- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257153
- Rule Version
- APPL-13-000016
- Rule Title
- The macOS system must be integrated into a directory services infrastructure.
- Rule ID
- SV-257153r905092_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.
- Documentable
- False
- Check Content
-
If the macOS system is using a mandatory Smart Card Policy, this requirement is not applicable.
Verify the macOS system is configured to integrate into a directory service with the following command:
/usr/bin/dscl localhost -list . | /usr/bin/grep "Active Directory"
If no results are returned, this is a finding.
- Check System
- C-60838r905090_chk
- Fix Reference
- F-60779r905091_fix
- Fix Text
-
Configure the macOS system to integrate into an existing directory services infrastructure.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257165
- Rule Version
- APPL-13-000054
- Rule Title
- The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
- Rule ID
- SV-257165r919351_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH ciphers within the SSH server configuration with the following command:
/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "ciphers"
ciphers aes128-gcm@openssh.com
If any ciphers other than "aes128-gcm@openssh.com" are listed, or the "ciphers" keyword is missing, this is a finding.
- Check System
- C-60850r919350_chk
- Fix Reference
- F-60791r916570_fix
- Fix Text
-
Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:
Ciphers aes128-gcm@openssh.com
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257166
- Rule Version
- APPL-13-000055
- Rule Title
- The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
- Rule ID
- SV-257166r919353_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH MACs within the SSH server configuration with the following command:
/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "macs"
macs hmac-sha2-256
If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.
- Check System
- C-60851r919352_chk
- Fix Reference
- F-60792r916573_fix
- Fix Text
-
Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:
MACs hmac-sha2-256
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257167
- Rule Version
- APPL-13-000056
- Rule Title
- The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
- Rule ID
- SV-257167r919355_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command:
/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms"
kexalgorithms ecdh-sha2-nistp256
If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.
- Check System
- C-60852r919354_chk
- Fix Reference
- F-60793r916576_fix
- Fix Text
-
Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:
KexAlgorithms ecdh-sha2-nistp256
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
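Added audit helper for the three sshd rules above (APPL-13-000054, APPL-13-000055 and APPL-13-000056); it is example code written for this page, not part of the STIG or of Apple's tooling. It parses the effective configuration that `sudo /usr/sbin/sshd -T` prints and reports a finding when a keyword is missing or lists anything beyond the single approved algorithm, which is what the three check procedures test by eye. It assumes `sshd -T` output of one lowercase keyword per line; the two `sshd -T` transcripts embedded in it are constructed samples, and `aes128-gcm@openssh.com` is the cipher named in the apple_ssh_and_fips manual page.

```shell
#!/bin/bash
# Audit helper for macOS 13 STIG rules APPL-13-000054/55/56 (sshd Ciphers,
# MACs, KexAlgorithms). Assumption: the configuration under test is the text
# that "sudo /usr/sbin/sshd -T" prints, one lowercase keyword per line.

# Approved values taken from the three rules (aes128-gcm@openssh.com is the
# cipher named in the apple_ssh_and_fips manual page).
APPROVED_CIPHERS="aes128-gcm@openssh.com"
APPROVED_MACS="hmac-sha2-256"
APPROVED_KEX="ecdh-sha2-nistp256"

# check_sshd_keyword KEYWORD APPROVED CONFIG_TEXT
# Returns 0 when KEYWORD is present and lists exactly APPROVED, 1 otherwise.
# A comma-separated list containing the approved value next to others is
# still a finding: the rules allow one algorithm, not "at least" that one.
check_sshd_keyword() {
  local keyword="$1" approved="$2" config="$3" line value
  # First line whose first field is the keyword; sshd -T prints
  # "ciphers a,b,c" with the whole list as the second field.
  line=$(printf '%s\n' "$config" | awk -v k="$keyword" '$1 == k { print; exit }')
  if [ -z "$line" ]; then
    printf 'FINDING: "%s" keyword is missing\n' "$keyword"
    return 1
  fi
  value=$(printf '%s\n' "$line" | awk '{ print $2 }')
  if [ "$value" != "$approved" ]; then
    printf 'FINDING: %s is "%s", must be exactly "%s"\n' "$keyword" "$value" "$approved"
    return 1
  fi
  printf 'PASS: %s %s\n' "$keyword" "$value"
  return 0
}

# audit_sshd_config CONFIG_TEXT
# Runs all three checks and returns 0 only if every one passes.
audit_sshd_config() {
  local rc=0
  check_sshd_keyword ciphers "$APPROVED_CIPHERS" "$1" || rc=1
  check_sshd_keyword macs "$APPROVED_MACS" "$1" || rc=1
  check_sshd_keyword kexalgorithms "$APPROVED_KEX" "$1" || rc=1
  return $rc
}

# Constructed sample outputs (not captured from a real host).
COMPLIANT_SSHD_T="port 22
ciphers aes128-gcm@openssh.com
macs hmac-sha2-256
kexalgorithms ecdh-sha2-nistp256"

# Default-like output: an extra cipher listed and the kexalgorithms line absent.
NONCOMPLIANT_SSHD_T="port 22
ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
macs hmac-sha2-256"

if [ "$1" = "--live" ]; then
  # On a macOS host, audit the running sshd instead of the sample data.
  audit_sshd_config "$(sudo /usr/sbin/sshd -T)"
else
  echo "== constructed compliant sample =="
  audit_sshd_config "$COMPLIANT_SSHD_T"
  echo "== constructed noncompliant sample =="
  audit_sshd_config "$NONCOMPLIANT_SSHD_T" || true
fi
```

Run it with `--live` on the host being reviewed; without arguments it only exercises the two embedded samples.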
- Group Title
- SRG-OS-000370-GPOS-00155
- Group ID
- V-257202
- Rule Version
- APPL-13-002031
- Rule Title
- The macOS system must be configured to disable the system preference pane for Apple ID.
- Rule ID
- SV-257202r905239_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and thus can remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Apple ID System Preference Pane must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable access to the Apple ID preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.AppleIDPrefPane", this is a finding.
- Check System
- C-60887r905237_chk
- Fix Reference
- F-60828r905238_fix
- Fix Text
-
Configure the macOS system to disable access to the Apple ID preference pane by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000074-GPOS-00042
- Group ID
- V-257207
- Rule Version
- APPL-13-002038
- Rule Title
- The macOS system must be configured to disable the "tftp" service.
- Rule ID
- SV-257207r905254_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
The "tftp" service must be disabled as it sends all data in a clear-text form that can be easily intercepted and read. The data needs to be protected at all times during transmission, and encryption is the standard method for protecting data in transit.
If the data is not encrypted during transmission, it can be plainly read (i.e., clear text) and easily compromised. Disabling "tftp" is one way to mitigate this risk. Administrators must be instructed to use an alternate service for data transmission that uses encryption, such as SFTP.
Additionally, the "tftp" service uses UDP, which is not secure.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the tftpd service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep com.apple.tftpd
"com.apple.tftpd" => disabled
If the results are not "com.apple.tftpd => disabled", this is a finding.
- Check System
- C-60892r905252_chk
- Fix Reference
- F-60833r905253_fix
- Fix Text
-
Configure the macOS system to disable the "tftpd" service with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.tftpd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000197
For password-based authentication, transmit passwords only over cryptographically protected channels.
- 800-53 :: IA-5 (1) (c)
- 800-53 Rev. 4 :: IA-5 (1) (c)
- 800-53 Rev. 5 :: IA-5 (1) (c)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- SRG-OS-000364-GPOS-00151
- Group ID
- V-257219
- Rule Version
- APPL-13-002063
- Rule Title
- The macOS system must disable the guest account.
- Rule ID
- SV-257219r922875_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.
Accordingly, only qualified and authorized individuals must be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.
Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the guest account with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "GuestAccount"
DisableGuestAccount = 1;
EnableGuestAccount = 0;
If the results are not "DisableGuestAccount = 1" and "EnableGuestAccount = 0", this is a finding.
- Check System
- C-60904r922874_chk
- Fix Reference
- F-60845r905289_fix
- Fix Text
-
Configure the macOS system to disable the guest account by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-001813
Enforce access restrictions using organization-defined mechanisms.
- 800-53 Rev. 4 :: CM-5 (1)
- 800-53 Rev. 5 :: CM-5 (1) (a)
- Group Title
- SRG-OS-000366-GPOS-00153
- Group ID
- V-257220
- Rule Version
- APPL-13-002064
- Rule Title
- The macOS system must have the security assessment policy subsystem enabled.
- Rule ID
- SV-257220r905293_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
Accordingly, software defined by the organization as critical must be signed with a certificate that is recognized and approved by the organization.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with the security assessment policy subsystem enabled with the following command:
/usr/sbin/spctl --status
assessments enabled
If "assessments enabled" is not returned, this is a finding.
- Check System
- C-60905r905291_chk
- Fix Reference
- F-60846r905292_fix
- Fix Text
-
Configure the macOS system to enable the security assessment policy subsystem by installing the "Custom Policy" configuration profile.
- Identities
-
CCI-001749
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
- 800-53 Rev. 4 :: CM-5 (3)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257224
- Rule Version
- APPL-13-002070
- Rule Title
- The macOS system must use an approved antivirus program.
- Rule ID
- SV-257224r950969_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
An approved antivirus product must be installed and configured to run.
Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce installation of XProtect Remediator and Gatekeeper updates automatically with the following command:
/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | /usr/bin/grep "ConfigDataInstall"
ConfigDataInstall = 1;
If the XProtect service is being used and "ConfigDataInstall" is not set to "1", this is a finding.
If XProtect is not active on the system, ask the system administrator (SA) or information system security officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution.
If no local antivirus solution is installed on the system, this is a finding.
- Check System
- C-60909r950969_chk
- Fix Reference
- F-60850r905304_fix
- Fix Text
-
Configure the macOS system to automatically update XProtect by installing the "Restrictions Policy" configuration profile.
If XProtect is not being used, install an approved antivirus solution on the system.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000066-GPOS-00034
- Group ID
- V-257225
- Rule Version
- APPL-13-003001
- Rule Title
- The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
- Rule ID
- SV-257225r905308_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
DOD-approved certificates must be installed to the System Keychain so they will be available to all users.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations; for example, application-specific time services. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000478-GPOS-00223
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with approved DOD certificates with the following command:
/usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | /usr/bin/awk -F\" '{ print $4 }'
If this list contains unapproved certificates, this is a finding.
- Check System
- C-60910r905306_chk
- Fix Reference
- F-60851r905307_fix
- Fix Text
-
Configure the macOS system with approved DOD certificates from the appropriate authority. Use Keychain Access from "/Applications/Utilities" to add certificates to the System Keychain or build a certificate root trust payload as described in the supplemental documentation supplied in this STIG package.
- Identities
-
CCI-000185
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (a)
- 800-53 Rev. 5 :: IA-5 (2) (b) (1)
- 800-53A :: IA-5 (2).1
CCI-002450
Implement organization-defined types of cryptography for each specified cryptography use.
- 800-53 Rev. 4 :: SC-13
- 800-53 Rev. 5 :: SC-13 b
- Group Title
- SRG-OS-000068-GPOS-00036
- Group ID
- V-257233
- Rule Version
- APPL-13-003020
- Rule Title
- The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.
- Rule ID
- SV-257233r905332_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.
Multifactor authentication requires using two or more factors to achieve authentication.
Factors include:
1) something a user knows (e.g., password/PIN);
2) something a user has (e.g., cryptographic identification device, token); and
3) something a user is (e.g., biometric).
A privileged account is defined as an information system account with authorizations of a privileged user.
Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
The DOD CAC with DOD-approved PKI is an example of multifactor authentication.
Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce multifactor authentication with the following commands:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "enforceSmartCard"
enforceSmartCard = 1;
If "enforceSmartCard" is not set to "1", this is a finding.
- Check System
- C-60918r905330_chk
- Fix Reference
- F-60859r905331_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication by installing the "Smart Card Policy" configuration profile.
Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".
- Identities
-
CCI-000187
For public key-based authentication, map the authenticated identity to the account of the individual or group.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (c)
- 800-53 Rev. 5 :: IA-5 (2) (a) (2)
- 800-53A :: IA-5 (2).1
CCI-000767
The information system implements multifactor authentication for local access to privileged accounts.
- 800-53 :: IA-2 (3)
- 800-53 Rev. 4 :: IA-2 (3)
- 800-53A :: IA-2 (3).1
CCI-000768
The information system implements multifactor authentication for local access to non-privileged accounts.
- 800-53 :: IA-2 (4)
- 800-53 Rev. 4 :: IA-2 (4)
- 800-53A :: IA-2 (4).1
- Group Title
- SRG-OS-000051-GPOS-00024
- Group ID
- V-257240
- Rule Version
- APPL-13-005001
- Rule Title
- The macOS system must enable System Integrity Protection.
- Rule ID
- SV-257240r905353_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
System Integrity Protection (SIP) is vital to the protection of the integrity of macOS. SIP restricts what actions can be performed by administrative users, including root, against protected parts of the operating system. SIP protects all system binaries, including audit tools, from unauthorized access by preventing the modification or deletion of system binaries, or the changing of the permissions associated with those binaries. SIP limits the privileges to change software resident within software libraries to processes that have been signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. By protecting audit binaries, SIP ensures the presence of an audit record generation capability for DOD-defined auditable events for all operating system components and supports on-demand and after-the-fact reporting requirements.
The XProtect program is part of the SIP component and is integral to protecting the operating system from malware and malicious code.
Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable System Integrity Protection with the following command:
/usr/bin/csrutil status
System Integrity Protection status: enabled.
If the "System Integrity Protection" is not set to "enabled", this is a finding.
- Check System
- C-60925r905351_chk
- Fix Reference
- F-60866r905352_fix
- Fix Text
-
Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following command:
/usr/bin/csrutil enable
- Identities
-
CCI-000154
Provide the capability to centrally review and analyze audit records from multiple components within the system.
- 800-53 :: AU-6 (4)
- 800-53 Rev. 4 :: AU-6 (4)
- 800-53 Rev. 5 :: AU-6 (4)
- 800-53A :: AU-6 (4).1
CCI-000158
Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.
- 800-53 :: AU-7 (1)
- 800-53 Rev. 4 :: AU-7 (1)
- 800-53 Rev. 5 :: AU-7 (1)
- 800-53A :: AU-7 (1).1
CCI-000169
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a. on organization-defined information system components.
- 800-53 :: AU-12 a
- 800-53 Rev. 4 :: AU-12 a
- 800-53 Rev. 5 :: AU-12 a
- 800-53A :: AU-12.1 (ii)
CCI-001493
Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494
Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495
Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001499
Limit privileges to change software resident within software libraries.
- 800-53 :: CM-5 (6)
- 800-53 Rev. 4 :: CM-5 (6)
- 800-53 Rev. 5 :: CM-5 (6)
- 800-53A :: CM-5 (6).1
CCI-001875
Provide an audit reduction capability that supports on-demand audit review and analysis.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001876
Provide an audit reduction capability that supports on-demand reporting requirements.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001877
Provide an audit reduction capability that supports after-the-fact investigations of incidents.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001878
Provide a report generation capability that supports on-demand audit review and analysis.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001879
Provide a report generation capability that supports on-demand reporting requirements.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001880
Provide a report generation capability that supports after-the-fact investigations of security incidents.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001881
Provide an audit reduction capability that does not alter original content or time ordering of audit records.
- 800-53 Rev. 4 :: AU-7 b
- 800-53 Rev. 5 :: AU-7 b
CCI-001882
Provide a report generation capability that does not alter original content or time ordering of audit records.
- 800-53 Rev. 4 :: AU-7 b
- 800-53 Rev. 5 :: AU-7 b
- Group Title
- SRG-OS-000185-GPOS-00079
- Group ID
- V-257241
- Rule Version
- APPL-13-005020
- Rule Title
- The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
- Rule ID
- SV-257241r905356_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can be read, copied, or altered. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. FileVault Disk Encryption mitigates this risk.
Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable "FileVault" with the following command:
/usr/bin/fdesetup status
If "FileVault" is "Off" and the device is a mobile device or the organization has determined that the drive must encrypt data at rest, this is a finding.
- Check System
- C-60926r905354_chk
- Fix Reference
- F-60867r905355_fix
- Fix Text
-
Configure the macOS system to enable "FileVault" by opening System Settings >> Privacy & Security >> Security and navigating to the "FileVault" section. Use this panel to configure full-disk encryption.
Alternatively, from the command line, run the following command to enable "FileVault":
/usr/bin/sudo /usr/bin/fdesetup enable
After "FileVault" is initially set up, additional users can be added.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1
CCI-002475
Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information when at rest on organization-defined system components.
- 800-53 Rev. 4 :: SC-28 (1)
- 800-53 Rev. 5 :: SC-28 (1)
CCI-002476
Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.
- 800-53 Rev. 4 :: SC-28 (1)
- 800-53 Rev. 5 :: SC-28 (1)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257293
- Rule Version
- APPL-13-000057
- Rule Title
- The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
- Rule ID
- SV-257293r919358_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH ciphers within the SSH client configuration with the following command:
/usr/bin/sudo /usr/bin/grep -ir "ciphers" /etc/ssh/ssh_config*
/etc/ssh/ssh_config.d/fips_ssh_config:Ciphers aes128-gcm@openssh.com
If any ciphers other than "aes128-gcm@openssh.com" are listed, or the "ciphers" keyword is missing, this is a finding.
- Check System
- C-60980r919356_chk
- Fix Reference
- F-60907r919357_fix
- Fix Text
-
Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:
Ciphers aes128-gcm@openssh.com
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257294
- Rule Version
- APPL-13-000058
- Rule Title
- The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
- Rule ID
- SV-257294r919361_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command:
/usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config*
/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256
If any MACs other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.
- Check System
- C-60981r919359_chk
- Fix Reference
- F-60908r919360_fix
- Fix Text
-
Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:
MACs hmac-sha2-256
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-257295
- Rule Version
- APPL-13-000059
- Rule Title
- The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
- Rule ID
- SV-257295r919364_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.
For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH client configuration with the following command:
/usr/bin/sudo /usr/bin/grep -ir "kexalgorithms" /etc/ssh/ssh_config*
/etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256
If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.
- Check System
- C-60982r919362_chk
- Fix Reference
- F-60909r919363_fix
- Fix Text
-
Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:
KexAlgorithms ecdh-sha2-nistp256
The SSH service must be restarted for changes to take effect.
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-000877
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001453
Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002890
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
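The three SSH client rules above (APPL-13-000057, APPL-13-000058 and APPL-13-000059) share one check-and-fix procedure: grep the keyword across /etc/ssh/ssh_config*, fail if it is missing or any listed algorithm differs from the single approved value, and remediate with a drop-in under ssh_config.d. The shell script below is an added example, not STIG text and not Apple's tooling. It implements that procedure for all three keywords against a configuration directory passed as a parameter, writes the drop-in the Fix Text describes, and runs both against a constructed non-compliant tree in a temporary directory so it can be exercised offline. The directory parameter, the function names and the sample configuration are assumptions for illustration; on a macOS 13 host the directory is /etc/ssh and the check runs under sudo, exactly as the Check Content does.

```shell
#!/bin/sh
# Added example (not STIG or Apple code): audit an OpenSSH client configuration
# directory against the three approved values in APPL-13-000057/58/59 and
# write the drop-in file the Fix Text describes. The directory is a parameter
# so the check can run against a constructed copy; on a macOS 13 host pass
# /etc/ssh and run with sudo, as the Check Content does.

APPROVED_CIPHERS='aes128-gcm@openssh.com'   # APPL-13-000057
APPROVED_MACS='hmac-sha2-256'               # APPL-13-000058
APPROVED_KEX='ecdh-sha2-nistp256'           # APPL-13-000059

# check_keyword <ssh_dir> <keyword> <approved-value>
# Mirrors the STIG check: grep -ri the keyword across <ssh_dir>/ssh_config*,
# then report a finding if the keyword is absent or any algorithm on any
# matching line differs from the approved one. Comment lines are skipped.
# A "+", "-" or "^" list modifier (e.g. "Ciphers +aes128-cbc") is reported
# too, because it keeps OpenSSH's default list in play. Returns 0 if compliant.
check_keyword() {
    dir=$1; kw=$2; approved=$3
    lines=$(grep -rHi "^[[:space:]]*$kw[[:space:]=]" "$dir"/ssh_config* 2>/dev/null || true)
    if [ -z "$lines" ]; then
        echo "FINDING: '$kw' keyword missing under $dir/ssh_config*"
        return 1
    fi
    rc=0
    printf '%s\n' "$lines" | while IFS= read -r line; do
        file=${line%%:*}                      # "path:Keyword v1,v2" -> path
        vals=$(printf '%s\n' "${line#*:}" \
               | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*$//' \
               | tr ',' ' ')
        for v in $vals; do
            [ "$v" = "$approved" ] || echo "FINDING: $file lists $kw '$v' (approved: $approved)"
        done
    done | grep . && rc=1                    # any FINDING line => non-compliant
    return $rc
}

# audit_ssh_client <ssh_dir>: run all three rules; returns the number that fail.
audit_ssh_client() {
    fails=0
    check_keyword "$1" Ciphers       "$APPROVED_CIPHERS" || fails=$((fails + 1))
    check_keyword "$1" MACs          "$APPROVED_MACS"    || fails=$((fails + 1))
    check_keyword "$1" KexAlgorithms "$APPROVED_KEX"     || fails=$((fails + 1))
    return $fails
}

# write_fips_client_config <ssh_dir>: the Fix Text for all three rules in a
# single drop-in named as in the STIG's expected output.
write_fips_client_config() {
    mkdir -p "$1/ssh_config.d"
    printf 'Ciphers %s\nMACs %s\nKexAlgorithms %s\n' \
        "$APPROVED_CIPHERS" "$APPROVED_MACS" "$APPROVED_KEX" \
        > "$1/ssh_config.d/fips_ssh_config"
}

# Constructed demonstration: a non-compliant tree (an extra cipher in the main
# file, no KexAlgorithms anywhere) next to a tree built by the fix function.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bad/ssh_config.d"
    printf 'Include /etc/ssh/ssh_config.d/*\nHost *\n    Ciphers aes128-gcm@openssh.com,aes256-ctr\n' > "$t/bad/ssh_config"
    printf '# Ciphers aes128-cbc (commented out, ignored)\nMacs hmac-sha2-256\n' > "$t/bad/ssh_config.d/fips_ssh_config"
    echo '== constructed non-compliant tree =='
    audit_ssh_client "$t/bad"; echo "rules failing: $?"
    write_fips_client_config "$t/good"
    echo '== tree written by write_fips_client_config =='
    audit_ssh_client "$t/good"; echo "rules failing: $?"
    rm -rf "$t"
}

demo
```

Two caveats a reviewer should keep in mind. First, ssh(1) reads its configuration anew on every invocation, so the client-side drop-in is in effect for the next connection regardless of whether the SSH service is restarted; it is the server-side rules (sshd_config) that depend on a restart. Second, ssh_config uses the first value obtained for each keyword, and the user's own ~/.ssh/config is read before /etc/ssh/ssh_config, so a Ciphers, MACs or KexAlgorithms line in a user file, or in the system file ahead of the Include, wins over fips_ssh_config. The STIG grep over /etc/ssh/ssh_config* does not see ~/.ssh/config; `ssh -G <host>` prints the values ssh will actually negotiate and is the quickest way to confirm the effective configuration for a given account.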