Merge branch 'big_sur' into main
robertgendler committed Mar 18, 2021
2 parents 3de0557 + 9156125 commit ebca093
Showing 210 changed files with 1,707 additions and 696 deletions.
24 changes: 24 additions & 0 deletions CHANGELOG.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,30 @@

This document provides a high-level view of the changes to the macOS Security Compliance Project.

== [Big Sur, Revision 2] - 2021-03-18

* Rules
** Fixed Rules

* Baselines
** Added DISA-STIG

* Scripts
** generate_guidance
*** Bug fixes
*** Custom rules support added
*** Added ability to signed configuration profiles
*** Added plist generation for rules
*** Generates preferences files for compliance script
*** Compliance script enhancements
**** Exemption support
**** Modified plist behavior
**** Log rotation
*** Added Custom References
** yaml-to-oval
*** Bug fixes


== [Big Sur, Revision 1] - 2020-11-10

* Rules
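Review bot: the Revision 2 entry does not record the rule ID changes this commit makes across every baseline, and "Fixed Rules" names none of them. Anyone with a custom baseline, exemption plist or custom rule keyed on `sysprefs_enforce_auto_logout`, `pwpolicy_force_change_password_change` or the now-removed `os_guest_access_afp_disable` will have that entry silently skipped, so list old and new IDs here (renamed, removed, added). Also fix "Added ability to signed configuration profiles" (should read "to sign") and say how the signing identity is supplied, since that is the detail an operator needs before trusting a signed profile from this tool.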
3 changes: 1 addition & 2 deletions README.adoc
@@ -1,4 +1,4 @@
image::templates/images/mscp_banner.png[]
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
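Review bot: the banner path changes to `templates/images/mscp_banner_outline.png`; confirm that file is among the 210 files in this commit and that nothing else still references `mscp_banner.png`, otherwise the README renders a broken image.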
Expand Down Expand Up @@ -50,7 +50,6 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
|Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration
|Gary Gapinski|National Aeronautics and Space Administration
|Paige Ramsey|Los Alamos National Laboratory
|===

== Changelog
4 changes: 2 additions & 2 deletions VERSION.yaml
@@ -1,3 +1,3 @@
os: "11.0"
version: "Big Sur, Revision 1"
date: "2020-11-10"
version: "Big Sur, Revision 2"
date: "2021-03-18"
5 changes: 2 additions & 3 deletions baselines/800-171.yaml
Expand Up @@ -68,7 +68,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
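Review bot: `os_guest_access_afp_disable` is removed from this and every other baseline in the commit, including all_rules.yaml, but nothing in the diff says why (rule file deleted, or the control no longer applicable on Big Sur). If the rule is gone, the 800-171 requirement it satisfied now has no mapped rule; if it is only being dropped from baselines, it should stay in all_rules.yaml. State the reason in the CHANGELOG, and check whether `com.apple.AppleFileServer`, still listed in includes/supported_payloads.yaml, is used by any remaining rule.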
Expand Down Expand Up @@ -138,7 +137,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
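Review bot: renaming `sysprefs_enforce_auto_logout` to `sysprefs_automatic_logout_enforce` matches the project's subject-then-verb convention, but a rule ID rename is a breaking change for custom baselines and exemption lists that reference the old ID. Either keep the old ID as a deprecated alias for one revision or call the rename out explicitly in the CHANGELOG; the Revision 2 entry currently says only "Fixed Rules".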
Expand All @@ -147,7 +146,7 @@ profile:
- os_obscure_password
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- section: "Permanent"
rules:
- pwpolicy_50_percent
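Review bot: same concern as the previous rename: `pwpolicy_force_change_password_change` to `pwpolicy_force_password_change` changes an identifier that external baselines and exemption plists reference, so it needs a CHANGELOG entry. The rename is applied consistently in every baseline shown (800-53 low/moderate/high, cnssi-1253, all_rules), which is good; make sure the rule YAML filename and its `id:` were renamed together, since baselines are resolved to rule files by that ID.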
6 changes: 3 additions & 3 deletions baselines/800-53_high.yaml
Expand Up @@ -75,7 +75,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
Expand Down Expand Up @@ -111,6 +110,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
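Review bot: `sysprefs_media_sharing_disabled` breaks the naming convention of every neighbouring rule (`sysprefs_smbd_disable`, `sysprefs_bluetooth_sharing_disable`: imperative `_disable`, not `_disabled`); rename it now, before downstream baselines reference it. More importantly, it is added to 800-53 low/moderate/high and cnssi-1253 but not to baselines/all_rules.yaml, whose diff in this commit contains only the two renamed IDs, so an all-rules build will not cover it. Add it there.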
Expand Down Expand Up @@ -144,7 +144,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
Expand All @@ -161,7 +161,7 @@ profile:
- os_prevent_unauthorized_disclosure
- os_crypto_audit
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
5 changes: 3 additions & 2 deletions baselines/800-53_low.yaml
Expand Up @@ -50,14 +50,14 @@ profile:
- os_httpd_disable
- os_sip_enable
- os_authenticated_root_enable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_ssh_fips_140_macs
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
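Review bot: `os_guest_account_disable` is added here and to the moderate and cnssi-1253 baselines, but not to 800-171, and the 800-53 high hunk in this commit shows only the AFP deletion (-75,7 +75,6). If high already contained the rule that is fine; if not, the low baseline would be stricter than high on guest login. Worth a one-line check before merge.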
Expand Down Expand Up @@ -92,6 +92,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
Expand Down Expand Up @@ -119,7 +120,7 @@ profile:
- os_obscure_password
- os_required_crypto_module
- os_store_encrypted_passwords
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- section: "Permanent"
rules:
- os_secure_name_resolution
7 changes: 4 additions & 3 deletions baselines/800-53_moderate.yaml
Expand Up @@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
Expand All @@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
Expand Down Expand Up @@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
Expand Down Expand Up @@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
Expand All @@ -152,7 +153,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
135 changes: 135 additions & 0 deletions baselines/DISA-STIG.yaml
@@ -0,0 +1,135 @@
title: "macOS 11.0: Security Configuration - DISA STIG"
description: |
This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG.
profile:
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_pam_su_smartcard_enforce
- section: "auditing"
rules:
- audit_flags_fd_configure
- audit_folder_group_configure
- audit_failure_halt
- audit_acls_folders_configure
- audit_flags_fm_configure
- audit_auditd_enabled
- audit_flags_ad_configure
- audit_files_mode_configure
- audit_flags_aa_configure
- audit_files_owner_configure
- audit_retention_configure
- audit_flags_fr_configure
- audit_settings_failure_notify
- audit_folder_owner_configure
- audit_flags_lo_configure
- audit_flags_fw_configure
- audit_folders_mode_configure
- audit_configure_capacity_notify
- audit_files_group_configure
- audit_acls_files_configure
- section: "macos"
rules:
- os_sshd_login_grace_time_configure
- os_firmware_password_require
- os_filevault_user_account
- os_guest_account_disable
- os_policy_banner_ssh_enforce
- os_anti_virus_installed
- os_screensaver_loginwindow_enforce
- os_sshd_key_exchange_algorithm_configure
- os_system_wide_preferences_configure
- os_tftpd_disable
- os_sshd_client_alive_interval_configure
- os_system_log_files_owner_group_configure
- os_sshd_client_alive_count_max_configure
- os_privacy_setup_prompt_disable
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_user_app_installation_prohibit
- os_system_log_files_permissions_configure
- os_hbss_installed
- os_filevault_autologin_disable
- os_messages_app_disable
- os_airdrop_disable
- os_nfsd_disable
- os_sshd_permit_root_login_configure
- os_httpd_disable
- os_gatekeeper_enable
- os_sip_enable
- os_policy_banner_ssh_configure
- os_time_server_enabled
- os_internet_accounts_prefpane_disable
- os_siri_prompt_disable
- os_appleid_prompt_disable
- os_directory_services_configured
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- os_certificate_authority_trust
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- os_icloud_storage_prompt_disable
- os_mail_app_disable
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"
rules:
- pwpolicy_history_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_special_character_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_60_day_enforce
- section: "icloud"
rules:
- icloud_photos_disable
- icloud_reminders_disable
- icloud_appleid_prefpane_disable
- icloud_keychain_disable
- icloud_notes_disable
- icloud_drive_disable
- icloud_bookmarks_disable
- icloud_mail_disable
- icloud_calendar_disable
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_disable
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed
- sysprefs_gatekeeper_override_disallow
- sysprefs_screensaver_timeout_enforce
- sysprefs_firewall_enable
- sysprefs_location_services_disable
- sysprefs_time_server_configure
- sysprefs_diagnostics_reports_disable
- sysprefs_bluetooth_disable
- sysprefs_automatic_login_disable
- sysprefs_apple_watch_unlock_disable
- sysprefs_token_removal_enforce
- sysprefs_screensaver_ask_for_password_delay_enforce
- sysprefs_wifi_disable
- sysprefs_time_server_enforce
- sysprefs_screen_sharing_disable
- sysprefs_hot_corners_disable
- sysprefs_siri_disable
- sysprefs_filevault_enforce
- sysprefs_password_hints_disable
- section: "Supplemental"
rules:
- supplemental_firewall_pf
- supplemental_filevault
- supplemental_password_policy
- supplemental_controls
- supplemental_smartcard
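Review bot: several IDs in this new baseline appear nowhere else in the diff and look like variants of existing rules: `os_sshd_fips_140_ciphers` and `os_sshd_fips_140_macs` where the other baselines use `os_ssh_fips_140_macs`; `pwpolicy_temporary_or_emergency_accounts_disable` where the others use `pwpolicy_temporary_accounts_disable` and `pwpolicy_emergency_accounts_disable` separately; and both `os_policy_banner_ssh_enforce` and `os_policy_banner_ssh_configure`. Since all_rules.yaml gains only two IDs in this commit, either these rules already existed or all_rules.yaml is now incomplete; verify each ID resolves to a rule file and appears in all_rules.yaml, and fold duplicates into the existing rule where the check is the same. The baseline also carries no "Inherent", "Permanent" or "not_applicable" sections like the other baselines do; if that is deliberate for the STIG mapping, say so in the description.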
5 changes: 2 additions & 3 deletions baselines/all_rules.yaml
Expand Up @@ -84,7 +84,6 @@ profile:
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_sshd_permit_root_login_configure
- os_ir_support_disable
Expand Down Expand Up @@ -160,7 +159,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
Expand Down Expand Up @@ -198,7 +197,7 @@ profile:
- os_crypto_audit
- os_reauth_privilege
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
7 changes: 4 additions & 3 deletions baselines/cnssi-1253.yaml
Expand Up @@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
- os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
Expand All @@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
Expand Down Expand Up @@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
- sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
Expand Down Expand Up @@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- sysprefs_enforce_auto_logout
- sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
Expand All @@ -153,7 +154,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- pwpolicy_force_change_password_change
- pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
1 change: 1 addition & 0 deletions includes/supported_payloads.yaml
Expand Up @@ -111,3 +111,4 @@ payloads_types:
- com.apple.AppleFileServer
- com.apple.AdLib
- .GlobalPreferences
- com.apple.preferences.sharing.SharingPrefsExtension
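Review bot: `com.apple.preferences.sharing.SharingPrefsExtension` is presumably the payload domain for the new `sysprefs_media_sharing_disabled` rule; confirm it matches the `PayloadType` in that rule's mobileconfig exactly, since the generator checks payload types against this list. And since `os_guest_access_afp_disable` is dropped in this same commit, check whether `com.apple.AppleFileServer` three lines above is still used by any rule or should come out with it.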