U Apple macOS 13 V1R4


UNCLASSIFIED
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257153
Rule Version
APPL-13-000016
Rule Title
The macOS system must be integrated into a directory services infrastructure.
Rule ID
SV-257153r905092_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.

Documentable
False
Check Content

If the macOS system is using a mandatory Smart Card Policy, this requirement is not applicable.

Verify the macOS system is configured to integrate into a directory service with the following command:

/usr/bin/dscl localhost -list . | /usr/bin/grep "Active Directory"

If no results are returned, this is a finding.

Check System
C-60838r905090_chk
Fix Reference
F-60779r905091_fix
Fix Text

Configure the macOS system to integrate into an existing directory services infrastructure.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257165
Rule Version
APPL-13-000054
Rule Title
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
Rule ID
SV-257165r919351_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH ciphers within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "ciphers"

ciphers [email protected]

If any ciphers other than "[email protected]" are listed, or the "ciphers" keyword is missing, this is a finding.

Check System
C-60850r919350_chk
Fix Reference
F-60791r916570_fix
Fix Text

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

Ciphers [email protected]

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257166
Rule Version
APPL-13-000055
Rule Title
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
Rule ID
SV-257166r919353_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH MACs within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "macs"

macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Check System
C-60851r919352_chk
Fix Reference
F-60792r916573_fix
Fix Text

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

MACs hmac-sha2-256

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257167
Rule Version
APPL-13-000056
Rule Title
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
Rule ID
SV-257167r919355_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms"

kexalgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Check System
C-60852r919354_chk
Fix Reference
F-60793r916576_fix
Fix Text

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

KexAlgorithms ecdh-sha2-nistp256

The SSH service must be restarted for changes to take effect.
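The three checks above (ciphers, MACs and key exchange algorithms) share one shape: run `sshd -T`, find the keyword, and require that it names exactly one approved algorithm. The following POSIX shell script is an added example, not part of the STIG or of Apple's tooling; it applies that rule to a `sshd -T` listing read from stdin, so it can be run against constructed input offline and against the live command on a host. The cipher name appears redacted on this page, so the block carries an obviously labelled placeholder for it; `check_sshd_algs`, `check_live_sshd` and the sample listings are all this example's own names.

```shell
#!/bin/sh
# Added example, not part of the STIG: compare the algorithm lists sshd actually
# applies (the `sshd -T` listing) against single approved values. A keyword must
# be present and equal to exactly one algorithm; a missing keyword or any extra
# comma-separated entry is reported as a finding, mirroring the three checks.
#
# Usage: check_sshd_algs <ciphers> <macs> <kexalgorithms>  < sshd -T output
check_sshd_algs() {
    want_ciphers=$1
    want_macs=$2
    want_kex=$3
    dump=$(cat)     # read the whole listing once; it is scanned three times
    rc=0
    for pair in "ciphers=$want_ciphers" "macs=$want_macs" "kexalgorithms=$want_kex"; do
        key=${pair%%=*}
        want=${pair#*=}
        # sshd -T prints lowercase keywords, one "keyword value" pair per line
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "FINDING: \"$key\" keyword missing"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "FINDING: $key is \"$got\", expected exactly \"$want\""
            rc=1
        else
            echo "ok: $key $got"
        fi
    done
    return $rc
}

# Live check on a macOS host, fed by the same command the STIG uses; sudo is
# needed because sshd -T reads the host keys. `ssh -G <host>` prints the
# client's effective settings in the same layout, so it can be piped in too.
check_live_sshd() {
    /usr/bin/sudo /usr/sbin/sshd -T | check_sshd_algs "$@"
}

# Approved values. The cipher name is redacted on this page, so a placeholder
# stands in for it; substitute the value from APPL-13-000054 before live use.
APPROVED_CIPHER='approved-cipher@placeholder'
APPROVED_MACS='hmac-sha2-256'
APPROVED_KEX='ecdh-sha2-nistp256'

# Constructed sample listings (not captured from a real host).
SAMPLE_COMPLIANT="port 22
ciphers $APPROVED_CIPHER
macs $APPROVED_MACS
kexalgorithms $APPROVED_KEX"

# Typical drift: several algorithms per keyword, plus the macs line left out
# to exercise the missing-keyword branch.
SAMPLE_NONCOMPLIANT="port 22
ciphers chacha20-poly1305@openssh.com,$APPROVED_CIPHER
kexalgorithms $APPROVED_KEX,curve25519-sha256"

# Stand-alone demo: the first run passes, the second reports three findings.
printf '%s\n' "$SAMPLE_COMPLIANT" | check_sshd_algs "$APPROVED_CIPHER" "$APPROVED_MACS" "$APPROVED_KEX"
printf '%s\n' "$SAMPLE_NONCOMPLIANT" | check_sshd_algs "$APPROVED_CIPHER" "$APPROVED_MACS" "$APPROVED_KEX" \
    || echo "non-compliant sample rejected as expected"
```

Checking `sshd -T` rather than grepping the drop-in file matters because sshd keeps the first value it reads for each keyword: the file in sshd_config.d/ only wins if the `Include` line in sshd_config comes before any `Ciphers`, `MACs` or `KexAlgorithms` line there, and the effective listing is what shows whether that is the case.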

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000370-GPOS-00155
Group ID
V-257202
Rule Version
APPL-13-002031
Rule Title
The macOS system must be configured to disable the system preference pane for Apple ID.
Rule ID
SV-257202r905239_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and thus can remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Apple ID System Preference Pane must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable access to the Apple ID preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.AppleIDPrefPane", this is a finding.

Check System
C-60887r905237_chk
Fix Reference
F-60828r905238_fix
Fix Text

Configure the macOS system to disable access to the Apple ID preference pane by installing the "Restrictions Policy" configuration profile.

Identities
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000074-GPOS-00042
Group ID
V-257207
Rule Version
APPL-13-002038
Rule Title
The macOS system must be configured to disable the "tftp" service.
Rule ID
SV-257207r905254_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

The "tftp" service must be disabled as it sends all data in a clear-text form that can be easily intercepted and read. The data needs to be protected at all times during transmission, and encryption is the standard method for protecting data in transit.

If the data is not encrypted during transmission, it can be plainly read (i.e., clear text) and easily compromised. Disabling "tftp" is one way to mitigate this risk. Administrators must be instructed to use an alternate service for data transmission that uses encryption, such as SFTP.

Additionally, the "tftp" service uses UDP, which is not secure.

Documentable
False
Check Content

Verify the macOS system is configured to disable the tftpd service with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.tftpd

"com.apple.tftpd" => disabled

If the results are not "com.apple.tftpd => disabled", this is a finding.

Check System
C-60892r905252_chk
Fix Reference
F-60833r905253_fix
Fix Text

Configure the macOS system to disable the "tftpd" service with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.tftpd

The system may need to be restarted for the update to take effect.
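The check above greps one label out of `launchctl print-disabled system`, whose lines read `"label" => disabled` or `"label" => enabled`; a label that has never been disabled does not appear at all, which the STIG also treats as a finding. The POSIX shell script below is an added example, not part of the STIG or of Apple's tooling, that turns this into a reusable check for any launchd label, evaluated against a constructed listing offline and against the live command on a host. `check_disabled_service`, `check_live_service`, `disable_service` and the `com.example.*` labels in the sample are this example's own names; `com.apple.tftpd` and the fix command are the STIG's.

```shell
#!/bin/sh
# Added example, not part of the STIG: decide whether a launchd service is
# disabled from the output of `launchctl print-disabled system`, whose lines
# look like:   "com.apple.tftpd" => disabled
# A label absent from the listing has never been disabled (launchd's default
# is enabled), so it is a finding just like an explicit "=> enabled".
#
# Usage: check_disabled_service <label>   < launchctl print-disabled output
check_disabled_service() {
    label=$1
    listing=$(cat)
    # The label is printed with surrounding double quotes; match it exactly.
    state=$(printf '%s\n' "$listing" |
        awk -v want="\"$label\"" '$1 == want && $2 == "=>" { print $3; exit }')
    case $state in
        disabled)
            echo "ok: $label => disabled"
            return 0 ;;
        "")
            echo "FINDING: $label not listed as disabled (launchd default is enabled)"
            return 1 ;;
        *)
            echo "FINDING: $label => $state"
            return 1 ;;
    esac
}

# Live check and fix on a macOS host; the fix is the STIG's own command.
check_live_service() {
    /bin/launchctl print-disabled system | check_disabled_service "$1"
}
disable_service() {
    /usr/bin/sudo /bin/launchctl disable "system/$1"
}

# Constructed sample listing (not captured from a real host) in the layout
# launchctl prints; the indentation is not significant to the parser.
SAMPLE_LISTING='disabled services = {
    "com.apple.tftpd" => disabled
    "com.example.legacyd" => enabled
}'

# Stand-alone demo: disabled, explicitly enabled, and never-disabled labels.
printf '%s\n' "$SAMPLE_LISTING" | check_disabled_service com.apple.tftpd
printf '%s\n' "$SAMPLE_LISTING" | check_disabled_service com.example.legacyd || true
printf '%s\n' "$SAMPLE_LISTING" | check_disabled_service com.example.absentd || true
```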

Identities
CCI-000197

For password-based authentication, transmit passwords only over cryptographically protected channels.

  • 800-53 :: IA-5 (1) (c)
  • 800-53 Rev. 4 :: IA-5 (1) (c)
  • 800-53 Rev. 5 :: IA-5 (1) (c)
  • 800-53A :: IA-5 (1).1 (v)
Group Title
SRG-OS-000364-GPOS-00151
Group ID
V-257219
Rule Version
APPL-13-002063
Rule Title
The macOS system must disable the guest account.
Rule ID
SV-257219r922875_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.

When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.

Accordingly, only qualified and authorized individuals must be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.

Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Documentable
False
Check Content

Verify the macOS system is configured to disable the guest account with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "GuestAccount"

DisableGuestAccount = 1;

EnableGuestAccount = 0;

If the results are not "DisableGuestAccount = 1" and "EnableGuestAccount = 0", this is a finding.

Check System
C-60904r922874_chk
Fix Reference
F-60845r905289_fix
Fix Text

Configure the macOS system to disable the guest account by installing the "Login Window Policy" configuration profile.

Identities
CCI-001813

Enforce access restrictions using organization-defined mechanisms.

  • 800-53 Rev. 4 :: CM-5 (1)
  • 800-53 Rev. 5 :: CM-5 (1) (a)
Group Title
SRG-OS-000366-GPOS-00153
Group ID
V-257220
Rule Version
APPL-13-002064
Rule Title
The macOS system must have the security assessment policy subsystem enabled.
Rule ID
SV-257220r905293_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.

Accordingly, software defined by the organization as critical must be signed with a certificate that is recognized and approved by the organization.

Documentable
False
Check Content

Verify the macOS system is configured with the security assessment policy subsystem enabled with the following command:

/usr/sbin/spctl --status

assessments enabled

If "assessments enabled" is not returned, this is a finding.

Check System
C-60905r905291_chk
Fix Reference
F-60846r905292_fix
Fix Text

Configure the macOS system to enable the security assessment policy subsystem by installing the "Custom Policy" configuration profile.

Identities
CCI-001749

The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

  • 800-53 Rev. 4 :: CM-5 (3)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257224
Rule Version
APPL-13-002070
Rule Title
The macOS system must use an approved antivirus program.
Rule ID
SV-257224r950969_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

An approved antivirus product must be installed and configured to run.

Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.

Documentable
False
Check Content

Verify the macOS system is configured to enforce installation of XProtect Remediator and Gatekeeper updates automatically with the following command:

/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | /usr/bin/grep "ConfigDataInstall"

ConfigDataInstall = 1;

If the XProtect service is being used and "ConfigDataInstall" is not set to "1", this is a finding.

If XProtect is not active on the system, ask the system administrator (SA) or information system security officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution.

If no local antivirus solution is installed on the system, this is a finding.

Check System
C-60909r950969_chk
Fix Reference
F-60850r905304_fix
Fix Text

Configure the macOS system to automatically update XProtect by installing the "Restrictions Policy" configuration profile.

If XProtect is not being used, install an approved antivirus solution on the system.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000066-GPOS-00034
Group ID
V-257225
Rule Version
APPL-13-003001
Rule Title
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Rule ID
SV-257225r905308_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

DOD-approved certificates must be installed to the System Keychain so they will be available to all users.

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations; for example, application-specific time services. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000478-GPOS-00223

Documentable
False
Check Content

Verify the macOS system is configured with approved DOD certificates with the following command:

/usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | /usr/bin/awk -F\" '{ print $4 }'

If this list contains unapproved certificates, this is a finding.
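The pipeline above prints every certificate label in the keychain and leaves the comparison against the approved set to the reviewer. The POSIX shell script below is an added example, not part of the STIG or of Apple's tooling: it keeps the STIG's own label extraction and compares the result with an allowlist file, printing only the labels that are not approved. The allowlist contents, the sample dump and the names `keychain_labels` and `unapproved_labels` are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG: extract certificate labels from
# `security dump-keychain` output with the STIG's own pipeline (lines holding
# "labl", fourth field when split on '"') and flag every label that is absent
# from an organisation-maintained allowlist. The allowlist and the sample
# dump below are constructed; attribute lines in a real dump look like
#     "labl"<blob>="My Root CA"

# keychain_labels  < dump-keychain output  -> one label per line
keychain_labels() {
    grep labl | awk -F\" '{ print $4 }'
}

# unapproved_labels <allowlist-file>  < dump-keychain output
# Prints labels not on the allowlist (exact, whole-line matches) and succeeds
# only when none are printed.
unapproved_labels() {
    keychain_labels | sort -u | grep -v -x -F -f "$1" && return 1
    [ $? -eq 1 ]    # grep -v: 1 = nothing unapproved, 2 = error (treated as failure)
}

# Constructed allowlist of approved labels, one per line.
ALLOWLIST=$(mktemp)
trap 'rm -f "$ALLOWLIST"' EXIT
cat >"$ALLOWLIST" <<'EOF'
Example Org Root CA
Example Org Issuing CA 1
EOF

# Constructed dump with three certificates, one of them not approved.
SAMPLE_DUMP='keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "cenc"<uint32>=0x00000003
    "labl"<blob>="Example Org Root CA"
class: 0x80001000
attributes:
    "labl"<blob>="Example Org Issuing CA 1"
class: 0x80001000
attributes:
    "labl"<blob>="Untrusted Vendor Test CA"'

# Stand-alone demo. On a macOS host, feed the real dump instead, naming the
# System keychain explicitly so the keychain search list does not decide
# what gets read:
#   sudo security dump-keychain /Library/Keychains/System.keychain | unapproved_labels approved.txt
if printf '%s\n' "$SAMPLE_DUMP" | unapproved_labels "$ALLOWLIST"; then
    echo "no unapproved certificates"
else
    echo "FINDING: the labels above are not on the allowlist"
fi
```

Matching on labels alone is the same level of assurance the STIG check gives; a label is free text, so an allowlist keyed on certificate fingerprints (`security find-certificate -a -Z` prints them) is the stronger form of the same review.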

Check System
C-60910r905306_chk
Fix Reference
F-60851r905307_fix
Fix Text

Configure the macOS system with approved DOD certificates from the appropriate authority. Use Keychain Access from "/Applications/Utilities" to add certificates to the System Keychain or build a certificate root trust payload as described in the supplemental documentation supplied in this STIG package.

Identities
CCI-000185

For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

  • 800-53 :: IA-5 (2)
  • 800-53 Rev. 4 :: IA-5 (2) (a)
  • 800-53 Rev. 5 :: IA-5 (2) (b) (1)
  • 800-53A :: IA-5 (2).1
CCI-002450

Implement organization-defined types of cryptography for each specified cryptography use.

  • 800-53 Rev. 4 :: SC-13
  • 800-53 Rev. 5 :: SC-13 b
Group Title
SRG-OS-000068-GPOS-00036
Group ID
V-257233
Rule Version
APPL-13-003020
Rule Title
The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.
Rule ID
SV-257233r905332_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.

Multifactor authentication requires using two or more factors to achieve authentication.

Factors include:

1) something a user knows (e.g., password/PIN);

2) something a user has (e.g., cryptographic identification device, token); and

3) something a user is (e.g., biometric).

A privileged account is defined as an information system account with authorizations of a privileged user.

Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

The DOD CAC with DOD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055

Documentable
False
Check Content

Verify the macOS system is configured to enforce multifactor authentication with the following commands:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "enforceSmartCard"

enforceSmartCard = 1;

If "enforceSmartCard" is not set to "1", this is a finding.

Check System
C-60918r905330_chk
Fix Reference
F-60859r905331_fix
Fix Text

Configure the macOS system to enforce multifactor authentication by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Identities
CCI-000187

For public key-based authentication, map the authenticated identity to the account of the individual or group.

  • 800-53 :: IA-5 (2)
  • 800-53 Rev. 4 :: IA-5 (2) (c)
  • 800-53 Rev. 5 :: IA-5 (2) (a) (2)
  • 800-53A :: IA-5 (2).1
CCI-000767

The information system implements multifactor authentication for local access to privileged accounts.

  • 800-53 :: IA-2 (3)
  • 800-53 Rev. 4 :: IA-2 (3)
  • 800-53A :: IA-2 (3).1
CCI-000768

The information system implements multifactor authentication for local access to non-privileged accounts.

  • 800-53 :: IA-2 (4)
  • 800-53 Rev. 4 :: IA-2 (4)
  • 800-53A :: IA-2 (4).1
Group Title
SRG-OS-000051-GPOS-00024
Group ID
V-257240
Rule Version
APPL-13-005001
Rule Title
The macOS system must enable System Integrity Protection.
Rule ID
SV-257240r905353_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

System Integrity Protection (SIP) is vital to the protection of the integrity of macOS. SIP restricts what actions can be performed by administrative users, including root, against protected parts of the operating system. SIP protects all system binaries, including audit tools, from unauthorized access by preventing the modification or deletion of system binaries, or the changing of the permissions associated with those binaries. SIP limits the privileges to change software resident within software libraries to processes that have been signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. By protecting audit binaries, SIP ensures the presence of an audit record generation capability for DOD-defined auditable events for all operating system components and supports on-demand and after-the-fact reporting requirements.

The XProtect program is part of the SIP component and is integral to protecting the operating system from malware and malicious code.

Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142

Documentable
False
Check Content

Verify the macOS system is configured to enable System Integrity Protection with the following command:

/usr/bin/csrutil status

System Integrity Protection status: enabled.

If the "System Integrity Protection" is not set to "enabled", this is a finding.

Check System
C-60925r905351_chk
Fix Reference
F-60866r905352_fix
Fix Text

Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following command:

/usr/bin/csrutil enable

Identities
CCI-000154

Provide the capability to centrally review and analyze audit records from multiple components within the system.

  • 800-53 :: AU-6 (4)
  • 800-53 Rev. 4 :: AU-6 (4)
  • 800-53 Rev. 5 :: AU-6 (4)
  • 800-53A :: AU-6 (4).1
CCI-000158

Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.

  • 800-53 :: AU-7 (1)
  • 800-53 Rev. 4 :: AU-7 (1)
  • 800-53 Rev. 5 :: AU-7 (1)
  • 800-53A :: AU-7 (1).1
CCI-000169

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a. on organization-defined information system components.

  • 800-53 :: AU-12 a
  • 800-53 Rev. 4 :: AU-12 a
  • 800-53 Rev. 5 :: AU-12 a
  • 800-53A :: AU-12.1 (ii)
CCI-001493

Protect audit tools from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
CCI-001494

Protect audit tools from unauthorized modification.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9
  • 800-53A :: AU-9.1
CCI-001495

Protect audit tools from unauthorized deletion.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9
  • 800-53A :: AU-9.1
CCI-001499

Limit privileges to change software resident within software libraries.

  • 800-53 :: CM-5 (6)
  • 800-53 Rev. 4 :: CM-5 (6)
  • 800-53 Rev. 5 :: CM-5 (6)
  • 800-53A :: CM-5 (6).1
CCI-001875

Provide an audit reduction capability that supports on-demand audit review and analysis.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001876

Provide an audit reduction capability that supports on-demand reporting requirements.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001877

Provide an audit reduction capability that supports after-the-fact investigations of incidents.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001878

Provide a report generation capability that supports on-demand audit review and analysis.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001879

Provide a report generation capability that supports on-demand reporting requirements.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001880

Provide a report generation capability that supports after-the-fact investigations of security incidents.

  • 800-53 Rev. 4 :: AU-7 a
  • 800-53 Rev. 5 :: AU-7 a
CCI-001881

Provide an audit reduction capability that does not alter original content or time ordering of audit records.

  • 800-53 Rev. 4 :: AU-7 b
  • 800-53 Rev. 5 :: AU-7 b
CCI-001882

Provide a report generation capability that does not alter original content or time ordering of audit records.

  • 800-53 Rev. 4 :: AU-7 b
  • 800-53 Rev. 5 :: AU-7 b
Group Title
SRG-OS-000185-GPOS-00079
Group ID
V-257241
Rule Version
APPL-13-005020
Rule Title
The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
Rule ID
SV-257241r905356_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can be read, copied, or altered. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. FileVault Disk Encryption mitigates this risk.

Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184

Documentable
False
Check Content

Verify the macOS system is configured to enable "FileVault" with the following command:

/usr/bin/fdesetup status

If "FileVault" is "Off" and the device is a mobile device or the organization has determined that the drive must encrypt data at rest, this is a finding.

Check System
C-60926r905354_chk
Fix Reference
F-60867r905355_fix
Fix Text

Configure the macOS system to enable "FileVault" by opening System Settings >> Privacy & Security >> Security and navigate to the "FileVault" section. Use this panel to configure full-disk encryption.

Alternatively, from the command line, run the following command to enable "FileVault":

/usr/bin/sudo /usr/bin/fdesetup enable

After "FileVault" is initially set up, additional users can be added.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
CCI-002475

Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information when at rest on organization-defined system components.

  • 800-53 Rev. 4 :: SC-28 (1)
  • 800-53 Rev. 5 :: SC-28 (1)
CCI-002476

Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.

  • 800-53 Rev. 4 :: SC-28 (1)
  • 800-53 Rev. 5 :: SC-28 (1)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257293
Rule Version
APPL-13-000057
Rule Title
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
Rule ID
SV-257293r919358_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH ciphers within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "ciphers" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Ciphers [email protected]

If any ciphers other than "[email protected]" are listed, or the "ciphers" keyword is missing, this is a finding.

Check System
C-60980r919356_chk
Fix Reference
F-60907r919357_fix
Fix Text

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

Ciphers [email protected]

The ssh client reads its configuration each time it is invoked, so new connections pick up the change without restarting the SSH service; only changes to the server-side sshd_config require a restart. Because ssh_config applies the first value it obtains for each keyword, confirm that the Include directive for ssh_config.d/* in /etc/ssh/ssh_config precedes any other Ciphers line.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257294
Rule Version
APPL-13-000058
Rule Title
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
Rule ID
SV-257294r919361_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Check System
C-60981r919359_chk
Fix Reference
F-60908r919360_fix
Fix Text

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

MACs hmac-sha2-256

The ssh client reads its configuration each time it is invoked, so new connections pick up the change without restarting the SSH service; only changes to the server-side sshd_config require a restart. Because ssh_config applies the first value it obtains for each keyword, confirm that the Include directive for ssh_config.d/* in /etc/ssh/ssh_config precedes any other MACs line.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257295
Rule Version
APPL-13-000059
Rule Title
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
Rule ID
SV-257295r919364_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "kexalgorithms" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Check System
C-60982r919362_chk
Fix Reference
F-60909r919363_fix
Fix Text

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

KexAlgorithms ecdh-sha2-nistp256

The ssh client reads its configuration each time it is invoked, so new connections pick up the change without restarting the SSH service; only changes to the server-side sshd_config require a restart. Because ssh_config applies the first value it obtains for each keyword, confirm that the Include directive for ssh_config.d/* in /etc/ssh/ssh_config precedes any other KexAlgorithms line.
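Added example (not STIG text and not Apple's code) covering the Fix Text of APPL-13-000057, APPL-13-000058 and APPL-13-000059 together, since all three settings land in the same drop-in file: a POSIX shell script that writes the client drop-in and then audits the client configuration the way the three Check Content commands do, while ignoring the commented-out default Ciphers/MACs lines in the stock OpenSSH ssh_config template that the STIG's "grep -i" would also print. Assumptions: the drop-in is named fips_ssh_config as in the sample output; the config root SSH_CONF_DIR defaults to /etc/ssh (a symbolic link to /private/etc/ssh) and can be pointed at a scratch directory; the cipher is passed as an argument and must be the cipher named in the Check Content of APPL-13-000057; "ssh -G" is a standard OpenSSH client option used here as an extra check, not something the STIG prescribes.

```shell
#!/bin/sh
# Added example; not part of the STIG and not Apple's code.
# Writes the FIPS SSH *client* drop-in required by APPL-13-000057 (Ciphers),
# APPL-13-000058 (MACs) and APPL-13-000059 (KexAlgorithms), then audits the
# client configuration the way the three checks do.
#
# Assumptions (not from the STIG text):
#   SSH_CONF_DIR   config root; /etc/ssh (= /private/etc/ssh) on a real host,
#                  overridable so the functions can be exercised in a scratch dir
#   cipher         passed as an argument; use the cipher named in APPL-13-000057
#   fips_ssh_config is the drop-in name shown in the checks' sample output

SSH_CONF_DIR="${SSH_CONF_DIR:-/etc/ssh}"
FIPS_MACS="hmac-sha2-256"          # APPL-13-000058
FIPS_KEX="ecdh-sha2-nistp256"      # APPL-13-000059

# Create the drop-in. ssh_config keeps the FIRST value it obtains for a keyword,
# so this only governs the client if the "Include /etc/ssh/ssh_config.d/*" line
# in ssh_config precedes any other Ciphers/MACs/KexAlgorithms line.
write_fips_client_config() {
    cipher="$1"
    dir="$SSH_CONF_DIR/ssh_config.d"
    mkdir -p "$dir"
    printf 'Ciphers %s\nMACs %s\nKexAlgorithms %s\n' \
        "$cipher" "$FIPS_MACS" "$FIPS_KEX" > "$dir/fips_ssh_config"
    chmod 644 "$dir/fips_ssh_config"
}

# All values set for one keyword across ssh_config and ssh_config.d/*, split on
# commas, sorted, deduplicated and printed space-separated. Unlike the STIG's
# "grep -ir", commented lines such as "#   Ciphers aes128-ctr,..." from the
# stock OpenSSH ssh_config template are ignored, so only directives that
# actually apply are counted.
configured_values() {
    keyword="$1"
    cat "$SSH_CONF_DIR/ssh_config" "$SSH_CONF_DIR"/ssh_config.d/* 2>/dev/null \
      | grep -iE "^[[:space:]]*${keyword}[[:space:]]" \
      | awk '{print $2}' | tr ',' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# STIG-style audit: a keyword is a finding when it is missing or when anything
# other than the approved value is listed anywhere. Returns 0 = compliant.
audit_fips_client() {
    cipher="$1"
    rc=0
    for pair in "ciphers=$cipher" "macs=$FIPS_MACS" "kexalgorithms=$FIPS_KEX"; do
        kw="${pair%%=*}"
        want="${pair#*=}"
        got="$(configured_values "$kw")"
        if [ -z "$got" ]; then
            echo "FINDING: $kw keyword missing"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "FINDING: $kw lists '$got', expected only '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# On a live host, show what the client will actually offer after Host/Match
# evaluation. This is the authoritative post-change check; the client reads
# its config on every invocation, so no service restart is involved.
effective_client_algorithms() {
    ssh -G "${1:-localhost}" | grep -iE '^(ciphers|macs|kexalgorithms) '
}

# Stand-alone use: "sh this.sh install <cipher>" (as root) writes the drop-in
# and audits; "sh this.sh audit <cipher>" only audits. Sourcing the file
# exposes the functions without running anything.
case "${1:-}" in
    install|audit)
        [ -n "${2:-}" ] || { echo "usage: $0 install|audit <cipher>" >&2; exit 2; }
        [ "$1" = install ] && write_fips_client_config "$2"
        audit_fips_client "$2" ;;
esac
```

The audit deliberately treats any second file under ssh_config.d/ that re-adds a non-approved algorithm as a finding, matching the STIG wording "any ciphers other than ... are listed", even though first-match semantics might mean the extra value is never offered; effective_client_algorithms resolves that question on the real host.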

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)