-1 + - CCE-85278-0 cci: - CCI-000186 800-53r4: @@ -27,7 +27,7 @@ references: disa_stig: - AOSX-15-003002 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index af1faf221..f710d3727 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -16,7 +16,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84726-9 + - CCE-85279-8 cci: - CCI-000186 800-53r4: @@ -27,7 +27,7 @@ references: disa_stig: - AOSX-15-003002 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml index 44d4d37aa..30afa17b4 100644 --- a/rules/auth/auth_smartcard_enforce.yaml +++ b/rules/auth/auth_smartcard_enforce.yaml 
@@ -18,7 +18,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84727-7 + - CCE-85280-6 cci: - CCI-000187 - CCI-000765 @@ -55,7 +55,7 @@ references: - 3.5.2 - 3.5.3 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml index bc73f1937..6a30d3668 100644 --- a/rules/auth/auth_ssh_smartcard_enforce.yaml +++ b/rules/auth/auth_ssh_smartcard_enforce.yaml @@ -1,7 +1,7 @@ id: auth_ssh_smartcard_enforce title: "Enforce Smartcard Authentication for SSH" discussion: | - Smartcard Authentication _MUST_ be enforced for user login via Secure Shell (SSH). + If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-84729-3 + - CCE-85281-4 cci: - CCI-000187 - CCI-000765 @@ -57,13 +57,8 @@ references: - 3.5.3 - 3.7.5 macOS: - - "10.15" + - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index bf8b84563..cb41ac30d 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84730-1 + - CCE-85282-2 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml index a8540d546..4d4b0afc1 100644 --- a/rules/icloud/icloud_appleid_prefpane_disable.yaml 
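Review bot: Dropping the 800-171, cnssi-1253 and 800-53r4_low/moderate/high tags from auth_ssh_smartcard_enforce removes SSH smartcard enforcement from every non-STIG baseline, while the reworded discussion only says the control applies when remote login is enabled. If the intent is that those baselines rely on a separate rule keeping the SSH server off, that dependency is not recorded anywhere in the rule, and a system where remote login is later re-enabled silently loses the control. Consider stating the scoping decision in the discussion, e.g. `This rule is carried only in baselines that permit remote login; baselines that disable the SSH server satisfy this requirement by keeping it off.` (adjust if the reason is different). The rule's check and fix stanzas are outside this hunk.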
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84731-9 + - CCE-85283-0 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml index 89a0510ec..2d4b3b1ab 100644 --- a/rules/icloud/icloud_bookmarks_disable.yaml +++ b/rules/icloud/icloud_bookmarks_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84732-7 + - CCE-85284-8 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml index badb3d4b4..1f4ddf889 100644 --- a/rules/icloud/icloud_calendar_disable.yaml +++ b/rules/icloud/icloud_calendar_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84733-5 + - CCE-85285-5 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml index 29ba1ec0c..a6d0fed8a 100644 --- a/rules/icloud/icloud_drive_disable.yaml +++ b/rules/icloud/icloud_drive_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84734-3 + - CCE-85286-3 cci: - CCI-000381 - CCI-001774 @@ -30,7 +30,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml index 9f40b6621..326654bb3 100644 --- a/rules/icloud/icloud_keychain_disable.yaml +++ b/rules/icloud/icloud_keychain_disable.yaml 
@@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84735-0 + - CCE-85287-1 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml index fd2dd0150..ab1c16486 100644 --- a/rules/icloud/icloud_mail_disable.yaml +++ b/rules/icloud/icloud_mail_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84736-8 + - CCE-85288-9 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index 4e229cb68..f10b793d8 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84737-6 + - CCE-85289-7 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml index 1cfd5a9eb..f212762f7 100644 --- a/rules/icloud/icloud_photos_disable.yaml +++ b/rules/icloud/icloud_photos_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84738-4 + - CCE-85290-5 cci: - CCI-000381 - CCI-001774 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 894520f0c..72370526d 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml 
@@ -12,7 +12,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84739-2
+ - CCE-85291-3
 cci:
 - CCI-000381
 - CCI-001774
@@ -29,7 +29,7 @@ references:
 - 3.1.20
 - 3.4.6
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index def985e3c..1dfeb7a18 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -12,7 +12,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84740-0
+ - CCE-85292-1
 cci:
 - N/A
 800-53r4:
@@ -28,7 +28,7 @@ references:
 - 3.1.20
 - 3.4.6
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index ea8a356a2..8b8a65115 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -12,7 +12,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84747-5
+ - CCE-85293-9
 cci:
 - CCI-000381
 800-53r4:
@@ -31,7 +31,7 @@ references:
 - 3.1.20
 - 3.4.6
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
@@ -41,5 +41,5 @@ tags:
 - STIG
 mobileconfig: true
 mobileconfig_info:
- com.apple.NetworkBrowser:
- DisableAirDrop: true
+ com.apple.applicationaccess:
+ allowAirDrop: false
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index 4587aa355..74823fb40 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84863-0
+ - CCE-85294-7
 cci:
 - CCI-002165
 800-53r4:
@@ -22,7 +22,7 @@ references:
 srg:
 - SRG-OS-000312-GPOS-00122
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - STIG
 - inherent
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 0d206b196..3025cd23f 100644
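Review bot: The `check:` stanza of os_airdrop_disable.yaml is not in this diff, so it is not visible whether it still matches the old `DisableAirDrop` key that the last hunk replaces with `com.apple.applicationaccess` / `allowAirDrop: false`. If the check still greps for the NetworkBrowser key, a Big Sur system carrying the new restriction would be reported non-compliant even though the profile is installed. By analogy with the other profile checks on this page it should read something like `/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowAirDrop = 0'` (constructed example; confirm the exact key as rendered by profiles). Worth verifying in the rule file before the Big Sur baselines are generated.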
--- a/rules/os/os_anti_virus_installed.yaml +++ b/rules/os/os_anti_virus_installed.yaml @@ -11,7 +11,7 @@ fix: | Install an approved antivirus solution onto the system. references: cce: - - CCE-84894-5 + - CCE-85295-4 cci: - CCI-000366 800-53r4: @@ -21,7 +21,7 @@ references: disa_stig: - AOSX-15-002070 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: false diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index c4fb7b12a..dd74e8184 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Apple ID Setup during Setup Assistant" discussion: | The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. - MacOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. + macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipCloudSetup = 1' result: @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84748-3 + - CCE-85296-2 cci: - CCI-000381 800-53r4: @@ -25,7 +25,7 @@ references: 800-171r2: - 3.1.20 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 7c6ecc916..a2b88b475 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - - CCE-84741-8 + - CCE-85297-0 cci: - CCI-001958 800-53r4: 
@@ -21,7 +21,7 @@ references:
 - 3.5.1
 - 3.5.2
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - cnssi-1253
 - 800-53r4_moderate
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
new file mode 100644
index 000000000..4cfa15b51
--- /dev/null
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -0,0 +1,46 @@
+id: os_authenticated_root_enable
+title: "Enable Authenticated Root"
+discussion:
+ Authenticated Root _MUST_ be enabled.
+
+ When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
+check: |
+ /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/csrutil authenticated-root enable
+ ----
+ NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
+references:
+ cce:
+ - CCE-85298-8
+ cci:
+ - N/A
+ 800-53r4:
+ - AC-3
+ - CM-5
+ - SC-34
+ - SI-7
+ - SI-7(6)
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - 3.1.1
+ - 3.1.2
+ - 3.4.5
+macOS:
+ - "11.0"
+tags:
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - STIG
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 4daf16905..5e3a9067c 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -10,7 +10,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84749-1
+ - CCE-85299-6
 cci:
 - CCI-000381
 800-53r4:
@@ -22,7 +22,7 @@ references:
 800-171r2:
 - 3.4.6
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index b2b6e323f..bf7d16e8e 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
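Review bot: `discussion:` in the new os_authenticated_root_enable.yaml is missing the `|` block indicator that every other rule on this page uses, so the two paragraphs are parsed as a single folded plain scalar and the paragraph break the author wrote is lost in the generated guidance; change the line to `discussion: |`. The fix stanza's command only takes effect from Recovery, as the NOTE beneath it says, so any tooling that applies rule fixes in place should treat this rule as manual remediation rather than run the command on the booted system. The check is consistent with `result: integer: 1` (grep -c 'enabled' yields 0 when csrutil reports the feature disabled).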
@@ -2,6 +2,11 @@ id: os_calendar_app_disable title: "Disable Calendar.app" discussion: | The macOS built-in Calendar.app _MUST_ be disabled as this application can establish a connection to non-approved services. This rule is in place to prevent inadvertent data transfers. + + [IMPORTANT] + ==== + Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Calendar.app" result: @@ -10,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84750-9 + - CCE-85300-2 cci: - CCI-000381 - CCI-001774 @@ -26,7 +31,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml index 837537933..be5a215e8 100644 --- a/rules/os/os_camera_disable.yaml +++ b/rules/os/os_camera_disable.yaml @@ -1,7 +1,7 @@ id: os_camera_disable title: "Disable Camera" discussion: | - MacOS _MUST_ be configured to disable the camera. + macOS _MUST_ be configured to disable the camera. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCamera = 0' result: @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84751-7 + - CCE-85301-0 cci: - CCI-000381 - CCI-001774 @@ -22,7 +22,7 @@ references: disa_stig: - AOSX-15-002017 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: true diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml index cdb58023d..22b4a204f 100644 --- a/rules/os/os_certificate_authority_trust.yaml 
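Review bot: The [IMPORTANT] admonition added to os_calendar_app_disable.yaml tells ISSOs they may decide `not to disable the macOS built-in Mail.app`, but this rule governs Calendar.app, so the risk-acceptance guidance points at the wrong application and an ISSO reading it could waive a control the rule does not cover. Change it to `... may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality ...`. The same sentence pattern is used correctly in the os_internet_accounts_prefpane_disable.yaml hunk, which names the pane it applies to.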
+++ b/rules/os/os_certificate_authority_trust.yaml @@ -10,7 +10,7 @@ fix: | Obtain the approved certificates from the appropriate authority and install them to the System Keychain. references: cce: - - CCE-84752-5 + - CCE-85302-8 cci: - CCI-000185 - CCI-002450 @@ -22,7 +22,7 @@ references: - SRG-OS-000066-GPOS-00034 - SRG-OS-000478-GPOS-00223 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index 50c78c7e3..4f84869e9 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84882-0 + - CCE-85303-6 cci: - CCI-002165 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000312-GPOS-00124 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index e04e1359b..6ef90ed6f 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml @@ -8,7 +8,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84892-9 + - CCE-85304-4 cci: - CCI-001233 800-53r4: @@ -18,7 +18,7 @@ references: disa_stig: - AOSX-15-000015 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index 423fd869f..5bd7ea32d 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84889-5 + - CCE-85305-1 cci: - CCI-001496 800-53r4: 
@@ -24,7 +24,7 @@ references: srg: - SRG-OS-000278-GPOS-00108 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index 7ca1fddd4..f6771c5e1 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84854-9 + - CCE-85306-9 cci: - CCI-001813 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000364-GPOS-00151 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml index e1df2d153..924cc026b 100644 --- a/rules/os/os_error_message.yaml +++ b/rules/os/os_error_message.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84887-9 + - CCE-85307-7 cci: - CCI-001312 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000205-GPOS-00083 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 7f9698429..922d76864 100644 --- a/rules/os/os_facetime_app_disable.yaml +++ b/rules/os/os_facetime_app_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84753-3 + - CCE-85308-5 cci: - CCI-000381 - CCI-001774 @@ -28,7 +28,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml index 743a0d5ec..ef3e19c0d 100644 --- a/rules/os/os_fail_secure_state.yaml +++ b/rules/os/os_fail_secure_state.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84860-6 + - CCE-85309-3 cci: - CCI-001190 - CCI-001665 
@@ -26,7 +26,7 @@ references: - SRG-OS-000184-GPOS-00078 - SRG-OS-000269-GPOS-00103 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml index aca1f4052..ab628a734 100644 --- a/rules/os/os_filevault_autologin_disable.yaml +++ b/rules/os/os_filevault_autologin_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84754-1 + - CCE-85310-1 800-53r4: - AC-3 - IA-5(13) @@ -26,7 +26,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml index 794ae27ef..d946b2c86 100644 --- a/rules/os/os_filevault_user_account.yaml +++ b/rules/os/os_filevault_user_account.yaml @@ -44,7 +44,7 @@ fix: | # sudo fdesetup remove -user references: cce: - - CCE-84893-7 + - CCE-85311-9 cci: - CCI-000014 800-53r4: @@ -54,7 +54,7 @@ references: disa_stig: - AOSX-15-000032 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: false diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index ea0b4278d..930e9a5dc 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml 
@@ -8,6 +8,11 @@ discussion: | Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. If you are using a third-party firewall solution, this setting does not apply. + + [IMPORTANT] + ==== + Configuring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: | /sbin/pfctl -a '*' -sr &> /dev/null | /usr/bin/grep -c "block drop in all" result: @@ -16,7 +21,7 @@ fix: | NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule. references: cce: - - CCE-84756-6 + - CCE-85312-7 cci: - CCI-000366 - CCI-002080 @@ -31,7 +36,7 @@ references: - 3.1.3 - 3.13.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 8c73b99e6..007b19904 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84757-4 + - CCE-85313-5 cci: - CCI-000366 800-53r4: @@ -34,7 +34,7 @@ references: - 3.13.2 - 3.13.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml index 4fa0a2399..1d87c3aea 100644 --- a/rules/os/os_firmware_password_require.yaml +++ b/rules/os/os_firmware_password_require.yaml 
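Review bot: The `check:` line carried as context in this hunk, `/sbin/pfctl -a '*' -sr &> /dev/null | /usr/bin/grep -c "block drop in all"`, redirects pfctl's stdout together with stderr to /dev/null before the pipe, so under bash grep receives no input and the count is 0 regardless of the loaded ruleset. It looks like only stderr was meant to be discarded: `/sbin/pfctl -a '*' -sr 2> /dev/null | /usr/bin/grep -c "block drop in all"`. Under zsh with multios the output would be duplicated to both the file and the pipe, so the result depends on which shell runs the generated check; the expected `result:` value is outside the hunk. The commit adds the ISSO admonition above this line without touching it.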
@@ -22,7 +22,7 @@ fix: | NOTE: See discussion on remediation and how to enable firmware password. references: cce: - - CCE-84758-2 + - CCE-85314-3 cci: - CCI-000366 800-53r4: @@ -34,7 +34,7 @@ references: 800-171r2: - 3.1.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml index ddd7b76ed..4395dcce8 100644 --- a/rules/os/os_gatekeeper_enable.yaml +++ b/rules/os/os_gatekeeper_enable.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84759-0 + - CCE-85315-0 cci: - CCI-001749 800-53r4: @@ -32,7 +32,7 @@ references: 800-171r2: - 3.4.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 5f82f3986..dfb01ec95 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -10,7 +10,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84852-3 + - CCE-85316-8 cci: - N/A 800-53r4: @@ -23,7 +23,7 @@ references: 800-171r2: - 3.4.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 5231cf574..048037ded 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84878-8 + - CCE-85317-6 cci: - CCI-002165 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000312-GPOS-00123 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_guest_access_afp_disable.yaml b/rules/os/os_guest_access_afp_disable.yaml index d9d164e99..0eff08ec4 100644 --- a/rules/os/os_guest_access_afp_disable.yaml +++ b/rules/os/os_guest_access_afp_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84760-8 + - CCE-85318-4 800-53r4: - IA-2 disa_stig: 
@@ -25,7 +25,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/os/os_guest_access_smb_disable.yaml index 3c3fd7f0b..d837a3c5e 100644 --- a/rules/os/os_guest_access_smb_disable.yaml +++ b/rules/os/os_guest_access_smb_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84761-6 + - CCE-85319-2 800-53r4: - IA-2 disa_stig: @@ -25,7 +25,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_guest_account_disable.yaml b/rules/os/os_guest_account_disable.yaml index 0bbc268e9..e99b7cf29 100644 --- a/rules/os/os_guest_account_disable.yaml +++ b/rules/os/os_guest_account_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84762-4 + - CCE-85320-0 cci: - CCI-001813 800-53r4: @@ -26,7 +26,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - 800-53r4_high diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml index b7472f2b0..1a00905e5 100644 --- a/rules/os/os_handoff_disable.yaml +++ b/rules/os/os_handoff_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84763-2 + - CCE-85321-8 800-53r4: - AC-3 - AC-20 @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index 303d58b4d..23a85a16a 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml @@ -19,7 +19,7 @@ fix: | ---- references: cce: - - CCE-84764-0 + - CCE-85322-6 cci: - CCI-000366 800-53r4: @@ -32,7 +32,7 @@ references: 800-171r2: - 3.1.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml index 21711baca..3bb70c09f 100644 --- a/rules/os/os_httpd_disable.yaml +++ b/rules/os/os_httpd_disable.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-84765-7 + - CCE-85323-4 cci: - CCI-000381 800-53r4: @@ -26,7 +26,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml index f3f33eb5e..c9dc41a3a 100644 --- a/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/rules/os/os_icloud_storage_prompt_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84766-5 + - CCE-85324-2 cci: - CCI-000381 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.20 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml index 1f45e9c5c..f38a273e0 100644 --- a/rules/os/os_identify_non-org_users.yaml +++ b/rules/os/os_identify_non-org_users.yaml @@ -8,7 +8,7 @@ fix: | The requirement is NA. No fix is required. references: cce: - - CCE-84742-6 + - CCE-85325-9 cci: - CCI-000804 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000121-GPOS-00062 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_low diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml index bc089f5ed..3689ad9ea 100644 --- a/rules/os/os_implement_cryptography.yaml +++ b/rules/os/os_implement_cryptography.yaml 
@@ -5,9 +5,9 @@ discussion: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. - macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST). + macOS Big Sur has been submitted to an accredited laboratory for testing of the cryptographic module for FIPS 140-3 validation. Once complete the test will be submitted to the National Institute of Standards and Technology (NIST) for validation. - link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] link:https://support.apple.com/en-us/HT201159[] check: | @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84867-1 + - CCE-85326-7 cci: - CCI-002450 800-53r4: @@ -28,7 +28,7 @@ references: 800-171r2: - 3.13.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 9c31ea8f7..c38c23365 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml @@ -19,7 +19,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84866-3 + - CCE-85327-5 cci: - CCI-002824 800-53r4: @@ -30,7 +30,7 @@ references: - SRG-OS-000433-GPOS-00192 - SRG-OS-000433-GPOS-00193 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml index 7b12d1485..400888b77 100644 
--- a/rules/os/os_internet_accounts_prefpane_disable.yaml +++ b/rules/os/os_internet_accounts_prefpane_disable.yaml @@ -2,6 +2,11 @@ id: os_internet_accounts_prefpane_disable title: "Disable the Internet Accounts System Preference Pane" discussion: | The Internet Accounts System Preference pane _MUST_ be disabled to prevent the addition of unauthorized internet accounts. + + [IMPORTANT] + ==== + Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' result: @@ -10,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84767-3 + - CCE-85328-3 cci: - CCI-001774 800-53r4: @@ -23,7 +28,7 @@ references: 800-171r2: - 3.1.20 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index a2474034e..7afd5b1cf 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84768-1 + - CCE-85329-1 cci: - CCI-000366 800-53r4: @@ -28,7 +28,7 @@ references: - 3.1.16 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml index f45b06673..7ee763479 100644 --- a/rules/os/os_isolate_security_functions.yaml +++ b/rules/os/os_isolate_security_functions.yaml 
@@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84876-2 + - CCE-85330-9 cci: - CCI-001084 800-53r4: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000134-GPOS-00068 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml index 01cbf955b..9fe1bd48f 100644 --- a/rules/os/os_limit_auditable_events.yaml +++ b/rules/os/os_limit_auditable_events.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84861-4 + - CCE-85331-7 cci: - CCI-000171 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000063-GPOS-00032 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 3403fa406..2a2e9aba6 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84904-2 + - CCE-85332-5 cci: - CCI-001095 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000142-GPOS-00071 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index d3bf6a1f9..28813fd06 100644 --- a/rules/os/os_limit_gui_sessions.yaml +++ b/rules/os/os_limit_gui_sessions.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84855-6 + - CCE-85333-3 cci: - CCI-000054 800-53r4: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000027-GPOS-00008 macOS: - - "10.15" + - "11.0" tags: - 800-53r4_high - STIG diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 23da522bf..a1cb318d7 100644 
--- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84857-2 + - CCE-85334-1 cci: - CCI-000213 800-53r4: @@ -25,7 +25,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml index c17b70b97..a7cb712e4 100644 --- a/rules/os/os_logoff_capability_and_message.yaml +++ b/rules/os/os_logoff_capability_and_message.yaml @@ -10,7 +10,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84859-8 + - CCE-85335-8 cci: - CCI-002363 - CCI-002364 @@ -22,7 +22,7 @@ references: - SRG-OS-000280-GPOS-00110 - SRG-OS-000281-GPOS-00111 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index f75e6a47c..d8bb23e5a 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml @@ -4,6 +4,11 @@ discussion: | The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple’s iCloud, even when security controls to disable iCloud access have been put in place. + + [IMPORTANT] + ==== + Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Mail.app" result: 
@@ -12,7 +17,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84769-9 + - CCE-85336-6 cci: - CCI-000381 - CCI-001774 @@ -28,7 +33,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml index cd88679bf..6e78439eb 100644 --- a/rules/os/os_map_pki_identity.yaml +++ b/rules/os/os_map_pki_identity.yaml @@ -8,7 +8,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84873-9 + - CCE-85337-4 cci: - CCI-000187 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000068-GPOS-00036 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - STIG diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index 353f70a17..4970689d6 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -15,7 +15,7 @@ fix: | Ensure that system is enrolled via UAMDM. references: cce: - - CCE-84803-6 + - CCE-85338-2 800-53r4: - CM-2 - CM-6 @@ -29,7 +29,7 @@ references: - 3.4.1 - 3.4.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index df8a6c2b3..6a2bce522 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84770-7 + - CCE-85339-0 cci: - CCI-000381 - CCI-001774 @@ -28,7 +28,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml index 7c534e6bd..971d25625 100644 --- a/rules/os/os_mfa_network_access.yaml +++ b/rules/os/os_mfa_network_access.yaml 
@@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84883-8 + - CCE-85340-8 cci: - CCI-000765 800-53r4: @@ -19,7 +19,7 @@ references: srg: - SRG-OS-000105-GPOS-00052 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml index 47badf391..2ab85dbce 100644 --- a/rules/os/os_mfa_network_non-priv.yaml +++ b/rules/os/os_mfa_network_non-priv.yaml @@ -9,7 +9,7 @@ fix: | For directory bound systems, the technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84864-8 + - CCE-85341-6 cci: - CCI-000766 800-53r4: @@ -19,7 +19,7 @@ references: srg: - SRG-OS-000106-GPOS-00053 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml index b062f40b6..2e08fb8f1 100644 --- a/rules/os/os_nfsd_disable.yaml +++ b/rules/os/os_nfsd_disable.yaml @@ -14,7 +14,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-84772-3 + - CCE-85342-4 cci: - CCI-000381 800-53r4: @@ -27,7 +27,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml new file mode 100644 index 000000000..50348c8bb --- /dev/null +++ b/rules/os/os_nonlocal_maintenance.yaml 
@@ -0,0 +1,32 @@
+id: os_nonlocal_maintenance
+title: "Configure the System for Nonlocal Maintenance"
+discussion: |
+ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network.
+check: |
+ This requirement is NA for this technology.
+fix: |
+ The requirement is NA. No fix is required.
+references:
+ cce:
+ - CCE-85458-8
+ cci:
+ - N/A
+ 800-53r4:
+ - MA-4
+ 800-171r2:
+ - 3.7.5
+ disa_stig:
+ - N/A
+ srg:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - n_a
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 3859b3639..05e0bf674 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-84900-0
+ - CCE-85343-2
 cci:
 - CCI-001683
 800-53r4:
@@ -22,7 +22,7 @@ references:
 srg:
 - SRG-OS-000274-GPOS-00104
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - cnssi-1253
 - 800-53r4_moderate
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 6f86dc27f..04b52103f 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -12,7 +12,7 @@ fix: |
 This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
 references:
 cce:
- - CCE-84905-9
+ - CCE-85344-0
 cci:
 - CCI-001685
 800-53r4:
@@ -22,7 +22,7 @@ references:
 srg:
 - SRG-OS-000276-GPOS-00106
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - cnssi-1253
 - 800-53r4_moderate
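Review bot: The new rule declares itself NA through its `check`, `fix` and the `n_a` tag while also tagging itself into the 800-171, cnssi-1253 and all three 800-53r4 baselines, and the discussion only defines nonlocal maintenance without saying why MA-4 does not apply to macOS. An auditor reading a generated baseline cannot tell whether remote maintenance channels were judged out of scope for a discrete macOS setting or simply not assessed, so a sentence in `discussion` stating the rationale for the NA (for instance that remote maintenance is governed by the separate SSH and remote-access rules, if that is the intent) would make the entry defensible. `cci` is `N/A` although an 800-53r4 control is listed; if the project records a CCI for MA-4 elsewhere it should appear here as well. os_identify_non-org_users earlier in this diff follows the same NA-with-baseline-tags pattern, so whatever convention is chosen should be applied to both.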
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml index c5b7483ba..06e5c6bc8 100644 --- a/rules/os/os_notify_account_enable.yaml +++ b/rules/os/os_notify_account_enable.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84897-8 + - CCE-85345-7 cci: - CCI-002132 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000304-GPOS-00121 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index 1f9e56f79..91e33d7a9 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84901-8 + - CCE-85346-5 cci: - CCI-001684 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000275-GPOS-00105 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index 6b52da00f..1ea39b163 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84902-6 + - CCE-85347-3 cci: - CCI-001686 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000277-GPOS-00107 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate 
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index dd11979c2..f36f4275c 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84911-7 + - CCE-85348-1 cci: - CCI-001744 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000363-GPOS-00150 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml index ea83ac443..e2168e6e5 100644 --- a/rules/os/os_obscure_password.yaml +++ b/rules/os/os_obscure_password.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84869-7 + - CCE-85349-9 cci: - CCI-000206 800-53r4: @@ -27,7 +27,7 @@ references: - 3.5.2 - 3.5.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index 86fe7ca3b..61a9a2392 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84773-1 + - CCE-85350-7 cci: - CCI-001812 - CCI-001764 @@ -28,7 +28,7 @@ references: 800-171r2: - 3.4.7 macOS: - - "10.15" + - "11.0" tags: - STIG - 800-171 diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index 9ae4c9931..fb424bed0 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable Password Autofill" discussion: | Password Autofill _MUST_ be disabled. - MacOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. + macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowPasswordAutoFill = 0' result: @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84774-9 + - CCE-85351-5 800-53r4: - IA-5 - IA-5(13) @@ -29,7 +29,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index 67d0d92ef..ef22e29da 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -12,7 +12,9 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84775-6 + - CCE-85352-3 + cci: + - N/A 800-53r4: - IA-5 srg: @@ -28,7 +30,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index dda00b5c8..04a61d85c 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84776-4 + - CCE-85353-1 800-53r4: - IA-5 srg: @@ -27,7 +27,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index abef414c4..984f51c74 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -10,7 +10,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84885-3
+ - CCE-85354-9
 cci:
 - CCI-000778
 800-53r4:
@@ -22,7 +22,7 @@ references:
 800-171r2:
 - N/A
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - STIG
 - inherent
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index bf5f1f493..1afb8f666 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -26,7 +26,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-84777-2
+ - CCE-85355-6
 cci:
 - CCI-000048
 - CCI-000050
@@ -36,7 +36,7 @@ references:
 - CCI-001387
 - CCI-001388
 800-53r4:
- - AC-8
+ - N/A
 srg:
 - SRG-OS-000023-GPOS-00006
 - SRG-OS-000024-GPOS-00007
@@ -44,15 +44,10 @@ references:
 disa_stig:
 - AOSX-15-000025
 800-171r2:
- - 3.1.9
+ - N/A
 macOS:
- - "10.15"
+ - "11.0"
 tags:
- - 800-171
- - cnssi-1253
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
 - STIG
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index 6c88c3923..6791bf131 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -19,25 +19,21 @@ fix: |
 ----
 references:
 cce:
- - CCE-84778-0
+ - CCE-85356-4
 cci:
 - CCI-000048
 800-53r4:
 - AC-8
 srg:
 - SRG-OS-000023-GPOS-00006
+ - SRG-OS-000024-GPOS-00007
 disa_stig:
- - AOSX-15-000023
+ - AOSX-15-000024
 800-171r2:
 - 3.1.9
 macOS:
- - "10.15"
+ - "11.0"
 tags:
- - 800-171
- - cnssi-1253
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
 - STIG
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
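Review bot: os_policy_banner_loginwindow_enforce sets `800-53r4` and `800-171r2` to `N/A` and drops the 800-171, cnssi-1253 and 800-53r4_* tags, yet keeps CCI-000048/000050/001387/001388, SRG-OS-000023/000024 and AOSX-15-000025, so the rule now states that no control maps to it while still citing the banner requirements derived from those controls. Unless another rule carries AC-8 and 3.1.9 for the login window, the non-STIG baselines lose login-window banner enforcement; the baseline yaml files are not in this diff, so that is inferred from the tags alone. os_policy_banner_ssh_configure in this line and os_policy_banner_ssh_enforce on the next keep `- AC-8` and `- 3.1.9` but also drop the same tags, which is the opposite inconsistency. Either leave one rule per banner surface in the 800-53r4/800-171 baselines or set the references to `N/A` uniformly, and record in the commit message why the banner rules became STIG-only.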
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index a904c127e..9f3621192 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -19,7 +19,7 @@ fix: |
 ----
 references:
 cce:
- - CCE-84779-8
+ - CCE-85357-2
 cci:
 - CCI-000048
 - CCI-000050
@@ -27,20 +27,13 @@ references:
 - AC-8
 srg:
 - SRG-OS-000023-GPOS-00006
- - SRG-OS-000024-GPOS-00007
 disa_stig:
- - AOSX-15-000024
+ - AOSX-15-000023
 800-171r2:
 - 3.1.9
 macOS:
- - "10.15"
- - "10.14"
+ - "11.0"
 tags:
- - 800-171
- - cnssi-1253
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
 - STIG
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml
index d909acf5a..0a1ba91af 100644
--- a/rules/os/os_predictable_behavior.yaml
+++ b/rules/os/os_predictable_behavior.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84871-3
+ - CCE-85358-0
 cci:
 - CCI-002754
 800-53r4:
@@ -18,7 +18,7 @@ references:
 srg:
 - SRG-OS-000432-GPOS-00191
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - STIG
 - inherent
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 7185dac41..53096e6bb 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -12,7 +12,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84862-2
+ - CCE-85359-8
 cci:
 - CCI-002233
 800-53r4:
@@ -24,7 +24,7 @@ references:
 800-171r2:
 - 3.1.7
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - STIG
 - inherent
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index 4b896782e..a5d7e9593 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84856-4 + - CCE-85360-6 cci: - CCI-002235 800-53r4: @@ -26,7 +26,7 @@ references: 800-171r2: - 3.1.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index 28d01c2b1..1acc939dc 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84880-4 + - CCE-85361-4 cci: - CCI-001090 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.13.4 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml index c7339df42..fccf62feb 100644 --- a/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/rules/os/os_privacy_setup_prompt_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84781-4 + - CCE-85362-2 cci: - CCI-000381 800-53r4: @@ -23,7 +23,7 @@ references: disa_stig: - AOSX-15-002036 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: true diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index 266e6f479..f7526367b 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84909-1 + - CCE-85363-0 cci: - CCI-002385 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000420-GPOS-00186 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_low 
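Review bot: In os_privacy_setup_prompt_disable the `macOS` reference becomes `"11.0"` while `disa_stig` still carries `AOSX-15-002036`, a 10.15-era STIG identifier, and the same pairing recurs in the other rules in this diff that have a disa_stig entry (the AOSX-15-0000xx values in the policy_banner rules, for example). If no Big Sur STIG identifier exists yet that is expected, but a YAML comment on the entry such as `# AOSX-15 IDs are from the 10.15 STIG; revisit when an 11.0 STIG is published` would stop readers of the generated guidance from treating the mapping as current. Otherwise this hunk is a routine CCE and version bump.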
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index 8a2c85339..22a322e41 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84899-4 + - CCE-85364-8 cci: - CCI-000015 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000001-GPOS-00001 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml index ca1edbe08..afe5f7ee6 100644 --- a/rules/os/os_provide_disconnect_remote_access.yaml +++ b/rules/os/os_provide_disconnect_remote_access.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84875-4 + - CCE-85365-5 cci: - CCI-002322 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000298-GPOS-00116 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index fcb2b508b..11117c694 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -10,7 +10,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84896-0 + - CCE-85366-3 cci: - CCI-002039 800-53r4: @@ -20,7 +20,7 @@ references: srg: - SRG-OS-000374-GPOS-00159 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent 
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml index c5ecefa50..f02025126 100644 --- a/rules/os/os_reauth_privilege.yaml +++ b/rules/os/os_reauth_privilege.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84890-3 + - CCE-85367-1 cci: - CCI-002038 800-53r4: @@ -19,7 +19,7 @@ references: - SRG-OS-000373-GPOS-00156 - SRG-OS-000373-GPOS-00157 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml index f1155816d..ef2535073 100644 --- a/rules/os/os_reauth_users_change_authenticators.yaml +++ b/rules/os/os_reauth_users_change_authenticators.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84872-1 + - CCE-85368-9 cci: - CCI-002038 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000373-GPOS-00158 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml index 451009ba3..968f36885 100644 --- a/rules/os/os_remote_access_methods.yaml +++ b/rules/os/os_remote_access_methods.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84868-9 + - CCE-85369-7 cci: - CCI-002314 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000297-GPOS-00115 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index 06dc90a5a..f1ece2f2e 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml 
@@ -1,9 +1,14 @@
 id: os_removable_media_disable
 title: "Disable Removable Storage Devices"
 discussion: |
- External hard drives, such as USB, _MUST_ be disabled for users.
-
- Disabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion).
+ Removable media, such as USB connected external hard drives, thumb drives, and optical media, _MUST_ be disabled for users.
+
+ Disabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion)
+
+ [IMPORTANT]
+ ====
+ Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+ ====
 check: |
 /usr/bin/profiles -P -o stdout | /usr/bin/grep 'harddisk-external' -A3 | /usr/bin/grep -Ec "eject|alert"
 result:
@@ -12,7 +17,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84782-2
+ - CCE-85370-5
 cci:
 - N/A
 800-53r4:
@@ -24,7 +29,7 @@ references:
 800-171r2:
 - 3.8.8
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml
index 9d8104240..01f06d9a4 100644
--- a/rules/os/os_remove_software_components_after_updates.yaml
+++ b/rules/os/os_remove_software_components_after_updates.yaml
@@ -8,7 +8,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84865-5
+ - CCE-85371-3
 cci:
 - CCI-002617
 800-53r4:
@@ -18,7 +18,7 @@ references:
 srg:
 - SRG-OS-000437-GPOS-00194
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - STIG
 - inherent
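Review bot: The rewritten discussion now says thumb drives and optical media _MUST_ be disabled, but the `check` in the same hunk only greps the `'harddisk-external'` entry of the profile output, so the rule's text promises more than its check verifies; either the check should also test whatever optical-media controls the same payload carries or the discussion should describe only what is enforced. The new `Disabling removable storage devices ...` line also lost the trailing period the removed line had, and the [IMPORTANT] block speaks only of "external hard drives" while the rule now covers removable media generally. The mobileconfig payload is not in this diff, so which keys exist for optical media should be confirmed against it before widening the check.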
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 8d9d091d3..3cc751bc2 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -2,10 +2,12 @@ id: os_required_crypto_module
 title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met"
 discussion: |
 The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication
+
+ macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules.
 
- macOS Catalina is in process of receiving FIPS validation from the National Institute of Standards and Technology (NIST).
+ macOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation.
 
- link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
+ link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[]
 link:https://support.apple.com/en-us/HT201159[]
 
 check: |
@@ -14,7 +16,7 @@ fix: |
 The technology inherently meets this requirement. No fix is required.
 references:
 cce:
- - CCE-84877-0
+ - CCE-85373-9
 cci:
 - CCI-000803
 800-53r4:
@@ -24,7 +26,7 @@ references:
 srg:
 - SRG-OS-000120-GPOS-00061
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - cnssi-1253
 - 800-53r4_low
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml
index cd4256f4f..cc41e762c 100644
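Review bot: The added paragraph states that macOS bundles open source components whose cryptographic libraries are not covered by the CoreCrypto FIPS validation, but the rule's `fix` in the next hunk still says the technology inherently meets the requirement, leaving the reader unsure whether those services are a gap or out of scope for this control; a sentence pointing to the rules that handle them (os_ssh_fips_140_ciphers appears later in this diff) would close that loop. The replacement sentence `macOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation.` is ungrammatical and differs from the wording this same commit uses in os_implement_cryptography; reusing that wording (`has been submitted to an accredited laboratory for testing of the cryptographic module for FIPS 140-3 validation`) keeps the two rules consistent. The linked IUT list is a point-in-time status, so the claim will need revisiting once validation completes.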
--- a/rules/os/os_root_disable.yaml
+++ b/rules/os/os_root_disable.yaml
@@ -15,20 +15,17 @@ fix: |
 ----
 references:
 cce:
- - CCE-84783-0
- 800-53r4:
- - IA-2
- disa_stig:
- - N/A
- srg:
- - N/A
+ - CCE-85374-7
 cci:
 - N/A
+ 800-53r4:
+ - IA-2
+ - IA-2(5)
 800-171r2:
 - 3.5.1
 - 3.5.2
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index 3d1ed80ba..e14f634c8 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -10,7 +10,7 @@ fix: |
 This is implemented by a Configuration Profile.
 references:
 cce:
- - CCE-84786-3
+ - CCE-85375-4
 cci:
 - CCI-000060
 800-53r4:
@@ -22,7 +22,7 @@ references:
 800-171r2:
 - 3.1.10
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-171
 - cnssi-1253
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index 55812793d..c61443c7b 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -14,7 +14,7 @@ fix: |
 NOTE: Boot into Recovery Mode and enable Full Secure Boot
 references:
 cce:
- - CCE-84789-7
+ - CCE-85376-2
 800-53r4:
 - SI-6
 srg:
@@ -24,7 +24,7 @@ references:
 cci:
 - N/A
 macOS:
- - "10.15"
+ - "11.0"
 tags:
 - 800-53r4_high
 mobileconfig: false
diff --git a/rules/os/os_request_verification_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
similarity index 63%
rename from rules/os/os_request_verification_name_resolution.yaml
rename to rules/os/os_secure_name_resolution.yaml
index d6aaae5db..a3f190c38 100644
--- a/rules/os/os_request_verification_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
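Review bot: os_root_disable removes the `disa_stig:` and `srg:` keys altogether instead of leaving them as `- N/A`, while the other rules in this diff (os_nonlocal_maintenance, os_password_proximity_disable) keep placeholder entries for every reference type; if generate_guidance or yaml-to-oval index `references['disa_stig']` or `references['srg']` without a default, this file will fail to render, and even if they do not, the schema now varies per rule. Keeping `disa_stig:` / `- N/A` and `srg:` / `- N/A` under `references` preserves the shape the rest of the rule set uses. The addition of IA-2(5) alongside IA-2 looks intentional and is fine.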
@@ -1,14 +1,14 @@ -id: os_request_verification_name_resolution -title: "Must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources" +id: os_secure_name_resolution +title: "Secure Name Address Resolution Service" discussion: | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. check: | - This requirement is NA for this technology. + The technology does not support this requirement. This is an applicable-does not meet finding. fix: | - The requirement is NA. No fix is required. + This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84745-9 + - CCE-85372-1 cci: - CCI-002465 - CCI-002466 @@ -24,7 +24,7 @@ references: - SRG-OS-000401-GPOS-00180 - SRG-OS-000402-GPOS-00181 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_low diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index 04aaf825e..fd35bdc0c 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84888-7 + - CCE-85377-0 cci: - CCI-001082 800-53r4: @@ -26,7 +26,7 @@ references: 800-171r2: - 3.13.3 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml index a3c551fc9..7d58cca99 100644 --- a/rules/os/os_sip_enable.yaml +++ b/rules/os/os_sip_enable.yaml 
@@ -16,7 +16,7 @@ fix: | NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. references: cce: - - CCE-84790-5 + - CCE-85378-8 cci: - CCI-000154 - CCI-000158 @@ -72,7 +72,7 @@ references: - 3.4.5 - 3.13.4 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml index 82998cbdd..7aee63b5e 100644 --- a/rules/os/os_siri_prompt_disable.yaml +++ b/rules/os/os_siri_prompt_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84791-3 + - CCE-85379-6 cci: - CCI-000381 - CCI-001774 @@ -30,7 +30,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 32b44ac52..63ffed567 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml 
@@ -9,34 +9,34 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config + /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^Ciphers' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/ssh_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/ssh_config ---- references: cce: - - CCE-84794-7 + - CCE-85382-0 cci: - - CCI-001133 + - N/A 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000053 + - N/A 800-171r2: - 3.1.13 - 3.13.8 - 3.13.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index cf8ea8514..490c1e02f 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml 
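Review bot: The sed expression carried into the new fix line, `s/.^Ciphers.*/…/`, cannot match a line that starts with `Ciphers`: in a basic regular expression `^` is only an anchor at the start of the pattern, so `.^Ciphers` requires a literal caret preceded by some character. Because `grep -q '^Ciphers'` succeeds and sed exits 0 whether or not it substituted anything, an existing non-compliant `Ciphers` line is left as-is, the `echo` fallback never runs, and the command still reports success. `s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/` is the intended pattern; the same expression is copied into the new os_sshd_fips_140_ciphers.yaml below. Separately, the unchanged NOTE line above the check still names `/etc/ssh/sshd_config` while the check and fix now target `/etc/ssh/ssh_config`; os_ssh_fips_140_macs.yaml updates its NOTE to `ssh_config` and this file should match.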
@@ -7,36 +7,36 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config + /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^MACs' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/ssh_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/ssh_config ---- references: cce: - - CCE-84795-4 + - CCE-85383-8 cci: - - CCI-001133 + - N/A 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000053 + - N/A 800-171r2: - 3.1.13 - 3.13.8 - 3.13.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_ssh_client_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml similarity index 53% rename from rules/os/os_ssh_client_alive_count_max_configure.yaml rename to rules/os/os_ssh_server_alive_count_max_configure.yaml index 7b0045d46..e7ab01665 100644 --- a/rules/os/os_ssh_client_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml 
@@ -1,33 +1,33 @@ -id: os_ssh_client_alive_count_max_configure -title: "Set SSH Active Client Alive Maximum to Zero" +id: os_ssh_server_alive_count_max_configure +title: "Set SSH Active Server Alive Maximum to Zero" discussion: | - SSH _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. 
check: | - /usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config + /usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config ---- references: cce: - - CCE-84792-1 + - CCE-85380-4 cci: - - CCI-001133 + - N/A 800-53r4: - SC-10 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000052 + - N/A 800-171r2: - 3.13.9 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml new file mode 100644 index 000000000..031b1674c --- /dev/null +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -0,0 +1,40 @@ +id: os_ssh_server_alive_interval_configure +title: "Configure SSH ServerAliveInterval option set to 900 or less" +discussion: | + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. + + Setting the Active Server Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. + + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config + ---- +references: + cce: + - CCE-85381-2 + cci: + - N/A + 800-53r4: + - SC-10 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.13.9 +macOS: + - "11.0" +tags: + - 800-171 + - cnssi-1253 + - 800-53r4_moderate + - 800-53r4_high + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
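Review bot: The new fix line `/usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config` only rewrites a line that already exists; if ssh_config has no ServerAliveCountMax entry the command exits 0 without changing the file and the check keeps failing. The FIPS cipher and MAC rules in this commit use the `grep -q … && sed … || echo … >>` pattern for exactly that case, and this rule (and os_ssh_server_alive_interval_configure.yaml in the next hunk) should do the same. The discussion was carried over from the sshd rule, but on the client side ServerAliveInterval/ServerAliveCountMax are liveness probes, as far as I can tell from ssh_config(5): the client disconnects only when the server stops answering keepalives, so a session in which the user is merely idle is not terminated, and the SC-10 rationale about unattended sessions should be reworded or hedged for this rule.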
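Review bot: The discussion in the new os_ssh_server_alive_interval_configure.yaml describes the wrong option: `Active Server Alive Maximum Count set to 900 or less` and `Setting the Active Server Alive Maximum Count to 900 (second)` are the wording of the CountMax rule, while the title, check and fix configure ServerAliveInterval. Suggest `SSH _MUST_ be configured with a ServerAliveInterval of 900 seconds or less.` and `A ServerAliveInterval of 900 seconds sends a keepalive request to the server after 15 minutes without received data.` The claim that this "will log users out" after 15 minutes of inactivity is not something the client-side interval does on its own and is best dropped.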
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
new file mode 100644
index 000000000..8f9b95771
--- /dev/null
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -0,0 +1,34 @@
+id: os_sshd_client_alive_count_max_configure
+title: "Set SSHD Active Client Alive Maximum to Zero"
+discussion: |
+ If SSHD is enabled it _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
+
+ NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+check: |
+ /usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
+ ----
+references:
+ cce:
+ - CCE-85456-2
+ cci:
+ - CCI-001133
+ 800-53r4:
+ - SC-10
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - AOSX-15-000052
+ 800-171r2:
+ - 3.13.9
+macOS:
+ - "11.0"
+tags:
+ - STIG
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ssh_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
similarity index 72%
rename from rules/os/os_ssh_client_alive_interval_configure.yaml
rename to rules/os/os_sshd_client_alive_interval_configure.yaml
index 0c46f3e46..4e5aae71e 100644
--- a/rules/os/os_ssh_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
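Review bot: `ClientAliveCountMax 0` in the new fix may not do what the discussion says: sshd_config(5) in recent OpenSSH releases (8.2 onward, as far as I can tell) documents that a ClientAliveCountMax of 0 disables connection termination, so on a system whose sshd is that version or newer the setting switches the disconnect off rather than making it immediate; worth confirming against the sshd shipped with 11.0. A small positive value, e.g. `ClientAliveCountMax 1`, terminates the session after missed keepalives on both older and newer releases. As with the ssh_config rules, the plain `sed` fix makes no change when the directive is absent from sshd_config, so the `grep -q … && sed … || echo … >>` form used by the FIPS rules would make the fix reliable.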
@@ -1,7 +1,7 @@ -id: os_ssh_client_alive_interval_configure -title: "Configure SSH ClientAliveInterval option set to 900 or less" +id: os_sshd_client_alive_interval_configure +title: "Configure SSHD ClientAliveInterval option set to 900 or less" discussion: | - SSH _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. + If SSHD is enabled then it _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. Setting the Active Client Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84793-9 + - CCE-85457-0 cci: - CCI-001133 800-53r4: @@ -29,12 +29,8 @@ references: 800-171r2: - 3.13.9 macOS: - - "10.15" + - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml new file mode 100644 index 000000000..a134c573f --- /dev/null +++ b/rules/os/os_sshd_fips_140_ciphers.yaml 
@@ -0,0 +1,43 @@
+id: os_sshd_fips_140_ciphers
+title: "Limit SSHD to FIPS 140 Validated Ciphers"
+discussion: |
+ If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
+
+ Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
+
+ NOTE: /etc/ssh/sshd_config will be a
+check: |
+ /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
+ ----
+references:
+ cce:
+ - CCE-85454-7
+ cci:
+ - CCI-001133
+ 800-53r4:
+ - AC-17(2)
+ - IA-7
+ - SC-8(1)
+ - SC-13
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - AOSX-15-000053
+ 800-171r2:
+ - 3.1.13
+ - 3.13.8
+ - 3.13.11
+macOS:
+ - "11.0"
+tags:
+ - STIG
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
new file mode 100644
index 000000000..524a3898b
--- /dev/null
+++ b/rules/os/os_sshd_fips_140_macs.yaml
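Review bot: The NOTE line in the new file is truncated: `NOTE: /etc/ssh/sshd_config will be a` ends mid-sentence, whereas the sibling os_sshd_fips_140_macs.yaml carries the full text `NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.` The fix also reuses the `s/.^Ciphers.*/…/` sed expression, which cannot match a line beginning with `Ciphers` because `^` is not an anchor in the middle of a basic regular expression, so an existing non-compliant line is left untouched while the command exits 0; `s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/` is the intended pattern.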
@@ -0,0 +1,43 @@
+id: os_sshd_fips_140_macs
+title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms"
+discussion: |
+ If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.
+
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
+
+ Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
+
+ NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+check: |
+ /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
+ ----
+references:
+ cce:
+ - CCE-85453-9
+ cci:
+ - CCI-001133
+ 800-53r4:
+ - AC-17(2)
+ - IA-7
+ - SC-8(1)
+ - SC-13
+ srg:
+ - SRG-OS-000163-GPOS-00072
+ disa_stig:
+ - AOSX-15-000053
+ 800-171r2:
+ - 3.1.13
+ - 3.13.8
+ - 3.13.11
+macOS:
+ - "11.0"
+tags:
+ - STIG
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ssh_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
similarity index 76%
rename from rules/os/os_ssh_login_grace_time_configure.yaml
rename to rules/os/os_sshd_login_grace_time_configure.yaml
index 815ca3e23..f8a11627f 100644
--- a/rules/os/os_ssh_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -1,7 +1,7 @@ -id: os_ssh_login_grace_time_configure +id: os_sshd_login_grace_time_configure title: "Set Login Grace Time to 30 or Less" discussion: | - SSH _MUST_ be configured to wait only 30 seconds before timing out logon attempts. + If SSHD is enabled then it _MUST_ be configured to wait only 30 seconds before timing out logon attempts. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84796-2 + - CCE-85384-6 cci: - CCI-001133 800-53r4: @@ -27,12 +27,8 @@ references: 800-171r2: - 3.13.9 macOS: - - "10.15" + - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml similarity index 82% rename from rules/os/os_ssh_permit_root_login_configure.yaml rename to rules/os/os_sshd_permit_root_login_configure.yaml index ec5e3a4e6..02d931ae6 100644 --- a/rules/os/os_ssh_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -1,7 +1,7 @@ -id: os_ssh_permit_root_login_configure +id: os_sshd_permit_root_login_configure title: "Disable Root Login for SSH" discussion: | - To assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. + If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. @@ -18,7 +18,7 @@ fix: | ---- references: cce: - - CCE-84798-8 + - CCE-85385-3 cci: - CCI-000770 800-53r4: 
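Review bot: The rewritten discussion sentence in os_sshd_permit_root_login_configure.yaml, `If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled.`, reads as if SSH were enabled for the purpose of accountability. Suggest `If SSH is enabled, logging in as root via SSH _MUST_ be disabled to assure individual accountability and prevent unauthorized access.`, which matches the `If SSHD is enabled then it _MUST_ …` phrasing used by the login-grace-time rule in the same commit.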
@@ -28,7 +28,7 @@ references: disa_stig: - AOSX-15-001100 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: false diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml index b251cf98f..e11c2c88b 100644 --- a/rules/os/os_store_encrypted_passwords.yaml +++ b/rules/os/os_store_encrypted_passwords.yaml @@ -12,7 +12,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84879-6 + - CCE-85386-1 cci: - CCI-000196 800-53r4: @@ -28,7 +28,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml index 2ca51c04f..94baf99bd 100644 --- a/rules/os/os_sudoers_tty_configure.yaml +++ b/rules/os/os_sudoers_tty_configure.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84799-6 + - CCE-85387-9 cci: - CCI-000366 800-53r4: @@ -25,7 +25,7 @@ references: disa_stig: - AOSX-15-004021 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - STIG diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 94f4cf31e..622617ae5 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml 
@@ -3,14 +3,16 @@ title: "Ensure System Volume is Read Only" discussion: | The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. check: | - /usr/sbin/system_profiler SPStorageDataType | /usr/bin/grep "Mount Point: /$" -A2 | /usr/bin/awk -F ": " '/Writable/{print $2}' + /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' result: - string: No + string: "No" fix: | NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - - CCE-84851-5 + - CCE-85388-7 + cci: + - N/A 800-53r4: - SC-34 - SI-7 @@ -19,7 +21,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - 800-53r4_moderate - 800-53r4_high diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml index 19a3865ed..cdb872315 100644 --- a/rules/os/os_system_wide_preferences_configure.yaml +++ b/rules/os/os_system_wide_preferences_configure.yaml @@ -17,7 +17,7 @@ fix: | ---- references: cce: - - CCE-84800-2 + - CCE-85389-5 800-53r4: - AC-6 - AC-6(1) @@ -32,7 +32,7 @@ references: - 3.1.5 - 3.1.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml index dfbee4eb0..b4c01dfd4 100644 --- a/rules/os/os_terminate_session.yaml +++ b/rules/os/os_terminate_session.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84881-2 + - CCE-85390-3 cci: - CCI-000879 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000126-GPOS-00066 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index 0c9576f0e..afb19aa65 100644 
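Review bot: The new check `awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}'` prints the second field of whatever line sits two lines below `Mount Point: /`, whereas the old pipeline selected the `Writable` key inside that window; if system_profiler ever orders or wraps the fields differently the check emits an unrelated value instead of failing. Keeping the key match costs nothing: `/usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR<=x && /Writable/){print $2}'`. Quoting the expected result as `"No"` is a good change and should stay.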
--- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -16,7 +16,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-84853-1 + - CCE-85391-1 cci: - N/A 800-53r4: @@ -29,7 +29,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml index 8c298a375..8094d2e13 100644 --- a/rules/os/os_time_server_enabled.yaml +++ b/rules/os/os_time_server_enabled.yaml @@ -13,7 +13,7 @@ fix: | ---- references: cce: - - CCE-84801-0 + - CCE-85392-9 cci: - CCI-001891 - CCI-002046 @@ -27,7 +27,7 @@ references: 800-171r2: - 3.3.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml index 3c67f2c88..41c2825d0 100644 --- a/rules/os/os_touchid_prompt_disable.yaml +++ b/rules/os/os_touchid_prompt_disable.yaml @@ -3,7 +3,7 @@ title: "Disable TouchID Prompt during Setup Assistant" discussion: | The prompt for TouchID during Setup Assistant _MUST_ be disabled. - MacOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings. + macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing to enable TouchID to override organization-wide settings. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipTouchIDSetup = 1' result: @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84802-8 + - CCE-85393-7 cci: - N/A 800-53r4: @@ -25,7 +25,7 @@ references: - 3.4.1 - 3.4.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml index 0cdf711d9..c000d01e5 100644 --- a/rules/os/os_unique_identification.yaml +++ b/rules/os/os_unique_identification.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84874-7 + - CCE-85394-5 cci: - CCI-000764 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000104-GPOS-00051 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index ef2816c2d..6626ce648 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Login to Other User’s Active and Locked Sessions" discussion: | The ability to log in to another user’s active or locked session _MUST_ be disabled. - MacOS has a privilege that can be granted to any user that will allow that user to unlock active user’s sessions. Disabling the admins and/or user’s ability to log into another user’s active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user’s sessions. Disabling the admins and/or user’s ability to log into another user’s active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' result: @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84804-4 + - CCE-85395-2 cci: - N/A 800-53r4: @@ -31,7 +31,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 6814b8944..38c2b8e58 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84805-1 + - CCE-85396-0 cci: - CCI-001812 800-53r4: @@ -22,7 +22,7 @@ references: disa_stig: - AOSX-15-002067 macOS: - - "10.15" + - "11.0" tags: - STIG mobileconfig: true diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index c50385bbe..b70c2089b 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -16,7 +16,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-84806-9 + - CCE-85397-8 cci: - CCI-000381 800-53r4: @@ -29,7 +29,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml index 04a1a2c32..9174fe4d2 100644 --- a/rules/os/os_verify_remote_disconnection.yaml +++ b/rules/os/os_verify_remote_disconnection.yaml @@ -8,7 +8,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84858-0 + - CCE-85398-6 cci: - CCI-002891 800-53r4: @@ -18,7 +18,7 @@ references: srg: - SRG-OS-000395-GPOS-00175 macOS: - - "10.15" + - "11.0" tags: - STIG - inherent diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index cdba04bcb..71fe03fda 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84898-6 + - CCE-85399-4 cci: - CCI-000195 800-53r4: 
@@ -31,7 +31,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index e5e29b718..28f2ba824 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84807-7 + - CCE-85400-0 cci: - CCI-000199 800-53r4: @@ -30,7 +30,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 1663f69f5..66a7d8695 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml @@ -11,7 +11,7 @@ result: fix: | This setting may be enforced using local policy or by a directory service. - To set local policy to disable an inactive user after 35 days, edit the current password policy to contiain the followind within the "policyCategoryAuthentication": + To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the "policyCategoryAuthentication": [source,xml] ---- 
@@ -27,16 +27,16 @@ fix: | ---- - After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "/path/to/file". + After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- - /usr/bin/pwpolicy setaccountpolicies /path/to/file + /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-84808-5 + - CCE-85401-8 cci: - CCI-000795 800-53r4: @@ -49,7 +49,7 @@ references: - 3.5.5 - 3.5.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml index 524f9d0ea..9cd62d20d 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84809-3 + - CCE-85402-6 cci: - CCI-000044 - CCI-002238 @@ -27,7 +27,7 @@ references: 800-171r2: - 3.1.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml index 8ed25b330..7ccff98fc 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84810-1 + - CCE-85403-4 cci: - CCI-002238 - CCI-000366 @@ -26,7 +26,7 @@ references: 800-171r2: - 3.1.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
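Review bot: The fix command `/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file` leaves the variable unquoted, so a path containing spaces or glob characters is split or expanded when the snippet is run in a shell; `/usr/bin/pwpolicy setaccountpolicies "$pwpolicy_file"` avoids that and still works if the value is substituted at generation time. Since `$pwpolicy_file` now also appears in the prose ("in place of "$pwpolicy_file""), it would help to state once where the variable is defined (presumably by the guidance generator's fix output) so a reader running the commands by hand knows to set it. The same unquoted form appears in the corresponding hunks of pwpolicy_lower_case_character_enforce.yaml and pwpolicy_minimum_lifetime_enforce.yaml.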
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 643e09863..4997d6277 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84811-9 + - CCE-85404-2 cci: - CCI-000194 800-53r4: @@ -30,7 +30,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index b6697eb67..134ca09f3 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml @@ -16,7 +16,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84812-7 + - CCE-85405-9 cci: - CCI-001682 800-53r4: @@ -26,7 +26,7 @@ references: disa_stig: - AOSX-15-000013 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/pwpolicy/pwpolicy_force_change_password_change.yaml b/rules/pwpolicy/pwpolicy_force_change_password_change.yaml index a54a4db38..d3b756cfd 100644 --- a/rules/pwpolicy/pwpolicy_force_change_password_change.yaml +++ b/rules/pwpolicy/pwpolicy_force_change_password_change.yaml @@ -17,7 +17,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84813-5 + - CCE-85406-7 cci: - CCI-002041 800-53r4: @@ -35,7 +35,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index 1a3afb587..62071e405 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml 
@@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84814-3 + - CCE-85407-5 cci: - CCI-000200 800-53r4: @@ -29,7 +29,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 4ca83fa4c..2b3f140b2 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -11,7 +11,7 @@ result: fix: | This setting may be enforced using local policy or by a directory service. - To set local policy to require at least 1 lowercase letter, edit the current password policy to contiain the following within the "policyCategoryPasswordContent": + To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": [source,xml] ---- @@ -27,16 +27,16 @@ fix: | ---- - After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "/path/to/file". + After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- - /usr/bin/pwpolicy setaccountpolicies /path/to/file + /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-84815-0 + - CCE-85408-3 cci: - CCI-000193 800-53r4: @@ -54,7 +54,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index c6845fd6e..2ec566738 100644 
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84816-8 + - CCE-85409-1 cci: - CCI-000205 800-53r4: @@ -30,7 +30,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index dc863d590..3de4451d7 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -11,7 +11,7 @@ result: fix: | This setting may be enforced using local policy or by a directory service. - To set local policy to require a minimum password lifetime, edit the current password policy to contiain the following within the "policyCategoryPasswordContent": + To set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the "policyCategoryPasswordContent": [source,xml] ---- @@ -27,16 +27,16 @@ fix: | ---- - After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "/path/to/file". + After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- - /usr/bin/pwpolicy setaccountpolicies /path/to/file + /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-84817-6 + - CCE-85410-9 cci: - N/A 800-53r4: @@ -51,7 +51,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 9f0ab7af8..69d2869c3 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84910-9 + - CCE-85411-7 cci: - CCI-000366 800-53r4: @@ -22,7 +22,7 @@ references: srg: - SRG-OS-000480-GPOS-00225 macOS: - - "10.15" + - "11.0" tags: - STIG - permanent diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index 9462103ad..54d072510 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84818-4 + - CCE-85412-5 cci: - N/A 800-53r4: @@ -30,7 +30,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 7cb6a682c..7c44e7fcc 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84819-2 + - CCE-85413-3 cci: - CCI-001619 800-53r4: @@ -32,7 +32,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index cb70d0a3d..8699bd7ef 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml 
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml @@ -14,7 +14,7 @@ fix: | The technology inherently meets this requirement. No fix is required. references: cce: - - CCE-84820-0 + - CCE-85414-1 cci: - CCI-000016 800-53r4: @@ -24,7 +24,7 @@ references: disa_stig: - AOSX-15-000012 macOS: - - "10.15" + - "11.0" tags: - cnssi-1253 - 800-53r4_moderate diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 59f3131d4..05f30e8f5 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -11,7 +11,7 @@ result: fix: | This setting may be enforced using local policy or by a directory service. - To set local policy to require at least 1 lowercase letter, edit the current password policy to contiain the following within the "policyCategoryPasswordContent": + To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": [source,xml] ---- @@ -27,10 +27,16 @@ fix: | ---- + After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". + + [source,bash] + ---- + /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file + ---- NOTE: See the password policy supplemental on more information on how to implement password policies on macOS. references: cce: - - CCE-84821-8 + - CCE-85415-8 cci: - CCI-000192 800-53r4: @@ -48,7 +54,7 @@ references: - 3.5.9 - 3.5.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index a67c6da9c..ba0a2a8f8 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
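Review bot: The corrected line in pwpolicy_upper_case_character_enforce.yaml (hunk `@@ -11,7 +11,7 @@`) still reads "require at least 1 lowercase letter", which is the text of the lower-case rule; only the typo was fixed, not the copied wording. It should read `To set local policy to require at least 1 uppercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent":`. The `fix:` block this line belongs to continues past the hunk, so the XML snippet that follows should be checked for the same copy-paste origin.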
@@ -1,7 +1,7 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4 can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 4) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 4) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 4) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 4) are not applicable. This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 4) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. 
@@ -12,7 +12,7 @@ discussion: | |Access Control (AC) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/AC-1[AC-1], link:https://nvd.nist.gov/800-53/Rev4/control/AC-2[AC-2], link:https://nvd.nist.gov/800-53/Rev4/control/AC-14[AC-14], link:https://nvd.nist.gov/800-53/Rev4/control/AC-22[AC-22] + |link:https://nvd.nist.gov/800-53/Rev4/control/AC-1[AC-1], link:https://nvd.nist.gov/800-53/Rev4/control/AC-2[AC-2], link:https://nvd.nist.gov/800-53/Rev4/control/AC-14[AC-14], link:https://nvd.nist.gov/800-53/Rev4/control/AC-17?#enhancement-4[AC-17(4)], link:https://nvd.nist.gov/800-53/Rev4/control/AC-22[AC-22] |=== @@ -73,7 +73,7 @@ discussion: | |Identification and Authentication (IA) |Controls - |link:https://nvd.nist.gov/800-53/Rev4/control/IA-1[IA-1], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?baseline=low#enhancement-1[IA-8(1)],link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?baseline=low#enhancement-2[IA-8(2)],link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?baseline=low#enhancement-3[IA-8(3)],link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?baseline=low#enhancement-4[IA-8(4)] + |link:https://nvd.nist.gov/800-53/Rev4/control/IA-1[IA-1], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-1[IA-8(1)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-2[IA-8(2)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-3[IA-8(3)], link:https://nvd.nist.gov/800-53/Rev4/control/IA-8?#enhancement-4[IA-8(4)] |=== [cols="15%h, 85%a"] @@ -188,7 +188,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index ad1212f42..0ecb02706 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml 
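Review bot: The rewritten links in supplemental_controls.yaml use an empty query string before the fragment, `AC-17?#enhancement-4` and `IA-8?#enhancement-1` through `-4`, which is a leftover from dropping `?baseline=low`. Unless the NVD site requires the bare `?`, the cleaner form is `link:https://nvd.nist.gov/800-53/Rev4/control/AC-17#enhancement-4[AC-17(4)]` and likewise for the four IA-8 entries.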
@@ -4,7 +4,7 @@ discussion: | The supplemental guidance found in this section is applicable for the following rules: * sysprefs_filevault_enforce - In macOS 10.15 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault. + In macOS 11 the internal Apple File System (APFS) volume (including both system and data storage) can be protected by FileVault. NOTE: On non-T2 hardware, FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with the T2 chip utilize the hardware security features of the chip. FileVault is described in detail here: link:https://support.apple.com/guide/security/when-filevault-is-turned-on-sec4c6dc1b6e/1/web/1[]. @@ -63,7 +63,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 2661b7aa0..9fe2f03a1 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml @@ -113,7 +113,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index d4539241a..3b1011d8b 100644 --- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -22,11 +22,11 @@ discussion: | include::../../includes/pwpolicy.xml[] ---- - Run the following command to load the new policy file, substituting the path to the file in place of "/path/to/file". + Run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- - /usr/bin/pwpolicy setaccountpolicies /path/to/file + /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- [NOTE] 
@@ -45,7 +45,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - supplemental mobileconfig: false diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml index 4f8152d54..a13fc1207 100644 --- a/rules/supplemental/supplemental_smartcard.yaml +++ b/rules/supplemental/supplemental_smartcard.yaml @@ -231,7 +231,7 @@ references: disa_stig: - N/A macOS: - - "10.15" + - "11.0" tags: - supplemental mobileconfig: false diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml index b62298a54..9a8d56d56 100644 --- a/rules/sysprefs/sysprefs_afp_disable.yaml +++ b/rules/sysprefs/sysprefs_afp_disable.yaml @@ -16,7 +16,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-84823-4 + - CCE-85416-6 cci: - CCI-000381 800-53r4: @@ -29,7 +29,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml index b46a415aa..783207a36 100644 --- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84824-2 + - CCE-85418-2 cci: - CCI-000056 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml index e9316b34a..3e08d526e 100644 --- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml +++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84825-9 + - CCE-85419-0 cci: - CCI-000366 800-53r4: 
@@ -26,7 +26,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml index 2a3f1ad66..d84e61177 100644 --- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml @@ -2,6 +2,11 @@ id: sysprefs_bluetooth_disable title: "Disable Bluetooth When no Approved Device is Connected" discussion: | The macOS system _MUST_ be configured to disable Bluetooth unless there is an approved device connected. + + [IMPORTANT] + ==== + Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableBluetooth = 1' result: @@ -10,7 +15,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84826-7 + - CCE-85420-8 cci: - CCI-002418 800-53r4: @@ -23,7 +28,7 @@ references: 800-171r2: - 3.13.8 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml index 167f35c4f..1047d9bbf 100644 --- a/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-84827-5 + - CCE-85421-6 cci: - N/A 800-53r4: @@ -42,7 +42,7 @@ references: - 3.1.16 - 3.4.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_content_caching_disable.yaml b/rules/sysprefs/sysprefs_content_caching_disable.yaml index 52d2127a5..76cc3d9b7 100644 --- a/rules/sysprefs/sysprefs_content_caching_disable.yaml +++ b/rules/sysprefs/sysprefs_content_caching_disable.yaml 
@@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84828-3 + - CCE-85422-4 cci: - N/A 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml index 871db45b2..c29fe813a 100644 --- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml +++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84829-1 + - CCE-85423-2 cci: - CCI-000382 800-53r4: @@ -25,7 +25,7 @@ references: 800-171r2: - 3.1.20 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_enforce_auto_logout.yaml b/rules/sysprefs/sysprefs_enforce_auto_logout.yaml index a97489fdd..c3e6f9790 100644 --- a/rules/sysprefs/sysprefs_enforce_auto_logout.yaml +++ b/rules/sysprefs/sysprefs_enforce_auto_logout.yaml @@ -4,13 +4,18 @@ discussion: | Auto logout _MUST_ be configured to automatically terminate a user session and log out the after 86400 seconds (24 hours) of inactivity. NOTE:The maximum that macOS can be configured for autologoff is 86400 seconds (24 hours). + + [IMPORTANT] + ==== + The 24-hour automatic logout may cause disruptions to an organization’s workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting. + ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"com.apple.autologout.AutoLogOutDelay" = 86400' fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84870-5 + - CCE-85424-0 cci: - CCI-002361 800-53r4: @@ -22,7 +27,7 @@ references: 800-171r2: - 3.1.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml index feb423dfa..4cf02c3f2 100644 --- a/rules/sysprefs/sysprefs_filevault_enforce.yaml +++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml @@ -12,7 +12,7 @@ fix: | NOTE: See the FileVault supplemental to implement this rule. references: cce: - - CCE-84830-9 + - CCE-85425-7 cci: - CCI-001199 - CCI-002475 @@ -29,7 +29,7 @@ references: 800-171r2: - 3.13.16 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_find_my_disable.yaml b/rules/sysprefs/sysprefs_find_my_disable.yaml index 72ef5c5ec..490f79e1f 100644 --- a/rules/sysprefs/sysprefs_find_my_disable.yaml +++ b/rules/sysprefs/sysprefs_find_my_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84831-7 + - CCE-85426-5 cci: - N/A 800-53r4: @@ -29,7 +29,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index 578d792d4..81fc892a7 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84832-5 + - CCE-85427-3 cci: - CCI-000366 800-53r4: @@ -38,7 +38,7 @@ references: - 3.13.2 - 3.13.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index 618c6c27a..af9a342fb 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml 
@@ -4,6 +4,11 @@ discussion: | Firewall Stealth Mode _MUST_ be enabled. When stealth mode is enabled, the Mac will not respond to any probing requests, and only requests from authorized applications will still be authorized. + + [IMPORTANT] + ==== + Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode. + ==== check: | /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | /usr/bin/grep -c "Stealth mode enabled" result: @@ -15,7 +20,7 @@ fix: | ---- references: cce: - - CCE-84833-3 + - CCE-85428-1 800-53r4: - SC-7 - CM-7 @@ -32,7 +37,7 @@ references: - 3.13.2 - 3.13.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml index fdd93994a..620ed0b60 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84834-1 + - CCE-85429-9 cci: - CCI-000366 800-53r4: @@ -30,7 +30,7 @@ references: 800-171r2: - 3.4.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml index 97d0035ee..3460cdfed 100644 --- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml +++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml @@ -18,7 +18,7 @@ fix: | NOTE - This will apply to the whole system references: cce: - - CCE-84835-8 + - CCE-85430-7 cci: - CCI-000366 800-53r4: 
@@ -31,7 +31,7 @@ references: 800-171r2: - 3.4.5 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml index 695c5e9ef..d72b471eb 100644 --- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml +++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84836-6 + - CCE-85431-5 cci: - CCI-000060 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml index edcd0d927..f1595b3d5 100644 --- a/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml +++ b/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml @@ -12,7 +12,9 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84912-5 + - CCE-85432-3 + cci: + - N/A 800-53r4: - CM-7 - AC-20 @@ -21,7 +23,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml index 3ccc366b9..9b2b2a9ed 100644 --- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84837-4 + - CCE-85433-1 cci: - CCI-000381 800-53r4: @@ -26,7 +26,7 @@ references: - 3.1.3 - 3.1.20 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml index 7abd5bfbb..d327a9c0f 100644 --- a/rules/sysprefs/sysprefs_location_services_disable.yaml 
+++ b/rules/sysprefs/sysprefs_location_services_disable.yaml @@ -15,7 +15,7 @@ fix: | ---- references: cce: - - CCE-84838-2 + - CCE-85434-9 cci: - CCI-000381 800-53r4: @@ -27,7 +27,7 @@ references: 800-171r2: - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index 7fc68605d..d984852b0 100644 --- a/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84839-0 + - CCE-85435-6 cci: - N/A 800-53r4: @@ -25,7 +25,7 @@ references: - 3.5.1 - 3.5.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index df117c6a3..7c00e6dd4 100644 --- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml @@ -14,7 +14,7 @@ fix: | NOTE: Even if the user enables this service, the firewall is configured to block access to it. See Firewall Supplemental which includes a script that has an example policy to implement this rule. references: cce: - - CCE-84771-5 + - CCE-85436-4 800-53r4: - AC-3 srg: @@ -27,7 +27,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - STIG diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml index e59337ebd..018791ac2 100644 --- a/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84840-8 + - CCE-85437-2 cci: - CCI-000366 800-53r4: 
@@ -24,7 +24,7 @@ references: 800-171r2: - 3.5.11 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_ad_tracking_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml similarity index 73% rename from rules/sysprefs/sysprefs_ad_tracking_disable.yaml rename to rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index b2153aa26..98a6d89ed 100644 --- a/rules/sysprefs/sysprefs_ad_tracking_disable.yaml +++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -1,18 +1,18 @@ -id: sysprefs_ad_tracking_disable -title: "Disable Ad Tracking" +id: sysprefs_personalized_advertising_disable +title: "Disable Personalized Advertising" discussion: | Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users’ interests and deliver targeted advertisements. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceLimitAdTracking = 1;' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowApplePersonalizedAdvertising = 0;' result: integer: 1 fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84822-6 + - CCE-85438-0 cci: - N/A 800-53r4: @@ -26,7 +26,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 @@ -37,4 +37,4 @@ tags: mobileconfig: true mobileconfig_info: com.apple.AdLib: - forceLimitAdTracking: true + allowApplePersonalizedAdvertising: false diff --git a/rules/sysprefs/sysprefs_power_nap_disable.yaml b/rules/sysprefs/sysprefs_power_nap_disable.yaml index 2f18cca62..e55981610 100644 --- a/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -24,7 +24,7 @@ fix: | ---- references: cce: - - CCE-84780-6 + - CCE-85439-8 800-53r4: - CM-7 disa_stig: 
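Review bot: The renamed rule sysprefs_personalized_advertising_disable.yaml changes its title, check key and payload to `allowApplePersonalizedAdvertising`, but the unchanged `discussion:` still says "Ad tracking and targeted ads _MUST_ be disabled" and "Disabling ad tracking ensures...", which describes the retired `forceLimitAdTracking` mechanism. Consider opening the discussion with `Apple personalized advertising _MUST_ be disabled.` and explaining that the `com.apple.AdLib` key `allowApplePersonalizedAdvertising` set to `false` is what the check verifies, so readers comparing the rule against a deployed profile look for the right key.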
@@ -36,7 +36,7 @@ references: 800-171r2: - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml index d79008f78..4bf44156c 100644 --- a/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/rules/sysprefs/sysprefs_rae_disable.yaml @@ -17,7 +17,7 @@ fix: | NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires UAMDM. references: cce: - - CCE-84841-6 + - CCE-85440-6 cci: - CCI-000382 800-53r4: @@ -30,7 +30,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index e89cdad96..3c28586da 100644 --- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -16,7 +16,7 @@ fix: | NOTE - This will apply to the whole system references: cce: - - CCE-84842-4 + - CCE-85441-4 cci: - CCI-000366 800-53r4: @@ -30,7 +30,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index 8f3825355..87aebdd33 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84785-5 + - CCE-85442-2 cci: - CCI-000056 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 3534142f0..665153154 100644 
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84787-1 + - CCE-85443-0 cci: - CCI-000056 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index e930bcf22..79b923f61 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84788-9 + - CCE-85444-8 cci: - CCI-000057 800-53r4: @@ -24,7 +24,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml index 1f56c559b..d1eec4feb 100644 --- a/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_disable.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84843-2 + - CCE-85445-5 cci: - CCI-000381 - CCI-001774 @@ -28,7 +28,7 @@ references: - 3.1.20 - 3.4.6 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml index b56688c3b..51c182ae4 100644 --- a/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -16,7 +16,7 @@ fix: | The system may need to be restarted for the update to take effect. references: cce: - - CCE-84844-0 + - CCE-85446-3 cci: - CCI-000381 800-53r4: @@ -29,7 +29,7 @@ references: - 3.1.1 - 3.1.2 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 
diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml new file mode 100644 index 000000000..5ee9d5a3a --- /dev/null +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -0,0 +1,45 @@ +id: sysprefs_ssh_disable +title: "Disable SSH Server for Remote Access Sessions" +discussion: | + SSH service _MUST_ be disabled for remote access. + + Remote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access. +check: | + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' +result: + integer: 1 +fix: | + [source,bash] + ---- + /bin/launchctl disable system/com.openssh.sshd + ---- +references: + cce: + - CCE-85447-1 + cci: + - N/A + 800-53r4: + - AC-3 + - CM-7 + - IA-2(8) + - IA-2(9) + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.1.1 + - 3.1.2 + - 3.4.6 + - 3.5.4 +macOS: + - "11.0" +tags: + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml index 0c1e36671..18535156b 100644 --- a/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml 
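Review bot: The new rule sysprefs_ssh_disable.yaml is assigned `CCE-85447-1`, and the very next file in this diff, sysprefs_ssh_enable.yaml, is changed to the same `CCE-85447-1`; CCE identifiers are meant to be unique per rule, and the generated XCCDF/datastream content will carry the duplicate. One of the two rules needs its own identifier (`CCE-<placeholder>`), presumably this new one since the other rule already existed. Also worth noting in `discussion:` that `launchctl print-disabled system` reflects launchd's disabled-services table rather than whether sshd is currently running, so the check passes once the service is disabled even before a restart.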
@@ -1,21 +1,19 @@ id: sysprefs_ssh_enable -title: "Enable SSH for Remote Access Sessions" +title: "Enable SSH Server for Remote Access Sessions" discussion: | - SSH service _MUST_ be enabled for remote access. - Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | - /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => false' + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' result: integer: 1 fix: | [source,bash] ---- - /bin/launchctl enable system/com.openssh.sshd + /bin/launchctl disable system/com.openssh.sshd ---- references: cce: - - CCE-84845-7 + - CCE-85447-1 cci: - CCI-001941 - CCI-001942 @@ -28,15 +26,7 @@ references: - CCI-000068 - CCI-002418 800-53r4: - - AC-17(2) - - AC-17(4) - - IA-2(8) - - IA-2(9) - - MA-4(6) - - MA-4 - - SC-8 - - SC-8(1) - - SC-8(2) + - N/A srg: - SRG-OS-000393-GPOS-00173 - SRG-OS-000394-GPOS-00174 @@ -56,18 +46,10 @@ references: - AOSX-15-000011 - AOSX-15-000010 800-171r2: - - 3.1.13 - - 3.1.15 - - 3.5.4 - - 3.7.5 - - 3.13.8 + - N/A macOS: - - "10.15" + - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml index 7977aa7e1..091954118 100644 --- a/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/rules/sysprefs/sysprefs_time_server_configure.yaml 
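Review bot: `sysprefs_ssh_enable.yaml` now carries the content of the disable rule: in the `@@ -1,21 +1,19 @@` hunk the check greps for `'"com.openssh.sshd" => true'` (service disabled), the fix runs `/bin/launchctl disable system/com.openssh.sshd`, and the CCE becomes `CCE-85447-1`, the same identifier the new sysprefs_ssh_disable.yaml assigns in this commit. A CCE must identify exactly one configuration statement, so two rules sharing it will collide in the generated guidance and SCAP content; the `@@ -28,15 +26,7 @@` and `@@ -56,18 +46,10 @@` hunks also replace the 800-53r4 and 800-171r2 mappings with `N/A` while the CCI list and the AOSX STIG ids that justify the rule are kept, which leaves the references inconsistent. The enable rule should retain `'"com.openssh.sshd" => false'`, `/bin/launchctl enable system/com.openssh.sshd` and its control mappings, with a distinct CCE (`CCE-<allocated for sysprefs_ssh_enable>` as a placeholder); if the intent is to retire the enable rule, delete the file instead of overwriting it.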
@@ -5,14 +5,14 @@ discussion: | This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk -F "= " '/timeServer/{print $2}' | /usr/bin/tr -d ';' + /usr/bin/profiles -P -o stdout | /usr/bin/awk -F "= " '/timeServer/{print $2}' | /usr/bin/tr -d ';' | /usr/bin/tr -d '"' result: string: "time-a.nist.gov,time-b.nist.gov" fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84846-5 + - CCE-85448-9 cci: - CCI-001891 - CCI-002046 @@ -26,7 +26,7 @@ references: 800-171r2: - 3.3.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml index 2e0203baf..7b2da625e 100644 --- a/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -12,7 +12,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84847-3 + - CCE-85449-7 cci: - CCI-001891 - CCI-002046 @@ -26,7 +26,7 @@ references: 800-171r2: - 3.3.7 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml index b8bcfffbb..2feb6b232 100644 --- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml 
@@ -4,6 +4,11 @@ discussion: | The screen lock _MUST_ be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token. + + [IMPORTANT] + ==== + Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization. + ==== check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'tokenRemovalAction = 1' result: @@ -12,7 +17,7 @@ fix: This is implemented by a Configuration Profile. references: cce: - - CCE-84848-1 + - CCE-85450-5 cci: - CCI-000058 800-53r4: @@ -24,7 +29,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index c0594882c..57bb545cf 100644 --- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml @@ -14,7 +14,7 @@ fix: | This is implemented by a Configuration Profile. references: cce: - - CCE-84849-9 + - CCE-85451-3 cci: - CCI-000056 800-53r4: @@ -26,7 +26,7 @@ references: 800-171r2: - 3.1.10 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml index 1532c65c2..099672dd9 100644 --- a/rules/sysprefs/sysprefs_wifi_disable.yaml 
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -12,7 +12,7 @@ fix: | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. references: cce: - - CCE-84850-7 + - CCE-85452-1 cci: - CCI-001967 - CCI-001443 @@ -33,7 +33,7 @@ references: - 3.1.3 - 3.1.17 macOS: - - "10.15" + - "11.0" tags: - 800-171 - cnssi-1253 diff --git a/scripts/KNOWN_ISSUES b/scripts/KNOWN_ISSUES index 8b1378917..db1da8a2b 100644 --- a/scripts/KNOWN_ISSUES +++ b/scripts/KNOWN_ISSUES @@ -1 +1,3 @@ +Known Issues: +Automation of the password policy remediation is not currently implemented in the compliance script. The path to your pwpolicy.xml must be defined in the compliance script in the variables section, line 433. \ No newline at end of file diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index f2cdf78a9..995ce68c6 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # filename: generate_guidance.py -# description: Process a given baseline, and output guidance files +# description: Process a given keyword, and output a baseline file import os.path import glob @@ -120,7 +120,7 @@ def collect_rules(): return all_rules def create_args(): - """configure the arguments used in the script, returns the parsed arguements + """configure the arguments used in the script, returns the parsed arguments """ parser = argparse.ArgumentParser( description='Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.') @@ -181,7 +181,7 @@ def available_tags(all_rules): print(tag) return -def output_baseline(rules, keyword): +def output_baseline(rules, os, keyword): inherent_rules = [] permanent_rules = [] na_rules = [] 
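Review bot: The new parameter in `def output_baseline(rules, os, keyword):` shadows the `os` module that generate_baseline.py imports (`import os.path` is visible in the `@@ -1,6 +1,6 @@` hunk), so any `os.path`/`os.getcwd` use inside the function body — which lies outside this hunk — would now call into a string. Renaming it `os_version` avoids the shadowing and reads better in the two f-strings of the `@@ -205,8 +205,8 @@` hunk and the call in the `@@ -310,7 +314,8 @@` hunk: `def output_baseline(rules, os_version, keyword):`. A one-line docstring stating that `os_version` is the macOS version string taken from VERSION.yaml would also help, since the function previously hard-coded it.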
@@ -205,8 +205,8 @@ def output_baseline(rules, keyword): if section_name not in sections: sections.append(section_name) - output_text = f'title: "macOS 10.15: Security Configuration - {keyword}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS 10.15 system against the {keyword} baseline.\n' + output_text = f'title: "macOS {os}: Security Configuration - {keyword}"\n' + output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n' output_text += 'profile:\n' if len(other_rules) > 0: @@ -257,9 +257,10 @@ def main(): # stash current working directory original_working_directory = os.getcwd() - all_rules = collect_rules() # switch to the scripts directory os.chdir(file_dir) + + all_rules = collect_rules() if args.list_tags: available_tags(all_rules) @@ -292,11 +293,14 @@ def main(): os.makedirs(build_path) except OSError: print(f"Creation of the directory {build_path} failed") - baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') except IOError as msg: parser.error(str(msg)) - + + version_file = os.path.join(parent_dir, "VERSION.yaml") + with open(version_file) as r: + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + found_rules = [] for rule in all_rules: if args.keyword in rule.rule_tags or args.keyword == "all": @@ -310,7 +314,8 @@ def main(): print("No rules found for the keyword provided, please verify from the following list:") available_tags(all_rules) else: - baseline_output_file.write(output_baseline(found_rules, args.keyword)) + baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') + baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], args.keyword)) # finally revert back to the prior directory os.chdir(original_working_directory) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index bb0fa67aa..c402a8e3e 100755 
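Review bot: In the `@@ -310,7 +314,8 @@` hunk the output file is opened inside the `else:` branch, outside the `try`/`except IOError` that previously wrapped the `open()` call (see the `@@ -292,11 +293,14 @@` hunk), so a permission or path error now escapes as a traceback instead of reaching `parser.error`; the handle is also never closed. Replace the two added lines with `with open(f"{build_path}/{args.keyword}.yaml", 'w') as baseline_output_file:` / `    baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], args.keyword))` and keep the IOError handling around the write. `version_yaml["os"]` raises KeyError if VERSION.yaml lacks an `os` key; if that is a realistic state, a `parser.error` with a clear message is friendlier. `main()` starts and ends outside these hunks.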
--- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -428,6 +428,10 @@ def generate_script(baseline_name, build_path, baseline_yaml): ## This script is provided as-is and should be fully tested on a system that is not in a production environment. +################### Variables ################### + +pwpolicy_file="" + ################### COMMANDS START BELOW THIS LINE ################### ## Must be run as root @@ -461,6 +465,11 @@ def generate_script(baseline_name, build_path, baseline_yaml): }} ask() {{ + # if fix flag is passed, assume YES for everything + if [[ $fix ]]; then + return 0 + fi + while true; do if [ "${{2:-}}" = "Y" ]; then @@ -580,6 +589,29 @@ def generate_script(baseline_name, build_path, baseline_yaml): nist_80053r4 = 'N/A' else: nist_80053r4 = rule_yaml['references']['800-53r4'] + + try: + rule_yaml['references']['disa_stig'] + except KeyError: + stig_ref = rule_yaml['id'] + else: + if rule_yaml['references']['disa_stig'][0] == "N/A": + stig_ref = [rule_yaml['id']] + else: + stig_ref = rule_yaml['references']['disa_stig'] + + try: + rule_yaml['references']['ASCS'] + except KeyError: + ascs_ref = '' + else: + ascs_ref = rule_yaml['references']['ASCS'] + + if "STIG" in baseline_yaml['title']: + logging.debug(f'Setting STIG reference for logging: {stig_ref}') + log_reference_id = stig_ref + else: + log_reference_id = [rule_yaml['id']] # group the controls nist_80053r4.sort() 
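Review bot: In the `@@ -580,6 +589,29 @@` hunk `stig_ref` has inconsistent types: the `except KeyError:` branch assigns the bare string `rule_yaml['id']` while the other two branches assign lists, so for a STIG baseline whose rule lacks a `disa_stig` key, `log_reference_id = stig_ref` hands a string to the `','.join(log_reference_id)` in the following hunk and the id is logged as comma-separated characters. Change the except branch to `stig_ref = [rule_yaml['id']]`. `rule_yaml['references']['disa_stig'][0]` would also raise IndexError on an empty list; `if not rule_yaml['references']['disa_stig'] or rule_yaml['references']['disa_stig'][0] == "N/A":` covers both. `ascs_ref` is computed but not consumed within the hunk — confirm it is used later in `generate_script`, which continues outside the hunk.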
@@ -614,18 +646,19 @@ def generate_script(baseline_name, build_path, baseline_yaml): zsh_check_text = """ #####----- Rule: {0} -----##### ## Addresses the following NIST 800-53 controls: {1} -echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" +#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log" +unset result_value result_value=$({2}) # expected result {3} if [[ $result_value == "{4}" ]]; then - echo "{0} passed..." | tee -a "$audit_log" + echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" defaults write "$audit_plist" {0} -bool NO else - echo "{0} FAILED..." | tee -a "$audit_log" + echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" defaults write "$audit_plist" {0} -bool YES fi - """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value) + """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ','.join(log_reference_id)) check_function_string = check_function_string + zsh_check_text 
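Review bot: In the new `echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")"` lines the inner `"` characters close and reopen the outer shell string, so the substituted expected value is emitted unquoted; for simple values this prints correctly, but an expected result containing whitespace or glob characters would be word-split or expanded by zsh. Escaping the inner quotes in the Python template, `Expected: \\"{3}\\"`, keeps them literal in the generated script. The commented-out `#echo 'Running the command ...'` line is dead text in every generated check and is better removed than kept. `generate_script` starts and ends outside the hunk.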
@@ -664,24 +697,33 @@ def generate_script(baseline_name, build_path, baseline_yaml): lastComplianceScan=$(defaults read "$audit_plist" lastComplianceCheck) echo "Results written to $audit_plist" -pause +if [[ ! $check ]];then + pause +fi + } run_fix(){ if [[ ! -e "$audit_plist" ]]; then echo "Audit plist doesn't exist, please run Audit Check First" | tee -a "$audit_log" - pause - show_menus - read_options -fi + if [[ ! $fix ]]; then + pause + show_menus + read_options + else + exit 1 + fi +fi -ask 'THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER. WOULD YOU LIKE TO CONTINUE? ' N +if [[ ! $fix ]]; then + ask 'THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. 
IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER. WOULD YOU LIKE TO CONTINUE? ' N -if [[ $? != 0 ]]; then - show_menus - read_options + if [[ $? != 0 ]]; then + show_menus + read_options + fi fi # append to existing logfile @@ -693,10 +735,25 @@ def generate_script(baseline_name, build_path, baseline_yaml): # write the footer for the script zsh_fix_footer = """ } -while true; do - show_menus - read_options -done + +# check for command line arguments, if --check or --fix, then just do them. +if (( # >= 2));then + echo "Too many arguments. Usage: $0 [--check| --fix]" + exit 1 +fi + +zparseopts -D -E -check=check -fix=fix + +if [[ $check ]];then + run_scan +elif [[ $fix ]];then + run_fix +else + while true; do + show_menus + read_options + done +fi """ #write out the compliance script @@ -795,7 +852,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(counter, 4, mechanism, top) sheet1.col(4).width = 256 * 25 - sheet1.write(counter, 5, rule.rule_check, topWrap) + sheet1.write(counter, 5, rule.rule_check.replace("\|", "|"), topWrap) sheet1.col(5).width = 750 * 50 sheet1.write(counter, 6, str(rule.rule_result_value), topWrap) @@ -834,7 +891,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.col(10).width = 500 * 15 disa_refs = (str(rule.rule_disa_stig)).strip('[]\'') - disa_refs = srg_refs.replace(", ", "\n").replace("\'", "") + disa_refs = disa_refs.replace(", ", "\n").replace("\'", "") sheet1.write(counter, 11, disa_refs, topWrap) sheet1.col(11).width = 500 * 15 
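Review bot: In the `@@ -693,10 +735,25 @@` hunk, `zparseopts -D -E -check=check -fix=fix` leaves unrecognized arguments in place and the only guard is the `>= 2` argument count, so a single mistyped option (or any stray argument) falls through to the interactive menu silently; `--check --fix` together also silently runs only the scan. Adding `if (( $# > 0 )); then echo "Unknown argument: $1. Usage: $0 [--check| --fix]"; exit 1; fi` after the `zparseopts` line rejects leftovers. Since `ask()` (hunk `@@ -461,6 +465,11 @@`) returns 0 for every prompt when `$fix` is set, the usage text should state that `--fix` applies all remediations without confirmation. These lines are inside the `zsh_fix_footer` string of `generate_script`, whose enclosing Python function starts and ends outside the hunk.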
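Review bot: In the `@@ -795,7 +852,7 @@` hunk the literal `"\|"` is an invalid escape sequence: CPython emits a DeprecationWarning for it (a SyntaxWarning from 3.12) and only happens to keep the backslash. Write it as a raw string so the intent — strip the asciidoc-escaped pipe — is explicit: `sheet1.write(counter, 5, rule.rule_check.replace(r"\|", "|"), topWrap)`. `generate_xls` starts and ends outside the hunk.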
@@ -924,7 +981,7 @@ def create_args(): parser.add_argument("-d", "--debug", default=None, help=argparse.SUPPRESS, action="store_true") parser.add_argument("-l", "--logo", default=None, - help="Full path to logo file to be inlcuded in the guide.", action="store") + help="Full path to logo file to be included in the guide.", action="store") parser.add_argument("-p", "--profiles", default=None, help="Generate configuration profiles for the rules.", action="store_true") parser.add_argument("-s", "--script", default=None, @@ -1084,6 +1141,7 @@ def main(): stig_attribute=adoc_STIG_show, srg_attribute=adoc_SRG_show, version=version_yaml['version'], + os_version=version_yaml['os'], release_date=version_yaml['date'] ) diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py index 6bcbbb7e2..b4ca01986 100755 --- a/scripts/yaml-to-oval.py +++ b/scripts/yaml-to-oval.py @@ -8,12 +8,14 @@ import re import warnings from pathlib import Path +from datetime import datetime warnings.filterwarnings("ignore", category=DeprecationWarning) def main(): - + now = datetime.now() + date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S") output = "" parser = argparse.ArgumentParser(description='Given a profile, create oval checks.') parser.add_argument("baseline", default=None, help="Baseline YAML file used to create the oval.", type=argparse.FileType('rt')) @@ -62,11 +64,11 @@ def main(): xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"> 5.11.2 - 2020-05-01T17:05:02-05:00 - Copyright (c) 2020, Bob. + {} + Copyright (c) 2020, NIST. macOS Security Compliance Project - ''' + '''.format(date_time_string) oval_definition = "" oval_test = "" oval_object = "" @@ -541,6 +543,9 @@ def main(): x += 1 continue if "csrutil" in command[3]: + if "authenticated-root" in command[3]: + print(rule_yaml['id'] + " - No relevant oval test") + continue oval_definition = oval_definition + ''' 
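Review bot: In the `@@ -8,12 +8,14 @@` hunk of yaml-to-oval.py, `now.strftime("%Y-%m-%dT%H:%M:%S")` drops the UTC offset that the hard-coded value it replaces carried (`-05:00`), so the OVAL `timestamp` is now a zone-less local time that consumers cannot place unambiguously. Use `datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")` with `from datetime import datetime, timezone`, or `datetime.now().astimezone().isoformat(timespec="seconds")`. The copyright year stays hard-coded as `2020` next to a now-dynamic timestamp; `now.year` would keep the two consistent. `main()` starts and ends outside the hunk.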
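Review bot: In the `@@ -541,6 +543,9 @@` hunk the new `authenticated-root` skip path issues `continue` without the `x += 1` that the skip path immediately above it performs; if `x` tracks the position in the rule list, this path would leave it out of step. Either add `x += 1` before the new `continue` or, if the counter is not needed here, a short comment `# authenticated-root has no OVAL equivalent; counter unchanged on purpose` would stop the next reader from "fixing" it. `main()` starts and ends outside the hunk.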
diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc index 815d6cf9a..f21e5734f 100644 --- a/templates/adoc_header.adoc +++ b/templates/adoc_header.adoc @@ -30,6 +30,7 @@ ifdef::backend-html5[] :document-title: $html_title :document-subtitle: $html_subtitle :version: $version ($release_date) +:os: $os_version $tag_attribute [cols="55s"] @@ -39,7 +40,7 @@ $tag_attribute [cols="^.^1s",width="100%"] |====== -|+++














+|+++














+++{document-title}+++
+++{document-subtitle}+++
+++{version}+++



























+++ |======