U Apple macOS 13 V1R4

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-257142
Rule Version
APPL-13-000001
Rule Title
The macOS system must be configured to prevent Apple Watch from terminating a session lock.
Rule ID
SV-257142r905059_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.

Documentable
False
Check Content

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock"

allowAutoUnlock = 0;

If there is no result or "allowAutoUnlock" is not set to "0", this is a finding.

Check System
C-60827r905057_chk
Fix Reference
F-60768r905058_fix
Fix Text

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-257143
Rule Version
APPL-13-000002
Rule Title
The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
Rule ID
SV-257143r905062_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.

Documentable
False
Check Content

Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -w "askForPassword"

askForPassword = 1;

If there is no result, or if "askForPassword" is not set to "1", this is a finding.

Check System
C-60828r905060_chk
Fix Reference
F-60769r905061_fix
Fix Text

Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "Login Window Policy" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-257144
Rule Version
APPL-13-000003
Rule Title
The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
Rule ID
SV-257144r905065_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.

Documentable
False
Check Content

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "askForPasswordDelay"

askForPasswordDelay = 5;

If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding.

Check System
C-60829r905063_chk
Fix Reference
F-60770r905064_fix
Fix Text

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "Login Window Policy" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000029-GPOS-00010
Group ID
V-257145
Rule Version
APPL-13-000004
Rule Title
The macOS system must initiate a session lock after a 15-minute period of inactivity.
Rule ID
SV-257145r905068_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A screen saver must be enabled and set to require a password to unlock. The timeout must be set to 15 minutes of inactivity. This mitigates the risk that a user might forget to manually lock the screen before stepping away from the computer.

A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

Documentable
False
Check Content

Verify the macOS system is configured to initiate the screen saver after 15 minutes of inactivity with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "loginWindowIdleTime"

loginWindowIdleTime = 900;

If there is no result, or if "idleTime" is not set to "900" seconds or less, this is a finding.

Check System
C-60830r905066_chk
Fix Reference
F-60771r905067_fix
Fix Text

Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "Login Window Policy" configuration profile.

Identities
CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

  • 800-53 :: AC-11 a
  • 800-53 Rev. 4 :: AC-11 a
  • 800-53 Rev. 5 :: AC-11 a
  • 800-53A :: AC-11.1 (ii)
Group Title
SRG-OS-000030-GPOS-00011
Group ID
V-257146
Rule Version
APPL-13-000005
Rule Title
The macOS system must be configured to lock the user session when a smart token is removed.
Rule ID
SV-257146r905071_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems must provide users with the ability to manually invoke a session lock so users may secure their session should they need to temporarily vacate the immediate physical vicinity.

Documentable
False
Check Content

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction"

tokenRemovalAction = 1;

If there is no result, or if "tokenRemovalAction" is not set to "1", this is a finding.

Check System
C-60831r905069_chk
Fix Reference
F-60772r905070_fix
Fix Text

Configure the macOS system to lock the user session when a smart token is removed by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Identities
CCI-000058

The information system provides the capability for users to directly initiate session lock mechanisms.

  • 800-53 :: AC-11 a
  • 800-53 Rev. 4 :: AC-11 a
  • 800-53A :: AC-11
Group Title
SRG-OS-000031-GPOS-00012
Group ID
V-257147
Rule Version
APPL-13-000006
Rule Title
The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
Rule ID
SV-257147r905074_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A default screen saver must be configured for all users, as the screen saver will act as a session timeout lock for the system and must conceal the contents of the screen from unauthorized users. The screen saver must not display any sensitive information or reveal the contents of the locked session screen. Publicly viewable images can include static or dynamic images such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen.

Documentable
False
Check Content

Verify the macOS system is configured with a screen saver with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "moduleName"

moduleName = Ventura;

If there is no result or the "moduleName" is undefined, this is a finding.

Check System
C-60832r905072_chk
Fix Reference
F-60773r905073_fix
Fix Text

Configure the macOS system with a screen saver by installing the "Login Window Policy" configuration profile.

Identities
CCI-000060

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

  • 800-53 :: AC-11 (1)
  • 800-53 Rev. 4 :: AC-11 (1)
  • 800-53 Rev. 5 :: AC-11 (1)
  • 800-53A :: AC-11 (1).1
Group Title
SRG-OS-000031-GPOS-00012
Group ID
V-257148
Rule Version
APPL-13-000007
Rule Title
The macOS system must be configured to disable hot corners.
Rule ID
SV-257148r905077_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Although hot corners can be used to initiate a session lock or launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.

Documentable
False
Check Content

Verify the macOS system is configured to disable hot corners with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous"

"wvous-bl-corner" = 0;

"wvous-br-corner" = 0;

"wvous-tl-corner" = 0;

"wvous-tr-corner" = 0;

If the command does not return the following, this is a finding.

"wvous-bl-corner = 0;

wvous-br-corner = 0;

wvous-tl-corner = 0;

wvous-tr-corner = 0;"

Check System
C-60833r905075_chk
Fix Reference
F-60774r905076_fix
Fix Text

Configure the macOS system to disable hot corners by installing the "Custom Policy" configuration profile.

Identities
CCI-000060

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

  • 800-53 :: AC-11 (1)
  • 800-53 Rev. 4 :: AC-11 (1)
  • 800-53 Rev. 5 :: AC-11 (1)
  • 800-53A :: AC-11 (1).1
Group Title
SRG-OS-000002-GPOS-00002
Group ID
V-257150
Rule Version
APPL-13-000012
Rule Title
The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.
Rule ID
SV-257150r905083_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.

Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.

If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DOD-defined time period of 72 hours.

Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.

Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.

To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.

Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064

Documentable
False
Check Content

Verify the macOS system is configured with a policy via directory service to disable temporary or emergency accounts after 72 hours by asking the System Administrator (SA) or Information System Security Officer (ISSO).

If a policy is not set by a directory service, a password policy must be set with the "pwpolicy" utility. The variable names may differ depending on how the policy was set.

If temporary or emergency accounts are not defined on the macOS system, this is not applicable.

Verify the macOS system is configured with a policy to disable temporary or emergency accounts after 72 hours with the following command:

/usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2

If there is no output and password policy is not controlled by a directory service, this is a finding.

Otherwise, look for the line "<key>policyCategoryAuthentication</key>".

In the array that follows, a <dict> section contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section.

If the check does not exist or if the check adds more than 72 hours to "policyAttributeCreationTime", this is a finding.

Check System
C-60835r905081_chk
Fix Reference
F-60776r905082_fix
Fix Text

Configure the macOS system to disable temporary or emergency accounts after 72 hours. This setting may be enforced using local policy or by a directory service.

To set local policy to disable a temporary or emergency user, create a plain text file containing the following:

<dict>

<key>policyCategoryAuthentication</key>

<array>

<dict>

<key>policyContent</key>

<string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string>

<key>policyIdentifier</key>

<string>Disable Tmp Accounts </string>

</dict>

</array>

</dict>

After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".

/usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file

Identities
CCI-000016

Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.

  • 800-53 :: AC-2 (2)
  • 800-53 Rev. 4 :: AC-2 (2)
  • 800-53 Rev. 5 :: AC-2 (2)
  • 800-53A :: AC-2 (2).1 (ii)
CCI-001682

Automatically removes or disables emergency accounts after an organization-defined time period for each type of account.

  • 800-53 :: AC-2 (2)
  • 800-53 Rev. 4 :: AC-2 (2)
  • 800-53 Rev. 5 :: AC-2 (2)
  • 800-53A :: AC-2 (2).1 (ii)
Group Title
SRG-OS-000355-GPOS-00143
Group ID
V-257151
Rule Version
APPL-13-000014
Rule Title
The macOS system must compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
Rule ID
SV-257151r922872_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate.

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Documentable
False
Check Content

Verify the macOS system is configured with the timed service enabled and an authorized time server with the following commands:

/usr/bin/sudo /usr/sbin/systemsetup -getusingnetworktime

Network Time: On

If "Network Time" is not set to "On", this is a finding.

/usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver

If no time server is configured, or if an unapproved time server is in use, this is a finding.

Check System
C-60836r922871_chk
Fix Reference
F-60777r905085_fix
Fix Text

Configure the macOS system to enable the timed service and set an authorized time server with the following commands:

/usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on

/usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver "server"

Identities
CCI-001891

The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.

  • 800-53 Rev. 4 :: AU-8 (1) (a)
CCI-002046

The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

  • 800-53 Rev. 4 :: AU-8 (1) (b)
Group Title
SRG-OS-000191-GPOS-00080
Group ID
V-257152
Rule Version
APPL-13-000015
Rule Title
The macOS system must use an Endpoint Security Solution (ESS) and implement all DOD required modules.
Rule ID
SV-257152r939261_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The macOS system must employ automated mechanisms to determine the state of system components. The DOD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNet.

Documentable
False
Check Content

Verify the macOS system is configured with an approved ESS solution.

If an approved ESS solution is not installed, this is a finding.

Verify that all installed components of the ESS solution are at the DOD-approved minimal version.

If the installed components are not at the DOD-approved minimal versions, this is a finding.

Check System
C-60837r905087_chk
Fix Reference
F-60778r905088_fix
Fix Text

Configure the macOS system with an approved ESS solution and ensure that all components are at least updated to their DOD-approved minimal versions.

Identities
CCI-001233

The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.

  • 800-53 :: SI-2 (2)
  • 800-53 Rev. 4 :: SI-2 (2)
  • 800-53A :: SI-2 (2).1 (ii)
Group Title
SRG-OS-000329-GPOS-00128
Group ID
V-257154
Rule Version
APPL-13-000022
Rule Title
The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
Rule ID
SV-257154r905095_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Documentable
False
Check Content

Verify the macOS system is configured to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxFailedAttempts\|minutesUntilFailedLoginReset"

maxFailedAttempts = 3;

minutesUntilFailedLoginReset = 15;

If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding.

Check System
C-60839r905093_chk
Fix Reference
F-60780r905094_fix
Fix Text

Configure the macOS system to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked by installing the "Passcode Policy" configuration profile or by a directory service.

Identities
CCI-002238

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

  • 800-53 Rev. 4 :: AC-7 b
  • 800-53 Rev. 5 :: AC-7 b
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-257155
Rule Version
APPL-13-000023
Rule Title
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.
Rule ID
SV-257155r905098_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with DTM-08-060.

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.

Check to see if the operating system has the correct text listed in the "/etc/banner" file with the following command:

/usr/bin/more /etc/banner

The command must return the following text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the operating system does not display a logon banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Check System
C-60840r905096_chk
Fix Reference
F-60781r905097_fix
Fix Text

Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text.

Name the file "banner" and place it in "/etc/".

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-257156
Rule Version
APPL-13-000024
Rule Title
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH.
Rule ID
SV-257156r905101_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with DTM-08-060.

Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command:

/usr/bin/grep -r Banner /etc/ssh/sshd_config*

Banner /etc/banner

If the sshd Banner configuration option does not point to "/etc/banner", this is a finding.

If conflicting results are returned, this is a finding.

Check System
C-60841r905099_chk
Fix Reference
F-60782r905100_fix
Fix Text

Configure the macOS system to display the contents of "/etc/banner" before granting access to the system with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/^#Banner.*/Banner \/etc\/banner/' /etc/ssh/sshd_config

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
CCI-000050

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

  • 800-53 :: AC-8 b
  • 800-53 Rev. 4 :: AC-8 b
  • 800-53 Rev. 5 :: AC-8 b
  • 800-53A :: AC-8.1 (iii)
Group Title
SRG-OS-000023-GPOS-00006
Group ID
V-257157
Rule Version
APPL-13-000025
Rule Title
The macOS system must be configured so that any connection to the system must display the Standard Mandatory DOD Notice and Consent Banner before granting GUI access to the system.
Rule ID
SV-257157r905104_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with DTM-08-060.

Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088

Documentable
False
Check Content

Verify the macOS system is configured to display a policy banner with the following command:

/bin/ls -l /Library/Security/PolicyBanner.rtfd

-rw-r--r--@ 1 admin sheel 37 Jan 27 11:18 /Library/Security/PolicyBanner.rtfd

If "PolicyBanner.rtfd" does not exist, this is a finding.

If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding.

The banner text of the document must read:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the text is not worded exactly this way, this is a finding.

Check System
C-60842r905102_chk
Fix Reference
F-60783r905103_fix
Fix Text

Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/".

Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command:

/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
CCI-000050

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

  • 800-53 :: AC-8 b
  • 800-53 Rev. 4 :: AC-8 b
  • 800-53 Rev. 5 :: AC-8 b
  • 800-53A :: AC-8.1 (iii)
CCI-001384

For publicly accessible systems, display system use information with organization-defined conditions before granting further access to the publicly accessible system.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 1
  • 800-53 Rev. 5 :: AC-8 c 1
  • 800-53A :: AC-8.2 (i)
CCI-001385

For publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001386

For publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001387

For publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 2
  • 800-53 Rev. 5 :: AC-8 c 2
  • 800-53A :: AC-8.2 (ii)
CCI-001388

For publicly accessible systems, includes a description of the authorized uses of the system.

  • 800-53 :: AC-8 c
  • 800-53 Rev. 4 :: AC-8 c 3
  • 800-53 Rev. 5 :: AC-8 c 3
  • 800-53A :: AC-8.2 (iii)
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257158
Rule Version
APPL-13-000030
Rule Title
The macOS system must be configured so that log files do not contain access control lists (ACLs).
Rule ID
SV-257158r905107_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Documentable
False
Check Content

Verify the macOS system is configured without ACLs applied to log files with the following command:

/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current

In the output from the above command, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity").

If any ACLs exists, this is a finding.

Check System
C-60843r905105_chk
Fix Reference
F-60784r905106_fix
Fix Text

Configure the macOS system so that log files do not contain ACLs with the following command:

/usr/bin/sudo /bin/chmod -N [audit log file]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
CCI-001314

Reveal error messages only to organization-defined personnel or roles.

  • 800-53 :: SI-11 c
  • 800-53 Rev. 4 :: SI-11 b
  • 800-53 Rev. 5 :: SI-11 b
  • 800-53A :: SI-11.1 (iv)
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257159
Rule Version
APPL-13-000031
Rule Title
The macOS system must be configured so that log folders do not contain access control lists (ACLs).
Rule ID
SV-257159r905110_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured without ACLs applied to log folders with the following command:

/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')

In the output from the above command, ACLs will be listed under any folder that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity").

If any ACLs exists, this is a finding.

Check System
C-60844r905108_chk
Fix Reference
F-60785r905109_fix
Fix Text

Configure the macOS system so that log folders do not contain ACLs with the following command:

/usr/bin/sudo /bin/chmod -N [audit log folder]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257160
Rule Version
APPL-13-000032
Rule Title
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
Rule ID
SV-257160r905113_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Documentable
False
Check Content

Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command:

/usr/bin/sudo /usr/bin/fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons:

/usr/bin/sudo /usr/bin/dscl . read /Users/<FileVault_User> UserShell

UserShell: /usr/bin/false

If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.

Check System
C-60845r905111_chk
Fix Reference
F-60786r905112_fix
Fix Text

Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands:

/usr/bin/sudo /usr/bin/fdesetup add -user <username>

/usr/bin/sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false

Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user:

/usr/bin/sudo /usr/bin/fdesetup remove -user <username>

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257161
Rule Version
APPL-13-000033
Rule Title
The macOS system must be configured to disable password forwarding for FileVault.
Rule ID
SV-257161r905116_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Documentable
False
Check Content

Verify the macOS system is configured to disable password forwarding with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin"

DisableFDEAutoLogin = 1;

If "DisableFDEAutoLogin" is not set to a value of "1", this is a finding.

Check System
C-60846r905114_chk
Fix Reference
F-60787r905115_fix
Fix Text

Configure the macOS system to disable password forwarding by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000163-GPOS-00072
Group ID
V-257162
Rule Version
APPL-13-000051
Rule Title
The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
Rule ID
SV-257162r922873_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met.

The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is "0", indicating no messages will be sent.

The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to "0" disables connection termination.

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured with the SSH daemon "ClientAliveInterval" option set to "900" or less with the following command:

/usr/bin/grep -r ^ClientAliveInterval /etc/ssh/sshd_config*

If "ClientAliveInterval" is not configured or has a value of "0", this is a finding.

If "ClientAliveInterval" is not "900" or less, this is a finding.

If conflicting results are returned, this is a finding.

Check System
C-60847r905117_chk
Fix Reference
F-60788r905118_fix
Fix Text

Configure the macOS system to set the SSH daemon "ClientAliveInterval" option to "900" with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config

Identities
CCI-001133

Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

  • 800-53 :: SC-10
  • 800-53 Rev. 4 :: SC-10
  • 800-53 Rev. 5 :: SC-10
  • 800-53A :: SC-10.1 (ii)
Group Title
SRG-OS-000163-GPOS-00072
Group ID
V-257163
Rule Version
APPL-13-000052
Rule Title
The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 1.
Rule ID
SV-257163r905122_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met.

The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is 0, indicating no messages will be sent.

The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to 0 disables connection termination.

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured with the SSH daemon "ClientAliveCountMax" option set to "1" with the following command:

/usr/bin/grep -r ^ClientAliveCountMax /etc/ssh/sshd_config*

If the setting is not "ClientAliveCountMax 1", this is a finding.

If conflicting results are returned, this is a finding.

Check System
C-60848r905120_chk
Fix Reference
F-60789r905121_fix
Fix Text

Configure the macOS system to set the SSH daemon "ClientAliveCountMax" option to "1" with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 1/' /etc/ssh/sshd_config

Identities
CCI-001133

Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

  • 800-53 :: SC-10
  • 800-53 Rev. 4 :: SC-10
  • 800-53 Rev. 5 :: SC-10
  • 800-53A :: SC-10.1 (ii)
Group Title
SRG-OS-000163-GPOS-00072
Group ID
V-257164
Rule Version
APPL-13-000053
Rule Title
The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
Rule ID
SV-257164r905125_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

SSH must be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured with the SSH daemon "LoginGraceTime" option set to "30" or less with the following command:

/usr/bin/grep -r ^LoginGraceTime /etc/ssh/sshd_config*

If "LoginGraceTime" is not configured or has a value of "0", this is a finding.

If "LoginGraceTime" is not set to "30" or less, this is a finding.

If conflicting results are returned, this is a finding.

Check System
C-60849r905123_chk
Fix Reference
F-60790r905124_fix
Fix Text

Configure the macOS system to set the SSH daemon "LoginGraceTime" option to "30" with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config

Identities
CCI-001133

Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

  • 800-53 :: SC-10
  • 800-53 Rev. 4 :: SC-10
  • 800-53 Rev. 5 :: SC-10
  • 800-53A :: SC-10.1 (ii)
Group Title
SRG-OS-000004-GPOS-00004
Group ID
V-257168
Rule Version
APPL-13-001001
Rule Title
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.
Rule ID
SV-257168r905137_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.

This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems.

Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag.

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.

This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000327-GPOS-00127, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222

Documentable
False
Check Content

Verify the macOS system is configured to audit privileged access with the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

If "ad" is not listed in the output, this is a finding.

Check System
C-60853r905135_chk
Fix Reference
F-60794r905136_fix
Fix Text

Configure the macOS system to audit privileged access with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Identities
CCI-000018

Automatically audit account creation actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
CCI-001403

Automatically audit account modification actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-001404

Automatically audit account disabling actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-001405

Automatically audit account removal actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-002234

Log the execution of privileged functions.

  • 800-53 Rev. 4 :: AC-6 (9)
  • 800-53 Rev. 5 :: AC-6 (9)
CCI-002884

Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

  • 800-53 Rev. 4 :: MA-4 (1) (a)
  • 800-53 Rev. 5 :: MA-4 (1) (a)
Group Title
SRG-OS-000032-GPOS-00013
Group ID
V-257169
Rule Version
APPL-13-001002
Rule Title
The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
Rule ID
SV-257169r905140_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges to proceed. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Attempts to log in as another user are logged by way of the "lo" flag.

Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000462-GPOS-00206

Documentable
False
Check Content

Verify the macOS system is configured to audit attempts to access/modify privileges with the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

If "lo" is not listed in the result of the check, this is a finding.

Check System
C-60854r905138_chk
Fix Reference
F-60795r905139_fix
Fix Text

Configure the macOS system to audit attempts to access/modify privileges with the following command:

/usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Identities
CCI-000067

Employ automated mechanisms to monitor remote access methods.

  • 800-53 :: AC-17 (1)
  • 800-53 Rev. 4 :: AC-17 (1)
  • 800-53 Rev. 5 :: AC-17 (1)
  • 800-53A :: AC-17 (1).1
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
Group Title
SRG-OS-000037-GPOS-00015
Group ID
V-257170
Rule Version
APPL-13-001003
Rule Title
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
Rule ID
SV-257170r905143_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Without establishing what type of events occurred, when they occurred, and by whom, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Associating event types with detected events in the operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured operating system.

Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146

Documentable
False
Check Content

Verify the macOS system is configured to enable the auditd service with the following command:

/bin/launchctl print-disabled system| /usr/bin/grep com.apple.auditd

"com.apple.auditd" => enabled

If the results are not "com.apple.auditd => enabled", this is a finding.

Check System
C-60855r905141_chk
Fix Reference
F-60796r905142_fix
Fix Text

Configure the macOS system to enable the auditd service with the following command:

/usr/bin/sudo /bin/launchctl enable system/com.apple.auditd

The system may need to be restarted for the update to take effect.

Identities
CCI-000130

Ensure that audit records containing information that establishes what type of event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 a
  • 800-53A :: AU-3.1
CCI-000131

Ensure that audit records containing information that establishes when the event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 b
  • 800-53A :: AU-3.1
CCI-000132

Ensure that audit records containing information that establishes where the event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 c
  • 800-53A :: AU-3.1
CCI-000133

Ensure that audit records containing information that establishes the source of the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 d
  • 800-53A :: AU-3.1
CCI-000134

Ensure that audit records containing information that establishes the outcome of the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 e
  • 800-53A :: AU-3.1
CCI-000135

Generate audit records containing the organization-defined additional information that is to be included in the audit records.

  • 800-53 :: AU-3 (1)
  • 800-53 Rev. 4 :: AU-3 (1)
  • 800-53 Rev. 5 :: AU-3 (1)
  • 800-53A :: AU-3 (1).1 (ii)
CCI-000159

Use internal system clocks to generate time stamps for audit records.

  • 800-53 :: AU-8
  • 800-53 Rev. 4 :: AU-8 a
  • 800-53 Rev. 5 :: AU-8 a
  • 800-53A :: AU-8.1
CCI-001464

Initiates session audits automatically at system start-up.

  • 800-53 :: AU-14 (1)
  • 800-53 Rev. 4 :: AU-14 (1)
  • 800-53 Rev. 5 :: AU-14 (1)
  • 800-53A :: AU-14 (1).1
CCI-001487

Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 f
  • 800-53A :: AU-3.1
CCI-001889

Record time stamps for audit records that meet organization-defined granularity of time measurement.

  • 800-53 Rev. 4 :: AU-8 b
  • 800-53 Rev. 5 :: AU-8 b
CCI-001890

Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

  • 800-53 Rev. 4 :: AU-8 b
  • 800-53 Rev. 5 :: AU-8 b
CCI-001914

Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.

  • 800-53 Rev. 4 :: AU-12 (3)
  • 800-53 Rev. 5 :: AU-12 (3)
CCI-002130

Automatically audit account enabling actions.

  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
Group Title
SRG-OS-000047-GPOS-00023
Group ID
V-257171
Rule Version
APPL-13-001010
Rule Title
The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
Rule ID
SV-257171r905146_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.

When availability is an overriding concern, other approved actions in response to an audit failure are as follows:

(i) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.

(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Documentable
False
Check Content

Verify the macOS system is configured to shut down upon audit failure with the following command:

/usr/bin/sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt

If there is no result, this is a finding.

Check System
C-60856r905144_chk
Fix Reference
F-60797r905145_fix
Fix Text

Configure the macOS system to shut down upon audit failure by editing the "/etc/security/audit_control" file and updating the policy value to include "ahlt" with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

Identities
CCI-000140

Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

  • 800-53 :: AU-5 b
  • 800-53 Rev. 4 :: AU-5 b
  • 800-53 Rev. 5 :: AU-5 b
  • 800-53A :: AU-5.1 (iv)
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257172
Rule Version
APPL-13-001012
Rule Title
The macOS system must be configured with audit log files owned by root.
Rule ID
SV-257172r905149_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured with audit log files owned by root with the following command:

/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current

If the files are not owned by root, this is a finding.

Check System
C-60857r905147_chk
Fix Reference
F-60798r905148_fix
Fix Text

Configure the macOS system with audit log files owned by root with the following command:

/usr/bin/sudo chown root [audit log file]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257173
Rule Version
APPL-13-001013
Rule Title
The macOS system must be configured with audit log folders owned by root.
Rule ID
SV-257173r905152_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured with audit log folders owned by root with the following command:

/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')

If the folders are not owned by root, this is a finding.

Check System
C-60858r905150_chk
Fix Reference
F-60799r905151_fix
Fix Text

Configure the macOS system with audit log folders owned by root with the following command:

/usr/bin/sudo chown root [audit log folder]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257174
Rule Version
APPL-13-001014
Rule Title
The macOS system must be configured with audit log files group-owned by wheel.
Rule ID
SV-257174r905155_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured with audit log files group-owned by wheel with the following command:

/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current

If the files are not group-owned by wheel, this is a finding.

Check System
C-60859r905153_chk
Fix Reference
F-60800r905154_fix
Fix Text

Configure the macOS system with audit log files group-owned by wheel with the following command:

/usr/bin/sudo chgrp wheel [audit log file]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257175
Rule Version
APPL-13-001015
Rule Title
The macOS system must be configured with audit log folders group-owned by wheel.
Rule ID
SV-257175r905158_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured with audit log folders group-owned by wheel with the following command:

/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')

If the folders are not group-owned by wheel, this is a finding.

Check System
C-60860r905156_chk
Fix Reference
F-60801r905157_fix
Fix Text

Configure the macOS system with audit log folders group-owned by wheel with the following command:

/usr/bin/sudo chgrp wheel [audit log folder]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257176
Rule Version
APPL-13-001016
Rule Title
The macOS system must be configured with audit log files set to mode 440 or less permissive.
Rule ID
SV-257176r905161_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Documentable
False
Check Content

Verify the macOS system is configured with audit log files set to mode 440 or less with the following command:

/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current

If the files are not mode 440 or less, this is a finding.

Check System
C-60861r905159_chk
Fix Reference
F-60802r905160_fix
Fix Text

Configure the macOS system with audit log files set to mode 440 with the following command:

/usr/bin/sudo /bin/chmod 440 [audit log file]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000057-GPOS-00027
Group ID
V-257177
Rule Version
APPL-13-001017
Rule Title
The macOS system must be configured with audit log folders set to mode 700 or less permissive.
Rule ID
SV-257177r905164_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Documentable
False
Check Content

Verify the macOS system is configured with audit log folders set to mode 700 or less with the following command:

/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')

If the folders are not set to mode 700 or less, this is a finding.

Check System
C-60862r905162_chk
Fix Reference
F-60803r905163_fix
Fix Text

Configure the macOS system with audit log folders set to mode 700 with the following command:

/usr/bin/sudo /bin/chmod 700 [audit log folder]

Identities
CCI-000162

Protect audit information from unauthorized access.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
CCI-000163

Protect audit information from unauthorized modification.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
CCI-000164

Protect audit information from unauthorized deletion.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9 a
  • 800-53A :: AU-9.1
Group Title
SRG-OS-000064-GPOS-00033
Group ID
V-257178
Rule Version
APPL-13-001020
Rule Title
The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
Rule ID
SV-257178r905167_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Enforcement actions are logged by way of the "fm" flag, which audits permission changes; "-fr" and "-fw", which denote failed attempts to read or write to a file; and "-fd", which audits failed file deletion.

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000474-GPOS-00219

Documentable
False
Check Content

Verify the macOS system is configured to audit enforcement actions with the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.

Check System
C-60863r905165_chk
Fix Reference
F-60804r905166_fix
Fix Text

Configure the macOS system to audit enforcement actions with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Identities
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
CCI-001814

The Information system supports auditing of the enforcement actions.

  • 800-53 Rev. 4 :: CM-5 (1)
Group Title
SRG-OS-000344-GPOS-00135
Group ID
V-257181
Rule Version
APPL-13-001031
Rule Title
The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
Rule ID
SV-257181r905176_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Documentable
False
Check Content

Verify the macOS system is configured to print error messages to the console with the following command:

/usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn

logger -s -p security.warning "audit warning: $type $argument"

If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

Check System
C-60866r905174_chk
Fix Reference
F-60807r905175_fix
Fix Text

Configure the macOS system to print error messages to the console with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s

Alternatively, use a text editor to update the "/etc/security/audit_warn" file.

Identities
CCI-001858

Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

  • 800-53 Rev. 4 :: AU-5 (2)
  • 800-53 Rev. 5 :: AU-5 (2)
Group Title
SRG-OS-000470-GPOS-00214
Group ID
V-257182
Rule Version
APPL-13-001044
Rule Title
The macOS system must generate audit records for DOD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
Rule ID
SV-257182r905179_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Logon events are logged by way of the "aa" flag.

Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220

Documentable
False
Check Content

Verify the macOS system is configured to audit logon events with the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

If "aa" is not listed in the result of the check, this is a finding.

Check System
C-60867r905177_chk
Fix Reference
F-60808r905178_fix
Fix Text

Configure the macOS system to audit logon events with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Identities
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
Group Title
SRG-OS-000067-GPOS-00035
Group ID
V-257183
Rule Version
APPL-13-001060
Rule Title
The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
Rule ID
SV-257183r905182_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.

DOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.

The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.

Satisfies: SRG-OS-000067-GPOS-00035, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182

Documentable
False
Check Content

Verify the macOS system is configured to check the revocation status of user certificates with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "checkCertificateTrust"

checkCertificateTrust = 1;

If there is no result, or if "checkCertificateTrust" is not set to "1" or greater, this is a finding.

Check System
C-60868r905180_chk
Fix Reference
F-60809r905181_fix
Fix Text

Configure the macOS system to check the revocation status of user certificates by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Identities
CCI-000186

For public key-based authentication, enforce authorized access to the corresponding private key.

  • 800-53 :: IA-5 (2)
  • 800-53 Rev. 4 :: IA-5 (2) (b)
  • 800-53 Rev. 5 :: IA-5 (2) (a) (1)
  • 800-53A :: IA-5 (2).1
CCI-001953

Accepts Personal Identity Verification-compliant credentials.

  • 800-53 Rev. 4 :: IA-2 (12)
  • 800-53 Rev. 5 :: IA-2 (12)
CCI-001954

Electronically verifies Personal Identity Verification-compliant credentials.

  • 800-53 Rev. 4 :: IA-2 (12)
  • 800-53 Rev. 5 :: IA-2 (12)
CCI-001991

The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

  • 800-53 Rev. 4 :: IA-5 (2) (d)
CCI-002470

Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

  • 800-53 Rev. 4 :: SC-23 (5)
  • 800-53 Rev. 5 :: SC-23 (5)
Group Title
SRG-OS-000109-GPOS-00056
Group ID
V-257184
Rule Version
APPL-13-001100
Rule Title
The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
Rule ID
SV-257184r905185_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators must only run commands as root after first authenticating with their individual usernames and passwords.

Documentable
False
Check Content

If SSH is not being used, this is not applicable.

Verify the macOS system is configured to disable root logins over SSH with the following command:

/usr/bin/grep -r ^PermitRootLogin /etc/ssh/sshd_config*

If there is no result, or the result is set to "yes", this is a finding.

If conflicting results are returned, this is a finding.

Check System
C-60869r905183_chk
Fix Reference
F-60810r905184_fix
Fix Text

Configure the macOS system to disable root logins over SSH with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

Identities
CCI-000770

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

  • 800-53 :: IA-2 (5) (b)
  • 800-53 Rev. 4 :: IA-2 (5)
  • 800-53A :: IA-2 (5).2 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257185
Rule Version
APPL-13-002001
Rule Title
The macOS system must be configured to disable SMB File Sharing unless it is required.
Rule ID
SV-257185r905188_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

File sharing is usually nonessential and must be disabled if not required. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.

Documentable
False
Check Content

Verify the macOS system is configured to disable the SMB File Sharing service with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd

"com.apple.smbd" => disabled

If the results are not "com.apple.smbd => disabled" or SMB file sharing has not been documented with the ISSO as an operational requirement, this is a finding.

Check System
C-60870r905186_chk
Fix Reference
F-60811r905187_fix
Fix Text

Configure the macOS system to disable the SMB File Sharing service with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.smbd

The system may need to be restarted for the update to take effect.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257186
Rule Version
APPL-13-002003
Rule Title
The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
Rule ID
SV-257186r905191_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If the system does not require access to NFS file shares or is not acting as an NFS server, support for NFS is nonessential and NFS services must be disabled. NFS is a network file system protocol supported by UNIX-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.

Documentable
False
Check Content

Verify the macOS system is configured to disable the NFS daemon with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd

"com.apple.nfsd" => disabled

If the results are not "com.apple.nfsd => disabled" or the use of NFS has not been documented with the ISSO as an operational requirement, this is a finding.

Check System
C-60871r905189_chk
Fix Reference
F-60812r905190_fix
Fix Text

Configure the macOS system to disable the NFS daemon with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd

The system may need to be restarted for the update to take effect.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257187
Rule Version
APPL-13-002004
Rule Title
The macOS system must be configured to disable Location Services.
Rule ID
SV-257187r905194_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.

Location Services must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable Location Services with the following command:

/usr/bin/sudo /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd | /usr/bin/grep "LocationServicesEnabled"

LocationServicesEnabled = 0;

If "LocationServicesEnabled" is not set to "0" and the AO has not authorized the use of location services, this is a finding.

Check System
C-60872r905192_chk
Fix Reference
F-60813r905193_fix
Fix Text

Configure the macOS system to disable Location Services with the following command:

/usr/bin/sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false

The system may need to be restarted for the update to take effect.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257188
Rule Version
APPL-13-002005
Rule Title
The macOS system must be configured to disable Bonjour multicast advertising.
Rule ID
SV-257188r905197_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.

Bonjour multicast advertising must be disabled on the system.

Documentable
False
Check Content

Verify the macOS system is configured to disable Bonjour multicast advertising with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "NoMulticastAdvertisements"

NoMulticastAdverstisements = 1;

If there is no result, or if "NoMulticastAdvertisements" is not set to "1", this is a finding.

Check System
C-60873r905195_chk
Fix Reference
F-60814r905196_fix
Fix Text

Configure the macOS system to disable Bonjour multicast advertising by installing the "Custom Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257189
Rule Version
APPL-13-002006
Rule Title
The macOS system must be configured to disable the UUCP service.
Rule ID
SV-257189r905200_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The system must not have the UUCP service active.

Documentable
False
Check Content

Verify the macOS system is configured to disable the UUCP service with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp

"com.apple.uucp" => disabled

If the results are not "com.apple.uucp => disabled", this is a finding.

Check System
C-60874r905198_chk
Fix Reference
F-60815r905199_fix
Fix Text

Configure the macOS system to disable the UUCP service with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.uucp

The system may need to be restarted for the update to take effect.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257190
Rule Version
APPL-13-002007
Rule Title
The macOS system must be configured to disable Internet Sharing.
Rule ID
SV-257190r905203_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.

Internet Sharing is nonessential and must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable Internet Sharing with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "forceInternetSharingOff"

forceInternetSharingOff = 1;

If there is no result, or if "forceInternetSharingOff" is not set to "1", this is a finding.

Check System
C-60875r905201_chk
Fix Reference
F-60816r905202_fix
Fix Text

Configure the macOS system to disable Internet Sharing by installing the "Custom Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257191
Rule Version
APPL-13-002008
Rule Title
The macOS system must be configured to disable Web Sharing.
Rule ID
SV-257191r905206_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.

Web Sharing is nonessential and must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable Web Sharing with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep org.apache.httpd

"org.apache.httpd" => disabled

If the results are not "org.apache.httpd => disabled", this is a finding.

Check System
C-60876r905204_chk
Fix Reference
F-60817r905205_fix
Fix Text

Configure the macOS system to disable Web Sharing with the following command:

/usr/bin/sudo /bin/launchctl disable system/org.apache.httpd

The system may need to be restarted for the update to take effect.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257198
Rule Version
APPL-13-002017
Rule Title
The macOS system must cover or disable the built-in or attached camera when not in use.
Rule ID
SV-257198r905227_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, the following configuration is required:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCamera"

allowCamera = 0;

If the result is "allowCamera = 1" and the collaborative computing device has not been authorized for use, this is a finding.

Check System
C-60883r905225_chk
Fix Reference
F-60824r905226_fix
Fix Text

Configure the macOS system to disable the built-in camera by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257199
Rule Version
APPL-13-002020
Rule Title
The macOS system must be configured to disable Siri and dictation.
Rule ID
SV-257199r922885_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Siri and dictation must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

To check if Siri and dictation has been disabled, run the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -e "Ironwood Allowed"

If the output is not:

"Ironwood Allowed = 0",

this is a finding.

Check System
C-60884r922884_chk
Fix Reference
F-60825r905229_fix
Fix Text

Configure the macOS system to disable Siri and dictation by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000096-GPOS-00050
Group ID
V-257200
Rule Version
APPL-13-002021
Rule Title
The macOS system must be configured to disable sending diagnostic and usage data to Apple.
Rule ID
SV-257200r905233_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Sending diagnostic data to Apple must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command:

/usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowDiagnosticSubmission"

allowDiagnosticSubmission = 0;

If there is no result, or if "allowDiagnosticSubmission" is not set to "0", this is a finding.

Alternatively, the settings are found in System Settings >> Privacy & Security >> Privacy >> Analytics & Improvements.

If the box "Share Mac Analytics" is checked, this is a finding.

If the box "Improve Siri & Dictation" is checked, this is a finding.

If the box "Share with app developers" is checked, this is a finding.

Check System
C-60885r905231_chk
Fix Reference
F-60826r905232_fix
Fix Text

Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the "Restrictions Policy" configuration profile.

Alternatively, the settings can be configured in System Settings >> Privacy & Security >> Privacy >> Analytics & Improvements by performing the following:

- Uncheck the box, "Share Mac Analytics".

- Uncheck the box "Improve Siri & Dictation".

- Uncheck the box "Share with app developers".

Identities
CCI-000382

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 b
  • 800-53 Rev. 5 :: CM-7 b
  • 800-53A :: CM-7.1 (iii)
Group Title
SRG-OS-000096-GPOS-00050
Group ID
V-257201
Rule Version
APPL-13-002022
Rule Title
The macOS system must be configured to disable Remote Apple Events.
Rule ID
SV-257201r905236_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Remote Apple Events must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable Remote Apple Events with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer

"com.apple.AEServer" => disabled

If the results are not "com.apple.AEServer => disabled", this is a finding.

Check System
C-60886r905234_chk
Fix Reference
F-60827r905235_fix
Fix Text

Configure the macOS system to disable Remote Apple Events with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer

The system may need to be restarted for the update to take effect.

Identities
CCI-000382

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 b
  • 800-53 Rev. 5 :: CM-7 b
  • 800-53A :: CM-7.1 (iii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257203
Rule Version
APPL-13-002032
Rule Title
The macOS system must be configured to disable the system preference pane for Internet Accounts.
Rule ID
SV-257203r905242_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Internet Accounts System Preference Pane must be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable access to the Internet Accounts preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.internetaccounts", this is a finding.

Check System
C-60888r905240_chk
Fix Reference
F-60829r905241_fix
Fix Text

Configure the macOS system to disable access to the Internet Accounts preference pane by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257204
Rule Version
APPL-13-002035
Rule Title
The macOS system must be configured to disable the Cloud Setup services.
Rule ID
SV-257204r905245_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable the Cloud Setup services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipCloudSetup"

SkipCloudSetup = 1;

If there is no result, or if "SkipCloudSetup" is not set to "1", this is a finding.

Check System
C-60889r905243_chk
Fix Reference
F-60830r905244_fix
Fix Text

Configure the macOS system to disable the Cloud Setup services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257205
Rule Version
APPL-13-002036
Rule Title
The macOS system must be configured to disable the Privacy Setup services.
Rule ID
SV-257205r905248_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable the Privacy Setup services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipPrivacySetup"

SkipPrivacySetup = 1;

If there is no result, or if "SkipPrivacySetup" is not set to "1", this is a finding.

Check System
C-60890r905246_chk
Fix Reference
F-60831r905247_fix
Fix Text

Configure the macOS system to disable the Privacy Setup services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257206
Rule Version
APPL-13-002037
Rule Title
The macOS system must be configured to disable the Cloud Storage Setup services.
Rule ID
SV-257206r905251_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable the Cloud Storage Setup services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipiCloudStorageSetup"

SkipiCloudStorageSetup = 1;

If there is no result, or if "SkipiCloudStorageSetup" is not set to "1", this is a finding.

Check System
C-60891r905249_chk
Fix Reference
F-60832r905250_fix
Fix Text

Configure the macOS system to disable the Cloud Storage Setup services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257208
Rule Version
APPL-13-002039
Rule Title
The macOS system must be configured to disable the Siri Setup services.
Rule ID
SV-257208r905257_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Siri setup pop-up must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable the Siri Setup services with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipSiriSetup"

SkipSiriSetup = 1;

If there is no result, or if "SkipSiriSetup" is not set to "1", this is a finding.

Check System
C-60893r905255_chk
Fix Reference
F-60834r905256_fix
Fix Text

Configure the macOS system to disable the Siri Setup services by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257209
Rule Version
APPL-13-002040
Rule Title
The macOS system must disable iCloud Keychain synchronization.
Rule ID
SV-257209r905260_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

Keychain synchronization must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Keychain synchronization with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudKeychainSync"

allowCloudKeychainSync = 0;

If there is no result, or if "allowCloudKeychainSync" is not set to "0", this is a finding.

Check System
C-60894r905258_chk
Fix Reference
F-60835r905259_fix
Fix Text

Configure the macOS system to disable iCloud Keychain synchronization by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257210
Rule Version
APPL-13-002041
Rule Title
The macOS system must disable iCloud Document synchronization.
Rule ID
SV-257210r905263_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

iCloud Document synchronization must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Document synchronization with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudDocumentSync"

allowCloudDocumentSync = 0;

If there is no result, or if "allowCloudDocumentSync" is not set to "0", this is a finding.

Check System
C-60895r905261_chk
Fix Reference
F-60836r905262_fix
Fix Text

Configure the macOS system to disable iCloud Document synchronization by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257211
Rule Version
APPL-13-002042
Rule Title
The macOS system must disable iCloud Bookmark synchronization.
Rule ID
SV-257211r905266_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

iCloud Bookmark syncing must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable iCloud Bookmark synchronization with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudBookmarks"

allowCloudBookmarks = 0;

If there is no result, or if "allowCloudBookmarks" is not set to "0", this is a finding.

Check System
C-60896r905264_chk
Fix Reference
F-60837r905265_fix
Fix Text

Configure the macOS system to disable iCloud Bookmark synchronization by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257212
Rule Version
APPL-13-002043
Rule Title
The macOS system must disable the iCloud Photo Library.
Rule ID
SV-257212r905269_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The iCloud Photo Library must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable the iCloud Photo Library with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudPhotoLibrary"

allowCloudPhotoLibrary = 0;

If there is no result, or if "allowCloudPhotoLibrary" is not set to "0", this is a finding.

Check System
C-60897r905267_chk
Fix Reference
F-60838r905268_fix
Fix Text

Configure the macOS system to disable the iCloud Photo Library by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257213
Rule Version
APPL-13-002050
Rule Title
The macOS system must disable the Screen Sharing feature.
Rule ID
SV-257213r905272_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The Screen Sharing feature allows remote users to view or control the desktop of the current user. A malicious user can take advantage of screen sharing to gain full access to the system remotely, either with stolen credentials or by guessing the username and password. Disabling Screen Sharing mitigates this risk.

Documentable
False
Check Content

Verify the macOS system is configured to disable the Screen Sharing feature with the following command:

/usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing

"com.apple.screensharing => disabled"

If "com.apple.screensharing" is not set to "disabled", this is a finding.

Check System
C-60898r905270_chk
Fix Reference
F-60839r905271_fix
Fix Text

Configure the macOS system to disable the Screen Sharing service with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing

The system may need to be restarted for the update to take effect.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257214
Rule Version
APPL-13-002051
Rule Title
The macOS system must be configured to disable the system preference pane for TouchID and Password.
Rule ID
SV-257214r905275_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The TouchID & Password preference pane must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable access to the TouchID & Password preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.password", this is a finding.

Check System
C-60899r905273_chk
Fix Reference
F-60840r905274_fix
Fix Text

Configure the macOS system to disable access to the TouchID & Password preference pane by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257215
Rule Version
APPL-13-002052
Rule Title
The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.
Rule ID
SV-257215r905278_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Wallet & ApplePay preference pane must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable access to the Wallet & ApplePay preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the return is not two arrays "HiddenPreferencePanes" and "DisabledPreferencePanes", each containing "com.apple.preferences.wallet", this is a finding.

Check System
C-60900r905276_chk
Fix Reference
F-60841r905277_fix
Fix Text

Configure the macOS system to disable access to the Wallet & ApplePay preference pane by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257216
Rule Version
APPL-13-002053
Rule Title
The macOS system must be configured to disable the system preference pane for Siri.
Rule ID
SV-257216r905281_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.

The Siri preference pane must be disabled.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Documentable
False
Check Content

Verify the macOS system is configured to disable access to the Siri preference pane with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"

If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preference.speech", this is a finding.

Check System
C-60901r905279_chk
Fix Reference
F-60842r905280_fix
Fix Text

Configure the macOS system to disable access to the Siri preference pane by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

  • 800-53 Rev. 4 :: CM-7 (5) (b)
  • 800-53 Rev. 5 :: CM-7 (5) (b)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257217
Rule Version
APPL-13-002060
Rule Title
The macOS system must only allow applications with a valid digital signature to run.
Rule ID
SV-257217r905284_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Gatekeeper settings must be configured correctly to only allow the system to run applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.

Documentable
False
Check Content

Verify the macOS system is configured to only allow applications with a valid digital signature with the following commands:

/usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -B 3 -A 4 -e "Obtained from: Unknown" | /usr/bin/grep -v -e "Location: /Library/Application Support/Script Editor/Templates" -e "Location: /System/Library/" | /usr/bin/awk -F "Location: " '{print $2}' | /usr/bin/sort -u

If any results are returned and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Verify only applications with a valid digital signature are allowed to run:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E "(EnableAssessment | AllowIdentifiedDevelopers)"

If the result is not as follows, this is a finding.

"AllowIdentifiedDevelopers = 1;

EnableAssessment = 1;"

Check System
C-60902r905282_chk
Fix Reference
F-60843r905283_fix
Fix Text

Configure the macOS system to only allow applications with a valid digital signature by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00229
Group ID
V-257221
Rule Version
APPL-13-002066
Rule Title
The macOS system must not allow an unattended or automatic logon to the system.
Rule ID
SV-257221r905296_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Failure to restrict system access to authenticated users negatively impacts operating system security.

Documentable
False
Check Content

Verify the macOS system is configured to not allow automatic logon with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableAutoLoginClient"

"com.apple.login.mcx.DisableAutoLoginClient" = 1;

If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.

Check System
C-60906r905294_chk
Fix Reference
F-60847r905295_fix
Fix Text

Configure the macOS system to not allow automatic login by installing the "Login Window Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00228
Group ID
V-257222
Rule Version
APPL-13-002068
Rule Title
The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
Rule ID
SV-257222r905299_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.

Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230

Documentable
False
Check Content

Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:

/bin/ls -le /Users

This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which must be:

0: group:everyone deny delete

For every authorized user account, also run the following command:

/usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.

This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:

drwx------+

0: group:everyone deny delete

The exception is the "Public" directory, whose permissions must match the following:

drwxr-xr-x+

0: group:everyone deny delete

If the permissions returned by either of these checks differ from what is shown, this is a finding.

Check System
C-60907r905297_chk
Fix Reference
F-60848r905298_fix
Fix Text

Configure the macOS system to set the appropriate permissions for each user on the system with the following command:

/usr/sbin/diskutil resetUserPermissions / DeviceNode UID, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000071-GPOS-00039
Group ID
V-257226
Rule Version
APPL-13-003007
Rule Title
The macOS system must enforce password complexity by requiring that at least one numeric character be used.
Rule ID
SV-257226r905311_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Documentable
False
Check Content

Verify the macOS system is configured to require at least one numeric character in password complexity with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "requireAlphanumeric"

requireAlphanumeric = 1;

If the result is not "requireAlphanumeric = 1", this is a finding.

Check System
C-60911r905309_chk
Fix Reference
F-60852r905310_fix
Fix Text

Configure the macOS system to require at least one numeric character in password complexity by installing the "Passcode Policy" configuration profile.

Identities
CCI-000194

The information system enforces password complexity by the minimum number of numeric characters used.

  • 800-53 :: IA-5 (1) (a)
  • 800-53 Rev. 4 :: IA-5 (1) (a)
  • 800-53A :: IA-5 (1).1 (v)
Group Title
SRG-OS-000076-GPOS-00044
Group ID
V-257227
Rule Version
APPL-13-003008
Rule Title
The macOS system must enforce a 60-day maximum password lifetime restriction.
Rule ID
SV-257227r905314_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically.

One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Documentable
False
Check Content

Verify the macOS system is configured to enforce a 60-day maximum password lifetime with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxPINAgeInDays"

maxPINAgeInDays = 60;

If "maxPINAgeInDays" is set a value greater than "60", this is a finding.

Check System
C-60912r905312_chk
Fix Reference
F-60853r905313_fix
Fix Text

Configure the macOS system to require the enforcement of a 60-day maximum password lifetime by installing the "Passcode Policy" configuration profile.

Identities
CCI-000199

The information system enforces maximum password lifetime restrictions.

  • 800-53 :: IA-5 (1) (d)
  • 800-53 Rev. 4 :: IA-5 (1) (d)
  • 800-53A :: IA-5 (1).1 (v)
Group Title
SRG-OS-000077-GPOS-00045
Group ID
V-257228
Rule Version
APPL-13-003009
Rule Title
The macOS system must prohibit password reuse for a minimum of five generations.
Rule ID
SV-257228r905317_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed as per policy requirements.

Documentable
False
Check Content

Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "pinHistory"

pinHistory = 5;

If "pinHistory" is not set to "5" or greater, this is a finding.

Check System
C-60913r905315_chk
Fix Reference
F-60854r905316_fix
Fix Text

Configure the macOS system to prohibit password reuse for five generations by installing the "Passcode Policy" configuration profile.

Identities
CCI-000200

The information system prohibits password reuse for the organization-defined number of generations.

  • 800-53 :: IA-5 (1) (e)
  • 800-53 Rev. 4 :: IA-5 (1) (e)
  • 800-53A :: IA-5 (1).1 (v)
Group Title
SRG-OS-000078-GPOS-00046
Group ID
V-257229
Rule Version
APPL-13-003010
Rule Title
The macOS system must enforce a minimum 15-character password length.
Rule ID
SV-257229r905320_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Documentable
False
Check Content

Verify the macOS system is configured to enforce a minimum 15-character password length with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minLength"

minLength = 15;

If "minLength" is not set to "15", this is a finding.

Check System
C-60914r905318_chk
Fix Reference
F-60855r905319_fix
Fix Text

Configure the macOS system to enforce a 15-character password length by installing the "Passcode Policy" configuration profile.

Identities
CCI-000205

The information system enforces minimum password length.

  • 800-53 :: IA-5 (1) (a)
  • 800-53 Rev. 4 :: IA-5 (1) (a)
  • 800-53A :: IA-5 (1).1 (i)
Group Title
SRG-OS-000266-GPOS-00101
Group ID
V-257230
Rule Version
APPL-13-003011
Rule Title
The macOS system must enforce password complexity by requiring that at least one special character be used.
Rule ID
SV-257230r905323_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Documentable
False
Check Content

Verify the macOS system is configured to enforce at least one special character of password complexity with the following commands:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minComplexChars"

minComplexChar = 1;

If "minComplexChars" is not set to "1", this is a finding.

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowSimple"

allowSimple = 0;

If "allowSimple" is not set to "0", this is a finding.

Check System
C-60915r905321_chk
Fix Reference
F-60856r905322_fix
Fix Text

Configure the macOS system to enforce at least one special character of password complexity by installing the "Passcode Policy" configuration profile.

Identities
CCI-001619

The information system enforces password complexity by the minimum number of special characters used.

  • 800-53 :: IA-5 (1) (a)
  • 800-53 Rev. 4 :: IA-5 (1) (a)
  • 800-53A :: IA-5 (1).1 (v)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257231
Rule Version
APPL-13-003012
Rule Title
The macOS system must be configured to prevent displaying password hints.
Rule ID
SV-257231r905326_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Password hints leak information about passwords in use and can lead to loss of confidentiality.

Documentable
False
Check Content

Verify the macOS system is configured to prevent displaying passwords hints with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "RetriesUntilHint"

RetriesUntilHint = 0;

If "RetriesUntilHint" is not set to "0", this is a finding.

Check System
C-60916r905324_chk
Fix Reference
F-60857r905325_fix
Fix Text

Configure the macOS system to prevent displaying password hints by installing the "Login Window Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257232
Rule Version
APPL-13-003013
Rule Title
The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
Rule ID
SV-257232r905329_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.

Documentable
False
Check Content

For Apple Silicon-based systems, this is not applicable.

Verify the macOS system is configured with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -check

Password Enabled:Yes

If "Password Enabled" is not set to "Yes", this is a finding.

Check System
C-60917r905327_chk
Fix Reference
F-60858r905328_fix
Fix Text

Configure the macOS system with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257234
Rule Version
APPL-13-003050
Rule Title
The macOS system must be configured so that the login command requires smart card authentication.
Rule ID
SV-257234r905335_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

Documentable
False
Check Content

For systems that are not using smart card authentication, this requirements is not applicable.

Verify the macOS system is configured to require smart card authentication for the login command with the following command:

/bin/cat /etc/pam.d/login

If the text that returns does not include the line "auth sufficient pam_smartcard.so" at the TOP of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.

Check System
C-60919r905333_chk
Fix Reference
F-60860r905334_fix
Fix Text

Configure the macOS system to require smart card authentication for the login command with the following procedure:

/usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/login" with the following:

# login: auth account password session

auth sufficient pam_smartcard.so

auth optional pam_krb5.so use_kcminit

auth optional pam_ntlm.so try_first_pass

auth optional pam_mount.so try_first_pass

auth required pam_opendirectory.so try_first_pass

auth required pam_deny.so

account required pam_nologin.so

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_launchd.so

session required pam_uwtmp.so

session optional pam_mount.so

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257235
Rule Version
APPL-13-003051
Rule Title
The macOS system must be configured so that the su command requires smart card authentication.
Rule ID
SV-257235r905338_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

Documentable
False
Check Content

For systems that are not using smart card authentication, this requirement is not applicable.

Verify the macOS system is configured to require smart card authentication for the "su" command with the following command:

/bin/cat /etc/pam.d/su

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing and the next line is not "auth required pam_rootok.so", this is a finding.

Check System
C-60920r905336_chk
Fix Reference
F-60861r905337_fix
Fix Text

Configure the macOS system to require smart card authentication for the su command with the following procedure:

/usr/bin/sudo /bin/cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/su" with the following:

# su: auth account session

auth sufficient pam_smartcard.so

auth required pam_rootok.so

account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe

account required pam_opendirectory.so no_check_shell

password required pam_opendirectory.so

session required pam_launchd.so

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257236
Rule Version
APPL-13-003052
Rule Title
The macOS system must be configured so that the sudo command requires smart card authentication.
Rule ID
SV-257236r905341_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

Documentable
False
Check Content

For systems that are not using smart card authentication, this requirement is not applicable.

Verify the macOS system is configured to require smart card authentication for the "sudo" command with the following command:

/bin/cat /etc/pam.d/sudo

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the top of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.

Check System
C-60921r905339_chk
Fix Reference
F-60862r905340_fix
Fix Text

Configure the macOS system to require smart card authentication for the sudo command with the following procedure:

/usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/sudo" with the following:

# sudo: auth account password session

auth sufficient pam_smartcard.so

auth required pam_opendirectory.so

auth required pam_deny.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000206-GPOS-00084
Group ID
V-257237
Rule Version
APPL-13-004001
Rule Title
The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
Rule ID
SV-257237r905344_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk.

Some system log files are controlled by "newsyslog" and "aslmanager".

Documentable
False
Check Content

Verify the macOS system is configured with system log files owned by root or a service account and group-owned by wheel or admin with the commands below.

These commands must be run from inside "/var/log".

/usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null

/usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null

If there are any system log files that are not owned by "root" or a service account and group-owned by "wheel" or "admin", this is a finding.

Check System
C-60922r905342_chk
Fix Reference
F-60863r905343_fix
Fix Text

Configure the macOS system with system log files owned by root or a service account and group-owned by wheel or admin with the following command:

/usr/bin/sudo chown root:wheel [log file]

Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure the owner:group column is set to "root:wheel" or the appropriate service account and group.

If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are set to a service account and group, respectively.

Identities
CCI-001314

Reveal error messages only to organization-defined personnel or roles.

  • 800-53 :: SI-11 c
  • 800-53 Rev. 4 :: SI-11 b
  • 800-53 Rev. 5 :: SI-11 b
  • 800-53A :: SI-11.1 (iv)
Group Title
SRG-OS-000206-GPOS-00084
Group ID
V-257238
Rule Version
APPL-13-004002
Rule Title
The macOS system must be configured with system log files set to mode 640 or less permissive.
Rule ID
SV-257238r905347_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.

Documentable
False
Check Content

Verify the macOS system is configured with system log files set to mode 640 or less with the commands below.

These commands must be run from inside "/var/log".

/usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null

/usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null

If the permissions on log files are not "640" or less permissive, this is a finding.

Check System
C-60923r905345_chk
Fix Reference
F-60864r905346_fix
Fix Text

Configure the macOS system with system log files set to mode 640 with the following command:

/usr/bin/sudo chmod 640 [log file]

Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640". Or, if the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640".

Identities
CCI-001314

Reveal error messages only to organization-defined personnel or roles.

  • 800-53 :: SI-11 c
  • 800-53 Rev. 4 :: SI-11 b
  • 800-53 Rev. 5 :: SI-11 b
  • 800-53A :: SI-11.1 (iv)
Group Title
SRG-OS-000373-GPOS-00156
Group ID
V-257239
Rule Version
APPL-13-004022
Rule Title
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
Rule ID
SV-257239r922880_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Documentable
False
Check Content

Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command:

/usr/bin/sudo /usr/bin/grep -r "timestamp_timeout" /etc/sudoers*

/etc/sudoers.d/<customfile>:Defaults timestamp_timeout=0

If conflicting results are returned, this is a finding.

If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.

Check System
C-60924r922878_chk
Fix Reference
F-60865r922879_fix
Fix Text

Configure the macOS system to require reauthentication when using the "sudo" command by creating a plain text file in the /private/etc/sudoers.d/ directory containing the following:

Defaults timestamp_timeout=0

Identities
CCI-002038

The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

  • 800-53 Rev. 4 :: IA-11
Group Title
SRG-OS-000480-GPOS-00232
Group ID
V-257242
Rule Version
APPL-13-005050
Rule Title
The macOS Application Firewall must be enabled.
Rule ID
SV-257242r905359_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.

Documentable
False
Check Content

Verify the macOS system is configured to enable the built-in firewall with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "EnableFirewall\|EnableStealthMode"

EnableFirewall = 1;

EnableStealthMode = 1;

If "EnableFirewall" and "EnableStealthMode" are not set to "1", this is a finding.

Check System
C-60927r905357_chk
Fix Reference
F-60868r905358_fix
Fix Text

Configure the macOS system to enable the built-in firewall by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00227
Group ID
V-257243
Rule Version
APPL-13-005051
Rule Title
The macOS system must restrict the ability of individuals to use USB storage devices.
Rule ID
SV-257243r905362_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Documentable
False
Check Content

Verify the macOS system is configured to disable USB storage devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls"

bd = (

"read-only"

);

blankbd = (

deny,

eject

);

blankcd = (

deny,

eject

);

blankdvd = (

deny,

eject

);

cd = (

"read-only"

);

"disk-image" = (

"read-only"

);

dvd = (

"read-only"

);

dvdram = (

deny,

eject

);

"harddisk-external" = (

deny,

eject

);

If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check System
C-60928r905360_chk
Fix Reference
F-60869r905361_fix
Fix Text

Configure the macOS system to disable USB storage devices by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000480-GPOS-00229
Group ID
V-257244
Rule Version
APPL-13-005052
Rule Title
The macOS system logon window must be configured to prompt for username and password.
Rule ID
SV-257244r905365_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The logon window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users at the logon screen. This gives an advantage to an attacker with physical access to the system, as the attacker would only have to guess the password for one of the listed accounts.

Documentable
False
Check Content

Verify the macOS system is configured to prompt for username and password at the logon window with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SHOWFULLNAME"

SHOWFULLNAME = 1;

If "SHOWFULLNAME" is not set to "1", this is a finding.

Check System
C-60929r905363_chk
Fix Reference
F-60870r905364_fix
Fix Text

Configure the macOS system to prompt for username and password at the logon window by installing the "Login Window Policy" configuration profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257246
Rule Version
APPL-13-005054
Rule Title
The macOS system must be configured to disable prompts to configure Touch ID.
Rule ID
SV-257246r905371_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable prompts to setup TouchID with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipTouchIDSetup"

SkipTouchIDSetup = 1;

If "SkipTouchIDSetup" is not set to "1", this is a finding.

Check System
C-60931r905369_chk
Fix Reference
F-60872r905370_fix
Fix Text

Configure the macOS system to disable prompts to setup TouchID by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257248
Rule Version
APPL-13-005056
Rule Title
The macOS system must be configured to disable prompts to configure Unlock with Watch.
Rule ID
SV-257248r905377_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to disable prompts to setup Unlock with Watch with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipUnlockWithWatch"

SkipUnlockWithWatch = 1;

If "SkipUnlockWithWatch" is not set to "1", this is a finding.

Check System
C-60933r905375_chk
Fix Reference
F-60874r905376_fix
Fix Text

Configure the macOS system to disable prompts to setup Unlock with Watch by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257250
Rule Version
APPL-13-005060
Rule Title
The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.
Rule ID
SV-257250r905383_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to prevent password proximity sharing with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowPasswordProximityRequests"

allowPasswordProximityRequests = 0;

If "allowPasswordProximityRequests" is not set to "0", this is a finding.

Check System
C-60935r905381_chk
Fix Reference
F-60876r905382_fix
Fix Text

Configure the macOS system to prevent Configure the macOS system to prevent password proximity sharing by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000095-GPOS-00049
Group ID
V-257251
Rule Version
APPL-13-005061
Rule Title
The macOS system must be configured to prevent users from erasing all system content and settings.
Rule ID
SV-257251r905386_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

Documentable
False
Check Content

Verify the macOS system is configured to prevent users from erasing all system content and settings with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowEraseContentAndSettings"

allowEraseContentAndSettings = 0;

If "allowEraseContentAndSettings" is not set to "0", this is a finding.

Check System
C-60936r905384_chk
Fix Reference
F-60877r905385_fix
Fix Text

Configure the macOS system to prevent users from erasing all system content and settings by installing the "Restrictions Policy" configuration profile.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
SRG-OS-000324-GPOS-00125
Group ID
V-257776
Rule Version
APPL-13-002069
Rule Title
The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Rule ID
SV-257776r922883_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Documentable
False
Check Content

Verify the macOS system is configured to require authentication to access all system-level preference panes with the following commands:

/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | /usr/bin/grep -A1 shared

<key>shared</key>

<false/>

If the "shared" key is not set to "false", this is a finding.

Check System
C-61517r922881_chk
Fix Reference
F-61441r922882_fix
Fix Text

Configure the macOS system to require authentication to access all system-level preference panes with the following actions:

Copy the authorization database to a file:

/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > ~/Desktop/authdb.txt

Edit the "shared" section of the file:

<key>shared</key>

<false/>

Reload the authorization database:

/usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < ~/Desktop/authdb.txt

Identities
CCI-002235

Prevent non-privileged users from executing privileged functions.

  • 800-53 Rev. 4 :: AC-6 (10)
  • 800-53 Rev. 5 :: AC-6 (10)
UNCLASSIFIED