- Group Title
- SRG-OS-000341-GPOS-00132
- Group ID
- V-257179
- Rule Version
- APPL-13-001029
- Rule Title
- The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
- Rule ID
- SV-257179r905170_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to store at least seven days of audit records with the following command:
/usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control
expire-after:7d
If "expire-after" is not set to "7d" or greater, this is a finding.
- Check System
- C-60864r905168_chk
- Fix Reference
- F-60805r905169_fix
- Fix Text
-
Configure the macOS system to store seven days of audit records with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
Alternatively, use a text editor to update the "/etc/security/audit_control" file.
- Identities
-
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
- 800-53 Rev. 4 :: AU-4
- 800-53 Rev. 5 :: AU-4
- Group Title
- SRG-OS-000343-GPOS-00134
- Group ID
- V-257180
- Rule Version
- APPL-13-001030
- Rule Title
- The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
- Rule ID
- SV-257180r905173_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to require a minimum percentage of free disk space to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.
When "minfree" is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command:
/usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control
minfree:25
If "minfree" is not set to "25", this is a finding.
- Check System
- C-60865r905171_chk
- Fix Reference
- F-60806r905172_fix
- Fix Text
-
Configure the macOS system to require 25 percent free disk space for audit record storage with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
Alternatively, use a text editor to update the "/etc/security/audit_control" file.
- Identities
-
CCI-001855
Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity.
- 800-53 Rev. 4 :: AU-5 (1)
- 800-53 Rev. 5 :: AU-5 (1)
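The two audit_control checks above (APPL-13-001029 and APPL-13-001030) rely on reading grep output by eye, which does not evaluate "7d or greater" and does not notice a setting that is absent. The following is an added example, not part of the STIG text. It assumes the time suffixes s, m, h, d and y described in audit_control(5), and it flags size-based or combined AND/OR expiry values for manual review rather than guessing.

```sh
#!/bin/sh
# Added example (not STIG text): evaluate audit_control content against
# APPL-13-001029 (expire-after >= 7d) and APPL-13-001030 (minfree = 25).

# Print the value of every active "key:value" line. The key must start the
# line, as in the STIG grep, so commented-out settings never match.
audit_values() {   # $1 = key, $2 = file
    awk -F: -v k="$1" 'NF >= 2 && $1 == k {
        sub(/^[^:]*:/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print }' "$2"
}

# Convert one time period to seconds (suffixes assumed from audit_control(5)).
# Fails for size values (B/K/M/G) and for AND/OR combinations.
expire_to_seconds() {
    num=${1%[smhdy]}
    unit=${1#"$num"}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    num=$(printf '%s\n' "$num" | sed 's/^0*\([0-9]\)/\1/')   # no octal parsing
    case "$unit" in
        s) mult=1 ;; m) mult=60 ;; h) mult=3600 ;;
        d) mult=86400 ;; y) mult=31536000 ;;
        *) return 1 ;;
    esac
    echo $((num * mult))
}

# Returns 0 = pass, 1 = finding, 2 = needs manual review.
check_expire_after() {   # $1 = file
    vals=$(audit_values expire-after "$1")
    [ -n "$vals" ] || { echo "FINDING expire-after: not set"; return 1; }
    rc=0
    while IFS= read -r v; do
        if secs=$(expire_to_seconds "$v"); then
            [ "$secs" -ge 604800 ] || { echo "FINDING expire-after: $v is under 7d"; rc=1; }
        else
            echo "REVIEW expire-after: '$v' is not a plain time period"
            [ "$rc" -eq 1 ] || rc=2
        fi
    done <<EOF
$vals
EOF
    [ "$rc" -eq 0 ] && echo "PASS expire-after: $vals"
    return "$rc"
}

# The STIG check accepts exactly 25 for minfree.
check_minfree() {   # $1 = file
    vals=$(audit_values minfree "$1")
    [ -n "$vals" ] || { echo "FINDING minfree: not set"; return 1; }
    rc=0
    while IFS= read -r v; do
        [ "$v" = "25" ] || { echo "FINDING minfree: $v is not 25"; rc=1; }
    done <<EOF
$vals
EOF
    [ "$rc" -eq 0 ] && echo "PASS minfree: 25"
    return "$rc"
}

# Constructed sample: a compliant line that is commented out, next to a
# weaker active one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
#expire-after:7d
expire-after:72h
EOF
check_expire_after "$sample" || true
check_minfree "$sample" || true
rm -f "$sample"
```

On a real host the functions would be pointed at a root-readable copy of "/etc/security/audit_control".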
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257192
- Rule Version
- APPL-13-002009
- Rule Title
- The macOS system must be configured to disable AirDrop.
- Rule ID
- SV-257192r905209_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
AirDrop must be disabled.
Note: There is a known bug in the graphical user interface where the user can toggle AirDrop in the UI, which indicates the service has been turned on, but it remains disabled if the Restrictions Profile has been applied.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable AirDrop with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAirDrop"
allowAirDrop = 0;
If there is no result, or if "allowAirDrop" is not set to "0", this is a finding.
- Check System
- C-60877r905207_chk
- Fix Reference
- F-60818r905208_fix
- Fix Text
-
Configure the macOS system to disable AirDrop by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257193
- Rule Version
- APPL-13-002012
- Rule Title
- The macOS system must be configured to disable the iCloud Calendar services.
- Rule ID
- SV-257193r905212_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Calendar application's connections to Apple's iCloud must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Calendar services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudCalendar"
allowCloudCalendar = 0;
If there is no result, or if "allowCloudCalendar" is not set to "0", this is a finding.
- Check System
- C-60878r905210_chk
- Fix Reference
- F-60819r905211_fix
- Fix Text
-
Configure the macOS system to disable iCloud Calendar services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257194
- Rule Version
- APPL-13-002013
- Rule Title
- The macOS system must be configured to disable the iCloud Reminders services.
- Rule ID
- SV-257194r905215_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Reminder application's connections to Apple's iCloud must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Reminders services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudReminders"
allowCloudReminders = 0;
If there is no result, or if "allowCloudReminders" is not set to "0", this is a finding.
- Check System
- C-60879r905213_chk
- Fix Reference
- F-60820r905214_fix
- Fix Text
-
Configure the macOS system to disable iCloud Reminders services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257195
- Rule Version
- APPL-13-002014
- Rule Title
- The macOS system must be configured to disable iCloud Address Book services.
- Rule ID
- SV-257195r905218_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Address Book (Contacts) application's connections to Apple's iCloud must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Address Book services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudAddressBook"
allowCloudAddressBook = 0;
If there is no result, or if "allowCloudAddressBook" is not set to "0", this is a finding.
- Check System
- C-60880r905216_chk
- Fix Reference
- F-60821r905217_fix
- Fix Text
-
Configure the macOS system to disable iCloud Address Book services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257196
- Rule Version
- APPL-13-002015
- Rule Title
- The macOS system must be configured to disable the iCloud Mail services.
- Rule ID
- SV-257196r905221_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Mail application's connections to Apple's iCloud must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Mail services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudMail"
allowCloudMail = 0;
If there is no result, or if "allowCloudMail" is not set to "0", this is a finding.
- Check System
- C-60881r905219_chk
- Fix Reference
- F-60822r905220_fix
- Fix Text
-
Configure the macOS system to disable iCloud Mail services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257197
- Rule Version
- APPL-13-002016
- Rule Title
- The macOS system must be configured to disable the iCloud Notes services.
- Rule ID
- SV-257197r905224_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Notes application's connections to Apple's iCloud must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Notes services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudNotes"
allowCloudNotes = 0;
If there is no result, or if "allowCloudNotes" is not set to "0", this is a finding.
- Check System
- C-60882r905222_chk
- Fix Reference
- F-60823r905223_fix
- Fix Text
-
Configure the macOS system to disable iCloud Notes services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000379-GPOS-00164
- Group ID
- V-257218
- Rule Version
- APPL-13-002062
- Rule Title
- The macOS system must be configured with Bluetooth turned off unless approved by the organization.
- Rule ID
- SV-257218r905287_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system.
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that needs to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.
Satisfies: SRG-OS-000379-GPOS-00164, SRG-OS-000481-GPOS-00481
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Bluetooth with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableBluetooth"
DisableBluetooth = 1;
If the result is not "DisableBluetooth = 1" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding.
Verify the macOS system is configured to disable access to the Bluetooth preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.Bluetooth" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding.
- Check System
- C-60903r905285_chk
- Fix Reference
- F-60844r905286_fix
- Fix Text
-
Configure the macOS system to disable Bluetooth and disable access to the Bluetooth preference pane by installing the "Custom Policy" and "Restrictions Policy" configuration profiles.
- Identities
-
CCI-001967
Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
- 800-53 Rev. 4 :: IA-3 (1)
- 800-53 Rev. 5 :: IA-3 (1)
CCI-002418
Protect the confidentiality and/or integrity of transmitted information.
- 800-53 Rev. 4 :: SC-8
- 800-53 Rev. 5 :: SC-8
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257245
- Rule Version
- APPL-13-005053
- Rule Title
- The macOS system must restrict the ability of individuals to write to external optical media.
- Rule ID
- SV-257245r905368_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
External writeable media devices must be disabled for users. External optical media devices can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable writing to external optical media devices with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "BurnSupport"
BurnSupport = off;
If "BurnSupport" is not set to "off" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
- Check System
- C-60930r905366_chk
- Fix Reference
- F-60871r905367_fix
- Fix Text
-
Configure the macOS system to disable writing to external optical media devices by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257247
- Rule Version
- APPL-13-005055
- Rule Title
- The macOS system must be configured to disable prompts to configure ScreenTime.
- Rule ID
- SV-257247r905374_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Screentime Setup with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipScreenTime"
SkipScreenTime = 1;
If "SkipScreenTime" is not set to "1", this is a finding.
- Check System
- C-60932r905372_chk
- Fix Reference
- F-60873r905373_fix
- Fix Text
-
Configure the macOS system to disable Screentime Setup by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257249
- Rule Version
- APPL-13-005058
- Rule Title
- The macOS system must be configured to prevent activity continuation between Apple devices.
- Rule ID
- SV-257249r905380_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent activity continuation between Apple devices with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowActivityContinuation"
allowActivityContinuation = 0;
If "allowActivityContinuation" is not set to "0", this is a finding.
- Check System
- C-60934r905378_chk
- Fix Reference
- F-60875r905379_fix
- Fix Text
-
Configure the macOS system to prevent activity continuation between Apple devices by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
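The configuration-profile checks above each grep one key out of the system_profiler output. The following added example, which is not part of the STIG text, evaluates all of those keys in one pass over a saved copy of that output, treats a missing key as a finding (the "no result" case), and reports a key that a second profile sets to a different value. The sample input is constructed, and only the "key = value;" line format shown on this page is assumed.

```sh
#!/bin/sh
# Added example (not STIG text): batch the configuration-profile key checks.

# key=expected pairs copied from the Check Content sections on this page.
REQUIRED='allowAirDrop=0 allowCloudCalendar=0 allowCloudReminders=0
allowCloudAddressBook=0 allowCloudMail=0 allowCloudNotes=0 DisableBluetooth=1
BurnSupport=off SkipScreenTime=1 allowActivityContinuation=0'

# Print every distinct value assigned to key $1 in the profile dump file $2.
# The key must match exactly, unlike a substring grep.
profile_values() {
    awk -v k="$1" '
        { line = $0; gsub(/[ \t";]/, "", line); n = split(line, kv, "=") }
        n == 2 && kv[1] == k { print kv[2] }' "$2" | sort -u
}

# Print one line per failing key and return the number of findings.
# DisableBluetooth and BurnSupport findings may be documented ISSO exceptions.
check_profile_keys() {   # $1 = file holding system_profiler output
    findings=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(profile_values "$key" "$1")
        if [ -z "$got" ]; then
            echo "FINDING $key: no result"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "FINDING $key: found [$(echo $got)], expected $want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: allowCloudNotes is absent, and a second profile sets
# allowCloudMail to 1 after the first set it to 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Restrictions Policy:
    allowAirDrop = 0;
    allowCloudCalendar = 0;
    allowCloudReminders = 0;
    allowCloudAddressBook = 0;
    allowCloudMail = 0;
    DisableBluetooth = 1;
    BurnSupport = off;
    SkipScreenTime = 1;
    allowActivityContinuation = 0;
Second Policy:
    allowCloudMail = 1;
EOF
check_profile_keys "$sample" || true
rm -f "$sample"
```

The input file would come from redirecting the system_profiler command in the checks above; the "DisabledPreferencePanes" array check for Bluetooth is not covered here.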