U Apple macOS 13 V1R4


UNCLASSIFIED
Group Title
SRG-OS-000341-GPOS-00132
Group ID
V-257179
Rule Version
APPL-13-001029
Rule Title
The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
Rule ID
SV-257179r905170_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.

Documentable
False
Check Content

Verify the macOS system is configured to store at least seven days of audit records with the following command:

/usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control

expire-after:7d

If "expire-after" is not set to "7d" or greater, this is a finding.

Check System
C-60864r905168_chk
Fix Reference
F-60805r905169_fix
Fix Text

Configure the macOS system to store seven days of audit records with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

Alternatively, use a text editor to update the "/etc/security/audit_control" file.

Identities
CCI-001849

Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.

  • 800-53 Rev. 4 :: AU-4
  • 800-53 Rev. 5 :: AU-4
Group Title
SRG-OS-000343-GPOS-00134
Group ID
V-257180
Rule Version
APPL-13-001030
Rule Title
The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
Rule ID
SV-257180r905173_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to require a minimum percentage of free disk space to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.

When "minfree" is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.

Documentable
False
Check Content

Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command:

/usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control

minfree:25

If "minfree" is not set to "25", this is a finding.

Check System
C-60865r905171_chk
Fix Reference
F-60806r905172_fix
Fix Text

Configure the macOS system to require 25 percent free disk space for audit record storage with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

Alternatively, use a text editor to update the "/etc/security/audit_control" file.

Identities
CCI-001855

Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity.

  • 800-53 Rev. 4 :: AU-5 (1)
  • 800-53 Rev. 5 :: AU-5 (1)
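A script covering both retention checks above (APPL-13-001029 and APPL-13-001030), added here as an example rather than DISA's own check procedure. It assumes the audit_control(5) time suffixes s, h, d and y for "expire-after", treats "minfree" as the exact value 25 the check text names, and ships with a constructed sample file so it runs without the live system.

```shell
#!/bin/sh
# Retention checks for APPL-13-001029 (expire-after >= 7d) and APPL-13-001030
# (minfree = 25) against an audit_control file. Added example, not DISA's script.
# Assumption: expire-after time tokens use the audit_control(5) suffixes s, h, d, y;
# size tokens (B/K/M/G) carry no time bound and are skipped.
SEVEN_DAYS=$((7 * 86400))

# Value of the first uncommented "key:value" line in file $1 for key $2, blanks
# stripped. Unlike "grep ^key", an indented line is found and "#key:" never matches.
audit_control_value() {
    sed -n 's/^[[:space:]]*'"$2"':[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Seconds for one time token such as 7d or 168h; returns 1 for anything else.
duration_seconds() {
    num=${1%?}
    unit=${1#"$num"}
    case $num in '' | *[!0-9]*) return 1 ;; esac
    case $unit in
        s) echo "$num" ;;
        h) echo $((num * 3600)) ;;
        d) echo $((num * 86400)) ;;
        y) echo $((num * 31536000)) ;;
        *) return 1 ;;
    esac
}

# APPL-13-001029: every time token in expire-after must be 7d or longer.
check_expire_after() {
    value=$(audit_control_value "$1" expire-after)
    [ -n "$value" ] || { echo "finding: expire-after is not set"; return 1; }
    seen=0
    for token in $value; do
        secs=$(duration_seconds "$token") || continue   # skips AND, OR and size tokens
        seen=1
        if [ "$secs" -lt "$SEVEN_DAYS" ]; then
            echo "finding: expire-after '$value' keeps less than 7 days"; return 1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "finding: expire-after '$value' has no time limit"; return 1; }
    case $value in
        *OR*) echo "pass (a size clause joined by OR can still expire records early; review)" ;;
        *)    echo "pass" ;;
    esac
}

# APPL-13-001030: the check text requires minfree to be exactly 25.
check_minfree() {
    value=$(audit_control_value "$1" minfree)
    [ "$value" = 25 ] && { echo "pass"; return 0; }
    echo "finding: minfree is '${value:-unset}', expected 25"; return 1
}

# Both checks for one file; exit status is non-zero if either is a finding.
audit_control_report() {
    rc=0
    r=$(check_expire_after "$1") || rc=1; echo "expire-after: $r"
    r=$(check_minfree "$1") || rc=1;     echo "minfree: $r"
    return $rc
}

# Constructed sample file: a commented-out 1d line, then an indented compliant line.
write_sample() {
    printf '%s\n' '#expire-after:1d' 'dir:/var/audit' 'flags:lo,aa' \
        'minfree:25' '  expire-after:10M AND 7d' > "$1"
}

# Stand-alone: sudo sh audit_check.sh /etc/security/audit_control (no argument: the sample).
if [ -n "$1" ]; then
    audit_control_report "$1"
else
    sample=$(mktemp); write_sample "$sample"
    audit_control_report "$sample"; rm -f "$sample"
fi
```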
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257192
Rule Version
APPL-13-002009
Rule Title
The macOS system must be configured to disable AirDrop.
Rule ID
SV-257192r905209_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.

AirDrop must be disabled.

Note: There is a known bug in the graphical user interface where the user can toggle AirDrop in the UI, which indicates the service has been turned on, but it remains disabled if the Restrictions Profile has been applied.

Documentable
False
Check Content

Verify the macOS system is configured to disable AirDrop with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAirDrop"

allowAirDrop = 0;

If there is no result, or if "allowAirDrop" is not set to "0", this is a finding.

Check System
C-60877r905207_chk
Fix Reference
F-60818r905208_fix
Fix Text

Configure the macOS system to disable AirDrop by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257193
Rule Version
APPL-13-002012
Rule Title
The macOS system must be configured to disable the iCloud Calendar services.
Rule ID
SV-257193r905212_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Calendar application's connections to Apple's iCloud must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Calendar services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudCalendar"

allowCloudCalendar = 0;

If there is no result, or if "allowCloudCalendar" is not set to "0", this is a finding.

Check System
C-60878r905210_chk
Fix Reference
F-60819r905211_fix
Fix Text

Configure the macOS system to disable iCloud Calendar services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257194
Rule Version
APPL-13-002013
Rule Title
The macOS system must be configured to disable the iCloud Reminders services.
Rule ID
SV-257194r905215_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Reminder application's connections to Apple's iCloud must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Reminders services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudReminders"

allowCloudReminders = 0;

If there is no result, or if "allowCloudReminders" is not set to "0", this is a finding.

Check System
C-60879r905213_chk
Fix Reference
F-60820r905214_fix
Fix Text

Configure the macOS system to disable iCloud Reminders services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257195
Rule Version
APPL-13-002014
Rule Title
The macOS system must be configured to disable iCloud Address Book services.
Rule ID
SV-257195r905218_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Address Book (Contacts) application's connections to Apple's iCloud must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Address Book services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudAddressBook"

allowCloudAddressBook = 0;

If there is no result, or if "allowCloudAddressBook" is not set to "0", this is a finding.

Check System
C-60880r905216_chk
Fix Reference
F-60821r905217_fix
Fix Text

Configure the macOS system to disable iCloud Address Book services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257196
Rule Version
APPL-13-002015
Rule Title
The macOS system must be configured to disable the iCloud Mail services.
Rule ID
SV-257196r905221_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Mail application's connections to Apple's iCloud must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Mail services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudMail"

allowCloudMail = 0;

If there is no result, or if "allowCloudMail" is not set to "0", this is a finding.

Check System
C-60881r905219_chk
Fix Reference
F-60822r905220_fix
Fix Text

Configure the macOS system to disable iCloud Mail services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257197
Rule Version
APPL-13-002016
Rule Title
The macOS system must be configured to disable the iCloud Notes services.
Rule ID
SV-257197r905224_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Notes application's connections to Apple's iCloud must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Notes services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudNotes"

allowCloudNotes = 0;

If there is no result, or if "allowCloudNotes" is not set to "0", this is a finding.

Check System
C-60882r905222_chk
Fix Reference
F-60823r905223_fix
Fix Text

Configure the macOS system to disable iCloud Notes services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000379-GPOS-00164
Group ID
V-257218
Rule Version
APPL-13-002062
Rule Title
The macOS system must be configured with Bluetooth turned off unless approved by the organization.
Rule ID
SV-257218r905287_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system.

This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that needs to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.

Satisfies: SRG-OS-000379-GPOS-00164, SRG-OS-000481-GPOS-00481

Documentable
False
Check Content

Verify the macOS system is configured to disable Bluetooth with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableBluetooth"

DisableBluetooth = 1;

If the result is not "DisableBluetooth = 1" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding.

Verify the macOS system is configured to disable access to the Bluetooth preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.Bluetooth" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding.

Check System
C-60903r905285_chk
Fix Reference
F-60844r905286_fix
Fix Text

Configure the macOS system to disable Bluetooth and disable access to the Bluetooth preference pane by installing the "Custom Policy" and "Restrictions Policy" configuration profiles.

Identities
CCI-001967

Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

  • 800-53 Rev. 4 :: IA-3 (1)
  • 800-53 Rev. 5 :: IA-3 (1)
CCI-002418

Protect the confidentiality and/or integrity of transmitted information.

  • 800-53 Rev. 4 :: SC-8
  • 800-53 Rev. 5 :: SC-8
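An added example (not DISA's script) for the two Bluetooth conditions above. It works on a saved dump of the system_profiler output, reads the DisabledPreferencePanes array through to its closing ");" so the lookup does not depend on the six lines that "grep -A 6" happens to show, and its profile_value helper applies equally to the other "key = value;" checks on this page (allowAirDrop, BurnSupport, SkipScreenTime and the rest). The dump it ships with is constructed, and the com.example pane ids in it are placeholders.

```shell
#!/bin/sh
# Checks for APPL-13-002062 against a saved dump of
#   /usr/sbin/system_profiler SPConfigurationProfileDataType
# Added example, not DISA's own script. The array is read to its closing ");"
# instead of "grep -A 6", so a pane listed past the sixth line is still found.

# Value of the first "key = value;" line in dump $1 for key $2 (nothing if absent).
profile_value() {
    sed -n 's/^[[:space:]]*'"$2"' = \(.*\);[[:space:]]*$/\1/p' "$1" | head -n 1
}

# 0 if pane id $2 (quoted, as the dump prints it) is inside a DisabledPreferencePanes array.
pane_disabled() {
    awk -v want="\"$2\"" '
        /DisabledPreferencePanes = \(/ { inarr = 1 }
        inarr && index($0, want)       { found = 1 }
        inarr && /\);/                 { inarr = 0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Both conditions of the rule; prints each finding, returns non-zero if any.
bluetooth_check() {
    rc=0
    v=$(profile_value "$1" DisableBluetooth)
    [ "$v" = 1 ] || { echo "finding: DisableBluetooth is '${v:-absent}', expected 1"; rc=1; }
    pane_disabled "$1" com.apple.preferences.Bluetooth ||
        { echo "finding: com.apple.preferences.Bluetooth not in DisabledPreferencePanes"; rc=1; }
    [ $rc -eq 0 ] && echo "pass"
    return $rc
}

# Constructed dump in the profiler's layout; com.example ids are placeholders and the
# Bluetooth pane is the 8th element, beyond what "grep -A 6" would print.
write_sample_dump() {
    printf '%s\n' '    Custom Policy:' '      Payload Content: {' \
        '        DisableBluetooth = 1;' '      }' \
        '    Restrictions Policy:' '      Payload Content: {' \
        '        DisabledPreferencePanes = (' \
        '          "com.example.pane1",' '          "com.example.pane2",' \
        '          "com.example.pane3",' '          "com.example.pane4",' \
        '          "com.example.pane5",' '          "com.example.pane6",' \
        '          "com.example.pane7",' \
        '          "com.apple.preferences.Bluetooth"' \
        '        );' '        allowAirDrop = 0;' '      }' > "$1"
}

# Stand-alone: save the profiler output to a file and pass its path; with no
# argument the constructed sample is checked instead.
if [ -n "$1" ]; then
    bluetooth_check "$1"
else
    dump=$(mktemp); write_sample_dump "$dump"
    bluetooth_check "$dump"; rm -f "$dump"
fi
```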
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257245
Rule Version
APPL-13-005053
Rule Title
The macOS system must restrict the ability of individuals to write to external optical media.
Rule ID
SV-257245r905368_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

External writeable media devices must be disabled for users. External optical media devices can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Documentable
False
Check Content

Verify the macOS system is configured to disable writing to external optical media devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "BurnSupport"

BurnSupport = off;

If "BurnSupport" is not set to "off" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check System
C-60930r905366_chk
Fix Reference
F-60871r905367_fix
Fix Text

Configure the macOS system to disable writing to external optical media devices by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257247
Rule Version
APPL-13-005055
Rule Title
The macOS system must be configured to disable prompts to configure ScreenTime.
Rule ID
SV-257247r905374_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable ScreenTime setup prompts with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipScreenTime"

SkipScreenTime = 1;

If "SkipScreenTime" is not set to "1", this is a finding.

Check System
C-60932r905372_chk
Fix Reference
F-60873r905373_fix
Fix Text

Configure the macOS system to disable ScreenTime setup prompts by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257249
Rule Version
APPL-13-005058
Rule Title
The macOS system must be configured to prevent activity continuation between Apple devices.
Rule ID
SV-257249r905380_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to prevent activity continuation between Apple devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowActivityContinuation"

allowActivityContinuation = 0;

If "allowActivityContinuation" is not set to "0", this is a finding.

Check System
C-60934r905378_chk
Fix Reference
F-60875r905379_fix
Fix Text

Configure the macOS system to prevent activity continuation between Apple devices by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)