diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index eeda8b142..ee58e8cac 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,6 +2,30 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
+== [Big Sur, Revision 2] - 2021-03-18
+
+* Rules
+** Fixed Rules
+
+* Baselines
+** Added DISA-STIG
+
+* Scripts
+** generate_guidance
+*** Bug fixes
+*** Custom rules support added
+*** Added ability to signed configuration profiles
+*** Added plist generation for rules
+*** Generates preferences files for compliance script
+*** Compliance script enhancements
+**** Exemption support
+**** Modified plist behavior
+**** Log rotation
+*** Added Custom References
+** yaml-to-oval
+*** Bug fixes
+
+
== [Big Sur, Revision 1] - 2020-11-10
* Rules
diff --git a/README.adoc b/README.adoc
index 036b91294..4a06ca244 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,4 +1,4 @@
-image::templates/images/mscp_banner.png[]
+image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
@@ -50,7 +50,6 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
|Joshua Glemza|National Aeronautics and Space Administration
|Elyse Anderson|National Aeronautics and Space Administration
|Gary Gapinski|National Aeronautics and Space Administration
-|Paige Ramsey|Los Alamos National Laboratory
|===
== Changelog
diff --git a/VERSION.yaml b/VERSION.yaml
index 6abdd0fd0..deef3d4e8 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,3 +1,3 @@
os: "11.0"
-version: "Big Sur, Revision 1"
-date: "2020-11-10"
\ No newline at end of file
+version: "Big Sur, Revision 2"
+date: "2021-03-18"
\ No newline at end of file
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 42c81f92e..79ab9cc25 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -68,7 +68,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
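Review bot: Dropping `os_guest_access_afp_disable` leaves this baseline with no guest-access control visible in the hunk other than whatever sits above it, whereas the 800-53 low/moderate and CNSSI-1253 baselines in this same commit add `os_guest_account_disable` alongside `os_guest_access_smb_disable`. If the AFP rule was removed because the AFP server is gone in macOS 11, confirm `os_guest_account_disable` is already present in this profile or add `- os_guest_account_disable` next to `os_guest_access_smb_disable` so 800-171 3.1.1/3.1.2 coverage does not regress. The enclosing `profile:` list starts and ends outside the hunk.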
@@ -138,7 +137,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- - sysprefs_enforce_auto_logout
+ - sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -147,7 +146,7 @@ profile:
- os_obscure_password
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- section: "Permanent"
rules:
- pwpolicy_50_percent
diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml
index 6d62223f6..bed411632 100644
--- a/baselines/800-53_high.yaml
+++ b/baselines/800-53_high.yaml
@@ -75,7 +75,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
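Review bot: The high baseline loses `os_guest_access_afp_disable` here without gaining `os_guest_account_disable`, while the low and moderate baselines in this commit do gain it; a high baseline carrying fewer guest controls than low is almost certainly unintended. Unless `os_guest_account_disable` is already listed above this hunk, add `- os_guest_account_disable` beside `os_guest_access_smb_disable` as the other baselines do. The enclosing `profile:` list starts and ends outside the hunk.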
@@ -111,6 +110,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
+ - sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
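Review bot: The new entry `sysprefs_media_sharing_disabled` breaks the `_disable` suffix convention used by every neighbouring rule id (`sysprefs_smbd_disable`, `sysprefs_bluetooth_sharing_disable`, …), and its rule file is not part of this diff. Since baselines are resolved by exact rule id, confirm `rules/sysprefs/sysprefs_media_sharing_disabled.yaml` exists with that spelling and carries the `800-53r4_high` tag, or rename it to `sysprefs_media_sharing_disable` here and in the rule file for consistency. The `systempreferences` section continues outside the hunk.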
@@ -144,7 +144,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- - sysprefs_enforce_auto_logout
+ - sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -161,7 +161,7 @@ profile:
- os_prevent_unauthorized_disclosure
- os_crypto_audit
- pwpolicy_temporary_accounts_disable
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
diff --git a/baselines/800-53_low.yaml b/baselines/800-53_low.yaml
index 1bc88f731..8e029c621 100644
--- a/baselines/800-53_low.yaml
+++ b/baselines/800-53_low.yaml
@@ -50,6 +50,7 @@ profile:
- os_httpd_disable
- os_sip_enable
- os_authenticated_root_enable
+ - os_guest_account_disable
- os_guest_access_smb_disable
- os_unlock_active_user_session_disable
- os_internet_accounts_prefpane_disable
@@ -57,7 +58,6 @@ profile:
- os_appleid_prompt_disable
- os_ssh_fips_140_macs
- os_facetime_app_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -92,6 +92,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
+ - sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -119,7 +120,7 @@ profile:
- os_obscure_password
- os_required_crypto_module
- os_store_encrypted_passwords
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- section: "Permanent"
rules:
- os_secure_name_resolution
diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml
index b1905440d..8216e699d 100644
--- a/baselines/800-53_moderate.yaml
+++ b/baselines/800-53_moderate.yaml
@@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
+ - os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
@@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
+ - sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- - sysprefs_enforce_auto_logout
+ - sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -152,7 +153,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
new file mode 100644
index 000000000..ce2d81c37
--- /dev/null
+++ b/baselines/DISA-STIG.yaml
@@ -0,0 +1,135 @@
+title: "macOS 11.0: Security Configuration - DISA STIG"
+description: |
+ This guide describes the actions to take when securing a macOS 11.0 system against the DISA STIG.
+profile:
+ - section: "authentication"
+ rules:
+ - auth_pam_login_smartcard_enforce
+ - auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_certificate_trust_enforce_moderate
+ - auth_smartcard_enforce
+ - auth_pam_su_smartcard_enforce
+ - section: "auditing"
+ rules:
+ - audit_flags_fd_configure
+ - audit_folder_group_configure
+ - audit_failure_halt
+ - audit_acls_folders_configure
+ - audit_flags_fm_configure
+ - audit_auditd_enabled
+ - audit_flags_ad_configure
+ - audit_files_mode_configure
+ - audit_flags_aa_configure
+ - audit_files_owner_configure
+ - audit_retention_configure
+ - audit_flags_fr_configure
+ - audit_settings_failure_notify
+ - audit_folder_owner_configure
+ - audit_flags_lo_configure
+ - audit_flags_fw_configure
+ - audit_folders_mode_configure
+ - audit_configure_capacity_notify
+ - audit_files_group_configure
+ - audit_acls_files_configure
+ - section: "macos"
+ rules:
+ - os_sshd_login_grace_time_configure
+ - os_firmware_password_require
+ - os_filevault_user_account
+ - os_guest_account_disable
+ - os_policy_banner_ssh_enforce
+ - os_anti_virus_installed
+ - os_screensaver_loginwindow_enforce
+ - os_sshd_key_exchange_algorithm_configure
+ - os_system_wide_preferences_configure
+ - os_tftpd_disable
+ - os_sshd_client_alive_interval_configure
+ - os_system_log_files_owner_group_configure
+ - os_sshd_client_alive_count_max_configure
+ - os_privacy_setup_prompt_disable
+ - os_sudoers_tty_configure
+ - os_uucp_disable
+ - os_policy_banner_loginwindow_enforce
+ - os_user_app_installation_prohibit
+ - os_system_log_files_permissions_configure
+ - os_hbss_installed
+ - os_filevault_autologin_disable
+ - os_messages_app_disable
+ - os_airdrop_disable
+ - os_nfsd_disable
+ - os_sshd_permit_root_login_configure
+ - os_httpd_disable
+ - os_gatekeeper_enable
+ - os_sip_enable
+ - os_policy_banner_ssh_configure
+ - os_time_server_enabled
+ - os_internet_accounts_prefpane_disable
+ - os_siri_prompt_disable
+ - os_appleid_prompt_disable
+ - os_directory_services_configured
+ - os_sshd_fips_140_ciphers
+ - os_sshd_fips_140_macs
+ - os_certificate_authority_trust
+ - os_home_folders_secure
+ - os_facetime_app_disable
+ - os_camera_disable
+ - os_icloud_storage_prompt_disable
+ - os_mail_app_disable
+ - os_bonjour_disable
+ - os_calendar_app_disable
+ - section: "passwordpolicy"
+ rules:
+ - pwpolicy_history_enforce
+ - pwpolicy_temporary_or_emergency_accounts_disable
+ - pwpolicy_account_lockout_enforce
+ - pwpolicy_account_lockout_timeout_enforce
+ - pwpolicy_special_character_enforce
+ - pwpolicy_alpha_numeric_enforce
+ - pwpolicy_minimum_length_enforce
+ - pwpolicy_60_day_enforce
+ - section: "icloud"
+ rules:
+ - icloud_photos_disable
+ - icloud_reminders_disable
+ - icloud_appleid_prefpane_disable
+ - icloud_keychain_disable
+ - icloud_notes_disable
+ - icloud_drive_disable
+ - icloud_bookmarks_disable
+ - icloud_mail_disable
+ - icloud_calendar_disable
+ - icloud_addressbook_disable
+ - section: "systempreferences"
+ rules:
+ - sysprefs_smbd_disable
+ - sysprefs_firewall_stealth_mode_enable
+ - sysprefs_internet_sharing_disable
+ - sysprefs_rae_disable
+ - sysprefs_ssh_disable
+ - sysprefs_screensaver_password_enforce
+ - sysprefs_gatekeeper_identified_developers_allowed
+ - sysprefs_gatekeeper_override_disallow
+ - sysprefs_screensaver_timeout_enforce
+ - sysprefs_firewall_enable
+ - sysprefs_location_services_disable
+ - sysprefs_time_server_configure
+ - sysprefs_diagnostics_reports_disable
+ - sysprefs_bluetooth_disable
+ - sysprefs_automatic_login_disable
+ - sysprefs_apple_watch_unlock_disable
+ - sysprefs_token_removal_enforce
+ - sysprefs_screensaver_ask_for_password_delay_enforce
+ - sysprefs_wifi_disable
+ - sysprefs_time_server_enforce
+ - sysprefs_screen_sharing_disable
+ - sysprefs_hot_corners_disable
+ - sysprefs_siri_disable
+ - sysprefs_filevault_enforce
+ - sysprefs_password_hints_disable
+ - section: "Supplemental"
+ rules:
+ - supplemental_firewall_pf
+ - supplemental_filevault
+ - supplemental_password_policy
+ - supplemental_controls
+ - supplemental_smartcard
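Review bot: Several rule ids in this baseline appear in no other baseline in this change and their rule files are not in the diff — `pwpolicy_temporary_or_emergency_accounts_disable`, `os_sshd_fips_140_ciphers`, `os_sshd_fips_140_macs` (the other baselines reference `os_ssh_fips_140_macs`), `os_hbss_installed`, `os_anti_virus_installed`, `os_directory_services_configured` — so confirm each resolves under `rules/` before this baseline is generated. Every rule listed here should also carry the `stig` tag and a `severity`, as the rule files touched in this commit now do, since downstream tooling is likely to filter on the tag rather than the baseline. The `description` would benefit from naming the STIG release the `APPL-11-*` ids are taken from, e.g. `This guide ... against the DISA macOS 11 (Big Sur) STIG, V1R1.`, so consumers can tell which STIG revision a generated report corresponds to.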
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index 5f6eec9b6..e9e962c3d 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -84,7 +84,6 @@ profile:
- os_home_folders_secure
- os_facetime_app_disable
- os_camera_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_sshd_permit_root_login_configure
- os_ir_support_disable
@@ -160,7 +159,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- - sysprefs_enforce_auto_logout
+ - sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_enforce_access_restrictions
@@ -198,7 +197,7 @@ profile:
- os_crypto_audit
- os_reauth_privilege
- pwpolicy_temporary_accounts_disable
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml
index 498631dfd..ff74ab85c 100644
--- a/baselines/cnssi-1253.yaml
+++ b/baselines/cnssi-1253.yaml
@@ -61,6 +61,7 @@ profile:
- os_sip_enable
- os_authenticated_root_enable
- os_removable_media_disable
+ - os_guest_account_disable
- os_guest_access_smb_disable
- os_time_server_enabled
- os_unlock_active_user_session_disable
@@ -71,7 +72,6 @@ profile:
- os_ssh_fips_140_macs
- os_home_folders_secure
- os_facetime_app_disable
- - os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
@@ -107,6 +107,7 @@ profile:
- icloud_addressbook_disable
- section: "systempreferences"
rules:
+ - sysprefs_media_sharing_disabled
- sysprefs_smbd_disable
- sysprefs_firewall_stealth_mode_enable
- sysprefs_personalized_advertising_disable
@@ -140,7 +141,7 @@ profile:
- sysprefs_password_hints_disable
- sysprefs_bluetooth_sharing_disable
- sysprefs_improve_siri_dictation_disable
- - sysprefs_enforce_auto_logout
+ - sysprefs_automatic_logout_enforce
- section: "Inherent"
rules:
- os_prevent_priv_functions
@@ -153,7 +154,7 @@ profile:
- os_store_encrypted_passwords
- os_prevent_unauthorized_disclosure
- pwpolicy_temporary_accounts_disable
- - pwpolicy_force_change_password_change
+ - pwpolicy_force_password_change
- pwpolicy_emergency_accounts_disable
- section: "Permanent"
rules:
diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml
index be2730823..9054f0df1 100644
--- a/includes/supported_payloads.yaml
+++ b/includes/supported_payloads.yaml
@@ -111,3 +111,4 @@ payloads_types:
- com.apple.AppleFileServer
- com.apple.AdLib
- .GlobalPreferences
+ - com.apple.preferences.sharing.SharingPrefsExtension
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
index 26c84ebac..8e0a74a8c 100644
--- a/rules/audit/audit_acls_files_configure.yaml
+++ b/rules/audit/audit_acls_files_configure.yaml
@@ -26,7 +26,7 @@ references:
- SRG-OS-000057-GPOS-00027
- SRG-OS-000206-GPOS-00084
disa_stig:
- - AOSX-15-000030
+ - APPL-11-000030
800-171r2:
- 3.3.8
macOS:
@@ -37,6 +37,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
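Review bot: The tag changes case from `STIG` to `stig` and a new `severity` key is introduced, but neither `generate_guidance` nor `yaml-to-oval` is in this diff; any consumer that filters on the literal `STIG` string, or reads `severity` without a default, will silently drop these rules or fail on the non-STIG rules that gain no `severity` in this commit. Confirm the scripts were updated to the lowercase tag (or compare case-insensitively) and treat `severity` as optional. The same change is applied across roughly twenty rule files here, so a single missed consumer affects the whole STIG baseline.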
diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml
index bef3c8df3..03129bf09 100644
--- a/rules/audit/audit_acls_folders_configure.yaml
+++ b/rules/audit/audit_acls_folders_configure.yaml
@@ -18,15 +18,12 @@ references:
- CCE-85252-5
cci:
- CCI-000162
- - CCI-001314
800-53r4:
- AU-9
- - SI-11
srg:
- SRG-OS-000057-GPOS-00027
- - SRG-OS-000206-GPOS-00084
disa_stig:
- - AOSX-15-000030
+ - APPL-11-000031
800-171r2:
- 3.3.8
macOS:
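Review bot: This hunk removes `CCI-001314`, `SI-11` and `SRG-OS-000206-GPOS-00084` from the folders rule, while the sibling `audit_acls_files_configure` hunk in this commit keeps `SRG-OS-000206-GPOS-00084` under its new `APPL-11-000030` id. Both rules implement the same AU-9 protection of audit data and differ only in target (files vs. folders), so the control mappings should agree unless the STIG itself splits them; if the split is intentional, apply the matching removal to the files rule or add a short note so the two do not drift.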
@@ -37,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml
index a0e8f5b25..70f7f3615 100644
--- a/rules/audit/audit_alert_processing_fail.yaml
+++ b/rules/audit/audit_alert_processing_fail.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index 5a103e79d..4c2c4b103 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -57,7 +57,7 @@ references:
- SRG-OS-000358-GPOS-00145
- SRG-OS-000359-GPOS-00146
disa_stig:
- - AOSX-15-001003
+ - APPL-11-001003
800-171r2:
- 3.3.1
- 3.3.2
@@ -70,6 +70,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index c55bd0900..83826ecc9 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -23,11 +23,12 @@ references:
srg:
- SRG-OS-000343-GPOS-00134
disa_stig:
- - AOSX-15-001030
+ - APPL-11-001030
macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml
index e37d62696..6391654d7 100644
--- a/rules/audit/audit_enforce_dual_auth.yaml
+++ b/rules/audit/audit_enforce_dual_auth.yaml
@@ -25,7 +25,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index f7e93597c..3f48f3c92 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- - AOSX-15-001010
+ - APPL-11-001010
800-171r2:
- 3.3.4
macOS:
@@ -34,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index 4ca2796b7..7086bd8d9 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001014
+ - APPL-11-001014
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index 20bbcd5b2..af56b699a 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001016
+ - APPL-11-001016
800-171r2:
- 3.3.8
macOS:
@@ -32,6 +32,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index e7e5264d5..26659c2dc 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001012
+ - APPL-11-001012
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index c52db3ba4..cb993d8e6 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -19,7 +19,7 @@ references:
cce:
- CCE-85261-6
cci:
- - N/A
+ - CCI-000172
800-53r4:
- AU-2
- AU-12
@@ -30,7 +30,7 @@ references:
- SRG-OS-000473-GPOS-00218
- SRG-OS-000475-GPOS-00220
disa_stig:
- - AOSX-15-001044
+ - APPL-11-001044
800-171r2:
- 3.3.1
- 3.3.2
@@ -42,6 +42,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index 5d4d215b9..5301dd451 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -40,18 +40,13 @@ references:
- SRG-OS-000240-GPOS-00090
- SRG-OS-000241-GPOS-00091
- SRG-OS-000327-GPOS-00127
- - SRG-OS-000392-GPOS-00172
+ - SRG-OS-000392-GPOS-00172
- SRG-OS-000471-GPOS-00215
- SRG-OS-000471-GPOS-00216
- SRG-OS-000476-GPOS-00221
- SRG-OS-000477-GPOS-00222
- - SRG-OS-000304-GPOS-00121
- - SRG-OS-000277-GPOS-00107
- - SRG-OS-000275-GPOS-00105
- - SRG-OS-000276-GPOS-00106
- - SRG-OS-000274-GPOS-00104
disa_stig:
- - AOSX-15-001001
+ - APPL-11-001001
800-171r2:
- 3.1.7
- 3.3.1
@@ -64,6 +59,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index 28e918caa..25095593e 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -40,6 +40,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
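Review bot: The `- STIG` tag line is replaced with an empty line rather than deleted, leaving a blank line between the `tags:` sequence and `mobileconfig:`; it parses, but every other rule file in this commit removes the tag outright, so drop the empty `+` line. This rule also loses its STIG tag while the `references:` block above the hunk is not shown — worth checking it for a stale `AOSX-15-*` `disa_stig` entry that should be removed at the same time.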
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
new file mode 100644
index 000000000..02d4b9486
--- /dev/null
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -0,0 +1,53 @@
+id: audit_flags_fd_configure
+title: "Configure System to Audit All Deletions of Object Attributes"
+discussion: |
+ The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd).
+
+ ***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
+
+ This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
+
+ Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
+check: |
+ /usr/bin/grep -Ec "^flags.*-fd" /etc/security/audit_control
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
+ ----
+references:
+ cce:
+ - CCE-85264-0
+ cci:
+ - CCI-000172
+ - CCI-001814
+ 800-53r4:
+ - AU-2
+ - AU-12
+ - AU-9
+ - CM-5(1)
+ - MA-4(1)
+ srg:
+ - SRG-OS-000365-GPOS-00152
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000461-GPOS-00205
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000465-GPOS-00209
+ - SRG-OS-000466-GPOS-00210
+ - SRG-OS-000467-GPOS-00211
+ - SRG-OS-000468-GPOS-00212
+ - SRG-OS-000474-GPOS-00219
+ - SRG-OS-000057-GPOS-00027
+ disa_stig:
+ - APPL-11-001020
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
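Review bot: The new rule reuses `CCE-85264-0`, which `audit_flags_fm_configure` already carries in its `cce:` list in this same diff; CCE ids are meant to be unique per configuration item, so this rule needs its own id or generated guidance will report two findings under one CCE. The `fix` is not idempotent — `sed '/^flags/ s/$/,-fd/'` appends `,-fd` on every run and produces `flags:,-fd` when the flags value is empty — so it should only be executed when the `check` fails, or guarded with the same grep. The title promises "All Deletions" while `-fd` records only failed file-delete events; align either the wording or the flag (`fd` vs `-fd`) with what APPL-11-001020 actually requires. Note also that `audit_flags_fm_configure`, `_fr_` and `_fw_` are all re-pointed to this same `APPL-11-001020` id in this commit; if the STIG assigns separate ids to those classes, the STIG mapping output will collapse four rules into one.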
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index 35c53e622..e3e8b9127 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -21,7 +21,8 @@ references:
cce:
- CCE-85264-0
cci:
- - CCI-000162
+ - CCI-000172
+ - CCI-001814
800-53r4:
- AU-2
- AU-12
@@ -40,7 +41,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001016
+ - APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +54,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 7098aba14..561d294fc 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -21,7 +21,8 @@ references:
cce:
- CCE-85265-7
cci:
- - CCI-000162
+ - CCI-000172
+ - CCI-001814
800-53r4:
- AU-2
- AU-12
@@ -40,7 +41,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001016
+ - APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +54,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index 972b1981d..6dded9fe5 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -40,7 +40,7 @@ references:
- SRG-OS-000474-GPOS-00219
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001016
+ - APPL-11-001020
800-171r2:
- 3.3.1
- 3.3.2
@@ -53,6 +53,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index f536f17f8..ceb373e5a 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -5,7 +5,7 @@ discussion: |
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk.
- The information system monitors and login and logout events.
+ The information system monitors login and logout events.
check: |
/usr/bin/grep -Ec "^flags*.lo" /etc/security/audit_control
result:
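Review bot: The `check` regex `^flags*.lo` (unchanged by this hunk, directly below the corrected sentence) does not match what the rule intends: `flags*` means `flag` followed by any number of `s`, and `.` consumes exactly one character, so the pattern only matches when `lo` is the very first class after `flags:` — a compliant line such as `flags:aa,ad,lo` returns 0 and the check fails. Use a pattern that matches `lo` as a whole class anywhere in the list, e.g. `/usr/bin/grep -Ec "^flags:.*(:|,)lo(,|$)" /etc/security/audit_control`, which also avoids accepting a failure-only `-lo`. This is pre-existing rather than introduced here, but it makes the rule false-negative on most real configurations.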
@@ -28,10 +28,9 @@ references:
- MA-4(1)
srg:
- SRG-OS-000032-GPOS-00013
- - SRG-OS-000064-GPOS-00033
- SRG-OS-000462-GPOS-00206
disa_stig:
- - AOSX-15-001002
+ - APPL-11-001002
800-171r2:
- 3.1.12
- 3.3.1
@@ -44,6 +43,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index addc35eac..9f7eddc1a 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -13,7 +13,7 @@ result:
fix: |
[source,bash]
----
- /usr/sbin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
+ /usr/bin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
----
references:
cce:
@@ -23,9 +23,9 @@ references:
800-53r4:
- AU-9
srg:
- - SRG-OS-000057-GPOS-00027
+ - SRG-OS-000033-GPOS-00014
disa_stig:
- - AOSX-15-001015
+ - APPL-11-001015
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 61bb3f0de..7db1de932 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001013
+ - APPL-11-001013
800-171r2:
- 3.3.8
macOS:
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index 9acbb7287..18cbda049 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -27,7 +27,7 @@ references:
- SRG-OS-000059-GPOS-00029
- SRG-OS-000057-GPOS-00027
disa_stig:
- - AOSX-15-001017
+ - APPL-11-001017
800-171r2:
- 3.3.8
macOS:
@@ -38,6 +38,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index a852d496c..ce101e2d8 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -25,7 +25,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index a20dc34ee..68fc74cf1 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- - AOSX-15-001029
+ - APPL-11-001029
macOS:
- "11.0"
tags:
@@ -32,6 +32,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index a67d3ce9e..7ac711bc6 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000344-GPOS-00135
disa_stig:
- - AOSX-15-001031
+ - APPL-11-001031
800-171r2:
- 3.3.4
macOS:
@@ -32,6 +32,7 @@ macOS:
tags:
- 800-171
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index 6c4eab69c..600d1ef3b 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -43,12 +43,9 @@ references:
- IA-2(4)
- IA-5(11)
srg:
- - SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-003050
- - AOSX-15-003051
- - AOSX-15-003052
+ - APPL-11-003050
800-171r2:
- 3.5.3
macOS:
@@ -59,6 +56,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index 6655f5b6e..417c8d66a 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -38,12 +38,9 @@ references:
- IA-2(4)
- IA-5(11)
srg:
- - SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-003050
- - AOSX-15-003051
- - AOSX-15-003052
+ - APPL-11-003051
800-171r2:
- 3.5.3
macOS:
@@ -54,6 +51,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index 238f344d8..2204504d8 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -40,9 +40,7 @@ references:
- SRG-OS-000107-GPOS-00054
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-003050
- - AOSX-15-003051
- - AOSX-15-003052
+ - APPL-11-003052
800-171r2:
- 3.5.3
macOS:
@@ -53,6 +51,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 978011b79..71371c722 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -25,12 +25,11 @@ references:
srg:
- SRG-OS-000067-GPOS-00035
disa_stig:
- - AOSX-15-003002
+ - APPL-11-003002
macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index f710d3727..eeec375ef 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -19,18 +19,28 @@ references:
- CCE-85279-8
cci:
- CCI-000186
+ - CCI-002470
+ - CCI-001991
+ - CCI-001953
+ - CCI-001954
800-53r4:
- IA-2(12)
- IA-5(2)
srg:
- - SRG-OS-000067-GPOS-00035
+ - SRG-OS-000376-GPOS-00161
+ - SRG-OS-000377-GPOS-00162
+ - SRG-OS-000384-GPOS-00167
+ - SRG-OS-000403-GPOS-00182
+ - SRG-OS-000067-GPOS-00035
disa_stig:
- - AOSX-15-003002
+ - APPL-11-001060
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r4_moderate
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index 30afa17b4..99314c070 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -21,12 +21,8 @@ references:
- CCE-85280-6
cci:
- CCI-000187
- - CCI-000765
- - CCI-000766
- CCI-000767
- CCI-000768
- - CCI-000877
- - CCI-001948
800-53r4:
- IA-2
- IA-2(1)
@@ -39,17 +35,10 @@ references:
- IA-5(11)
srg:
- SRG-OS-000068-GPOS-00036
- - SRG-OS-000105-GPOS-00052
- - SRG-OS-000106-GPOS-00053
- SRG-OS-000107-GPOS-00054
- SRG-OS-000108-GPOS-00055
- - SRG-OS-000125-GPOS-00065
- - SRG-OS-000375-GPOS-00160
disa_stig:
- - AOSX-15-003020
- - AOSX-15-003024
- - AOSX-15-003005
- - AOSX-15-003025
+ - APPL-11-003020
800-171r2:
- 3.5.1
- 3.5.2
@@ -62,7 +51,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
diff --git a/rules/auth/auth_ssh_smartcard_enforce.yaml b/rules/auth/auth_ssh_smartcard_enforce.yaml
index 6a30d3668..ce66f8514 100644
--- a/rules/auth/auth_ssh_smartcard_enforce.yaml
+++ b/rules/auth/auth_ssh_smartcard_enforce.yaml
@@ -20,13 +20,7 @@ references:
cce:
- CCE-85281-4
cci:
- - CCI-000187
- - CCI-000765
- - CCI-000766
- - CCI-000767
- - CCI-000768
- - CCI-000877
- - CCI-001948
+ - N/A
800-53r4:
- IA-2
- IA-2(1)
@@ -39,18 +33,9 @@ references:
- IA-5(11)
- MA-4
srg:
- - SRG-OS-000068-GPOS-00036
- - SRG-OS-000105-GPOS-00052
- - SRG-OS-000106-GPOS-00053
- - SRG-OS-000107-GPOS-00054
- - SRG-OS-000108-GPOS-00055
- - SRG-OS-000125-GPOS-00065
- - SRG-OS-000375-GPOS-00160
+ - N/A
disa_stig:
- - AOSX-15-003020
- - AOSX-15-003024
- - AOSX-15-003005
- - AOSX-15-003025
+ - N/A
800-171r2:
- 3.5.1
- 3.5.2
@@ -59,6 +44,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
+ - none
mobileconfig: false
mobileconfig_info:
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index cb41ac30d..9c0d2efe1 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002014
+ - APPL-11-002014
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_appleid_prefpane_disable.yaml b/rules/icloud/icloud_appleid_prefpane_disable.yaml
index 4d4b0afc1..af99bc005 100644
--- a/rules/icloud/icloud_appleid_prefpane_disable.yaml
+++ b/rules/icloud/icloud_appleid_prefpane_disable.yaml
@@ -14,17 +14,15 @@ references:
cce:
- CCE-85283-0
cci:
- - CCI-000381
- CCI-001774
800-53r4:
- CM-7
- AC-20
- AC-20(1)
srg:
- - SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002018
+ - APPL-11-002031
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,6 +34,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - stig
+severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 2d4b3b1ab..878193824 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002042
+ - APPL-11-002042
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 1f4ddf889..25c178de9 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002012
+ - APPL-11-002012
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index a6d0fed8a..4454a9eda 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -24,8 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002041
- - AOSX-15-002049
+ - APPL-11-002041
800-171r2:
- 3.1.20
- 3.4.6
@@ -37,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 326654bb3..17f5016cb 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002040
+ - APPL-11-002040
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index ab1c16486..ecdd7a5ee 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002015
+ - APPL-11-002015
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index f10b793d8..908eb428b 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002016
+ - APPL-11-002016
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index f212762f7..ca081cda5 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002043
+ - APPL-11-002043
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index 72370526d..f1d6063f2 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -24,7 +24,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002013
+ - APPL-11-002013
800-171r2:
- 3.1.20
- 3.4.6
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 8b8a65115..609470d27 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002009
+ - APPL-11-002009
800-171r2:
- 3.1.1
- 3.1.2
@@ -38,7 +38,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index 74823fb40..e1715c9fa 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 3025cd23f..a1b28be7b 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -19,10 +19,12 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-002070
+ - APPL-11-002070
macOS:
- "11.0"
tags:
- - STIG
+ - manual
+ - stig
+severity: "high"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index dd74e8184..c8d355724 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -18,10 +18,9 @@ references:
800-53r4:
- AC-20
srg:
- - SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002035
+ - APPL-11-002035
800-171r2:
- 3.1.20
macOS:
@@ -32,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index a2b88b475..4deb51eb7 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -26,7 +26,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index 4cfa15b51..7be373f8e 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -41,6 +41,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
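Review bot: The removed `- STIG` entry is replaced by an empty `+` line, which leaves a stray blank line between the last `tags:` item and `mobileconfig:`; the same pattern appears in the os_continuous_monitoring and os_firewall_default_deny_require hunks, while the os_firewall_log_enable hunk simply drops the line. YAML tolerates the blank line, but it is inconsistent with every other rule file in this change and reads as an editing leftover. Deleting the line outright, as os_firewall_log_enable does, keeps the three files consistent with the rest.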
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 5e3a9067c..7b2d73d3c 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -18,7 +18,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002005
+ - APPL-11-002005
800-171r2:
- 3.4.6
macOS:
@@ -29,7 +29,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mDNSResponder:
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index bf7d16e8e..3dd033d99 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -18,15 +18,13 @@ references:
- CCE-85300-2
cci:
- CCI-000381
- - CCI-001774
800-53r4:
- CM-7
- AC-20
srg:
- SRG-OS-000095-GPOS-00049
- - SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002023
+ - APPL-11-002023
800-171r2:
- 3.1.20
- 3.4.6
@@ -38,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index be5a215e8..acf3546b0 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -13,18 +13,20 @@ references:
- CCE-85301-0
cci:
- CCI-000381
- - CCI-001774
+ - CCI-001150
+ - CCI-001153
800-53r4:
- N/A
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002017
+ - APPL-11-002017
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index 22b4a204f..dd00a9ffc 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -5,7 +5,7 @@ discussion: |
check: |
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/grep labl | awk -F'"' '{ print $4 }'
result:
- string: "If this list does not contain approved root certificates, this is a finding."
+ string: "a list containing approved root certificates"
fix: |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
references:
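Review bot: The new `result: string:` value `"a list containing approved root certificates"` describes what a reviewer should see rather than anything the `security dump-keychain` pipeline can output, so if the generated compliance script compares command output against `result.string` this rule will report a finding on every system. The rule carries the `manual` tag, which presumably keeps it out of automated evaluation, but that dependency is implicit; stating it in the check text, e.g. `Compare the returned certificate labels against the organization's approved root certificate list.`, would make the intent clear to anyone regenerating the guidance. The context line's unqualified `awk` is the only binary in the pipeline without an absolute path, a pre-existing inconsistency with the `/usr/bin/` convention used elsewhere that this hunk leaves in place.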
@@ -17,7 +17,7 @@ references:
800-53r4:
- SC-17
disa_stig:
- - AOSX-15-003001
+ - APPL-11-003001
srg:
- SRG-OS-000066-GPOS-00034
- SRG-OS-000478-GPOS-00223
@@ -27,7 +27,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
- manual
+severity: "high"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index 4f84869e9..ffd92f1e5 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index 6ef90ed6f..fc2fe655a 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -16,7 +16,7 @@ references:
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- - AOSX-15-000015
+ - APPL-11-000015
macOS:
- "11.0"
tags:
@@ -24,6 +24,6 @@ tags:
- 800-53r4_moderate
- 800-53r4_high
- permanent
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 5bd7ea32d..e6e7a3ec2 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -27,7 +27,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
new file mode 100644
index 000000000..93fda98cf
--- /dev/null
+++ b/rules/os/os_directory_services_configured.yaml
@@ -0,0 +1,31 @@
+id: os_directory_services_configured
+title: The macOS system must be integrated into a directory services infrastructure.
+discussion: |
+ Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.
+check: |
+ If the system is using a mandatory Smart Card Policy, this is Not Applicable.
+
+ To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command:
+
+ /usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)'
+
+ If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding.
+fix: |
+ Integrate the system into an existing directory services infrastructure.
+references:
+ cci:
+ - CCI-000366
+ 800-53r4:
+ - CM-6(b)
+ srg:
+ - SRG-OS-000480-GPOS-00227
+ disa_stig:
+ - APPL-11-000016
+macOS:
+ - 11.0
+tags:
+ - manual
+ - stig
+severity: "high"
+mobileconfig:
+mobileconfig_info:
\ No newline at end of file
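Review bot: The new rule lists `macOS:` as `- 11.0` unquoted, whereas every other rule file in this change uses `- "11.0"`; a YAML loader reads the unquoted form as the float 11.0, so any string comparison on the OS version in the generator may silently skip this rule — change it to `- "11.0"`. `mobileconfig:` is also left empty (YAML null) rather than `false` as in the other non-profile rules, which is a value type the generator may not expect. The `grep -vE '(Contact | Search | Local)'` pattern has spaces inside the alternatives, so it presumably will not exclude bare `Contact`, `Search` or `Local` node names printed by `dscl localhost -list .`, and the check would then return output even on an unintegrated system; `'^(Contact|Search|Local)$'` looks like what was intended, but verify against real dscl output. `dscl` is the one command in the check without an absolute path; `/usr/bin/dscl` would match the project convention.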
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index f6771c5e1..08d918b64 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -25,7 +25,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml
index 924cc026b..0569456a0 100644
--- a/rules/os/os_error_message.yaml
+++ b/rules/os/os_error_message.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 922d76864..87d1cbf44 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -35,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index ef3e19c0d..39f2cf472 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -29,7 +29,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index ab628a734..02dd58fa2 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -14,14 +14,15 @@ references:
cce:
- CCE-85310-1
800-53r4:
+ - AC-2(11)
- AC-3
- IA-5(13)
srg:
- - SRG-OS-000480-GPOS-00229
+ - SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-002066
+ - APPL-11-000033
cci:
- - CCI-000366
+ - CCI-002143
800-171r2:
- 3.1.1
- 3.1.2
@@ -33,6 +34,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.loginwindow:
diff --git a/rules/os/os_filevault_user_account.yaml b/rules/os/os_filevault_user_account.yaml
index d946b2c86..7cb2628cd 100644
--- a/rules/os/os_filevault_user_account.yaml
+++ b/rules/os/os_filevault_user_account.yaml
@@ -46,16 +46,17 @@ references:
cce:
- CCE-85311-9
cci:
- - CCI-000014
+ - CCI-002143
800-53r4:
- - N/A
+ - AC-2(11)
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-000032
+ - APPL-11-000032
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index 930e9a5dc..c650f3406 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -31,7 +31,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00231
disa_stig:
- - AOSX-15-005051
+ - APPL-11-005051
800-171r2:
- 3.1.3
- 3.13.6
@@ -42,6 +42,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
index 007b19904..1a870d0b8 100644
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -19,14 +19,14 @@ references:
cce:
- CCE-85313-5
cci:
- - CCI-000366
+ - N/A
800-53r4:
- SC-7
- AU-12
srg:
- - SRG-OS-000480-GPOS-00232
+ - N/A
disa_stig:
- - AOSX-15-005050
+ - N/A
800-171r2:
- 3.3.1
- 3.3.2
@@ -41,6 +41,5 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index 1d87c3aea..b64347262 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -30,7 +30,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-003013
+ - APPL-11-003013
800-171r2:
- 3.1.5
macOS:
@@ -40,6 +40,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 4395dcce8..1192eefa0 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000366-GPOS-00153
disa_stig:
- - AOSX-15-002064
+ - APPL-11-002064
800-171r2:
- 3.4.5
macOS:
@@ -38,7 +38,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "high"
mobileconfig: true
mobileconfig_info:
com.apple.systempolicy.control:
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index 048037ded..41754f656 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_guest_access_afp_disable.yaml b/rules/os/os_guest_access_afp_disable.yaml
deleted file mode 100644
index 0eff08ec4..000000000
--- a/rules/os/os_guest_access_afp_disable.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-id: os_guest_access_afp_disable
-title: "Disable Guest Access to Shared Apple File Protocol Folders"
-discussion: |
- Guest access to shared Apple File Protocol (AFP) folders _MUST_ be disabled.
-
- Turning off guest access prevents anonymous users from accessing files shared via AFP.
-check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'guestAccess = 0'
-result:
- integer: 1
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-85318-4
- 800-53r4:
- - IA-2
- disa_stig:
- - N/A
- srg:
- - N/A
- cci:
- - N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
-macOS:
- - "11.0"
-tags:
- - 800-171
- - cnssi-1253
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
-mobileconfig: true
-mobileconfig_info:
- com.apple.AppleFileServer:
- guestAccess: false
\ No newline at end of file
diff --git a/rules/os/os_guest_access_smb_disable.yaml b/rules/os/os_guest_access_smb_disable.yaml
index d837a3c5e..134674693 100644
--- a/rules/os/os_guest_access_smb_disable.yaml
+++ b/rules/os/os_guest_access_smb_disable.yaml
@@ -14,7 +14,8 @@ references:
cce:
- CCE-85319-2
800-53r4:
- - IA-2
+ - AC-2
+ - AC-2(9)
disa_stig:
- N/A
srg:
diff --git a/rules/os/os_guest_account_disable.yaml b/rules/os/os_guest_account_disable.yaml
index e99b7cf29..7142c1697 100644
--- a/rules/os/os_guest_account_disable.yaml
+++ b/rules/os/os_guest_account_disable.yaml
@@ -16,12 +16,12 @@ references:
cci:
- CCI-001813
800-53r4:
- - CM-5(1)
- - IA-2
+ - AC-2
+ - AC-2(9)
srg:
- SRG-OS-000364-GPOS-00151
disa_stig:
- - AOSX-15-002063
+ - APPL-11-002063
800-171r2:
- 3.5.1
- 3.5.2
@@ -29,10 +29,13 @@ macOS:
- "11.0"
tags:
- 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "high"
mobileconfig: true
mobileconfig_info:
- com.apple.ManagedClient.preferences:
- com.apple.MCX:
- DisableGuestAccount: true
\ No newline at end of file
+ com.apple.MCX:
+ DisableGuestAccount: true
\ No newline at end of file
diff --git a/rules/os/os_hbss_installed.yaml b/rules/os/os_hbss_installed.yaml
new file mode 100644
index 000000000..5c22ba079
--- /dev/null
+++ b/rules/os/os_hbss_installed.yaml
@@ -0,0 +1,30 @@
+id: os_hbss_installed
+title: "Must Use HBSS"
+discussion: |
+ The approved HBSS solution _MUST_ be installed and configured to run.
+
+ The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved HBSS solution to be implemented on the operating system. For additional information, reference all applicable HBSS OPORDs and FRAGOs on SIPRNET.
+check: |
+ Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved HBSS solution is loaded on the system.
+ If the installed components of the HBSS solution are not at the DoD approved minimal versions, this is a finding.
+fix: |
+ Install the approved HBSS solution onto the system.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001233
+ 800-53r4:
+ - SI-2(2)
+ srg:
+ - SRG-OS-000191-GPOS-00080
+ disa_stig:
+ - APPL-11-000015
+macOS:
+ - "11.0"
+tags:
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
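Review bot: The new rule maps `disa_stig` to `APPL-11-000015`, the same identifier the os_continuous_monitoring hunk earlier in this change renames `AOSX-15-000015` to, so two rules now claim one STIG ID and any baseline or STIG export that includes both will emit it twice, possibly attributing the wrong check text to it. If os_hbss_installed is meant to take over this STIG item (os_continuous_monitoring loses its `STIG` tag in the same change), the older rule's `disa_stig` should probably become `- N/A` as was done for os_firewall_log_enable; otherwise confirm which rule the ID belongs to. `title: "Must Use HBSS"` is also much terser than the surrounding rule titles; something like `"Install and Configure the Approved Host-Based Security System (HBSS)"` would read consistently in generated guidance.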
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index 23a85a16a..965376fe8 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -25,10 +25,10 @@ references:
800-53r4:
- AC-6
srg:
+ - SRG-OS-000480-GPOS-00228
- SRG-OS-000480-GPOS-00230
disa_stig:
- - AOSX-15-002065
- - AOSX-15-002068
+ - APPL-11-002068
800-171r2:
- 3.1.5
macOS:
@@ -38,6 +38,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 3bb70c09f..1da2e020d 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002008
+ - APPL-11-002008
800-171r2:
- 3.1.1
- 3.1.2
@@ -33,6 +33,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index c9dc41a3a..4df5deb6a 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002037
+ - APPL-11-002037
800-171r2:
- 3.1.20
macOS:
@@ -31,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml
index f38a273e0..15274b12e 100644
--- a/rules/os/os_identify_non-org_users.yaml
+++ b/rules/os/os_identify_non-org_users.yaml
@@ -24,7 +24,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- n_a
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 3689ad9ea..d1a25e5aa 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -35,7 +35,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index c38c23365..5842c507b 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -35,7 +35,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_internet_accounts_prefpane_disable.yaml b/rules/os/os_internet_accounts_prefpane_disable.yaml
index 400888b77..a84c3c851 100644
--- a/rules/os/os_internet_accounts_prefpane_disable.yaml
+++ b/rules/os/os_internet_accounts_prefpane_disable.yaml
@@ -18,13 +18,15 @@ references:
- CCE-85328-3
cci:
- CCI-001774
+ - CCI-000381
800-53r4:
- AC-20
+ - CM-7(5)
srg:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002032
+ - APPL-11-002032
800-171r2:
- 3.1.20
macOS:
@@ -35,7 +37,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.systempreferences:
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 7ee763479..fee3b1f3e 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -23,7 +23,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index 9fe1bd48f..8c4ed5cb8 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index 2a2e9aba6..489356d76 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index 28813fd06..69e3fdca4 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -23,7 +23,6 @@ macOS:
- "11.0"
tags:
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index a1cb318d7..01cf22a20 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -32,7 +32,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index a7cb712e4..ccc3300bf 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index d8bb23e5a..8ee6f7eab 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -20,7 +20,6 @@ references:
- CCE-85336-6
cci:
- CCI-000381
- - CCI-001774
800-53r4:
- CM-7
- AC-20
@@ -28,7 +27,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002019
+ - APPL-11-002019
800-171r2:
- 3.1.20
- 3.4.6
@@ -40,7 +39,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml
index 6e78439eb..3bc70ae62 100644
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -21,7 +21,6 @@ macOS:
- "11.0"
tags:
- cnssi-1253
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index 4970689d6..65c69a206 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -1,14 +1,25 @@
id: os_mdm_require
-title: "Enforce Enrollment in Mobile Devicement Management"
+title: "Enforce Enrollment in Mobile Device Management"
discussion: |
You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:
- * Whitlisting Approved Kernel Extensions
+
+ * Allowed Kernel Extensions
+ * Allowed Approved System Extensions
* Privacy Preferences Policy Control Payload
* ExtensibleSingleSignOn
+ * FDEFileVault
+
+ In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:
+
+ * Activation Lock Bypass
+ * Access to Bootstrap Tokens
+ * Scheduling Software Updates
+ * Query list and delete local users
+
check: |
- /usr/bin/profiles status -type enrollment | /usr/bin/awk -F': ' 'END{print $2}' | /usr/bin/grep -c "Yes"
+ /usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"
result:
integer: 1
fix: |
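Review bot: The rewritten check counts only lines containing `Yes (User Approved)`, while the discussion added above states that enrollment via Apple Business Manager/Apple School Manager is equally acceptable; confirm that `profiles status -type enrollment` reports that exact string for automated device enrollment as well, otherwise ABM/ASM-enrolled Macs will fail this rule. The `awk -F: '/MDM enrollment/ {print $2}'` selector is a clear improvement over the previous `END{print $2}`, which depended on line order, and worth a short note in `discussion`, e.g. `The check keys on the "MDM enrollment" line so that additional enrollment output does not affect the result.`. The `fix:` block that closes this hunk continues outside it.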
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index 6a2bce522..d47261dbb 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -23,7 +23,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002011
+ - APPL-11-002011
800-171r2:
- 3.1.20
- 3.4.6
@@ -35,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index 971d25625..c991a9f53 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -21,7 +21,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index 2ab85dbce..efc841efc 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -21,7 +21,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 2e08fb8f1..37c189733 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002003
+ - APPL-11-002003
800-171r2:
- 3.1.1
- 3.1.2
@@ -34,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index 05e0bf674..42296a78f 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 04b52103f..7615d41ce 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index 06e5c6bc8..fee25a2c3 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index 91e33d7a9..b0b81d659 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 1ea39b163..cd19a8fb3 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index f36f4275c..20359dafe 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index e2168e6e5..7d0637147 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -34,7 +34,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index 61a9a2392..8a4661a2d 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -30,12 +30,11 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- 800-171
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index 984f51c74..91d02b8f3 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -12,19 +12,18 @@ references:
cce:
- CCE-85354-9
cci:
- - CCI-000778
+ - N/A
800-53r4:
- N/A
srg:
- - SRG-OS-000114-GPOS-00059
+ - N/A
disa_stig:
- - AOSX-15-002069
+ - N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index 1afb8f666..e376b391b 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -36,18 +36,24 @@ references:
- CCI-001387
- CCI-001388
800-53r4:
- - N/A
+ - AC-8
srg:
- SRG-OS-000023-GPOS-00006
- SRG-OS-000024-GPOS-00007
- SRG-OS-000228-GPOS-00088
disa_stig:
- - AOSX-15-000025
+ - APPL-11-000025
800-171r2:
- - N/A
+ - 3.1.9
macOS:
- "11.0"
tags:
- - STIG
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - stig
+severity: "medium"
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index 6791bf131..8eaab28ca 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -26,14 +26,14 @@ references:
- AC-8
srg:
- SRG-OS-000023-GPOS-00006
- - SRG-OS-000024-GPOS-00007
disa_stig:
- - AOSX-15-000024
+ - APPL-11-000023
800-171r2:
- 3.1.9
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index 9f3621192..f11eb2e08 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -28,12 +28,13 @@ references:
srg:
- SRG-OS-000023-GPOS-00006
disa_stig:
- - AOSX-15-000023
+ - APPL-11-000024
800-171r2:
- 3.1.9
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml
index 0a1ba91af..080194633 100644
--- a/rules/os/os_predictable_behavior.yaml
+++ b/rules/os/os_predictable_behavior.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 53096e6bb..4126dc3a4 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -26,7 +26,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index a5d7e9593..f61d8aa56 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -32,7 +32,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml
index 1acc939dc..19925935f 100644
--- a/rules/os/os_prevent_unauthorized_disclosure.yaml
+++ b/rules/os/os_prevent_unauthorized_disclosure.yaml
@@ -30,7 +30,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index fccf62feb..665b8a1e7 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -16,16 +16,16 @@ references:
cci:
- CCI-000381
800-53r4:
- - N/A
+ - CM-7
srg:
- - SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002036
+ - APPL-11-002036
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index f7526367b..c6560eaa3 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -28,7 +28,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml
index 22a322e41..724449281 100644
--- a/rules/os/os_provide_automated_account_management.yaml
+++ b/rules/os/os_provide_automated_account_management.yaml
@@ -27,7 +27,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml
index afe5f7ee6..cc4841827 100644
--- a/rules/os/os_provide_disconnect_remote_access.yaml
+++ b/rules/os/os_provide_disconnect_remote_access.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml
index 11117c694..6a343a0a4 100644
--- a/rules/os/os_reauth_devices_change_authenticators.yaml
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml
@@ -22,7 +22,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml
index f02025126..f696e9bf6 100644
--- a/rules/os/os_reauth_privilege.yaml
+++ b/rules/os/os_reauth_privilege.yaml
@@ -21,7 +21,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml
index ef2535073..b84f0cf1f 100644
--- a/rules/os/os_reauth_users_change_authenticators.yaml
+++ b/rules/os/os_reauth_users_change_authenticators.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml
index 968f36885..483d0cd0a 100644
--- a/rules/os/os_remote_access_methods.yaml
+++ b/rules/os/os_remote_access_methods.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml
index 01f06d9a4..43c7a6049 100644
--- a/rules/os/os_remove_software_components_after_updates.yaml
+++ b/rules/os/os_remove_software_components_after_updates.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 3cc751bc2..91d9a579b 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -32,7 +32,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index e14f634c8..5a9ac02df 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -18,7 +18,7 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - AOSX-15-000006
+ - APPL-11-000006
800-171r2:
- 3.1.10
macOS:
@@ -28,7 +28,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
index a3f190c38..c7b603ade 100644
--- a/rules/os/os_secure_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
@@ -30,7 +30,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml
index fd35bdc0c..04a68c86e 100644
--- a/rules/os/os_separate_functionality.yaml
+++ b/rules/os/os_separate_functionality.yaml
@@ -32,7 +32,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 7d58cca99..cd5452365 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -48,7 +48,6 @@ references:
- SRG-OS-000054-GPOS-00025
- SRG-OS-000062-GPOS-00031
- SRG-OS-000122-GPOS-00063
- - SRG-OS-000138-GPOS-00069
- SRG-OS-000256-GPOS-00097
- SRG-OS-000257-GPOS-00098
- SRG-OS-000258-GPOS-00099
@@ -60,10 +59,8 @@ references:
- SRG-OS-000352-GPOS-00140
- SRG-OS-000353-GPOS-00141
- SRG-OS-000354-GPOS-00142
- - SRG-OS-000480-GPOS-00228
- - SRG-OS-000480-GPOS-00230
disa_stig:
- - AOSX-15-005001
+ - APPL-11-005001
800-171r2:
- 3.1.1
- 3.1.2
@@ -79,6 +76,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index 7aee63b5e..a2e4b0f8d 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -20,12 +20,10 @@ references:
- CM-7
- AC-20
srg:
- - SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002034
- - AOSX-15-002039
+ - APPL-11-002039
800-171r2:
- 3.1.20
- 3.4.6
@@ -37,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SetupAssistant.managed:
diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml
index 63ffed567..5d8dbcce4 100644
--- a/rules/os/os_ssh_fips_140_ciphers.yaml
+++ b/rules/os/os_ssh_fips_140_ciphers.yaml
@@ -7,7 +7,7 @@ discussion: |
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
- NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+ NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/ssh_config
result:
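Review bot: The check greps only the system-wide client file `/etc/ssh/ssh_config`, but ssh(1) reads `~/.ssh/config` first and keeps the first value it obtains for each keyword, so a per-user `Ciphers` line silently overrides this setting while the rule still passes. The discussion should carry that caveat alongside the corrected NOTE, for example `NOTE: A user's ~/.ssh/config is read before /etc/ssh/ssh_config and can override this setting; the check does not inspect per-user files.` The `grep -c` result is also a count, so a file that ends up with the directive twice (for instance after the fix is applied to a file that already had it) reports 2 and fails even though the configuration is correct; `grep -q ... && echo 1 || echo 0` would be more robust. The `fix:` section of this rule is outside the hunk.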
@@ -43,6 +43,5 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml
index 490c1e02f..448ac475c 100644
--- a/rules/os/os_ssh_fips_140_macs.yaml
+++ b/rules/os/os_ssh_fips_140_macs.yaml
@@ -21,16 +21,25 @@ references:
cce:
- CCE-85383-8
cci:
- - N/A
+ - CCI-000087
+ - CCI-000068
+ - CCI-000803
+ - CCI-002890
+ - CCI-003123
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
srg:
- - N/A
+ - SRG-OS-000033-GPOS-00014
+ - SRG-OS-000120-GPOS-00061
+ - SRG-OS-000125-GPOS-00065
+ - SRG-OS-000250-GPOS-00093
+ - SRG-OS-000393-GPOS-00173
+ - SRG-OS-000394-GPOS-00174
disa_stig:
- - N/A
+ - APPL-11-000055
800-171r2:
- 3.1.13
- 3.13.8
@@ -43,6 +52,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index e7ab01665..541bd5fd2 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -11,7 +11,7 @@ result:
fix: |
[source,bash]
----
- /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config
+ /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config
----
references:
cce:
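Review bot: The new fallback only detects an existing directive with `grep -q '^ServerAliveCountMax'`, which is case-sensitive and anchored to column 0, whereas ssh_config keywords are case-insensitive and commonly indented; an existing `  serveralivecountmax 5` is matched by neither the grep nor the sed pattern, the `echo` appends a second directive at the end of the file, and because ssh(1) uses the first value obtained the original setting still wins. Using `grep -qi '^[[:space:]]*ServerAliveCountMax'` and `sed -i.bak -E 's/^[[:space:]]*[Ss]erver[Aa]live[Cc]ount[Mm]ax.*/ServerAliveCountMax 0/'` would close that gap. Note also that the `a && b || c` form runs the append whenever sed itself fails, not only when the grep finds nothing; an explicit `if ...; then ...; else ...; fi` states the intent more clearly.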
@@ -33,6 +33,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index 031b1674c..5a8a3906b 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -13,7 +13,7 @@ result:
fix: |
[source,bash]
----
- /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config
+ /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval 900' >> /etc/ssh/ssh_config
----
references:
cce:
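Review bot: As with the ServerAliveCountMax fix in this commit, `grep -q '^ServerAliveInterval'` only recognizes an uncommented directive at column 0 with this exact capitalization, so an indented or lower-case `serveralive interval` line already present in `/etc/ssh/ssh_config` is neither rewritten nor detected, the new value is appended after it, and ssh(1)'s first-value-wins rule leaves the old interval in effect. A case-insensitive, whitespace-tolerant match (`grep -qi '^[[:space:]]*ServerAliveInterval'` with a matching `sed -E` pattern) would make the remediation reliable. The `a && b || c` chain also appends when sed fails rather than only when no directive exists; an `if/else` reads more precisely.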
@@ -35,6 +35,6 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index 8f9b95771..e676b9afe 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -23,12 +23,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - AOSX-15-000052
+ - APPL-11-000052
800-171r2:
- 3.13.9
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 4e5aae71e..50857f76b 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -25,12 +25,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - AOSX-15-000051
+ - APPL-11-000051
800-171r2:
- 3.13.9
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml
index a134c573f..1319acf10 100644
--- a/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -21,16 +21,21 @@ references:
cce:
- CCE-85454-7
cci:
- - CCI-001133
+ - CCI-000803
+ - CCI-000068
+ - CCI-000087
+ - CCI-003123
+ - CCI-002890
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
+ - MA-4(6)
srg:
- - SRG-OS-000163-GPOS-00072
+ - SRG-OS-000033-GPOS-00014
disa_stig:
- - AOSX-15-000053
+ - APPL-11-000054
800-171r2:
- 3.1.13
- 3.13.8
@@ -38,6 +43,7 @@ references:
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml
index 524a3898b..0a00f81b8 100644
--- a/rules/os/os_sshd_fips_140_macs.yaml
+++ b/rules/os/os_sshd_fips_140_macs.yaml
@@ -21,16 +21,21 @@ references:
cce:
- CCE-85453-9
cci:
- - CCI-001133
+ - CCI-000087
+ - CCI-000068
+ - CCI-000803
+ - CCI-002890
+ - CCI-003123
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
+ - MF-4(6)
srg:
- - SRG-OS-000163-GPOS-00072
+ - SRG-OS-000033-GPOS-00014
disa_stig:
- - AOSX-15-000053
+ - APPL-11-000055
800-171r2:
- 3.1.13
- 3.13.8
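Review bot: `MF-4(6)` is not an NIST SP 800-53 control identifier; the sibling rules changed in this same commit (os_sshd_fips_140_ciphers and the new os_sshd_key_exchange_algorithm_configure) map the same CCIs to `MA-4(6)` (Maintenance: Nonlocal Maintenance, cryptographic protection), so this is almost certainly a typo that will produce a dangling reference in the generated baselines and OVAL. Change the line to `- MA-4(6)`. A lint step in generate_guidance that validates control IDs against a known list would catch this class of error before release.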
@@ -38,6 +43,7 @@ references:
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
new file mode 100644
index 000000000..87bb0fb00
--- /dev/null
+++ b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -0,0 +1,52 @@
+id: os_sshd_key_exchange_algorithm_configure
+title: "Configure SSHD to Use Secure Key Exchange Algorithms"
+discussion: |
+ Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data.
+
+ Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+ The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated.
+
+ By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections.
+
+ NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
+check: |
+ /usr/bin/grep -c "^KexAlgorithms diffie-hellman-group-exchange-sha256" /etc/ssh/sshd_config
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
+ ----
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-000803
+ - CCI-000068
+ - CCI-000087
+ - CCI-003123
+ - CCI-002890
+ 800-53r4:
+ - IA-7
+ - AC-17(2)
+ - MA-4(6)
+ srg:
+ - SRG-OS-000033-GPOS-00014
+ - SRG-OS-000120-GPOS-00061
+ - SRG-OS-000125-GPOS-00065
+ - SRG-OS-000250-GPOS-00093
+ - SRG-OS-000393-GPOS-00173
+ - SRG-OS-000394-GPOS-00174
+ disa_stig:
+ - APPL-11-000056
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
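Review bot: The fix only rewrites an existing line that already contains `KexAlgorithms`; the stock macOS `/etc/ssh/sshd_config` does not ship such a line, so on an unmodified system the sed is a no-op, sshd is restarted unchanged, and the check still fails. The ServerAlive fixes in this same commit already use the grep-then-append pattern, and this rule should match it: `/usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd`. The discussion also speaks of "a Key Exchange Algorithm list with the order of hashes being in a strongest to weakest orientation", but the rule configures a single algorithm, so that sentence should either be dropped or the list it refers to should actually be specified.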
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
index f8a11627f..7c355f91c 100644
--- a/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -23,12 +23,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - AOSX-15-000053
+ - APPL-11-000053
800-171r2:
- 3.13.9
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml
index 02d931ae6..f45eaf5da 100644
--- a/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -26,10 +26,11 @@ references:
srg:
- SRG-OS-000109-GPOS-00056
disa_stig:
- - AOSX-15-001100
+ - APPL-11-001100
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index e11c2c88b..1192dc1cf 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -35,7 +35,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_sudoers_tty_configure.yaml b/rules/os/os_sudoers_tty_configure.yaml
index 94baf99bd..0d137f921 100644
--- a/rules/os/os_sudoers_tty_configure.yaml
+++ b/rules/os/os_sudoers_tty_configure.yaml
@@ -23,11 +23,12 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-004021
+ - APPL-11-004021
macOS:
- "11.0"
tags:
- cnssi-1253
- - STIG
+ - stig
+severity: "high"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_system_log_files_owner_group_configure.yaml b/rules/os/os_system_log_files_owner_group_configure.yaml
new file mode 100644
index 000000000..dce23950a
--- /dev/null
+++ b/rules/os/os_system_log_files_owner_group_configure.yaml
@@ -0,0 +1,46 @@
+id: os_system_log_files_owner_group_configure
+title: "Configure System Log Files to be Owned by Root and Group-Owned by Wheel or Admin"
+discussion: |
+ System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk.
+check: |
+ Some system log files are controlled by "newsyslog" and "aslmanager".
+
+ The following commands check for log files that exist on the system and print the path to the log with the corresponding ownership. Run them from inside "/var/log".
+
+ /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
+ /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null
+
+ Each command may return zero or more files.
+
+ If there are any system log files that are not owned by "root" and group-owned by "wheel" or admin, this is a finding.
+
+ Service logs may be owned by the service user account or group.
+fix: |
+ For any log file that returns an incorrect owner or group value, run the following command:
+
+ /usr/bin/sudo chown root:wheel [log file]
+
+ [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group.
+
+ If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are either not present or are set to a service user account and group respectively.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004001
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
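Review bot: The check parses only `/etc/newsyslog.conf`, yet the fix text tells the reader to correct entries in `/etc/newsyslog.d/` as well; if newsyslog on macOS honors that directory as the fix implies, logs declared there are never examined and an incorrectly owned file passes this rule. Extending the first command to `$(/usr/bin/grep -hv '^#' /etc/newsyslog.conf /etc/newsyslog.d/* | /usr/bin/awk '{ print $1 }')` (the `-h` suppresses filename prefixes that would otherwise become the first field) closes the gap. As a point of style, both commands call bare `awk` while every other tool in the project's checks is given by absolute path; `/usr/bin/awk` would be consistent and avoids PATH surprises when the check is run from the compliance script.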
diff --git a/rules/os/os_system_log_files_permissions_configure.yaml b/rules/os/os_system_log_files_permissions_configure.yaml
new file mode 100644
index 000000000..35497d6c9
--- /dev/null
+++ b/rules/os/os_system_log_files_permissions_configure.yaml
@@ -0,0 +1,41 @@
+id: os_system_log_files_permissions_configure
+title: "Configure System Log Files set to mode 640 or less permissive."
+discussion: |
+ System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
+check: |
+ The following commands check for log files that exist on the system and print the path to the log with the corresponding permissions. Run them from inside "/var/log":
+
+ /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
+
+ /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null
+
+ Each command may return zero or more files. If the permissions on log files are not "640" or less permissive, this is a finding.
+fix: |
+ For any log file that returns an incorrect permission value, run the following command:
+
+ /usr/bin/sudo chmod 640 [log file]
+
+ [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive.
+
+ If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-001314
+ 800-53r4:
+ - SI-11
+ srg:
+ - SRG-OS-000206-GPOS-00084
+ disa_stig:
+ - APPL-11-004002
+ 800-171r2:
+ - N/A
+macOS:
+ - "11.0"
+tags:
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
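Review bot: Same gap as the companion ownership rule: the check reads `/etc/newsyslog.conf` only, while the fix directs edits to `/etc/newsyslog.d/` too, so any log declared in that directory is skipped by the permissions check even though newsyslog may recreate it with a more permissive mode on the next rotation. Suggested first command: `/usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -hv '^#' /etc/newsyslog.conf /etc/newsyslog.d/* | /usr/bin/awk '{ print $1 }') 2> /dev/null`. Two smaller consistency points: `awk` should be `/usr/bin/awk` like the other tools, and the title ends with a period (`... mode 640 or less permissive.`) unlike every other rule title in the project.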
diff --git a/rules/os/os_system_wide_preferences_configure.yaml b/rules/os/os_system_wide_preferences_configure.yaml
index cdb872315..d1e84f47e 100644
--- a/rules/os/os_system_wide_preferences_configure.yaml
+++ b/rules/os/os_system_wide_preferences_configure.yaml
@@ -23,11 +23,11 @@ references:
- AC-6(1)
- AC-6(2)
disa_stig:
- - N/A
+ - APPL-11-002069
srg:
- - N/A
+ - SRG-OS-000378-GPOS-00163
cci:
- - N/A
+ - CCI-001958
800-171r2:
- 3.1.5
- 3.1.6
@@ -38,5 +38,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml
index b4c01dfd4..48d82f124 100644
--- a/rules/os/os_terminate_session.yaml
+++ b/rules/os/os_terminate_session.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index afb19aa65..392d993f7 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -18,13 +18,14 @@ references:
cce:
- CCE-85391-1
cci:
- - N/A
+ - CCI-000197
800-53r4:
- AC-3
+ - IA-5(1)
srg:
- - N/A
+ - SRG-OS-000074-GPOS-00042
disa_stig:
- - N/A
+ - APPL-11-002038
800-171r2:
- 3.1.1
- 3.1.2
@@ -36,6 +37,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "high"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index 8094d2e13..985930284 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -23,7 +23,7 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - AOSX-15-000014
+ - APPL-11-000014
800-171r2:
- 3.3.7
macOS:
@@ -33,6 +33,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml
index c000d01e5..fa7b9d86c 100644
--- a/rules/os/os_unique_identification.yaml
+++ b/rules/os/os_unique_identification.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
index 38c2b8e58..1898f8c95 100644
--- a/rules/os/os_user_app_installation_prohibit.yaml
+++ b/rules/os/os_user_app_installation_prohibit.yaml
@@ -20,11 +20,12 @@ references:
srg:
- SRG-OS-000362-GPOS-00149
disa_stig:
- - AOSX-15-002067
+ - APPL-11-002067
macOS:
- "11.0"
tags:
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess.new:
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index b70c2089b..27a4f51f5 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002006
+ - APPL-11-002006
800-171r2:
- 3.1.1
- 3.1.2
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml
index 9174fe4d2..cc672036b 100644
--- a/rules/os/os_verify_remote_disconnection.yaml
+++ b/rules/os/os_verify_remote_disconnection.yaml
@@ -20,7 +20,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml
index 71fe03fda..cfe5d1cc8 100644
--- a/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -38,7 +38,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index 28f2ba824..1994cbb6d 100644
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000076-GPOS-00044
disa_stig:
- - AOSX-15-003008
+ - APPL-11-003008
800-171r2:
- 3.5.1
- 3.5.2
@@ -37,7 +37,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 9cd62d20d..4dba63354 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -14,16 +14,13 @@ references:
cce:
- CCE-85402-6
cci:
- - CCI-000044
- CCI-002238
800-53r4:
- AC-7
srg:
- - SRG-OS-000021-GPOS-00005
- SRG-OS-000329-GPOS-00128
disa_stig:
- - AOSX-15-000020
- - AOSX-15-000022
+ - APPL-11-000022
800-171r2:
- 3.1.8
macOS:
@@ -34,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 7ccff98fc..401472623 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -15,14 +15,12 @@ references:
- CCE-85403-4
cci:
- CCI-002238
- - CCI-000366
800-53r4:
- AC-7
srg:
- SRG-OS-000329-GPOS-00128
- - SRG-OS-000480-GPOS-00226
disa_stig:
- - AOSX-15-000021
+ - APPL-11-000022
800-171r2:
- 3.1.8
macOS:
@@ -33,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 4997d6277..f43078ea9 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000071-GPOS-00039
disa_stig:
- - AOSX-15-003007
+ - APPL-11-003007
800-171r2:
- 3.5.1
- 3.5.2
@@ -37,7 +37,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 134ca09f3..82d54f1ba 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -18,13 +18,13 @@ references:
cce:
- CCE-85405-9
cci:
- - CCI-001682
+ - N/A
800-53r4:
- AC-2(2)
srg:
- - SRG-OS-00123-GPOS-00064
+ - N/A
disa_stig:
- - AOSX-15-000013
+ - N/A
macOS:
- "11.0"
tags:
diff --git a/rules/pwpolicy/pwpolicy_force_change_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
similarity index 99%
rename from rules/pwpolicy/pwpolicy_force_change_password_change.yaml
rename to rules/pwpolicy/pwpolicy_force_password_change.yaml
index d3b756cfd..b2d8aeebc 100644
--- a/rules/pwpolicy/pwpolicy_force_change_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -42,7 +42,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 62071e405..2b494e4ca 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000077-GPOS-00045
disa_stig:
- - AOSX-15-003009
+ - APPL-11-003009
800-171r2:
- 3.5.7
- 3.5.8
@@ -36,7 +36,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index 2b3f140b2..66d98344e 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -61,6 +61,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 2ec566738..dde1ed7b5 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000078-GPOS-00046
disa_stig:
- - AOSX-15-003010
+ - APPL-11-003010
800-171r2:
- 3.5.1
- 3.5.2
@@ -37,7 +37,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 3de4451d7..07e02bbe9 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
Minimum Password Lifetime
policyParameters
- policyAttributeMinimumLifetimeHours
+ policyAttributeMinimumLifetimeHours
24
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 69d2869c3..6b1e7e483 100644
--- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -24,7 +24,6 @@ references:
macOS:
- "11.0"
tags:
- - STIG
- permanent
mobileconfig: false
mobileconfig_info:
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 7c44e7fcc..c57796125 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000266-GPOS-00101
disa_stig:
- - AOSX-15-003011
+ - APPL-11-003011
800-171r2:
- 3.5.1
- 3.5.2
@@ -39,7 +39,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index 8699bd7ef..3c483fc4e 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -16,20 +16,19 @@ references:
cce:
- CCE-85414-1
cci:
- - CCI-000016
+ - N/A
800-53r4:
- AC-2(2)
srg:
- - SRG-OS-000002-GPOS-00002
+ - N/A
disa_stig:
- - AOSX-15-000012
+ - N/A
macOS:
- "11.0"
tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
- inherent
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
new file mode 100644
index 000000000..ade2d3536
--- /dev/null
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -0,0 +1,77 @@
+id: pwpolicy_temporary_or_emergency_accounts_disable
+title: "Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours"
+discussion: |
+ The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.
+
+ Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
+
+ Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved.
+
+ Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
+
+ To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
+
+ If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts _MUST_ be set to 72 hours (or less) when the temporary or emergency account is created.
+
+ If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
+
+ If there are no temporary or emergency accounts defined on the system, this is Not Applicable.
+check: |
+ Verify if a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO).
+
+ If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
+
+ If there are no temporary or emergency accounts defined on the system, this is Not Applicable.
+
+ To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username:
+
+ /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2
+
+ If there is no output, and password policy is not controlled by a directory service, this is a finding.
+
+ Otherwise, look for the line "policyCategoryAuthentication".
+
+ In the array that follows, there should be a section that contains a check that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section.
+
+ If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.
+fix: |
+ This setting may be enforced using local policy or by a directory service.
+
+ To set local policy to disable a temporary or emergency user, create a plain text file containing the following:
+
+
+ policyCategoryAuthentication
+
+
+ policyContent
+ policyAttributeCurrentTime < policyAttributeCreationTime+259299
+ policyIdentifier
+ Disable Tmp Accounts
+
+
+
+
+ After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".
+
+ /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
+references:
+ cce:
+ - CCE-85414-1
+ cci:
+ - CCI-000016
+ - CCI-001682
+ 800-53r4:
+ - AC-2(2)
+ srg:
+ - SRG-OS-000002-GPOS-00002
+ - SRG-OS-000123-GPOS-00064
+ disa_stig:
+ - APPL-11-000012
+macOS:
+ - "11.0"
+tags:
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
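Review bot: The 72-hour window is encoded as 259299 seconds in both the check text ("72 hours (259299 seconds)") and the fix policy `policyAttributeCurrentTime < policyAttributeCreationTime+259299`, but 72 hours is 259200 seconds, so a policy built from this rule keeps the account enabled 99 seconds past the limit the rule itself states as "72 hours (or less)"; both occurrences should read 259200. The new rule also reuses CCE-85414-1, the identifier that pwpolicy_temporary_accounts_disable still carries in this same change, and a CCE is meant to name one configuration item, so the new rule needs its own CCE or the older rule's should be retired. The plist in the fix section shows only element text (policyCategoryAuthentication, policyContent, policyIdentifier) with no `<plist>`/`<dict>`/`<array>`/`<key>` tags — presumably an extraction artifact, but worth confirming the committed file holds a complete, loadable plist since `pwpolicy setaccountpolicies` will reject a bare text fragment.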
diff --git a/rules/sysprefs/sysprefs_afp_disable.yaml b/rules/sysprefs/sysprefs_afp_disable.yaml
index 9a8d56d56..57c913f77 100644
--- a/rules/sysprefs/sysprefs_afp_disable.yaml
+++ b/rules/sysprefs/sysprefs_afp_disable.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002002
+ - APPL-11-002002
800-171r2:
- 3.1.1
- 3.1.2
@@ -36,6 +36,6 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
index 783207a36..823bbb770 100644
--- a/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - AOSX-15-000001
+ - APPL-11-000001
800-171r2:
- 3.1.10
macOS:
@@ -30,7 +30,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
diff --git a/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index 3e08d526e..5ef406083 100644
--- a/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00229
disa_stig:
- - AOSX-15-002066
+ - APPL-11-002066
800-171r2:
- 3.5.1
- 3.5.2
@@ -33,7 +33,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.loginwindow:
diff --git a/rules/sysprefs/sysprefs_enforce_auto_logout.yaml b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
similarity index 96%
rename from rules/sysprefs/sysprefs_enforce_auto_logout.yaml
rename to rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index c3e6f9790..5a93e6572 100644
--- a/rules/sysprefs/sysprefs_enforce_auto_logout.yaml
+++ b/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -1,4 +1,4 @@
-id: sysprefs_enforce_auto_logout
+id: sysprefs_automatic_logout_enforce
title: "Enforce Auto Logout After 24 Hours of Inactivity"
discussion: |
Auto logout _MUST_ be configured to automatically terminate a user session and log out the after 86400 seconds (24 hours) of inactivity.
@@ -33,7 +33,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: true
mobileconfig_info:
.GlobalPreferences:
diff --git a/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index d84e61177..a1e908e7b 100644
--- a/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000481-GPOS-000481
disa_stig:
- - AOSX-15-002062
+ - APPL-11-002062
800-171r2:
- 3.13.8
macOS:
@@ -34,7 +34,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "low"
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:
diff --git a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index c29fe813a..c52698da8 100644
--- a/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000096-GPOS-00050
disa_stig:
- - AOSX-15-002021
+ - APPL-11-002021
800-171r2:
- 3.1.20
macOS:
@@ -32,6 +32,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.SubmitDiagInfo:
diff --git a/rules/sysprefs/sysprefs_filevault_enforce.yaml b/rules/sysprefs/sysprefs_filevault_enforce.yaml
index 4cf02c3f2..5e310924e 100644
--- a/rules/sysprefs/sysprefs_filevault_enforce.yaml
+++ b/rules/sysprefs/sysprefs_filevault_enforce.yaml
@@ -25,7 +25,7 @@ references:
- SRG-OS-000404-GPOS-00183
- SRG-OS-000405-GPOS-00184
disa_stig:
- - AOSX-15-005020
+ - APPL-11-005020
800-171r2:
- 3.13.16
macOS:
@@ -35,6 +35,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml
index 81fc892a7..31fee32e5 100644
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -28,7 +28,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00232
disa_stig:
- - AOSX-15-005050
+ - APPL-11-005050
800-171r2:
- 3.1.3
- 3.1.5
@@ -45,6 +45,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index af9a342fb..8093d962e 100644
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -26,11 +26,11 @@ references:
- CM-7
- SC-7(16)
srg:
- - N/A
+ - SRG-OS-000480-GPOS-00232
cci:
- - N/A
+ - CCI-000366
disa_stig:
- - N/A
+ - APPL-11-005050
800-171r2:
- 3.4.6
- 3.13.1
@@ -44,5 +44,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
index 620ed0b60..4be5a3bcf 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
@@ -23,10 +23,9 @@ references:
- CM-5
- SI-7(15)
srg:
- - SRG-OS-000366-GPOS-00153
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-002060
+ - APPL-11-002060
800-171r2:
- 3.4.5
macOS:
@@ -36,7 +35,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.systempolicy.control:
diff --git a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
index 3460cdfed..cb8f55159 100644
--- a/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
+++ b/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-002061
+ - APPL-11-002061
800-171r2:
- 3.4.5
macOS:
@@ -37,7 +37,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.systempolicy.managed:
diff --git a/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
index d72b471eb..809f15d27 100644
--- a/rules/sysprefs/sysprefs_hot_corners_disable.yaml
+++ b/rules/sysprefs/sysprefs_hot_corners_disable.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - AOSX-15-000007
+ - APPL-11-000007
800-171r2:
- 3.1.10
macOS:
@@ -30,7 +30,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:
diff --git a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index 9b2b2a9ed..27469bf40 100644
--- a/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -21,7 +21,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002007
+ - APPL-11-002007
800-171r2:
- 3.1.3
- 3.1.20
@@ -33,7 +33,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.MCX:
diff --git a/rules/sysprefs/sysprefs_location_services_disable.yaml b/rules/sysprefs/sysprefs_location_services_disable.yaml
index d327a9c0f..fbd49616c 100644
--- a/rules/sysprefs/sysprefs_location_services_disable.yaml
+++ b/rules/sysprefs/sysprefs_location_services_disable.yaml
@@ -7,7 +7,7 @@ discussion: |
check: |
/usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled
result:
- integer: 0
+ boolean: 0
fix: |
[source,bash]
----
@@ -23,7 +23,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002004
+ - APPL-11-002004
800-171r2:
- 3.4.6
macOS:
@@ -34,6 +34,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
index 7c00e6dd4..f67444584 100644
--- a/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
+++ b/rules/sysprefs/sysprefs_media_sharing_disabled.yaml
@@ -6,12 +6,14 @@ discussion: |
When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user’s music collection with other users in the same subnet.
The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk.
+
+ NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
check: |
- /sbin/pfctl -a '*' -sr &> /dev/null | /usr/bin/grep -c "block drop log proto tcp from any to any port = 3689"
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 1)'
result:
integer: 1
fix: |
- NOTE: Even if the user enables this service, the firewall is configured to block access to it. See Firewall Supplemental which includes a script that has an example policy to implement this rule.
+ This is implemented by a Configuration Profile.
references:
cce:
- CCE-85436-4
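Review bot: The new check's grep pattern is inconsistent with the profile payload this same change adds: it looks for `mediaSharingUIStatus = 1` while the configuration profile sets `mediaSharingUIStatus: 0`, so that alternative can never match on a compliant host. The expected `integer: 1` also looks wrong for a pattern with three alternatives and `grep -c`, which counts matching lines; if `profiles -P -o stdout` prints one key per line (as it appears to), a compliant host yields 2 with the current pattern and 3 with a corrected one — verify the output layout and pin the count accordingly, e.g. `/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(homeSharingUIStatus = 0|legacySharingUIStatus = 0|mediaSharingUIStatus = 0)'` with `integer: 3`. Note too that the old check inspected the pf rule for port 3689 whereas the new one only confirms the profile payload is installed; given the added NOTE that the preference panel still lets the boxes be checked, consider keeping a service-level check alongside the profile check so the rule still detects a live listener.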
@@ -30,7 +32,12 @@ macOS:
- "11.0"
tags:
- 800-171
- - STIG
-mobileconfig: false
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+mobileconfig: true
mobileconfig_info:
-
+ com.apple.preferences.sharing.SharingPrefsExtension:
+ homeSharingUIStatus: 0
+ legacySharingUIStatus: 0
+ mediaSharingUIStatus: 0
diff --git a/rules/sysprefs/sysprefs_password_hints_disable.yaml b/rules/sysprefs/sysprefs_password_hints_disable.yaml
index 018791ac2..af4d79693 100644
--- a/rules/sysprefs/sysprefs_password_hints_disable.yaml
+++ b/rules/sysprefs/sysprefs_password_hints_disable.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-003012
+ - APPL-11-003012
800-171r2:
- 3.5.11
macOS:
@@ -31,7 +31,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.loginwindow:
diff --git a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
index 98a6d89ed..008f0fee4 100644
--- a/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
+++ b/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml
@@ -33,7 +33,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: true
mobileconfig_info:
com.apple.AdLib:
diff --git a/rules/sysprefs/sysprefs_rae_disable.yaml b/rules/sysprefs/sysprefs_rae_disable.yaml
index 4bf44156c..9f5dbf4be 100644
--- a/rules/sysprefs/sysprefs_rae_disable.yaml
+++ b/rules/sysprefs/sysprefs_rae_disable.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000096-GPOS-00050
disa_stig:
- - AOSX-15-002022
+ - APPL-11-002022
800-171r2:
- 3.1.1
- 3.1.2
@@ -37,6 +37,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
index 3c28586da..1fa797d1d 100644
--- a/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
+++ b/rules/sysprefs/sysprefs_screen_sharing_disable.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - AOSX-15-002050
+ - APPL-11-002050
800-171r2:
- 3.1.1
- 3.1.2
@@ -37,6 +37,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index 87aebdd33..c7db4ff9a 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - AOSX-15-000003
+ - APPL-11-000003
800-171r2:
- 3.1.10
macOS:
@@ -30,7 +30,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
diff --git a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
index 665153154..740a13b07 100644
--- a/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - AOSX-15-000002
+ - APPL-11-000002
800-171r2:
- 3.1.10
macOS:
@@ -30,7 +30,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 79b923f61..4ac2818a6 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- - AOSX-15-000004
+ - APPL-11-000004
800-171r2:
- 3.1.10
macOS:
@@ -30,7 +30,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
diff --git a/rules/sysprefs/sysprefs_siri_disable.yaml b/rules/sysprefs/sysprefs_siri_disable.yaml
index d1eec4feb..b421e57c6 100644
--- a/rules/sysprefs/sysprefs_siri_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_disable.yaml
@@ -23,7 +23,7 @@ references:
- SRG-OS-000095-GPOS-00049
- SRG-OS-000370-GPOS-00155
disa_stig:
- - AOSX-15-002020
+ - APPL-11-002020
800-171r2:
- 3.1.20
- 3.4.6
@@ -35,7 +35,8 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.ironwood.support:
diff --git a/rules/sysprefs/sysprefs_smbd_disable.yaml b/rules/sysprefs/sysprefs_smbd_disable.yaml
index 51c182ae4..e468b930e 100644
--- a/rules/sysprefs/sysprefs_smbd_disable.yaml
+++ b/rules/sysprefs/sysprefs_smbd_disable.yaml
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - AOSX-15-002001
+ - APPL-11-002001
800-171r2:
- 3.1.1
- 3.1.2
@@ -36,6 +36,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml
index 5ee9d5a3a..80b9f859a 100644
--- a/rules/sysprefs/sysprefs_ssh_disable.yaml
+++ b/rules/sysprefs/sysprefs_ssh_disable.yaml
@@ -24,9 +24,18 @@ references:
- IA-2(8)
- IA-2(9)
srg:
- - N/A
+ - SRG-OS-000250-GPOS-00093
+ - SRG-OS-000033-GPOS-00014
+ - SRG-OS-000393-GPOS-00173
+ - SRG-OS-000394-GPOS-00174
+ - SRG-OS-000112-GPOS-00057
+ - SRG-OS-000113-GPOS-00058
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SRG-OS-000425-GPOS-00189
+ - SRG-OS-000426-GPOS-00190
disa_stig:
- - N/A
+ - APPL-11-000011
800-171r2:
- 3.1.1
- 3.1.2
@@ -40,6 +49,7 @@ tags:
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml
index 18535156b..b8307ae54 100644
--- a/rules/sysprefs/sysprefs_ssh_enable.yaml
+++ b/rules/sysprefs/sysprefs_ssh_enable.yaml
@@ -40,16 +40,16 @@ references:
- SRG-OS-000033-GPOS-00014
- SRG-OS-000250-GPOS-00093
disa_stig:
- - AOSX-15-000040
- - AOSX-15-004011
- - AOSX-15-004010
- - AOSX-15-000011
- - AOSX-15-000010
+ - APPL-11-000040
+ - APPL-11-004011
+ - APPL-11-004010
+ - APPL-11-000011
+ - APPL-11-000010
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- - STIG
+ - none
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
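Review bot: sysprefs_ssh_enable keeps APPL-11-000011 in its disa_stig list while its STIG tag is replaced by `none`, and in the same change sysprefs_ssh_disable gains the `stig` tag with that same APPL-11-000011 ID, so two mutually exclusive rules now cite one STIG control and only the tags hint at which one the DISA-STIG baseline actually selects. If the Big Sur STIG satisfies this control by disabling SSH, drop APPL-11-000011 from this rule's list (leaving the FIPS-cipher IDs 000040/004010/004011 if they still apply); if it does not, the tag change on sysprefs_ssh_disable is the part to revisit. The `- none` tag is also unlike the other de-tagged rules in this change, which simply leave the STIG entry out — pick one convention so baseline generation does not treat `none` as a real tag.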
diff --git a/rules/sysprefs/sysprefs_time_server_configure.yaml b/rules/sysprefs/sysprefs_time_server_configure.yaml
index 091954118..423e7be26 100644
--- a/rules/sysprefs/sysprefs_time_server_configure.yaml
+++ b/rules/sysprefs/sysprefs_time_server_configure.yaml
@@ -22,7 +22,7 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - AOSX-15-000014
+ - APPL-11-000014
800-171r2:
- 3.3.7
macOS:
@@ -32,7 +32,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.MCX:
diff --git a/rules/sysprefs/sysprefs_time_server_enforce.yaml b/rules/sysprefs/sysprefs_time_server_enforce.yaml
index 7b2da625e..e723a7f10 100644
--- a/rules/sysprefs/sysprefs_time_server_enforce.yaml
+++ b/rules/sysprefs/sysprefs_time_server_enforce.yaml
@@ -22,7 +22,7 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - AOSX-15-000014
+ - APPL-11-000014
800-171r2:
- 3.3.7
macOS:
@@ -32,7 +32,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.ManagedClient.preferences:
diff --git a/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
index 2feb6b232..661181b06 100644
--- a/rules/sysprefs/sysprefs_token_removal_enforce.yaml
+++ b/rules/sysprefs/sysprefs_token_removal_enforce.yaml
@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000030-GPOS-00011
disa_stig:
- - AOSX-15-000005
+ - APPL-11-000005
800-171r2:
- 3.1.10
macOS:
@@ -35,7 +35,8 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+ - stig
+severity: "medium"
mobileconfig: true
mobileconfig_info:
com.apple.security.smartcard:
diff --git a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
index 57bb545cf..f7a861fb0 100644
--- a/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
+++ b/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - AOSX-15-000001
+ - APPL-11-000001
800-171r2:
- 3.1.10
macOS:
@@ -32,7 +32,7 @@ tags:
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- - STIG
+
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
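Review bot: The `- STIG` tag is replaced by an empty line instead of the lowercase `- stig` used in the other rule files of this commit, leaving a rule that keeps the `APPL-11-000001` reference but no longer carries any STIG tag or a `severity`. If the rule belongs in the DISA-STIG baseline, change the blank line to `  - stig` and add `severity: "<value>"` as the sibling rules do; if it does not, the remaining `disa_stig` entry is stale.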
diff --git a/rules/sysprefs/sysprefs_wifi_disable.yaml b/rules/sysprefs/sysprefs_wifi_disable.yaml
index 099672dd9..1842389af 100644
--- a/rules/sysprefs/sysprefs_wifi_disable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_disable.yaml
@@ -1,45 +1,38 @@
id: sysprefs_wifi_disable
-title: "Disable Wi-Fi When Connected to Ethernet"
+title: "Disable Wi-Fi Interface"
discussion: |
- The macOS should be configured to automatically disable Wi-Fi when connected to ethernet.
+ The macOS system must be configured with Wi-Fi support software disabled.
- The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used.
+ Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication.
NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
check: |
- The technology does not support this requirement. This is an applicable-does not meet finding.
+ /usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi"
+result:
+ integer: 1
fix: |
- This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
+ /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
references:
cce:
- - CCE-85452-1
+ - N/A
cci:
- - CCI-001967
- - CCI-001443
- - CCI-001444
+ - N/A
800-53r4:
- AC-4
- AC-18(1)
- AC-18(3)
disa_stig:
- - AOSX-15-004020
- - AOSX-15-000008
+ - APPL-11-000008
srg:
+ - SRG-OS-000299-GPOS-00117
- SRG-OS-000300-GPOS-00118
- - SRG-OS-000300-GPOS-00117
- - SRG-OS-000480-GPOS-00227
- SRG-OS-000379-GPOS-00164
800-171r2:
- - 3.1.3
- - 3.1.17
+ - N/A
macOS:
- "11.0"
tags:
- - 800-171
- - cnssi-1253
- - 800-53r4_moderate
- - 800-53r4_high
- - STIG
- - permanent
+ - stig
+severity: "medium"
mobileconfig: false
mobileconfig_info:
\ No newline at end of file
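Review bot: The new check `networksetup -listallnetworkservices | grep -c "*Wi-Fi"` with an expected `integer: 1` reports a failure both when Wi-Fi is enabled and when no service named exactly "Wi-Fi" exists (no adapter, a renamed service, or two Wi-Fi services giving a count of 2), so the rule cannot separate "disabled" from "not present" even though the NOTE declares the latter not applicable. Consider stating that limitation in `discussion`, or checking `networksetup -getnetworkserviceenabled "Wi-Fi"` for the literal `Disabled` output, which also ties the check to the same hard-coded service name the fix uses. Separately, the new discussion paragraph has a fused sentence at `in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth` that needs a space and commas.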
diff --git a/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml
new file mode 100644
index 000000000..f7b063ba7
--- /dev/null
+++ b/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml
@@ -0,0 +1,38 @@
+id: sysprefs_wifi_disable_when_connected_to_ethernet
+title: "Disable Wi-Fi When Connected to Ethernet"
+discussion: |
+ The macOS should be configured to automatically disable Wi-Fi when connected to ethernet.
+
+ The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used.
+
+ NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable.
+check: |
+ The technology does not support this requirement. This is an applicable-does not meet finding.
+fix: |
+ This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
+references:
+ cce:
+ - CCE-85452-1
+ cci:
+ - N/A
+ 800-53r4:
+ - AC-4
+ - AC-18(1)
+ - AC-18(3)
+ disa_stig:
+ - N/A
+ srg:
+ - N/A
+ 800-171r2:
+ - 3.1.3
+ - 3.1.17
+macOS:
+ - "11.0"
+tags:
+ - 800-171
+ - cnssi-1253
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - permanent
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py
index 995ce68c6..876d76877 100755
--- a/scripts/generate_baseline.py
+++ b/scripts/generate_baseline.py
@@ -83,7 +83,7 @@ def collect_rules():
'srg']
- for rule in glob.glob('../rules/*/*.yaml'):
+ for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True):
rule_yaml = get_rule_yaml(rule)
for key in keys:
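Review bot: With built-in and custom rule files concatenated in the glob on the changed line, a custom rule that overrides a built-in one by filename is collected twice (once per path, each time resolved by get_rule_yaml to the custom YAML), so `all_rules` carries duplicates. The later hunk that adds `if rule.rule_id not in other_rules` only suppresses the duplicate in that one list; `supplemental_rules` and the other branches still receive both copies. De-duplicating at collection time is simpler: `if rule_yaml['id'] in seen_ids: continue` and `seen_ids.add(rule_yaml['id'])` before the `MacSecurityRule(...)` append, with `seen_ids = set()` initialised beside `all_rules`. collect_rules begins and ends outside this hunk.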
@@ -99,7 +99,7 @@ def collect_rules():
except:
#print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)
rule_yaml[key].update({reference: ["None"]})
-
+
all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
rule_yaml['id'].replace('|', '\|'),
rule_yaml['severity'].replace('|', '\|'),
@@ -200,7 +200,8 @@ def output_baseline(rules, os, keyword):
elif "supplemental" in rule.rule_tags:
supplemental_rules.append(rule.rule_id)
else:
- other_rules.append(rule.rule_id)
+ if rule.rule_id not in other_rules:
+ other_rules.append(rule.rule_id)
section_name = rule.rule_id.split("_")[0]
if section_name not in sections:
sections.append(section_name)
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index c402a8e3e..f831312e0 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -14,6 +14,7 @@
import argparse
import subprocess
import logging
+import tempfile
from xlwt import Workbook
from string import Template
from itertools import groupby
@@ -22,7 +23,7 @@
class MacSecurityRule():
- def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, tags, result_value, mobileconfig, mobileconfig_info):
+ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, custom_refs, tags, result_value, mobileconfig, mobileconfig_info):
self.rule_title = title
self.rule_id = rule_id
self.rule_severity = severity
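Review bot: `custom_refs` is inserted as a required positional parameter in the middle of a seventeen-argument constructor, so every positional call site must change in lockstep and a missed one fails with a misleading "missing argument" error naming `mobileconfig_info`. Appending it as `custom_refs=None` at the end, or making the new parameter keyword-only, keeps existing callers valid and makes the new argument self-describing at the call site. The rest of the class lies outside this hunk.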
@@ -35,6 +36,7 @@ def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, n
self.rule_800171 = nist_171
self.rule_disa_stig = disa_stig
self.rule_srg = srg
+ self.rule_custom_refs = custom_refs
self.rule_result_value = result_value
self.rule_tags = tags
self.rule_mobileconfig = mobileconfig
@@ -266,12 +268,58 @@ def addMCXPayload(self, settings, baseline_name):
self._addPayload(payload_dict, baseline_name)
def finalizeAndSave(self, output_path):
- """Perform last modifications and save to an output plist.
+ """Perform last modifications and save to configuration profile.
"""
-
plistlib.dump(self.data, output_path)
print(f"Configuration profile written to {output_path.name}")
+ def finalizeAndSavePlist(self, output_path):
+ """Perform last modifications and save to an output plist.
+ """
+ output_file_path = output_path.name
+ preferences_path = os.path.dirname(output_file_path)
+
+
+ settings_dict = {}
+ for i in self.data['PayloadContent']:
+ if i['PayloadType'] == "com.apple.ManagedClient.preferences":
+ for key, value in i['PayloadContent'].items():
+ domain=key
+ preferences_output_file = os.path.join(preferences_path, domain + ".plist")
+ if not os.path.exists(preferences_output_file):
+ with open(preferences_output_file, 'w'): pass
+ with open (preferences_output_file, 'rb') as fp:
+ try:
+ settings_dict = plistlib.load(fp)
+ except:
+ settings_dict = {}
+ with open(preferences_output_file, 'wb') as fp:
+ for setting in value['Forced']:
+ for key, value in setting['mcx_preference_settings'].items():
+ settings_dict[key] = value
+
+ #preferences_output_path = open(preferences_output_file, 'wb')
+ plistlib.dump(settings_dict, fp)
+ print(f"Settings plist written to {preferences_output_file}")
+ settings_dict.clear()
+ try:
+ os.unlink(output_file_path)
+ except:
+ continue
+ else:
+ if os.path.exists(output_file_path):
+ with open (output_file_path, 'rb') as fp:
+ try:
+ settings_dict = plistlib.load(fp)
+ except:
+ settings_dict = {}
+ for key,value in i.items():
+ if not key.startswith("Payload"):
+ settings_dict[key] = value
+
+ plistlib.dump(settings_dict, output_path)
+ print(f"Settings plist written to {output_path.name}")
+
def makeNewUUID():
return str(uuid4())
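Review bot: In the `com.apple.ManagedClient.preferences` branch of finalizeAndSavePlist, `os.unlink(output_file_path)` removes the file behind the still-open handle the caller passed in, inside a loop that also rebinds the enclosing `key`/`value` pair (`for key, value in setting['mcx_preference_settings'].items()`), and every failure is hidden by bare `except:` clauses. The create-empty-then-reopen sequence (`open(..., 'w'): pass` followed by `'rb'`) can be an existence check, and the `except` should name `plistlib.InvalidFileException`. If the caller's placeholder file is unwanted for this payload type, remove it once after the loop with the handle closed rather than once per domain. The rewrite below covers the merge loop only; the `else` branch is unchanged.
```python
    def finalizeAndSavePlist(self, output_path):
        """Perform last modifications and save to an output plist.
        """
        output_file_path = output_path.name
        preferences_path = os.path.dirname(output_file_path)

        for item in self.data['PayloadContent']:
            if item['PayloadType'] == "com.apple.ManagedClient.preferences":
                for domain, domain_payload in item['PayloadContent'].items():
                    preferences_output_file = os.path.join(preferences_path, domain + ".plist")
                    # merge into an existing per-domain plist instead of replacing it
                    settings_dict = {}
                    if os.path.exists(preferences_output_file):
                        with open(preferences_output_file, 'rb') as fp:
                            try:
                                settings_dict = plistlib.load(fp)
                            except plistlib.InvalidFileException:
                                settings_dict = {}
                    for setting in domain_payload['Forced']:
                        settings_dict.update(setting['mcx_preference_settings'])
                    with open(preferences_output_file, 'wb') as fp:
                        plistlib.dump(settings_dict, fp)
                    print(f"Settings plist written to {preferences_output_file}")
            else:
                # … unchanged: merge non-Payload* keys of item into output_path …
```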
@@ -294,7 +342,7 @@ def concatenate_payload_settings(settings):
return [settings_dict]
-def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
+def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''):
"""Generate the configuration profiles for the rules in the provided baseline YAML file
"""
organization = "macOS Security Compliance Project"
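Review bot: The new `hash` parameter shadows the `hash` builtin for the whole body of generate_profiles, and `signing` is added as a required positional argument, so any existing call of the form `generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml)` now fails. `def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing=False, hash=''):` keeps old callers working, and renaming `hash` (for example to `key_hash`) removes the shadowing if the body is updated to match. The docstring should also say that `signing` adds a `signed` output directory. The function body continues past this hunk.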
@@ -307,22 +355,40 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
manifests = yaml.load(r, Loader=yaml.SafeLoader)
# Output folder
- mobileconfig_output_path = os.path.join(
- f'{build_path}', 'mobileconfigs')
- if not (os.path.isdir(mobileconfig_output_path)):
+ unsigned_mobileconfig_output_path = os.path.join(
+ f'{build_path}', 'mobileconfigs', 'unsigned')
+ if not (os.path.isdir(unsigned_mobileconfig_output_path)):
try:
- os.makedirs(mobileconfig_output_path)
+ os.makedirs(unsigned_mobileconfig_output_path)
except OSError:
print("Creation of the directory %s failed" %
- mobileconfig_output_path)
+ unsigned_mobileconfig_output_path)
+
+ if signing:
+ signed_mobileconfig_output_path = os.path.join(
+ f'{build_path}', 'mobileconfigs', 'signed')
+ if not (os.path.isdir(signed_mobileconfig_output_path)):
+ try:
+ os.makedirs(signed_mobileconfig_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" %
+ signed_mobileconfig_output_path)
+ settings_plist_output_path = os.path.join(
+ f'{build_path}', 'mobileconfigs', 'preferences')
+ if not (os.path.isdir(settings_plist_output_path)):
+ try:
+ os.makedirs(settings_plist_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" %
+ settings_plist_output_path)
# setup lists and dictionaries
profile_errors = []
profile_types = {}
for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']:
- for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
+ for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule)
if rule_yaml['mobileconfig']:
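Review bot: The rule lookup on the last changed line concatenates the built-in and custom globs, so a custom override of an existing rule yields two matches that both resolve through get_rule_yaml to the custom YAML, and the same payload settings are presumably collected twice into `profile_types`. Prefer the custom path and fall back to the built-in one, as create_rules does elsewhere in this commit, or de-duplicate on `rule_yaml['id']`. The three copies of the makedirs / `except OSError` / print pattern for the unsigned, signed and preferences directories would collapse to a small helper, or to `os.makedirs(path, exist_ok=True)` given that the code reports but never aborts on failure.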
@@ -370,11 +436,21 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
# process the payloads from the yaml file and generate new config profile for each type
for payload, settings in profile_types.items():
if payload.startswith("."):
- mobileconfig_file_path = os.path.join(
- mobileconfig_output_path, "com.apple" + payload + '.mobileconfig')
+ unsigned_mobileconfig_file_path = os.path.join(
+ unsigned_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig')
+ settings_plist_file_path = os.path.join(
+ settings_plist_output_path, "com.apple" + payload + '.plist')
+ if signing:
+ signed_mobileconfig_file_path = os.path.join(
+ signed_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig')
else:
- mobileconfig_file_path = os.path.join(
- mobileconfig_output_path, payload + '.mobileconfig')
+ unsigned_mobileconfig_file_path = os.path.join(
+ unsigned_mobileconfig_output_path, payload + '.mobileconfig')
+ settings_plist_file_path = os.path.join(
+ settings_plist_output_path, payload + '.plist')
+ if signing:
+ signed_mobileconfig_file_path = os.path.join(
+ signed_mobileconfig_output_path, payload + '.mobileconfig')
identifier = payload + f".{baseline_name}"
description = "Configuration settings for the {} preference domain.".format(
payload)
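Review bot: The two branches at `if payload.startswith(".")` differ only in whether `"com.apple"` is prefixed, yet each now repeats three path joins and a nested `if signing`. Computing the base name once, `profile_name = "com.apple" + payload if payload.startswith(".") else payload`, and deriving the unsigned, signed and preferences paths from it removes six near-identical lines and keeps the three output locations in one place.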
@@ -386,7 +462,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
displayname=displayname,
description=description)
- config_file = open(mobileconfig_file_path, "wb")
+
if payload == "com.apple.ManagedClient.preferences":
for item in settings:
@@ -398,9 +474,24 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
else:
newProfile.addNewPayload(payload, settings, baseline_name)
- newProfile.finalizeAndSave(config_file)
- config_file.close()
+ if signing:
+ unsigned_file_path=os.path.join(unsigned_mobileconfig_file_path)
+ unsigned_config_file = open(unsigned_file_path, "wb")
+ newProfile.finalizeAndSave(unsigned_config_file)
+ settings_config_file = open(settings_plist_file_path, "wb")
+ newProfile.finalizeAndSavePlist(settings_config_file)
+ unsigned_config_file.close()
+ # sign the profiles
+ sign_config_profile(unsigned_file_path, signed_mobileconfig_file_path, hash)
+ # delete the unsigned
+ else:
+ config_file = open(unsigned_mobileconfig_file_path, "wb")
+ settings_config_file = open(settings_plist_file_path, "wb")
+ newProfile.finalizeAndSave(config_file)
+ newProfile.finalizeAndSavePlist(settings_config_file)
+ config_file.close()
+
print(f"""
CAUTION: These configuration profiles are intended for evaluation in a TEST
environment. Certain configuration profiles (Smartcards), when applied could
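Review bot: `settings_config_file` is opened for writing in both branches and never closed, and in the signing branch it is still open when finalizeAndSavePlist may unlink it; `unsigned_file_path=os.path.join(unsigned_mobileconfig_file_path)` is a single-argument join that returns its input, and the `# delete the unsigned` comment has no code under it. Using `with` blocks makes the two branches identical up to the final signing call, so they can be merged as below.
```python
            with open(unsigned_mobileconfig_file_path, "wb") as config_file:
                newProfile.finalizeAndSave(config_file)
            with open(settings_plist_file_path, "wb") as settings_config_file:
                newProfile.finalizeAndSavePlist(settings_config_file)
            if signing:
                # sign the profiles; the unsigned file is closed and flushed at this point
                sign_config_profile(unsigned_mobileconfig_file_path, signed_mobileconfig_file_path, hash)
```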
@@ -411,7 +502,37 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml):
be available through the vendor.
""")
-def generate_script(baseline_name, build_path, baseline_yaml):
+def default_audit_plist(baseline_name, build_path, baseline_yaml):
+ """"Generate the default audit plist file to define exemptions
+ """
+
+ # Output folder
+ plist_output_path = os.path.join(
+ f'{build_path}', 'preferences')
+ if not (os.path.isdir(plist_output_path)):
+ try:
+ os.makedirs(plist_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" %
+ plist_output_path)
+
+ plist_file_path = os.path.join(
+ plist_output_path, 'org.' + baseline_name + '.audit.plist')
+
+ plist_file = open(plist_file_path, "wb")
+
+ plist_dict = {}
+
+ for sections in baseline_yaml['profile']:
+ for profile_rule in sections['rules']:
+ if profile_rule.startswith("supplemental"):
+ continue
+ plist_dict[profile_rule] = { "exempt": False }
+
+ plistlib.dump(plist_dict, plist_file)
+
+
+def generate_script(baseline_name, build_path, baseline_yaml, reference):
"""Generates the zsh script from the rules in the baseline YAML
"""
compliance_script_file = open(
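Review bot: `plist_file = open(plist_file_path, "wb")` in default_audit_plist is never closed, so the `plistlib.dump` output is only guaranteed to be flushed at interpreter exit; `with open(plist_file_path, "wb") as plist_file:` followed by `    plistlib.dump(plist_dict, plist_file)` fixes that. The docstring opens with four quote characters (`""""Generate`), which puts a stray `"` into the docstring text. The generated script also reads an `exempt_reason` key next to `exempt`, so documenting here that an administrator sets `exempt` and `exempt_reason` per rule would make the plist's contract explicit. The new required `reference` parameter on generate_script breaks existing callers unless all are updated; `reference="default"` matches the comparison in the body.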
@@ -440,16 +561,26 @@ def generate_script(baseline_name, build_path, baseline_yaml):
exit 1
fi
+# path to PlistBuddy
+plb="/usr/libexec/PlistBuddy"
+
# get the currently logged in user
CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}')
+CURR_USER_UID=$(/usr/bin/id -u $CURR_USER)
# configure colors for text
RED='\e[31m'
-STD='\033[0;0;39m'
+STD='\e[39m'
GREEN='\e[32m'
YELLOW='\e[33m'
# setup files
+audit_plist_managed="/Library/Managed Preferences/org.{baseline_name}.audit.plist"
+
+if [[ ! -e "$audit_plist_managed" ]];then
+ audit_plist_managed="/Library/Preferences/org.{baseline_name}.audit.plist"
+fi
+
audit_plist="/Library/Preferences/org.{baseline_name}.audit.plist"
audit_log="/Library/Logs/{baseline_name}_baseline.log"
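Review bot: `CURR_USER_UID=$(/usr/bin/id -u $CURR_USER)` references `$CURR_USER`, but the variable assigned on the preceding line is `CURRENT_USER`; in the generated zsh the expansion is empty, `id -u` then reports the UID of the user running the script (root, if the root check above holds), and every later `/usr/bin/mcxrefresh -u $CURR_USER_UID` (in the run_scan hunk and the fix-header hunk) refreshes root's managed preferences instead of the console user's, so per-user exemptions and settings are not picked up. Change it to `CURR_USER_UID=$(/usr/bin/id -u "$CURRENT_USER")` and quote the expansion at the mcxrefresh calls. This text lives inside a Python format string, so the `$` variables are emitted verbatim into the script.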
@@ -535,11 +666,13 @@ def generate_script(baseline_name, build_path, baseline_yaml):
results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist)
while IFS= read -r line; do
- if [[ "$line" =~ "true" ]]; then
- non_compliant=$((non_compliant+1))
- fi
- if [[ "$line" =~ "false" ]]; then
- compliant=$((compliant+1))
+ if [[ "$line" =~ "finding" ]];then
+ if [[ "$line" =~ "true" ]]; then
+ non_compliant=$((non_compliant+1))
+ fi
+ if [[ "$line" =~ "false" ]]; then
+ compliant=$((compliant+1))
+ fi
fi
done <<< "$results"
@@ -564,7 +697,16 @@ def generate_script(baseline_name, build_path, baseline_yaml):
run_scan(){{
# append to existing logfile
-echo "$(date -u) Beginning {baseline_name} baseline scan" >> "$audit_log"
+if [[ $(/usr/bin/tail -n 1 "$audit_log" 2>/dev/null) = *"Remediation complete" ]]; then
+ echo "$(date -u) Beginning {baseline_name} baseline scan" >> "$audit_log"
+else
+ echo "$(date -u) Beginning {baseline_name} baseline scan" > "$audit_log"
+fi
+
+#echo "$(date -u) Beginning {baseline_name} baseline scan" >> "$audit_log"
+
+# run mcxrefresh
+/usr/bin/mcxrefresh -u $CURR_USER_UID
# write timestamp of last compliance check
defaults write "$audit_plist" lastComplianceCheck "$(date)"
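Review bot: The new `if` in run_scan truncates `$audit_log` with `>` whenever the previous last line is not `Remediation complete`, so every scan not immediately preceded by a fix run discards the host's entire prior audit history; this is truncation, not rotation. For an audit trail the safer default is to rename before starting (for example `/bin/mv "$audit_log" "$audit_log.$(date -u +%Y%m%d%H%M%S)"`) or to keep appending and leave rotation to the administrator, and the commented-out duplicate `echo` line should be dropped. The `mcxrefresh` call here also depends on `CURR_USER_UID`, which is mis-assigned in the setup hunk.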
@@ -575,75 +717,97 @@ def generate_script(baseline_name, build_path, baseline_yaml):
# Read all rules in the section and output the check functions
for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']:
- for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
- rule_yaml = get_rule_yaml(rule)
-
- if rule_yaml['id'].startswith("supplemental"):
- continue
- if "manual" in rule_yaml['tags']:
- continue
- # grab the 800-53 controls
- try:
- rule_yaml['references']['800-53r4']
- except KeyError:
- nist_80053r4 = 'N/A'
- else:
- nist_80053r4 = rule_yaml['references']['800-53r4']
-
- try:
- rule_yaml['references']['disa_stig']
+ logging.debug(f"checking for rule file for {profile_rule}")
+ if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
+ logging.debug(f"{rule}")
+ elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
+ rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
+ logging.debug(f"{rule}")
+
+ #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ rule_yaml = get_rule_yaml(rule)
+
+ if rule_yaml['id'].startswith("supplemental"):
+ continue
+ if "manual" in rule_yaml['tags']:
+ continue
+ # grab the 800-53 controls
+ try:
+ rule_yaml['references']['800-53r4']
+ except KeyError:
+ nist_80053r4 = 'N/A'
+ else:
+ nist_80053r4 = rule_yaml['references']['800-53r4']
+
+ #try:
+ # rule_yaml['references']['disa_stig']
+ #except KeyError:
+ # stig_ref = rule_yaml['id']
+ #else:
+ # if rule_yaml['references']['disa_stig'][0] == "N/A":
+ # stig_ref = [rule_yaml['id']]
+ # else:
+ # stig_ref = rule_yaml['references']['disa_stig']
+ #
+ #if "STIG" in baseline_yaml['title']:
+ # logging.debug(f'Setting STIG reference for logging: {stig_ref}')
+ # log_reference_id = stig_ref
+ #else:
+ # log_reference_id = [rule_yaml['id']]
+ if reference == "default":
+ log_reference_id = [rule_yaml['id']]
+ else:
+ try:
+ rule_yaml['references'][reference]
except KeyError:
- stig_ref = rule_yaml['id']
- else:
- if rule_yaml['references']['disa_stig'][0] == "N/A":
- stig_ref = [rule_yaml['id']]
+ try:
+ rule_yaml['references']['custom'][reference]
+ except KeyError:
+ log_reference_id = [rule_yaml['id']]
else:
- stig_ref = rule_yaml['references']['disa_stig']
-
- try:
- rule_yaml['references']['ASCS']
- except KeyError:
- ascs_ref = ''
- else:
- ascs_ref = rule_yaml['references']['ASCS']
-
- if "STIG" in baseline_yaml['title']:
- logging.debug(f'Setting STIG reference for logging: {stig_ref}')
- log_reference_id = stig_ref
+ if isinstance(rule_yaml['references']['custom'][reference], list):
+ log_reference_id = rule_yaml['references']['custom'][reference] + [rule_yaml['id']]
+ else:
+ log_reference_id = [rule_yaml['references']['custom'][reference]] + [rule_yaml['id']]
else:
- log_reference_id = [rule_yaml['id']]
+ if isinstance(rule_yaml['references'][reference], list):
+ log_reference_id = rule_yaml['references'][reference] + [rule_yaml['id']]
+ else:
+ log_reference_id = [rule_yaml['references'][reference]] + [rule_yaml['id']]
+
+
+ # group the controls
+ nist_80053r4.sort()
+ res = [list(i) for j, i in groupby(
+ nist_80053r4, lambda a: a.split('(')[0])]
+ nist_controls = ''
+ for i in res:
+ nist_controls += group_ulify(i)
- # group the controls
- nist_80053r4.sort()
- res = [list(i) for j, i in groupby(
- nist_80053r4, lambda a: a.split('(')[0])]
- nist_controls = ''
- for i in res:
- nist_controls += group_ulify(i)
+ # print checks and result
+ try:
+ check = rule_yaml['check']
+ except KeyError:
+ print("no check found for {}".format(rule_yaml['id']))
+ continue
+ try:
+ result = rule_yaml['result']
+ except KeyError:
+ #print("no result found for {}".format(rule_yaml['id']))
+ continue
- # print checks and result
- try:
- check = rule_yaml['check']
- except KeyError:
- print("no check found for {}".format(rule_yaml['id']))
- continue
- try:
- result = rule_yaml['result']
- except KeyError:
- #print("no result found for {}".format(rule_yaml['id']))
- continue
-
- if "integer" in result:
- result_value = result['integer']
- elif "boolean" in result:
- result_value = result['boolean']
- elif "string" in result:
- result_value = result['string']
- else:
- continue
+ if "integer" in result:
+ result_value = result['integer']
+ elif "boolean" in result:
+ result_value = result['boolean']
+ elif "string" in result:
+ result_value = result['string']
+ else:
+ continue
- # write the checks
- zsh_check_text = """
+ # write the checks
+ zsh_check_text = """
#####----- Rule: {0} -----#####
## Addresses the following NIST 800-53 controls: {1}
#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
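Review bot: The lookup at `if glob.glob('../custom/rules/**/...')` / `elif glob.glob('../rules/*/...')` has no `else`, so a baseline entry with no matching rule file leaves `rule` bound to the previous iteration's path (or unbound on the first iteration) and the stale rule is silently processed again under the wrong name. Add `else:` / `    logging.warning(f"no rule file found for {profile_rule}")` / `    continue`, and apply the same to the identical lookup in create_rules later in this commit. Each path is also globbed twice (once to test, once to take `[0]`); assign the result once. The fourteen-line commented-out STIG block and the commented-out `for rule in ...` line above `rule_yaml = get_rule_yaml(rule)` are dead and should be removed rather than carried.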
@@ -651,46 +815,68 @@ def generate_script(baseline_name, build_path, baseline_yaml):
result_value=$({2})
# expected result {3}
-if [[ $result_value == "{4}" ]]; then
- echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
- defaults write "$audit_plist" {0} -bool NO
-else
- echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
- defaults write "$audit_plist" {0} -bool YES
+# check to see if rule is exempt
+unset exempt
+unset exempt_reason
+exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
+exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
+
+if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
+ if [[ $result_value == "{4}" ]]; then
+ echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
+ defaults write "$audit_plist" {0} -dict-add finding -bool NO
+ else
+ echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
+ defaults write "$audit_plist" {0} -dict-add finding -bool YES
+ fi
+elif [[ ! -z "$exempt_reason" ]];then
+ echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
+ defaults write "$audit_plist" {0} -dict-add finding -bool NO
+ /bin/sleep 1
fi
- """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ','.join(log_reference_id))
+ """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id))
- check_function_string = check_function_string + zsh_check_text
+ check_function_string = check_function_string + zsh_check_text
- # print fix and result
- try:
- rule_yaml['fix']
- except KeyError:
- fix_text = 'N/A'
- else:
- fix_text = rule_yaml['fix'] or ["n/a"]
+ # print fix and result
+ try:
+ rule_yaml['fix']
+ except KeyError:
+ fix_text = 'N/A'
+ else:
+ fix_text = rule_yaml['fix'] or ["n/a"]
- # write the fixes
+# write the fixes
- if "[source,bash]" in fix_text:
- nist_controls_commented = nist_controls.replace('\n', '\n#')
- zsh_fix_text = f"""
+ if "[source,bash]" in fix_text:
+ nist_controls_commented = nist_controls.replace('\n', '\n#')
+ zsh_fix_text = f"""
#####----- Rule: {rule_yaml['id']} -----#####
## Addresses the following NIST 800-53 controls: {nist_controls_commented}
-{rule_yaml['id']}_audit_score=$(defaults read $audit_plist {rule_yaml['id']})
-if [[ ${rule_yaml['id']}_audit_score == 1 ]]; then
- ask '{rule_yaml['id']} - Run the command(s)-> {quotify(get_fix_code(rule_yaml['fix']).strip())} ' N
- if [[ $? == 0 ]]; then
- echo 'Running the command to configure the settings for: {rule_yaml['id']} ...' | tee -a "$audit_log"
- {get_fix_code(rule_yaml['fix']).strip()}
+# check to see if rule is exempt
+unset exempt
+unset exempt_reason
+exempt=$($plb -c "print {rule_yaml['id']}:exempt" "$audit_plist_managed" 2>/dev/null)
+exempt_reason=$($plb -c "print {rule_yaml['id']}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
+
+{rule_yaml['id']}_audit_score=$($plb -c "print {rule_yaml['id']}:finding" $audit_plist)
+if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
+ if [[ ${rule_yaml['id']}_audit_score == "true" ]]; then
+ ask '{rule_yaml['id']} - Run the command(s)-> {quotify(get_fix_code(rule_yaml['fix']).strip())} ' N
+ if [[ $? == 0 ]]; then
+ echo 'Running the command to configure the settings for: {rule_yaml['id']} ...' | tee -a "$audit_log"
+ {get_fix_code(rule_yaml['fix']).strip()}
+ fi
+ else
+ echo 'Settings for: {rule_yaml['id']} already configured, continuing...' | tee -a "$audit_log"
fi
-else
- echo 'Settings for: {rule_yaml['id']} already configured, continuing...' | tee -a "$audit_log"
+elif [[ ! -z "$exempt_reason" ]];then
+ echo "$(date -u) {rule_yaml['id']} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
fi
"""
- fix_function_string = fix_function_string + zsh_fix_text
+ fix_function_string = fix_function_string + zsh_fix_text
# write the footer for the check functions
zsh_check_footer = """
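Review bot: In the generated check (and again in the fix template below), an entry with `exempt` set to `true` but no `exempt_reason` matches neither the `if [[ ! $exempt == "true" ]]` branch nor the `elif [[ ! -z "$exempt_reason" ]]` branch, so the rule is skipped with no log line and the stored `finding` keeps whatever value the last run left — an exemption that leaves no trace in the audit log. Add a final `else` that records it, e.g. `echo "$(date -u) {5} is marked exempt without an exempt_reason" | tee -a "$audit_log"`, or treat a reason-less exemption as not exempt. The `/bin/sleep 1` in the exemption branch adds a second per exempted rule to every scan and looks like a debugging leftover; `[[ -z $exempt ]]` is already covered by `! $exempt == "true"`.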
@@ -727,13 +913,18 @@ def generate_script(baseline_name, build_path, baseline_yaml):
fi
# append to existing logfile
-echo "$(date -u) Beginning FISMA fixes" >> "$audit_log"
+echo "$(date -u) Beginning remediation of non-compliant settings" >> "$audit_log"
+
+# run mcxrefresh
+/usr/bin/mcxrefresh -u $CURR_USER_UID
"""
# write the footer for the script
zsh_fix_footer = """
+echo "$(date -u) Remediation complete" >> "$audit_log"
+
}
# check for command line arguments, if --check or --fix, then just do them.
@@ -742,12 +933,14 @@ def generate_script(baseline_name, build_path, baseline_yaml):
exit 1
fi
-zparseopts -D -E -check=check -fix=fix
+zparseopts -D -E -check=check -fix=fix -configure=configure
if [[ $check ]];then
run_scan
elif [[ $fix ]];then
run_fix
+elif [[ $configure ]];then
+ run_configure
else
while true; do
show_menus
@@ -774,11 +967,15 @@ def generate_script(baseline_name, build_path, baseline_yaml):
def get_rule_yaml(rule_file):
""" Takes a rule file, checks for a custom version, and returns the yaml for the rule
"""
- if os.path.basename(rule_file) in glob.glob1('../custom/rules/', '*.yaml'):
- #print(f"Custom settings found for rule: {rule_file}")
- override_rule = os.path.join(
- '../custom/rules', os.path.basename(rule_file))
- with open(override_rule) as r:
+ names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]
+ file_name = os.path.basename(rule_file)
+ if file_name in names:
+ print(f"Custom settings found for rule: {rule_file}")
+ try:
+ override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]
+ except IndexError:
+ override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0]
+ with open(override_path) as r:
rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
else:
with open(rule_file) as r:
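Review bot: Because `names` is built from the same recursive glob that `override_path` is taken from, `glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]` cannot raise IndexError when `file_name in names`, so the `except IndexError` fallback is dead code (and its `recursive=True` has no `**` to act on). The now-uncommented `print(f"Custom settings found for rule: {rule_file}")` fires on every call for every overridden rule; `logging.debug` matches how the rest of the file reports such details. Matching on basename alone also means a custom file in any subdirectory overrides the built-in rule of the same name, which the docstring could state.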
@@ -802,11 +999,12 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
wb = Workbook()
- sheet1 = wb.add_sheet('Sheet 1')
+ sheet1 = wb.add_sheet('Sheet 1', cell_overwrite_ok=True)
topWrap = xlwt.easyxf("align: vert top; alignment: wrap True")
top = xlwt.easyxf("align: vert top")
headers = xlwt.easyxf("font: bold on")
counter = 1
+ column_counter = 13
sheet1.write(0, 0, "CCE", headers)
sheet1.write(0, 1, "Rule ID", headers)
sheet1.write(0, 2, "Title", headers)
@@ -902,6 +1100,15 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(counter, 12, cci, topWrap)
sheet1.col(12).width = 400 * 15
+ if rule.rule_custom_refs != ['None']:
+ for title, ref in rule.rule_custom_refs.items():
+ sheet1.write(0, column_counter, title, headers )
+ sheet1.col(column_counter).width = 512 * 25
+ added_ref = (str(ref)).strip('[]\'')
+ added_ref = added_ref.replace(", ", "\n").replace("\'", "")
+ sheet1.write(counter, column_counter, added_ref, topWrap)
+ column_counter = column_counter + 1
+
tall_style = xlwt.easyxf('font:height 640;') # 36pt
sheet1.row(counter).set_style(tall_style)
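Review bot: `column_counter` is initialised to 13 once, before the per-rule loop (the `column_counter = 13` line in the earlier hunk of this file), and is only ever incremented, so each successive rule writes its custom-reference header and value one column further right and the header row is rewritten on every data row — unless it is reset somewhere outside these hunks. A per-title column map fixes both; `custom_ref_columns = {}` would be initialised next to `column_counter`. `rule.rule_custom_refs.items()` also assumes a dict whenever the value is not `['None']`; a list-valued `custom:` in a rule YAML raises AttributeError here.
```python
        if rule.rule_custom_refs != ['None']:
            for title, ref in rule.rule_custom_refs.items():
                # one column per custom reference title, header written once
                if title not in custom_ref_columns:
                    custom_ref_columns[title] = 13 + len(custom_ref_columns)
                    sheet1.write(0, custom_ref_columns[title], title, headers)
                    sheet1.col(custom_ref_columns[title]).width = 512 * 25
                added_ref = (str(ref)).strip('[]\'')
                added_ref = added_ref.replace(", ", "\n").replace("\'", "")
                sheet1.write(counter, custom_ref_columns[title], added_ref, topWrap)
```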
@@ -931,43 +1138,51 @@ def create_rules(baseline_yaml):
'cce',
'800-53r4',
'800-171r2',
- 'srg']
+ 'srg',
+ 'custom']
+
for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']:
- for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
- rule_yaml = get_rule_yaml(rule)
+ if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
+ elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
+ rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
- for key in keys:
- try:
- rule_yaml[key]
- except:
- #print "{} key missing ..for {}".format(key, rule)
- rule_yaml.update({key: "missing"})
- if key == "references":
- for reference in references:
- try:
- rule_yaml[key][reference]
- except:
- #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)
- rule_yaml[key].update({reference: ["None"]})
- all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
- rule_yaml['id'].replace('|', '\|'),
- rule_yaml['severity'].replace('|', '\|'),
- rule_yaml['discussion'].replace('|', '\|'),
- rule_yaml['check'].replace('|', '\|'),
- rule_yaml['fix'].replace('|', '\|'),
- rule_yaml['references']['cci'],
- rule_yaml['references']['cce'],
- rule_yaml['references']['800-53r4'],
- rule_yaml['references']['800-171r2'],
- rule_yaml['references']['disa_stig'],
- rule_yaml['references']['srg'],
- rule_yaml['tags'],
- rule_yaml['result'],
- rule_yaml['mobileconfig'],
- rule_yaml['mobileconfig_info']
- ))
+ #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ rule_yaml = get_rule_yaml(rule)
+
+ for key in keys:
+ try:
+ rule_yaml[key]
+ except:
+ #print "{} key missing ..for {}".format(key, rule)
+ rule_yaml.update({key: "missing"})
+ if key == "references":
+ for reference in references:
+ try:
+ rule_yaml[key][reference]
+ except:
+ #print "expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)
+ rule_yaml[key].update({reference: ["None"]})
+ all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
+ rule_yaml['id'].replace('|', '\|'),
+ rule_yaml['severity'].replace('|', '\|'),
+ rule_yaml['discussion'].replace('|', '\|'),
+ rule_yaml['check'].replace('|', '\|'),
+ rule_yaml['fix'].replace('|', '\|'),
+ rule_yaml['references']['cci'],
+ rule_yaml['references']['cce'],
+ rule_yaml['references']['800-53r4'],
+ rule_yaml['references']['800-171r2'],
+ rule_yaml['references']['disa_stig'],
+ rule_yaml['references']['srg'],
+ rule_yaml['references']['custom'],
+ rule_yaml['tags'],
+ rule_yaml['result'],
+ rule_yaml['mobileconfig'],
+ rule_yaml['mobileconfig_info']
+ ))
return all_rules
@@ -978,12 +1193,16 @@ def create_args():
description='Given a baseline, create guidance documents and files.')
parser.add_argument("baseline", default=None,
help="Baseline YAML file used to create the guide.", type=argparse.FileType('rt'))
+ parser.add_argument("-c", "--clean", default=None,
+ help=argparse.SUPPRESS, action="store_true")
parser.add_argument("-d", "--debug", default=None,
help=argparse.SUPPRESS, action="store_true")
parser.add_argument("-l", "--logo", default=None,
help="Full path to logo file to be included in the guide.", action="store")
parser.add_argument("-p", "--profiles", default=None,
help="Generate configuration profiles for the rules.", action="store_true")
+ parser.add_argument("-r", "--reference", default=None,
+ help="Use the reference ID instead of rule ID for identification.")
parser.add_argument("-s", "--script", default=None,
help="Generate the compliance script for the rules.", action="store_true")
# add gary argument to include tags for XCCDF generation, with a nod to Gary the SCAP guru
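Review bot: The new `-r/--reference` option at the `parser.add_argument("-r", "--reference", ...)` line accepts any string and its help text does not say what a valid reference ID looks like, so a typo is only discovered after the compliance script has been generated. If the accepted values are the keys of a rule's `references` block (this commit adds `custom` to that set), a `choices=[...]` list or at least an example in the help, e.g. `help="Use the reference ID (e.g. cce, 800-53r4) instead of rule ID for identification."`, would reject bad values up front. `create_args` starts before this hunk.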
@@ -991,6 +1210,8 @@ def create_args():
help=argparse.SUPPRESS, action="store_true")
parser.add_argument("-x", "--xls", default=None,
help="Generate the excel (xls) document for the rules.", action="store_true")
+ parser.add_argument("-H", "--hash", default=None,
+ help="sign the configuration profiles with subject key ID (hash value without spaces)")
return parser.parse_args()
def is_asciidoctor_installed():
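Review bot: The `-H/--hash` help string is the only one in the parser that starts lowercase and the option has no `metavar`, so `--help` prints `--hash HASH` without indicating that a subject key ID is expected. Since the value is later spliced into a `security cms -S -Z ...` command line, `metavar="SUBJECT_KEY_ID"` and `help="Sign the configuration profiles with the subject key ID (hash value without spaces)."` would make the contract visible and consistent with the other options. The value is consumed in `main`, outside this hunk.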
@@ -1002,7 +1223,7 @@ def is_asciidoctor_installed():
output, error = process.communicate()
# return path to asciidoctor
- return output.decode("utf-8")
+ return output.decode("utf-8").strip()
def is_asciidoctor_pdf_installed():
@@ -1013,8 +1234,45 @@ def is_asciidoctor_pdf_installed():
process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
+ return output.decode("utf-8").strip()
+
+def verify_signing_hash(hash):
+ """Attempts to validate the existence of the certificate provided by the hash
+ """
+ with tempfile.NamedTemporaryFile(mode="w") as in_file:
+ unsigned_tmp_file_path=in_file.name
+ in_file.write("temporary file for signing")
+
+ cmd = f"security cms -S -Z {hash} -i {unsigned_tmp_file_path}"
+ FNULL = open(os.devnull, 'w')
+ process = subprocess.Popen(cmd.split(), stdout=FNULL, stderr=FNULL)
+ output, error = process.communicate()
+ if process.returncode == 0:
+ return True
+ else:
+ return False
+
+def sign_config_profile(in_file, out_file, hash):
+ """Signs the configuration profile using the identity associated with the provided hash
+ """
+ cmd = f"security cms -S -Z {hash} -i {in_file} -o {out_file}"
+ process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
+ output, error = process.communicate()
+ print(f"Signed Configuration profile written to {out_file}")
return output.decode("utf-8")
+def parse_custom_references(reference):
+ string = "\n"
+ for item in reference:
+ if isinstance(reference[item], list):
+ string += "!" + str(item) + "\n!\n"
+ for i in reference[item]:
+ string += "* " + str(i) + "\n"
+ else:
+ string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
+ return string
+
+
def main():
args = create_args()
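Review bot: In `verify_signing_hash` the `security cms` command runs after the `with tempfile.NamedTemporaryFile(...)` block has closed, and `NamedTemporaryFile` deletes the file on close by default, so `-i {unsigned_tmp_file_path}` names a path that no longer exists (the write is also never flushed), and the verification can fail for reasons unrelated to the hash. The command should run inside the `with` block after `in_file.flush()`, and the `FNULL = open(os.devnull, 'w')` handle is never closed, which `subprocess.DEVNULL` avoids. `sign_config_profile` prints `Signed Configuration profile written to ...` without checking `process.returncode`, so a failed signing is reported as success; `if process.returncode != 0: sys.exit(f"Signing failed for {in_file}")` before the print would surface it (`sys` is already used in `main`). `parse_custom_references` has no docstring and drops `item` and its values from the custom YAML straight into AsciiDoc `!` table cells, so a `!` or `|` inside a reference breaks the nested table; a docstring such as `"""Render a custom-references mapping as AsciiDoc nested-table cells: one !key row per entry, list values as a bullet list."""` and the `.replace('|', '\|')` escaping the callers apply elsewhere belong here.
```python
def verify_signing_hash(hash):
    """Attempts to validate the existence of the certificate provided by the hash
    """
    with tempfile.NamedTemporaryFile(mode="w") as in_file:
        in_file.write("temporary file for signing")
        in_file.flush()  # the child must see the content; the file is removed when the block exits
        cmd = f"security cms -S -Z {hash} -i {in_file.name}"
        process = subprocess.Popen(cmd.split(), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        process.communicate()
    return process.returncode == 0
```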
@@ -1026,7 +1284,7 @@ def main():
try:
output_basename = os.path.basename(args.baseline.name)
output_filename = os.path.splitext(output_basename)[0]
- baseline_name = os.path.splitext(output_basename)[0].capitalize()
+ baseline_name = os.path.splitext(output_basename)[0]#.capitalize()
file_dir = os.path.dirname(os.path.abspath(__file__))
parent_dir = os.path.dirname(file_dir)
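Review bot: The change leaves `#.capitalize()` as a trailing comment on the `baseline_name = os.path.splitext(output_basename)[0]#.capitalize()` line; commented-out code reads as an unfinished edit, and since `output_filename` on the line above now holds the identical value, `baseline_name = output_filename` says what is meant. `main` starts before this hunk.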
@@ -1051,6 +1309,19 @@ def main():
print('Profile YAML:', args.baseline.name)
print('Output path:', adoc_output_file.name)
+ if args.hash:
+ signing = True
+ if not verify_signing_hash(args.hash):
+ sys.exit('Cannot use the provided hash to sign. Please make sure you provide the subject key ID hash from an installed certificate')
+ else:
+ signing = False
+
+ if args.reference:
+ use_custom_reference = True
+ log_reference = args.reference
+ else:
+ log_reference = "default"
+ use_custom_reference = False
except IOError as msg:
parser.error(str(msg))
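Review bot: `args.hash` is validated only by running `security cms` inside `verify_signing_hash`; a value that is not a hex string (the help text asks for a "hash value without spaces") is still spliced into that command line and later into the signing command, and the failure surfaces as the generic `sys.exit('Cannot use the provided hash to sign...')` message. A cheap format check before the call, `try: int(args.hash, 16)` / `except ValueError: sys.exit('--hash must be a hexadecimal subject key ID')`, gives a clearer error and keeps non-hex input out of the command. `use_custom_reference` is set here but none of the visible hunks read it; if nothing else does, `log_reference` alone suffices. `main` starts before this hunk.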
@@ -1064,6 +1335,7 @@ def main():
adoc_templates = [ "adoc_rule",
"adoc_supplemental",
"adoc_rule_no_setting",
+ "adoc_rule_custom_refs",
"adoc_section",
"adoc_header",
"adoc_footer",
@@ -1091,6 +1363,9 @@ def main():
with open(adoc_templates_dict['adoc_rule_no_setting']) as adoc_rule_no_setting_file:
adoc_rule_no_setting_template = Template(adoc_rule_no_setting_file.read())
+
+ with open(adoc_templates_dict['adoc_rule_custom_refs']) as adoc_rule_custom_refs_file:
+ adoc_rule_custom_refs_template = Template(adoc_rule_custom_refs_file.read())
with open(adoc_templates_dict['adoc_section']) as adoc_section_file:
adoc_section_template = Template(adoc_section_file.read())
@@ -1119,14 +1394,15 @@ def main():
else:
adoc_tag_show=":show_tags!:"
- if "STIG" in baseline_yaml['title']:
+ if "STIG" in baseline_yaml['title'].upper():
adoc_STIG_show=":show_STIG:"
- adoc_SRG_show=":show_SRG:"
else:
adoc_STIG_show=":show_STIG!:"
- adoc_SRG_show=":show_SRG!:"
- adoc_171_show=":show_171:"
+ if "800" in baseline_yaml['title']:
+ adoc_171_show=":show_171:"
+ else:
+ adoc_171_show=":show_171!:"
# Create header
header_adoc = adoc_header_template.substitute(
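Review bot: The new `if "800" in baseline_yaml['title']:` guard for `adoc_171_show` is a loose substring test: any title containing `800` (an 800-53 baseline, if one exists) would enable the 800-171 column, and unlike the STIG check just above it is case-sensitive. If the intent is to show the column only for 800-171 baselines, `if "800-171" in baseline_yaml['title']:` states that directly. `main` continues outside this hunk.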
@@ -1139,7 +1415,6 @@ def main():
tag_attribute=adoc_tag_show,
nist171_attribute=adoc_171_show,
stig_attribute=adoc_STIG_show,
- srg_attribute=adoc_SRG_show,
version=version_yaml['version'],
os_version=version_yaml['os'],
release_date=version_yaml['date']
@@ -1184,6 +1459,9 @@ def main():
for rule in sections['rules']:
logging.debug(f'processing rule id: {rule}')
rule_path = glob.glob('../rules/*/{}.yaml'.format(rule))
+ if not rule_path:
+ print(f"Rule file not found in library, checking in custom folder for rule: {rule}")
+ rule_path = glob.glob('../custom/rules/**/{}.yaml'.format(rule), recursive=True)
try:
rule_file = (os.path.basename(rule_path[0]))
except IndexError:
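Review bot: The fallback message on the `print(f"Rule file not found in library, ...")` line uses `print` while the line above it uses `logging.debug`, so the lookup path is reported through a different channel and cannot be silenced with the rest of the debug output; `logging.debug(f"Rule {rule} not found in library, checking custom folder")` keeps it consistent. The recursive `../custom/rules/**/{}.yaml` glob may also match several files, and `rule_path[0]` takes the first silently; a warning when `len(rule_path) > 1` would make an ambiguous rule source visible. `main` continues outside this hunk.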
@@ -1191,9 +1469,9 @@ def main():
#check for custom rule
- if rule_file in glob.glob1('../custom/rules/', '*.yaml'):
+ if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True):
print(f"Custom settings found for rule: {rule_file}")
- override_rule = os.path.join('../custom/rules', rule_file)
+ override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0]
with open(override_rule) as r:
rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
else:
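Review bot: The recursive glob on the `if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True):` line is evaluated twice, once for the test and again two lines later to pick `[0]`, and when the same rule file exists in more than one custom subfolder the override that replaces the library rule depends on glob ordering with no message. Computing it once, `custom_matches = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)` then `if custom_matches:` and `override_rule = custom_matches[0]`, plus a warning when `len(custom_matches) > 1`, makes the override deterministic and visible. `main` continues outside this hunk.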
@@ -1245,6 +1523,13 @@ def main():
else:
srg = ulify(rule_yaml['references']['srg'])
+ try:
+ rule_yaml['references']['custom']
+ except KeyError:
+ custom_refs = ''
+ else:
+ custom_refs = parse_custom_references(rule_yaml['references']['custom'])
+
try:
rule_yaml['fix']
except KeyError:
@@ -1276,7 +1561,7 @@ def main():
else:
result_value = 'N/A'
- # deteremine if configprofile
+ # determine if configprofile
try:
rule_yaml['mobileconfig']
except KeyError:
@@ -1293,7 +1578,6 @@ def main():
nist_controls = ''
for i in res:
nist_controls += group_ulify(i)
-
if 'supplemental' in tags:
rule_adoc = adoc_supplemental_template.substitute(
rule_title=rule_yaml['title'].replace('|', '\|'),
@@ -1314,6 +1598,23 @@ def main():
rule_tags=tags,
rule_srg=srg
)
+ elif custom_refs:
+ rule_adoc = adoc_rule_custom_refs_template.substitute(
+ rule_title=rule_yaml['title'].replace('|', '\|'),
+ rule_id=rule_yaml['id'].replace('|', '\|'),
+ rule_discussion=rule_yaml['discussion'].replace('|', '\|'),
+ rule_check=rule_yaml['check'], # .replace('|', '\|'),
+ rule_fix=rulefix,
+ rule_cci=cci,
+ rule_80053r4=nist_controls,
+ rule_800171=nist_800171,
+ rule_disa_stig=disa_stig,
+ rule_cce=cce,
+ rule_custom_refs=custom_refs,
+ rule_tags=tags,
+ rule_srg=srg,
+ rule_result=result_value
+ )
else:
rule_adoc = adoc_rule_template.substitute(
rule_title=rule_yaml['title'].replace('|', '\|'),
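Review bot: In the `elif custom_refs:` branch `rule_check=rule_yaml['check'], # .replace('|', '\|'),` carries the escape call as a trailing comment; in the new `adoc_rule_custom_refs.adoc` template `$rule_check` sits inside a `[source,bash]` listing block where `|` needs no escaping, so the comment is dead code and should go. `rule_custom_refs=custom_refs` is inserted into the nested `!` table with no escaping of `|` or `!` in the custom YAML values, unlike `rule_title`, `rule_id` and `rule_discussion` on the lines above. `main` continues outside this hunk.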
@@ -1343,11 +1644,12 @@ def main():
if args.profiles:
print("Generating configuration profiles...")
- generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml)
+ generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash)
if args.script:
print("Generating compliance script...")
- generate_script(baseline_name, build_path, baseline_yaml)
+ generate_script(baseline_name, build_path, baseline_yaml, log_reference)
+ default_audit_plist(baseline_name, build_path, baseline_yaml)
if args.xls:
print('Generating excel document...')
@@ -1356,8 +1658,8 @@ def main():
asciidoctor_path = is_asciidoctor_installed()
if asciidoctor_path != "":
print('Generating HTML file from AsciiDoc...')
- cmd = f"{asciidoctor_path} {adoc_output_file.name}"
- process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
+ cmd = f"{asciidoctor_path} \'{adoc_output_file.name}\'"
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
else:
print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor")
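Review bot: Switching to `shell=True` on the `process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)` line hands the output filename to the shell inside single quotes, so a `'` in the baseline filename (it is derived from `args.baseline.name`) breaks the quoting and any shell-special content is interpreted; the same applies to the asciidoctor-pdf hunk below. A list argument handles spaces without involving a shell: `process = subprocess.Popen([asciidoctor_path, adoc_output_file.name], stdout=subprocess.PIPE)`, and `asciidoctor_path` is now stripped so it carries no trailing newline. `main` continues outside this hunk.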
@@ -1365,8 +1667,8 @@ def main():
asciidoctorPDF_path = is_asciidoctor_pdf_installed()
if asciidoctorPDF_path != "":
print('Generating PDF file from AsciiDoc...')
- cmd = f"{asciidoctorPDF_path} {adoc_output_file.name}"
- process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
+ cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'"
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
else:
print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf")
diff --git a/scripts/yaml-to-oval.py b/scripts/yaml-to-oval.py
index b4ca01986..7aa526f1f 100755
--- a/scripts/yaml-to-oval.py
+++ b/scripts/yaml-to-oval.py
@@ -85,11 +85,13 @@ def main():
rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']:
continue
- if len(rule_yaml['tags']) < 2 and "STIG" in rule_yaml['tags']:
+ if rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']:
+ print(rule_yaml['id'] + " - Manual Check")
continue
if "manual" in rule_yaml['tags']:
print(rule_yaml['id'] + " - Manual Check")
continue
+
if "os_home_folders_secure" in rule_file:
oval_definition = oval_definition + '''
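Review bot: `rule_yaml['check'][0] != "/"` on the added line raises `IndexError` when a rule's `check` is an empty string, and the new branch duplicates the `"manual" in rule_yaml['tags']` branch that follows it with the same message. `if not rule_yaml['check'].startswith("/") and "[source,bash]" not in rule_yaml['fix']:` is safe on empty input, and the two conditions could share one `continue`. `main` starts before this hunk.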
@@ -236,7 +238,7 @@ def main():
{}
-
+
1
'''.format(x+1999,key,x,key,x)
@@ -416,7 +418,7 @@ def main():
1
-
+
boolean(plist/dict/array/string/text() = "{}")
'''.format(x+1999,rule_yaml['id'],x,x,str(value).strip('[]').strip("'"))
@@ -715,7 +717,110 @@ def main():
'''.format(rule_yaml['id'],x,state_test)
-
+
+
+ abc = 0
+ if "defaults" in rule_yaml['check'] and "grep" in rule_yaml['check'] and "CURRENT_USER" in rule_yaml['check']:
+
+ regex = r"(?<=\()(.*?)(?=\))"
+
+ test_str = rule_yaml['check'].split("grep")[1]
+
+ matches = re.finditer(regex, test_str, re.MULTILINE)
+ matchy_match = ""
+ for matchNum, match in enumerate(matches, start=1):
+ matchy_match = match.group()
+
+
+ oval_definition = oval_definition + '''
+
+
+ {}
+
+
+ {}
+
+
+ '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x)
+
+ for multi_grep in matchy_match.split("|"):
+
+ oval_definition = oval_definition + '''
+
+ '''.format(rule_yaml['id']+"_"+str(abc),x)
+
+ oval_test = oval_test + '''
+
+
+
+ '''.format(rule_yaml['id']+"_"+str(abc),x,x,x)
+
+ key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","")
+ value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","")
+ if "$CURRENT_USER" in rule_yaml['check']:
+
+
+ oval_object = oval_object + '''
+
+ .*
+ oval:mscp:ste:{}
+
+ '''.format(x+1999,x+1999)
+
+ oval_state = oval_state + '''
+
+ ^[^_\s].*
+ 0
+ 0
+ /usr/bin/false
+ '''.format(x+1999)
+ plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","")
+
+
+
+ oval_variable = oval_variable + '''
+
+
+
+ /Library/Preferences/{}.
+ plist
+
+ '''.format(x,x+1999,plist)
+
+
+ oval_object = oval_object + '''
+
+ {}
+
+ 1
+ '''.format(rule_yaml['id']+"_"+str(abc),x,key,x)
+
+ oval_datatype = ""
+ try:
+ int(value)
+
+ oval_datatype = "int"
+ except:
+ if value.lower() == "true" or value.lower == "false":
+ oval_datatype = "boolean"
+
+ else:
+ oval_datatype = "string"
+ oval_state = oval_state + '''
+
+ {}
+ '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value)
+
+ abc =+ 1
+ x = x+1
+ oval_definition = oval_definition + '''
+ '''
+ oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition)
+
+ x = x+1
+ break
+
+
if "defaults" in rule_yaml['check']:
oval_definition = oval_definition + '''
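Review bot: `abc =+ 1` at the end of the `for multi_grep in matchy_match.split("|"):` loop parses as `abc = +1`, so after the first pass `abc` is stuck at 1, every later iteration reads `matchy_match.split("|")[abc]` for the same element, and the generated ids `rule_yaml['id']+"_"+str(abc)` collide; the intended line is `abc += 1`. On the `if value.lower() == "true" or value.lower == "false":` line the second comparison compares the bound method to a string and is always false, so `false` values are typed `string` instead of `boolean`; it should read `value.lower() == "false"`. The `re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition)` pattern places the `(?s)` flag mid-expression, which Python 3.6–3.10 warns about and 3.11+ rejects with `re.error`; the same pattern recurs in the two later `re.sub` hunks of this file, and moving the flag to the front, `re.sub('(?s)(?=\n\[NOTE\])(.*)\=\n<', '<', oval_definition)`, is the portable form. The bare `except:` around `int(value)` should be `except ValueError:` so that unrelated errors are not turned into a datatype guess. `main` starts before and continues after this hunk.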
@@ -730,7 +835,7 @@ def main():
'''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x)
-
+
oval_test = oval_test + '''
@@ -760,7 +865,7 @@ def main():
{}
-
+
1
'''.format(x+1999,x+1999,rule_yaml['id'],x,key,x)
@@ -792,7 +897,7 @@ def main():
oval_object = oval_object + '''
{}
-
+
1
'''.format(rule_yaml['id'],x,key,x)
@@ -825,7 +930,7 @@ def main():
{}
'''.format(rule_yaml['id'],x,oval_datatype,value)
-
+ oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition)
x = x+1
@@ -1209,10 +1314,20 @@ def main():
x += 1
continue
if "awk" in command[3]:
+
awk_file = rule_yaml['check'].split("'")[2].strip(" ")
awk_search = rule_yaml['check'].split("'")[1].split("/")[1]
+ field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"")
+
+ try:
+ awk_result = rule_yaml['result']['string']
+
+ except:
+
+ awk_result = str(rule_yaml['result']['integer'])
+
oval_definition = oval_definition + '''
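Review bot: `field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0]` raises `IndexError` for any awk check without a `-F` flag, and if the separator is written with a space (`-F ":"`) the result is an empty string; the previous version hard-coded `:` and did not depend on `-F` at all. A guard such as `field_sep = ... if "-F" in rule_yaml['check'] else ":"` keeps the existing rules working. The `try`/`except:` that falls back to `rule_yaml['result']['integer']` is bare and would also mask a missing `result` block entirely; `except KeyError:` is the intended case. `main` starts before this hunk.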
@@ -1236,7 +1351,7 @@ def main():
{}
1
- '''.format(x,rule_yaml['id'],awk_file.rstrip(),"^" + awk_search + ":" + rule_yaml['result']['string'])
+ '''.format(x,rule_yaml['id'],awk_file.rstrip(),"^" + awk_search + field_sep + awk_result)
x += 1
continue
if "grep" in command[3]:
@@ -1399,8 +1514,8 @@ def main():
total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n\n"+ oval_state +"\n\n\n" + oval_variable + "\n\n"
-
- final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval)
+ final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval)
+ # final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', total_oval)
oval_file = output
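Review bot: The new pattern `'(?=\n\[NOTE\])(?s)(.*)\=\n$.*'` ends in `$.*`, and without `re.MULTILINE` `$` matches only at the end of `total_oval` (or just before a trailing newline), so the substitution fires only when `=\n` is the last thing in the document; if the goal was to strip a `[NOTE]` block up to the next element, that is not what the expression does and a test with a mid-document note would show it. The previous pattern left behind in the `# final_oval = ...` comment is dead code better kept in history than in the file. Both patterns also place `(?s)` mid-expression, which Python 3.11+ rejects. `main` continues outside this hunk.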
@@ -1408,4 +1523,4 @@ def main():
rite.write(final_oval)
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/templates/adoc_header.adoc b/templates/adoc_header.adoc
index f21e5734f..59c5e5f67 100644
--- a/templates/adoc_header.adoc
+++ b/templates/adoc_header.adoc
@@ -14,7 +14,6 @@
:nofooter:
$nist171_attribute
$stig_attribute
-$srg_attribute
ifdef::backend-pdf[]
= $profile_title
$version ($release_date)
diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc
index cf1a4b163..d741b09f0 100644
--- a/templates/adoc_rule.adoc
+++ b/templates/adoc_rule.adoc
@@ -45,11 +45,6 @@ ifdef::show_STIG[]
!$rule_disa_stig
endif::[]
-ifdef::show_STIG[]
-!DISA SRG(s)
-!$rule_srg
-endif::[]
-
!CCE
!$rule_cce
diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc
new file mode 100644
index 000000000..8ffbd2eaf
--- /dev/null
+++ b/templates/adoc_rule_custom_refs.adoc
@@ -0,0 +1,61 @@
+=== $rule_title
+
+$rule_discussion
+
+To check the state of the system, run the following command(s):
+[source,bash]
+----
+$rule_check
+----
+
+If the result is not *$rule_result*, this is a finding.
+
+====
+**Remediation Description**
+
+Perform the following to configure the system to meet the requirements:
+
+$rule_fix
+====
+
+[cols="15%h, 85%a"]
+|===
+
+|ID
+|$rule_id
+
+|References
+|
+
+[cols="20%h,80%a"]
+[frame="none"]
+[grid="cols"]
+!===
+
+!800-53r4
+!$rule_80053r4
+
+ifdef::show_171[]
+!800-171r2
+!$rule_800171
+endif::[]
+
+ifdef::show_STIG[]
+!DISA STIG(s)
+!$rule_disa_stig
+endif::[]
+
+!CCE
+!$rule_cce
+
+$rule_custom_refs
+
+ifdef::show_tags[]
+!TAGS
+!$rule_tags
+endif::[]
+
+!===
+
+|
+|===
diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc
index 980e7da8f..48f0de0f9 100644
--- a/templates/adoc_rule_no_setting.adoc
+++ b/templates/adoc_rule_no_setting.adoc
@@ -31,11 +31,6 @@ ifdef::show_STIG[]
!$rule_disa_stig
endif::[]
-ifdef::show_STIG[]
-!DISA SRG(s)
-!$rule_srg
-endif::[]
-
ifdef::show_tags[]
!CCE
!$rule_cce
diff --git a/templates/images/mscp_banner_outline.png b/templates/images/mscp_banner_outline.png
new file mode 100644
index 000000000..57796de58
Binary files /dev/null and b/templates/images/mscp_banner_outline.png differ