CCI-000048 in U Apple macOS 15 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-268429
Rule Version
APPL-15-000023
Rule Title
The macOS system must display a policy banner at remote login.
Rule ID
SV-268429r1034227_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Remote login service must be configured to display a policy banner at login.

Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007

Documentable
False
Check Content

Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.

Verify the operating system has the correct text listed in the "/etc/banner" file with the following command:

/usr/bin/more /etc/banner

The command must return the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the operating system does not display a login banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Check System
C-72459r1034225_chk
Fix Reference
F-72360r1034226_fix
Fix Text

Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text.

Name the file "banner" and place it in "/etc/".

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
CCI-000050

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

  • 800-53 :: AC-8 b
  • 800-53 Rev. 4 :: AC-8 b
  • 800-53 Rev. 5 :: AC-8 b
  • 800-53A :: AC-8.1 (iii)
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-268431
Rule Version
APPL-15-000025
Rule Title
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
Rule ID
SV-268431r1034233_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder.

The banner must be formatted in accordance with DTM-08-060.

Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088

Documentable
False
Check Content

Verify the macOS system is configured to display a policy banner with the following command:

/bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' '

If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding.

The banner text of the document must read:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the text is not worded exactly this way, this is a finding.

Check System
C-72461r1034231_chk
Fix Reference
F-72362r1034232_fix
Fix Text

Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/".

Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command:

/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
CCI-000050

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

  • 800-53 :: AC-8 b
  • 800-53 Rev. 4 :: AC-8 b
  • 800-53 Rev. 5 :: AC-8 b
  • 800-53A :: AC-8.1 (iii)
CCI-001384

For publicly accessible systems, display system use information with organization-defined conditions before granting further access to the publicly accessible system.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 1
  • 800-53 Rev. 5 :: AC-8 c 1
  • 800-53A :: AC-8.2 (i)
CCI-001385

For publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001386

For publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001387

For publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001388

For publicly accessible systems, includes a description of the authorized uses of the system.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 3
  • 800-53 Rev. 5 :: AC-8 c 3
  • 800-53A :: AC-8.2 (iii)
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-269093
Rule Version
APPL-15-000024
Rule Title
The macOS system must enforce SSH to display a policy banner.
Rule ID
SV-269093r1034754_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

SSH must be configured to display a policy banner.

Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007

Documentable
False
Check Content

Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command:

/usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner"

If the command does not return "1", this is a finding.

Check System
C-73123r1034752_chk
Fix Reference
F-73024r1034753_fix
Fix Text

Configure the macOS system to display the contents of "/etc/banner" before granting access to the system with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')

if [[ -z $include_dir ]]; then

/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config

fi

/usr/bin/grep -qxF 'banner /etc/banner' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "banner /etc/banner" >> "${include_dir}01-mscp-sshd.conf"

for file in $(ls ${include_dir}); do

if [[ "$file" == "100-macos.conf" ]]; then

continue

fi

if [[ "$file" == "01-mscp-sshd.conf" ]]; then

break

fi

/bin/mv ${include_dir}${file} ${include_dir}20-${file}

done

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
CCI-000050

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

  • 800-53 :: AC-8 b
  • 800-53 Rev. 4 :: AC-8 b
  • 800-53 Rev. 5 :: AC-8 b
  • 800-53A :: AC-8.1 (iii)
UNCLASSIFIED