ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-257142
- Rule Version
- APPL-13-000001
- Rule Title
- The macOS system must be configured to prevent Apple Watch from terminating a session lock.
- Rule ID
- SV-257142r905059_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock"
allowAutoUnlock = 0;
If there is no result or "allowAutoUnlock" is not set to "0", this is a finding.
- Check System
- C-60827r905057_chk
- Fix Reference
- F-60768r905058_fix
- Fix Text
-
Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-257143
- Rule Version
- APPL-13-000002
- Rule Title
- The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
- Rule ID
- SV-257143r905062_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -w "askForPassword"
askForPassword = 1;
If there is no result, or if "askForPassword" is not set to "1", this is a finding.
- Check System
- C-60828r905060_chk
- Fix Reference
- F-60769r905061_fix
- Fix Text
-
Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-257144
- Rule Version
- APPL-13-000003
- Rule Title
- The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
- Rule ID
- SV-257144r905065_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "askForPasswordDelay"
askForPasswordDelay = 5;
If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding.
- Check System
- C-60829r905063_chk
- Fix Reference
- F-60770r905064_fix
- Fix Text
-
Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000029-GPOS-00010
- Group ID
- V-257145
- Rule Version
- APPL-13-000004
- Rule Title
- The macOS system must initiate a session lock after a 15-minute period of inactivity.
- Rule ID
- SV-257145r905068_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A screen saver must be enabled and set to require a password to unlock. The timeout must be set to 15 minutes of inactivity. This mitigates the risk that a user might forget to manually lock the screen before stepping away from the computer.
A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to initiate the screen saver after 15 minutes of inactivity with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "loginWindowIdleTime"
loginWindowIdleTime = 900;
If there is no result, or if "idleTime" is not set to "900" seconds or less, this is a finding.
- Check System
- C-60830r905066_chk
- Fix Reference
- F-60771r905067_fix
- Fix Text
-
Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000057
The information system initiates a session lock after the organization-defined time period of inactivity.
- 800-53 :: AC-11 a
- 800-53 Rev. 4 :: AC-11 a
- 800-53 Rev. 5 :: AC-11 a
- 800-53A :: AC-11.1 (ii)
- Group Title
- SRG-OS-000030-GPOS-00011
- Group ID
- V-257146
- Rule Version
- APPL-13-000005
- Rule Title
- The macOS system must be configured to lock the user session when a smart token is removed.
- Rule ID
- SV-257146r905071_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems must provide users with the ability to manually invoke a session lock so users may secure their session should they need to temporarily vacate the immediate physical vicinity.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction"
tokenRemovalAction = 1;
If there is no result, or if "tokenRemovalAction" is not set to "1", this is a finding.
- Check System
- C-60831r905069_chk
- Fix Reference
- F-60772r905070_fix
- Fix Text
-
Configure the macOS system to lock the user session when a smart token is removed by installing the "Smart Card Policy" configuration profile.
Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".
- Identities
-
CCI-000058
The information system provides the capability for users to directly initiate session lock mechanisms.
- 800-53 :: AC-11 a
- 800-53 Rev. 4 :: AC-11 a
- 800-53A :: AC-11
- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-257147
- Rule Version
- APPL-13-000006
- Rule Title
- The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
- Rule ID
- SV-257147r905074_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A default screen saver must be configured for all users, as the screen saver will act as a session timeout lock for the system and must conceal the contents of the screen from unauthorized users. The screen saver must not display any sensitive information or reveal the contents of the locked session screen. Publicly viewable images can include static or dynamic images such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with a screen saver with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "moduleName"
moduleName = Ventura;
If there is no result or the "moduleName" is undefined, this is a finding.
- Check System
- C-60832r905072_chk
- Fix Reference
- F-60773r905073_fix
- Fix Text
-
Configure the macOS system with a screen saver by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1
- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-257148
- Rule Version
- APPL-13-000007
- Rule Title
- The macOS system must be configured to disable hot corners.
- Rule ID
- SV-257148r905077_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Although hot corners can be used to initiate a session lock or launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable hot corners with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous"
"wvous-bl-corner" = 0;
"wvous-br-corner" = 0;
"wvous-tl-corner" = 0;
"wvous-tr-corner" = 0;
If the command does not return the following, this is a finding.
"wvous-bl-corner = 0;
wvous-br-corner = 0;
wvous-tl-corner = 0;
wvous-tr-corner = 0;"
- Check System
- C-60833r905075_chk
- Fix Reference
- F-60774r905076_fix
- Fix Text
-
Configure the macOS system to disable hot corners by installing the "Custom Policy" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1
- Group Title
- SRG-OS-000002-GPOS-00002
- Group ID
- V-257150
- Rule Version
- APPL-13-000012
- Rule Title
- The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.
- Rule ID
- SV-257150r905083_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DOD-defined time period of 72 hours.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with a policy via directory service to disable temporary or emergency accounts after 72 hours by asking the System Administrator (SA) or Information System Security Officer (ISSO).
If a policy is not set by a directory service, a password policy must be set with the "pwpolicy" utility. The variable names may differ depending on how the policy was set.
If temporary or emergency accounts are not defined on the macOS system, this is not applicable.
Verify the macOS system is configured with a policy to disable temporary or emergency accounts after 72 hours with the following command:
/usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2
If there is no output and password policy is not controlled by a directory service, this is a finding.
Otherwise, look for the line "<key>policyCategoryAuthentication</key>".
In the array that follows, a <dict> section contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section.
If the check does not exist or if the check adds more than 72 hours to "policyAttributeCreationTime", this is a finding.
- Check System
- C-60835r905081_chk
- Fix Reference
- F-60776r905082_fix
- Fix Text
-
Configure the macOS system to disable temporary or emergency accounts after 72 hours. This setting may be enforced using local policy or by a directory service.
To set local policy to disable a temporary or emergency user, create a plain text file containing the following:
<dict>
<key>policyCategoryAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime < policyAttributeCreationTime+259299</string>
<key>policyIdentifier</key>
<string>Disable Tmp Accounts </string>
</dict>
</array>
</dict>
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".
/usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
- Identities
-
CCI-000016
Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.
- 800-53 :: AC-2 (2)
- 800-53 Rev. 4 :: AC-2 (2)
- 800-53 Rev. 5 :: AC-2 (2)
- 800-53A :: AC-2 (2).1 (ii)
CCI-001682Automatically removes or disables emergency accounts after an organization-defined time period for each type of account.
- 800-53 :: AC-2 (2)
- 800-53 Rev. 4 :: AC-2 (2)
- 800-53 Rev. 5 :: AC-2 (2)
- 800-53A :: AC-2 (2).1 (ii)
- Group Title
- SRG-OS-000355-GPOS-00143
- Group ID
- V-257151
- Rule Version
- APPL-13-000014
- Rule Title
- The macOS system must compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
- Rule ID
- SV-257151r922872_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with the timed service enabled and an authorized time server with the following commands:
/usr/bin/sudo /usr/sbin/systemsetup -getusingnetworktime
Network Time: On
If "Network Time" is not set to "On", this is a finding.
/usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver
If no time server is configured, or if an unapproved time server is in use, this is a finding.
- Check System
- C-60836r922871_chk
- Fix Reference
- F-60777r905085_fix
- Fix Text
-
Configure the macOS system to enable the timed service and set an authorized time server with the following commands:
/usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on
/usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver "server"
- Identities
-
CCI-001891
The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
- 800-53 Rev. 4 :: AU-8 (1) (a)
CCI-002046The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
- 800-53 Rev. 4 :: AU-8 (1) (b)
- Group Title
- SRG-OS-000191-GPOS-00080
- Group ID
- V-257152
- Rule Version
- APPL-13-000015
- Rule Title
- The macOS system must use an Endpoint Security Solution (ESS) and implement all DOD required modules.
- Rule ID
- SV-257152r939261_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system must employ automated mechanisms to determine the state of system components. The DOD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNet.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with an approved ESS solution.
If an approved ESS solution is not installed, this is a finding.
Verify that all installed components of the ESS solution are at the DOD-approved minimal version.
If the installed components are not at the DOD-approved minimal versions, this is a finding.
- Check System
- C-60837r905087_chk
- Fix Reference
- F-60778r905088_fix
- Fix Text
-
Configure the macOS system with an approved ESS solution and ensure that all components are at least updated to their DOD-approved minimal versions.
- Identities
-
CCI-001233
The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.
- 800-53 :: SI-2 (2)
- 800-53 Rev. 4 :: SI-2 (2)
- 800-53A :: SI-2 (2).1 (ii)
- Group Title
- SRG-OS-000329-GPOS-00128
- Group ID
- V-257154
- Rule Version
- APPL-13-000022
- Rule Title
- The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
- Rule ID
- SV-257154r905095_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxFailedAttempts\|minutesUntilFailedLoginReset"
maxFailedAttempts = 3;
minutesUntilFailedLoginReset = 15;
If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding.
- Check System
- C-60839r905093_chk
- Fix Reference
- F-60780r905094_fix
- Fix Text
-
Configure the macOS system to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked by installing the "Passcode Policy" configuration profile or by a directory service.
- Identities
-
CCI-002238
Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
- 800-53 Rev. 4 :: AC-7 b
- 800-53 Rev. 5 :: AC-7 b
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-257155
- Rule Version
- APPL-13-000023
- Rule Title
- The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.
- Rule ID
- SV-257155r905098_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
The banner must be formatted in accordance with DTM-08-060.
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.
Check to see if the operating system has the correct text listed in the "/etc/banner" file with the following command:
/usr/bin/more /etc/banner
The command must return the following text:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the operating system does not display a logon banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
- Check System
- C-60840r905096_chk
- Fix Reference
- F-60781r905097_fix
- Fix Text
-
Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text.
Name the file "banner" and place it in "/etc/".
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-257156
- Rule Version
- APPL-13-000024
- Rule Title
- The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH.
- Rule ID
- SV-257156r905101_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
The banner must be formatted in accordance with DTM-08-060.
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command:
/usr/bin/grep -r Banner /etc/ssh/sshd_config*
Banner /etc/banner
If the sshd Banner configuration option does not point to "/etc/banner", this is a finding.
If conflicting results are returned, this is a finding.
- Check System
- C-60841r905099_chk
- Fix Reference
- F-60782r905100_fix
- Fix Text
-
Configure the macOS system to display the contents of "/etc/banner" before granting access to the system with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/^#Banner.*/Banner \/etc\/banner/' /etc/ssh/sshd_config
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
CCI-000050Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
- 800-53 :: AC-8 b
- 800-53 Rev. 4 :: AC-8 b
- 800-53 Rev. 5 :: AC-8 b
- 800-53A :: AC-8.1 (iii)
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-257157
- Rule Version
- APPL-13-000025
- Rule Title
- The macOS system must be configured so that any connection to the system must display the Standard Mandatory DOD Notice and Consent Banner before granting GUI access to the system.
- Rule ID
- SV-257157r905104_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
The banner must be formatted in accordance with DTM-08-060.
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to display a policy banner with the following command:
/bin/ls -l /Library/Security/PolicyBanner.rtfd
-rw-r--r--@ 1 admin sheel 37 Jan 27 11:18 /Library/Security/PolicyBanner.rtfd
If "PolicyBanner.rtfd" does not exist, this is a finding.
If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding.
The banner text of the document must read:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the text is not worded exactly this way, this is a finding.
- Check System
- C-60842r905102_chk
- Fix Reference
- F-60783r905103_fix
- Fix Text
-
Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/".
Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command:
/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
CCI-000050Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
- 800-53 :: AC-8 b
- 800-53 Rev. 4 :: AC-8 b
- 800-53 Rev. 5 :: AC-8 b
- 800-53A :: AC-8.1 (iii)
CCI-001384For publicly accessible systems, display system use information with organization-defined conditions before granting further access to the publicly accessible system.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 1
- 800-53 Rev. 5 :: AC-8 c 1
- 800-53A :: AC-8.2 (i)
CCI-001385For publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001386For publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001387For publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001388For publicly accessible systems, includes a description of the authorized uses of the system.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 3
- 800-53 Rev. 5 :: AC-8 c 3
- 800-53A :: AC-8.2 (iii)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257158
- Rule Version
- APPL-13-000030
- Rule Title
- The macOS system must be configured so that log files do not contain access control lists (ACLs).
- Rule ID
- SV-257158r905107_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured without ACLs applied to log files with the following command:
/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current
In the output from the above command, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity").
If any ACLs exists, this is a finding.
- Check System
- C-60843r905105_chk
- Fix Reference
- F-60784r905106_fix
- Fix Text
-
Configure the macOS system so that log files do not contain ACLs with the following command:
/usr/bin/sudo /bin/chmod -N [audit log file]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257159
- Rule Version
- APPL-13-000031
- Rule Title
- The macOS system must be configured so that log folders do not contain access control lists (ACLs).
- Rule ID
- SV-257159r905110_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured without ACLs applied to log folders with the following command:
/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
In the output from the above command, ACLs will be listed under any folder that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity").
If any ACLs exists, this is a finding.
- Check System
- C-60844r905108_chk
- Fix Reference
- F-60785r905109_fix
- Fix Text
-
Configure the macOS system so that log folders do not contain ACLs with the following command:
/usr/bin/sudo /bin/chmod -N [audit log folder]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257160
- Rule Version
- APPL-13-000032
- Rule Title
- The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
- Rule ID
- SV-257160r905113_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command:
/usr/bin/sudo /usr/bin/fdesetup list
fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A
If any unauthorized users are listed, this is a finding.
Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons:
/usr/bin/sudo /usr/bin/dscl . read /Users/<FileVault_User> UserShell
UserShell: /usr/bin/false
If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.
- Check System
- C-60845r905111_chk
- Fix Reference
- F-60786r905112_fix
- Fix Text
-
Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands:
/usr/bin/sudo /usr/bin/fdesetup add -user <username>
/usr/bin/sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false
Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user:
/usr/bin/sudo /usr/bin/fdesetup remove -user <username>
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257161
- Rule Version
- APPL-13-000033
- Rule Title
- The macOS system must be configured to disable password forwarding for FileVault.
- Rule ID
- SV-257161r905116_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable password forwarding with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin"
DisableFDEAutoLogin = 1;
If "DisableFDEAutoLogin" is not set to a value of "1", this is a finding.
- Check System
- C-60846r905114_chk
- Fix Reference
- F-60787r905115_fix
- Fix Text
-
Configure the macOS system to disable password forwarding by installing the "Smart Card Policy" configuration profile.
Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-257162
- Rule Version
- APPL-13-000051
- Rule Title
- The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
- Rule ID
- SV-257162r922873_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met.
The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is "0", indicating no messages will be sent.
The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to "0" disables connection termination.
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured with the SSH daemon "ClientAliveInterval" option set to "900" or less with the following command:
/usr/bin/grep -r ^ClientAliveInterval /etc/ssh/sshd_config*
If "ClientAliveInterval" is not configured or has a value of "0", this is a finding.
If "ClientAliveInterval" is not "900" or less, this is a finding.
If conflicting results are returned, this is a finding.
- Check System
- C-60847r905117_chk
- Fix Reference
- F-60788r905118_fix
- Fix Text
-
Configure the macOS system to set the SSH daemon "ClientAliveInterval" option to "900" with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-257163
- Rule Version
- APPL-13-000052
- Rule Title
- The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 1.
- Rule ID
- SV-257163r905122_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.
SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met.
The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is 0, indicating no messages will be sent.
The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to 0 disables connection termination.
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured with the SSH daemon "ClientAliveCountMax" option set to "1" with the following command:
/usr/bin/grep -r ^ClientAliveCountMax /etc/ssh/sshd_config*
If the setting is not "ClientAliveCountMax 1", this is a finding.
If conflicting results are returned, this is a finding.
- Check System
- C-60848r905120_chk
- Fix Reference
- F-60789r905121_fix
- Fix Text
-
Configure the macOS system to set the SSH daemon "ClientAliveCountMax" option to "1" with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 1/' /etc/ssh/sshd_config
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-257164
- Rule Version
- APPL-13-000053
- Rule Title
- The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
- Rule ID
- SV-257164r905125_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH must be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured with the SSH daemon "LoginGraceTime" option set to "30" or less with the following command:
/usr/bin/grep -r ^LoginGraceTime /etc/ssh/sshd_config*
If "LoginGraceTime" is not configured or has a value of "0", this is a finding.
If "LoginGraceTime" is not set to "30" or less, this is a finding.
If conflicting results are returned, this is a finding.
- Check System
- C-60849r905123_chk
- Fix Reference
- F-60790r905124_fix
- Fix Text
-
Configure the macOS system to set the SSH daemon "LoginGraceTime" option to "30" with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000004-GPOS-00004
- Group ID
- V-257168
- Rule Version
- APPL-13-001001
- Rule Title
- The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.
- Rule ID
- SV-257168r905137_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.
This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems.
Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.
This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000327-GPOS-00127, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit privileged access with the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
If "ad" is not listed in the output, this is a finding.
- Check System
- C-60853r905135_chk
- Fix Reference
- F-60794r905136_fix
- Fix Text
-
Configure the macOS system to audit privileged access with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000018
Automatically audit account creation actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001403Automatically audit account modification actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001404Automatically audit account disabling actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001405Automatically audit account removal actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-002234Log the execution of privileged functions.
- 800-53 Rev. 4 :: AC-6 (9)
- 800-53 Rev. 5 :: AC-6 (9)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
- Group Title
- SRG-OS-000032-GPOS-00013
- Group ID
- V-257169
- Rule Version
- APPL-13-001002
- Rule Title
- The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
- Rule ID
- SV-257169r905140_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges to proceed. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Attempts to log in as another user are logged by way of the "lo" flag.
Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000462-GPOS-00206
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit attempts to access/modify privileges with the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
If "lo" is not listed in the result of the check, this is a finding.
- Check System
- C-60854r905138_chk
- Fix Reference
- F-60795r905139_fix
- Fix Text
-
Configure the macOS system to audit attempts to access/modify privileges with the following command:
/usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000067
Employ automated mechanisms to monitor remote access methods.
- 800-53 :: AC-17 (1)
- 800-53 Rev. 4 :: AC-17 (1)
- 800-53 Rev. 5 :: AC-17 (1)
- 800-53A :: AC-17 (1).1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
- Group Title
- SRG-OS-000037-GPOS-00015
- Group ID
- V-257170
- Rule Version
- APPL-13-001003
- Rule Title
- The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
- Rule ID
- SV-257170r905143_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Without establishing what type of events occurred, when they occurred, and by whom, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
Associating event types with detected events in the operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured operating system.
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable the auditd service with the following command:
/bin/launchctl print-disabled system| /usr/bin/grep com.apple.auditd
"com.apple.auditd" => enabled
If the results are not "com.apple.auditd => enabled", this is a finding.
- Check System
- C-60855r905141_chk
- Fix Reference
- F-60796r905142_fix
- Fix Text
-
Configure the macOS system to enable the auditd service with the following command:
/usr/bin/sudo /bin/launchctl enable system/com.apple.auditd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000130
Ensure that audit records containing information that establishes what type of event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 a
- 800-53A :: AU-3.1
CCI-000131Ensure that audit records containing information that establishes when the event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 b
- 800-53A :: AU-3.1
CCI-000132Ensure that audit records containing information that establishes where the event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 c
- 800-53A :: AU-3.1
CCI-000133Ensure that audit records containing information that establishes the source of the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 d
- 800-53A :: AU-3.1
CCI-000134Ensure that audit records containing information that establishes the outcome of the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 e
- 800-53A :: AU-3.1
CCI-000135Generate audit records containing the organization-defined additional information that is to be included in the audit records.
- 800-53 :: AU-3 (1)
- 800-53 Rev. 4 :: AU-3 (1)
- 800-53 Rev. 5 :: AU-3 (1)
- 800-53A :: AU-3 (1).1 (ii)
CCI-000159Use internal system clocks to generate time stamps for audit records.
- 800-53 :: AU-8
- 800-53 Rev. 4 :: AU-8 a
- 800-53 Rev. 5 :: AU-8 a
- 800-53A :: AU-8.1
CCI-001464Initiates session audits automatically at system start-up.
- 800-53 :: AU-14 (1)
- 800-53 Rev. 4 :: AU-14 (1)
- 800-53 Rev. 5 :: AU-14 (1)
- 800-53A :: AU-14 (1).1
CCI-001487Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 f
- 800-53A :: AU-3.1
CCI-001889Record time stamps for audit records that meet organization-defined granularity of time measurement.
- 800-53 Rev. 4 :: AU-8 b
- 800-53 Rev. 5 :: AU-8 b
CCI-001890Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
- 800-53 Rev. 4 :: AU-8 b
- 800-53 Rev. 5 :: AU-8 b
CCI-001914Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.
- 800-53 Rev. 4 :: AU-12 (3)
- 800-53 Rev. 5 :: AU-12 (3)
CCI-002130Automatically audit account enabling actions.
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- Group Title
- SRG-OS-000047-GPOS-00023
- Group ID
- V-257171
- Rule Version
- APPL-13-001010
- Rule Title
- The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
- Rule ID
- SV-257171r905146_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.
When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
(i) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.
(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to shut down upon audit failure with the following command:
/usr/bin/sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt
If there is no result, this is a finding.
- Check System
- C-60856r905144_chk
- Fix Reference
- F-60797r905145_fix
- Fix Text
-
Configure the macOS system to shut down upon audit failure by editing the "/etc/security/audit_control" file and updating the policy value to include "ahlt" with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
- Identities
-
CCI-000140
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
- 800-53 :: AU-5 b
- 800-53 Rev. 4 :: AU-5 b
- 800-53 Rev. 5 :: AU-5 b
- 800-53A :: AU-5.1 (iv)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257172
- Rule Version
- APPL-13-001012
- Rule Title
- The macOS system must be configured with audit log files owned by root.
- Rule ID
- SV-257172r905149_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files owned by root with the following command:
/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current
If the files are not owned by root, this is a finding.
- Check System
- C-60857r905147_chk
- Fix Reference
- F-60798r905148_fix
- Fix Text
-
Configure the macOS system with audit log files owned by root with the following command:
/usr/bin/sudo chown root [audit log file]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257173
- Rule Version
- APPL-13-001013
- Rule Title
- The macOS system must be configured with audit log folders owned by root.
- Rule ID
- SV-257173r905152_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders owned by root with the following command:
/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
If the folders are not owned by root, this is a finding.
- Check System
- C-60858r905150_chk
- Fix Reference
- F-60799r905151_fix
- Fix Text
-
Configure the macOS system with audit log folders owned by root with the following command:
/usr/bin/sudo chown root [audit log folder]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257174
- Rule Version
- APPL-13-001014
- Rule Title
- The macOS system must be configured with audit log files group-owned by wheel.
- Rule ID
- SV-257174r905155_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files group-owned by wheel with the following command:
/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current
If the files are not group-owned by wheel, this is a finding.
- Check System
- C-60859r905153_chk
- Fix Reference
- F-60800r905154_fix
- Fix Text
-
Configure the macOS system with audit log files group-owned by wheel with the following command:
/usr/bin/sudo chgrp wheel [audit log file]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257175
- Rule Version
- APPL-13-001015
- Rule Title
- The macOS system must be configured with audit log folders group-owned by wheel.
- Rule ID
- SV-257175r905158_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders group-owned by wheel with the following command:
/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
If the folders are not group-owned by wheel, this is a finding.
- Check System
- C-60860r905156_chk
- Fix Reference
- F-60801r905157_fix
- Fix Text
-
Configure the macOS system with audit log folders group-owned by wheel with the following command:
/usr/bin/sudo chgrp wheel [audit log folder]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257176
- Rule Version
- APPL-13-001016
- Rule Title
- The macOS system must be configured with audit log files set to mode 440 or less permissive.
- Rule ID
- SV-257176r905161_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files set to mode 440 or less with the following command:
/usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current
If the files are not mode 440 or less, this is a finding.
- Check System
- C-60861r905159_chk
- Fix Reference
- F-60802r905160_fix
- Fix Text
-
Configure the macOS system with audit log files set to mode 440 with the following command:
/usr/bin/sudo /bin/chmod 440 [audit log file]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-257177
- Rule Version
- APPL-13-001017
- Rule Title
- The macOS system must be configured with audit log folders set to mode 700 or less permissive.
- Rule ID
- SV-257177r905164_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders set to mode 700 or less with the following command:
/usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
If the folders are not set to mode 700 or less, this is a finding.
- Check System
- C-60862r905162_chk
- Fix Reference
- F-60803r905163_fix
- Fix Text
-
Configure the macOS system with audit log folders set to mode 700 with the following command:
/usr/bin/sudo /bin/chmod 700 [audit log folder]
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000064-GPOS-00033
- Group ID
- V-257178
- Rule Version
- APPL-13-001020
- Rule Title
- The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
- Rule ID
- SV-257178r905167_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Enforcement actions are logged by way of the "fm" flag, which audits permission changes; "-fr" and "-fw", which denote failed attempts to read or write to a file; and "-fd", which audits failed file deletion.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000474-GPOS-00219
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit enforcement actions with the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.
- Check System
- C-60863r905165_chk
- Fix Reference
- F-60804r905166_fix
- Fix Text
-
Configure the macOS system to audit enforcement actions with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000172
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001814The Information system supports auditing of the enforcement actions.
- 800-53 Rev. 4 :: CM-5 (1)
- Group Title
- SRG-OS-000344-GPOS-00135
- Group ID
- V-257181
- Rule Version
- APPL-13-001031
- Rule Title
- The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
- Rule ID
- SV-257181r905176_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to print error messages to the console with the following command:
/usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn
logger -s -p security.warning "audit warning: $type $argument"
If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.
- Check System
- C-60866r905174_chk
- Fix Reference
- F-60807r905175_fix
- Fix Text
-
Configure the macOS system to print error messages to the console with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s
Alternatively, use a text editor to update the "/etc/security/audit_warn" file.
- Identities
-
CCI-001858
Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
- 800-53 Rev. 4 :: AU-5 (2)
- 800-53 Rev. 5 :: AU-5 (2)
- Group Title
- SRG-OS-000470-GPOS-00214
- Group ID
- V-257182
- Rule Version
- APPL-13-001044
- Rule Title
- The macOS system must generate audit records for DOD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
- Rule ID
- SV-257182r905179_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Logon events are logged by way of the "aa" flag.
Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit logon events with the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
If "aa" is not listed in the result of the check, this is a finding.
- Check System
- C-60867r905177_chk
- Fix Reference
- F-60808r905178_fix
- Fix Text
-
Configure the macOS system to audit logon events with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000172
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
- Group Title
- SRG-OS-000067-GPOS-00035
- Group ID
- V-257183
- Rule Version
- APPL-13-001060
- Rule Title
- The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
- Rule ID
- SV-257183r905182_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
DOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.
Satisfies: SRG-OS-000067-GPOS-00035, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to check the revocation status of user certificates with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "checkCertificateTrust"
checkCertificateTrust = 1;
If there is no result, or if "checkCertificateTrust" is not set to "1" or greater, this is a finding.
- Check System
- C-60868r905180_chk
- Fix Reference
- F-60809r905181_fix
- Fix Text
-
Configure the macOS system to check the revocation status of user certificates by installing the "Smart Card Policy" configuration profile.
Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".
- Identities
-
CCI-000186
For public key-based authentication, enforce authorized access to the corresponding private key.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (b)
- 800-53 Rev. 5 :: IA-5 (2) (a) (1)
- 800-53A :: IA-5 (2).1
CCI-001953Accepts Personal Identity Verification-compliant credentials.
- 800-53 Rev. 4 :: IA-2 (12)
- 800-53 Rev. 5 :: IA-2 (12)
CCI-001954Electronically verifies Personal Identity Verification-compliant credentials.
- 800-53 Rev. 4 :: IA-2 (12)
- 800-53 Rev. 5 :: IA-2 (12)
CCI-001991The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
- 800-53 Rev. 4 :: IA-5 (2) (d)
CCI-002470Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
- 800-53 Rev. 4 :: SC-23 (5)
- 800-53 Rev. 5 :: SC-23 (5)
- Group Title
- SRG-OS-000109-GPOS-00056
- Group ID
- V-257184
- Rule Version
- APPL-13-001100
- Rule Title
- The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
- Rule ID
- SV-257184r905185_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators must only run commands as root after first authenticating with their individual usernames and passwords.
- Documentable
- False
- Check Content
-
If SSH is not being used, this is not applicable.
Verify the macOS system is configured to disable root logins over SSH with the following command:
/usr/bin/grep -r ^PermitRootLogin /etc/ssh/sshd_config*
If there is no result, or the result is set to "yes", this is a finding.
If conflicting results are returned, this is a finding.
- Check System
- C-60869r905183_chk
- Fix Reference
- F-60810r905184_fix
- Fix Text
-
Configure the macOS system to disable root logins over SSH with the following command:
/usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
- Identities
-
CCI-000770
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
- 800-53 :: IA-2 (5) (b)
- 800-53 Rev. 4 :: IA-2 (5)
- 800-53A :: IA-2 (5).2 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257185
- Rule Version
- APPL-13-002001
- Rule Title
- The macOS system must be configured to disable SMB File Sharing unless it is required.
- Rule ID
- SV-257185r905188_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
File sharing is usually nonessential and must be disabled if not required. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the SMB File Sharing service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd
"com.apple.smbd" => disabled
If the results are not "com.apple.smbd => disabled" or SMB file sharing has not been documented with the ISSO as an operational requirement, this is a finding.
- Check System
- C-60870r905186_chk
- Fix Reference
- F-60811r905187_fix
- Fix Text
-
Configure the macOS system to disable the SMB File Sharing service with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.smbd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257186
- Rule Version
- APPL-13-002003
- Rule Title
- The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
- Rule ID
- SV-257186r905191_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If the system does not require access to NFS file shares or is not acting as an NFS server, support for NFS is nonessential and NFS services must be disabled. NFS is a network file system protocol supported by UNIX-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the NFS daemon with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd
"com.apple.nfsd" => disabled
If the results are not "com.apple.nfsd => disabled" or the use of NFS has not been documented with the ISSO as an operational requirement, this is a finding.
- Check System
- C-60871r905189_chk
- Fix Reference
- F-60812r905190_fix
- Fix Text
-
Configure the macOS system to disable the NFS daemon with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257187
- Rule Version
- APPL-13-002004
- Rule Title
- The macOS system must be configured to disable Location Services.
- Rule ID
- SV-257187r905194_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
Location Services must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Location Services with the following command:
/usr/bin/sudo /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd | /usr/bin/grep "LocationServicesEnabled"
LocationServicesEnabled = 0;
If "LocationServicesEnabled" is not set to "0" and the AO has not authorized the use of location services, this is a finding.
- Check System
- C-60872r905192_chk
- Fix Reference
- F-60813r905193_fix
- Fix Text
-
Configure the macOS system to disable Location Services with the following command:
/usr/bin/sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257188
- Rule Version
- APPL-13-002005
- Rule Title
- The macOS system must be configured to disable Bonjour multicast advertising.
- Rule ID
- SV-257188r905197_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
Bonjour multicast advertising must be disabled on the system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Bonjour multicast advertising with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "NoMulticastAdvertisements"
NoMulticastAdverstisements = 1;
If there is no result, or if "NoMulticastAdvertisements" is not set to "1", this is a finding.
- Check System
- C-60873r905195_chk
- Fix Reference
- F-60814r905196_fix
- Fix Text
-
Configure the macOS system to disable Bonjour multicast advertising by installing the "Custom Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257189
- Rule Version
- APPL-13-002006
- Rule Title
- The macOS system must be configured to disable the UUCP service.
- Rule ID
- SV-257189r905200_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The system must not have the UUCP service active.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the UUCP service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp
"com.apple.uucp" => disabled
If the results are not "com.apple.uucp => disabled", this is a finding.
- Check System
- C-60874r905198_chk
- Fix Reference
- F-60815r905199_fix
- Fix Text
-
Configure the macOS system to disable the UUCP service with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.uucp
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257190
- Rule Version
- APPL-13-002007
- Rule Title
- The macOS system must be configured to disable Internet Sharing.
- Rule ID
- SV-257190r905203_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
Internet Sharing is nonessential and must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Internet Sharing with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "forceInternetSharingOff"
forceInternetSharingOff = 1;
If there is no result, or if "forceInternetSharingOff" is not set to "1", this is a finding.
- Check System
- C-60875r905201_chk
- Fix Reference
- F-60816r905202_fix
- Fix Text
-
Configure the macOS system to disable Internet Sharing by installing the "Custom Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257191
- Rule Version
- APPL-13-002008
- Rule Title
- The macOS system must be configured to disable Web Sharing.
- Rule ID
- SV-257191r905206_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues.
Web Sharing is nonessential and must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Web Sharing with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep org.apache.httpd
"org.apache.httpd" => disabled
If the results are not "org.apache.httpd => disabled", this is a finding.
- Check System
- C-60876r905204_chk
- Fix Reference
- F-60817r905205_fix
- Fix Text
-
Configure the macOS system to disable Web Sharing with the following command:
/usr/bin/sudo /bin/launchctl disable system/org.apache.httpd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257198
- Rule Version
- APPL-13-002017
- Rule Title
- The macOS system must cover or disable the built-in or attached camera when not in use.
- Rule ID
- SV-257198r905227_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
If the device or operating system does not have a camera installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
If the camera is not disconnected, covered, or physically disabled, the following configuration is required:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCamera"
allowCamera = 0;
If the result is "allowCamera = 1" and the collaborative computing device has not been authorized for use, this is a finding.
- Check System
- C-60883r905225_chk
- Fix Reference
- F-60824r905226_fix
- Fix Text
-
Configure the macOS system to disable the built-in camera by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257199
- Rule Version
- APPL-13-002020
- Rule Title
- The macOS system must be configured to disable Siri and dictation.
- Rule ID
- SV-257199r922885_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
Siri and dictation must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
To check if Siri and dictation has been disabled, run the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -e "Ironwood Allowed"
If the output is not:
"Ironwood Allowed = 0",
this is a finding.
- Check System
- C-60884r922884_chk
- Fix Reference
- F-60825r905229_fix
- Fix Text
-
Configure the macOS system to disable Siri and dictation by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000096-GPOS-00050
- Group ID
- V-257200
- Rule Version
- APPL-13-002021
- Rule Title
- The macOS system must be configured to disable sending diagnostic and usage data to Apple.
- Rule ID
- SV-257200r905233_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
Sending diagnostic data to Apple must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command:
/usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowDiagnosticSubmission"
allowDiagnosticSubmission = 0;
If there is no result, or if "allowDiagnosticSubmission" is not set to "0", this is a finding.
Alternatively, the settings are found in System Settings >> Privacy & Security >> Privacy >> Analytics & Improvements.
If the box "Share Mac Analytics" is checked, this is a finding.
If the box "Improve Siri & Dictation" is checked, this is a finding.
If the box "Share with app developers" is checked, this is a finding.
- Check System
- C-60885r905231_chk
- Fix Reference
- F-60826r905232_fix
- Fix Text
-
Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the "Restrictions Policy" configuration profile.
Alternatively, the settings can be configured in System Settings >> Privacy & Security >> Privacy >> Analytics & Improvements by performing the following:
- Uncheck the box, "Share Mac Analytics".
- Uncheck the box "Improve Siri & Dictation".
- Uncheck the box "Share with app developers".
- Identities
-
CCI-000382
Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 b
- 800-53 Rev. 5 :: CM-7 b
- 800-53A :: CM-7.1 (iii)
- Group Title
- SRG-OS-000096-GPOS-00050
- Group ID
- V-257201
- Rule Version
- APPL-13-002022
- Rule Title
- The macOS system must be configured to disable Remote Apple Events.
- Rule ID
- SV-257201r905236_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
Remote Apple Events must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Remote Apple Events with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer
"com.apple.AEServer" => disabled
If the results are not "com.apple.AEServer => disabled", this is a finding.
- Check System
- C-60886r905234_chk
- Fix Reference
- F-60827r905235_fix
- Fix Text
-
Configure the macOS system to disable Remote Apple Events with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000382
Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 b
- 800-53 Rev. 5 :: CM-7 b
- 800-53A :: CM-7.1 (iii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257203
- Rule Version
- APPL-13-002032
- Rule Title
- The macOS system must be configured to disable the system preference pane for Internet Accounts.
- Rule ID
- SV-257203r905242_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Internet Accounts System Preference Pane must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable access to the Internet Accounts preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.internetaccounts", this is a finding.
- Check System
- C-60888r905240_chk
- Fix Reference
- F-60829r905241_fix
- Fix Text
-
Configure the macOS system to disable access to the Internet Accounts preference pane by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257204
- Rule Version
- APPL-13-002035
- Rule Title
- The macOS system must be configured to disable the Cloud Setup services.
- Rule ID
- SV-257204r905245_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Cloud Setup services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipCloudSetup"
SkipCloudSetup = 1;
If there is no result, or if "SkipCloudSetup" is not set to "1", this is a finding.
- Check System
- C-60889r905243_chk
- Fix Reference
- F-60830r905244_fix
- Fix Text
-
Configure the macOS system to disable the Cloud Setup services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257205
- Rule Version
- APPL-13-002036
- Rule Title
- The macOS system must be configured to disable the Privacy Setup services.
- Rule ID
- SV-257205r905248_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Privacy Setup services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipPrivacySetup"
SkipPrivacySetup = 1;
If there is no result, or if "SkipPrivacySetup" is not set to "1", this is a finding.
- Check System
- C-60890r905246_chk
- Fix Reference
- F-60831r905247_fix
- Fix Text
-
Configure the macOS system to disable the Privacy Setup services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257206
- Rule Version
- APPL-13-002037
- Rule Title
- The macOS system must be configured to disable the Cloud Storage Setup services.
- Rule ID
- SV-257206r905251_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Cloud Storage Setup services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipiCloudStorageSetup"
SkipiCloudStorageSetup = 1;
If there is no result, or if "SkipiCloudStorageSetup" is not set to "1", this is a finding.
- Check System
- C-60891r905249_chk
- Fix Reference
- F-60832r905250_fix
- Fix Text
-
Configure the macOS system to disable the Cloud Storage Setup services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257208
- Rule Version
- APPL-13-002039
- Rule Title
- The macOS system must be configured to disable the Siri Setup services.
- Rule ID
- SV-257208r905257_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Siri setup pop-up must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Siri Setup services with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipSiriSetup"
SkipSiriSetup = 1;
If there is no result, or if "SkipSiriSetup" is not set to "1", this is a finding.
- Check System
- C-60893r905255_chk
- Fix Reference
- F-60834r905256_fix
- Fix Text
-
Configure the macOS system to disable the Siri Setup services by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257209
- Rule Version
- APPL-13-002040
- Rule Title
- The macOS system must disable iCloud Keychain synchronization.
- Rule ID
- SV-257209r905260_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
Keychain synchronization must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Keychain synchronization with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudKeychainSync"
allowCloudKeychainSync = 0;
If there is no result, or if "allowCloudKeychainSync" is not set to "0", this is a finding.
- Check System
- C-60894r905258_chk
- Fix Reference
- F-60835r905259_fix
- Fix Text
-
Configure the macOS system to disable iCloud Keychain synchronization by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257210
- Rule Version
- APPL-13-002041
- Rule Title
- The macOS system must disable iCloud Document synchronization.
- Rule ID
- SV-257210r905263_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
iCloud Document synchronization must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Document synchronization with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudDocumentSync"
allowCloudDocumentSync = 0;
If there is no result, or if "allowCloudDocumentSync" is not set to "0", this is a finding.
- Check System
- C-60895r905261_chk
- Fix Reference
- F-60836r905262_fix
- Fix Text
-
Configure the macOS system to disable iCloud Document synchronization by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257211
- Rule Version
- APPL-13-002042
- Rule Title
- The macOS system must disable iCloud Bookmark synchronization.
- Rule ID
- SV-257211r905266_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
iCloud Bookmark syncing must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Bookmark synchronization with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudBookmarks"
allowCloudBookmarks = 0;
If there is no result, or if "allowCloudBookmarks" is not set to "0", this is a finding.
- Check System
- C-60896r905264_chk
- Fix Reference
- F-60837r905265_fix
- Fix Text
-
Configure the macOS system to disable iCloud Bookmark synchronization by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257212
- Rule Version
- APPL-13-002043
- Rule Title
- The macOS system must disable the iCloud Photo Library.
- Rule ID
- SV-257212r905269_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The iCloud Photo Library must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the iCloud Photo Library with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudPhotoLibrary"
allowCloudPhotoLibrary = 0;
If there is no result, or if "allowCloudPhotoLibrary" is not set to "0", this is a finding.
- Check System
- C-60897r905267_chk
- Fix Reference
- F-60838r905268_fix
- Fix Text
-
Configure the macOS system to disable the iCloud Photo Library by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257213
- Rule Version
- APPL-13-002050
- Rule Title
- The macOS system must disable the Screen Sharing feature.
- Rule ID
- SV-257213r905272_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Screen Sharing feature allows remote users to view or control the desktop of the current user. A malicious user can take advantage of screen sharing to gain full access to the system remotely, either with stolen credentials or by guessing the username and password. Disabling Screen Sharing mitigates this risk.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Screen Sharing feature with the following command:
/usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing
"com.apple.screensharing => disabled"
If "com.apple.screensharing" is not set to "disabled", this is a finding.
- Check System
- C-60898r905270_chk
- Fix Reference
- F-60839r905271_fix
- Fix Text
-
Configure the macOS system to disable the Screen Sharing service with the following command:
/usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257214
- Rule Version
- APPL-13-002051
- Rule Title
- The macOS system must be configured to disable the system preference pane for TouchID and Password.
- Rule ID
- SV-257214r905275_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The TouchID & Password preference pane must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable access to the TouchID & Password preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.password", this is a finding.
- Check System
- C-60899r905273_chk
- Fix Reference
- F-60840r905274_fix
- Fix Text
-
Configure the macOS system to disable access to the TouchID & Password preference pane by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257215
- Rule Version
- APPL-13-002052
- Rule Title
- The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.
- Rule ID
- SV-257215r905278_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Wallet & ApplePay preference pane must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable access to the Wallet & ApplePay preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the return is not two arrays "HiddenPreferencePanes" and "DisabledPreferencePanes", each containing "com.apple.preferences.wallet", this is a finding.
- Check System
- C-60900r905276_chk
- Fix Reference
- F-60841r905277_fix
- Fix Text
-
Configure the macOS system to disable access to the Wallet & ApplePay preference pane by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257216
- Rule Version
- APPL-13-002053
- Rule Title
- The macOS system must be configured to disable the system preference pane for Siri.
- Rule ID
- SV-257216r905281_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled.
The Siri preference pane must be disabled.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable access to the Siri preference pane with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes"
If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preference.speech", this is a finding.
- Check System
- C-60901r905279_chk
- Fix Reference
- F-60842r905280_fix
- Fix Text
-
Configure the macOS system to disable access to the Siri preference pane by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001774Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
- 800-53 Rev. 4 :: CM-7 (5) (b)
- 800-53 Rev. 5 :: CM-7 (5) (b)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257217
- Rule Version
- APPL-13-002060
- Rule Title
- The macOS system must only allow applications with a valid digital signature to run.
- Rule ID
- SV-257217r905284_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Gatekeeper settings must be configured correctly to only allow the system to run applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to only allow applications with a valid digital signature with the following commands:
/usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -B 3 -A 4 -e "Obtained from: Unknown" | /usr/bin/grep -v -e "Location: /Library/Application Support/Script Editor/Templates" -e "Location: /System/Library/" | /usr/bin/awk -F "Location: " '{print $2}' | /usr/bin/sort -u
If any results are returned and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify only applications with a valid digital signature are allowed to run:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E "(EnableAssessment | AllowIdentifiedDevelopers)"
If the result is not as follows, this is a finding.
"AllowIdentifiedDevelopers = 1;
EnableAssessment = 1;"
- Check System
- C-60902r905282_chk
- Fix Reference
- F-60843r905283_fix
- Fix Text
-
Configure the macOS system to only allow applications with a valid digital signature by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00229
- Group ID
- V-257221
- Rule Version
- APPL-13-002066
- Rule Title
- The macOS system must not allow an unattended or automatic logon to the system.
- Rule ID
- SV-257221r905296_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Failure to restrict system access to authenticated users negatively impacts operating system security.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to not allow automatic logon with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableAutoLoginClient"
"com.apple.login.mcx.DisableAutoLoginClient" = 1;
If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.
- Check System
- C-60906r905294_chk
- Fix Reference
- F-60847r905295_fix
- Fix Text
-
Configure the macOS system to not allow automatic login by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00228
- Group ID
- V-257222
- Rule Version
- APPL-13-002068
- Rule Title
- The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
- Rule ID
- SV-257222r905299_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.
Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230
- Documentable
- False
- Check Content
-
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:
/bin/ls -le /Users
This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which must be:
0: group:everyone deny delete
For every authorized user account, also run the following command:
/usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.
This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:
drwx------+
0: group:everyone deny delete
The exception is the "Public" directory, whose permissions must match the following:
drwxr-xr-x+
0: group:everyone deny delete
If the permissions returned by either of these checks differ from what is shown, this is a finding.
- Check System
- C-60907r905297_chk
- Fix Reference
- F-60848r905298_fix
- Fix Text
-
Configure the macOS system to set the appropriate permissions for each user on the system with the following command:
/usr/sbin/diskutil resetUserPermissions / DeviceNode UID, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000071-GPOS-00039
- Group ID
- V-257226
- Rule Version
- APPL-13-003007
- Rule Title
- The macOS system must enforce password complexity by requiring that at least one numeric character be used.
- Rule ID
- SV-257226r905311_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require at least one numeric character in password complexity with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "requireAlphanumeric"
requireAlphanumeric = 1;
If the result is not "requireAlphanumeric = 1", this is a finding.
- Check System
- C-60911r905309_chk
- Fix Reference
- F-60852r905310_fix
- Fix Text
-
Configure the macOS system to require at least one numeric character in password complexity by installing the "Passcode Policy" configuration profile.
- Identities
-
CCI-000194
The information system enforces password complexity by the minimum number of numeric characters used.
- 800-53 :: IA-5 (1) (a)
- 800-53 Rev. 4 :: IA-5 (1) (a)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- SRG-OS-000076-GPOS-00044
- Group ID
- V-257227
- Rule Version
- APPL-13-003008
- Rule Title
- The macOS system must enforce a 60-day maximum password lifetime restriction.
- Rule ID
- SV-257227r905314_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically.
One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce a 60-day maximum password lifetime with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxPINAgeInDays"
maxPINAgeInDays = 60;
If "maxPINAgeInDays" is set a value greater than "60", this is a finding.
- Check System
- C-60912r905312_chk
- Fix Reference
- F-60853r905313_fix
- Fix Text
-
Configure the macOS system to require the enforcement of a 60-day maximum password lifetime by installing the "Passcode Policy" configuration profile.
- Identities
-
CCI-000199
The information system enforces maximum password lifetime restrictions.
- 800-53 :: IA-5 (1) (d)
- 800-53 Rev. 4 :: IA-5 (1) (d)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- SRG-OS-000077-GPOS-00045
- Group ID
- V-257228
- Rule Version
- APPL-13-003009
- Rule Title
- The macOS system must prohibit password reuse for a minimum of five generations.
- Rule ID
- SV-257228r905317_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed as per policy requirements.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "pinHistory"
pinHistory = 5;
If "pinHistory" is not set to "5" or greater, this is a finding.
- Check System
- C-60913r905315_chk
- Fix Reference
- F-60854r905316_fix
- Fix Text
-
Configure the macOS system to prohibit password reuse for five generations by installing the "Passcode Policy" configuration profile.
- Identities
-
CCI-000200
The information system prohibits password reuse for the organization-defined number of generations.
- 800-53 :: IA-5 (1) (e)
- 800-53 Rev. 4 :: IA-5 (1) (e)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- SRG-OS-000078-GPOS-00046
- Group ID
- V-257229
- Rule Version
- APPL-13-003010
- Rule Title
- The macOS system must enforce a minimum 15-character password length.
- Rule ID
- SV-257229r905320_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce a minimum 15-character password length with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minLength"
minLength = 15;
If "minLength" is not set to "15", this is a finding.
- Check System
- C-60914r905318_chk
- Fix Reference
- F-60855r905319_fix
- Fix Text
-
Configure the macOS system to enforce a 15-character password length by installing the "Passcode Policy" configuration profile.
- Identities
-
CCI-000205
The information system enforces minimum password length.
- 800-53 :: IA-5 (1) (a)
- 800-53 Rev. 4 :: IA-5 (1) (a)
- 800-53A :: IA-5 (1).1 (i)
- Group Title
- SRG-OS-000266-GPOS-00101
- Group ID
- V-257230
- Rule Version
- APPL-13-003011
- Rule Title
- The macOS system must enforce password complexity by requiring that at least one special character be used.
- Rule ID
- SV-257230r905323_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce at least one special character of password complexity with the following commands:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minComplexChars"
minComplexChar = 1;
If "minComplexChars" is not set to "1", this is a finding.
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowSimple"
allowSimple = 0;
If "allowSimple" is not set to "0", this is a finding.
- Check System
- C-60915r905321_chk
- Fix Reference
- F-60856r905322_fix
- Fix Text
-
Configure the macOS system to enforce at least one special character of password complexity by installing the "Passcode Policy" configuration profile.
- Identities
-
CCI-001619
The information system enforces password complexity by the minimum number of special characters used.
- 800-53 :: IA-5 (1) (a)
- 800-53 Rev. 4 :: IA-5 (1) (a)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257231
- Rule Version
- APPL-13-003012
- Rule Title
- The macOS system must be configured to prevent displaying password hints.
- Rule ID
- SV-257231r905326_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Password hints leak information about passwords in use and can lead to loss of confidentiality.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent displaying passwords hints with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "RetriesUntilHint"
RetriesUntilHint = 0;
If "RetriesUntilHint" is not set to "0", this is a finding.
- Check System
- C-60916r905324_chk
- Fix Reference
- F-60857r905325_fix
- Fix Text
-
Configure the macOS system to prevent displaying password hints by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257232
- Rule Version
- APPL-13-003013
- Rule Title
- The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
- Rule ID
- SV-257232r905329_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.
- Documentable
- False
- Check Content
-
For Apple Silicon-based systems, this is not applicable.
Verify the macOS system is configured with a firmware password with the following command:
/usr/bin/sudo /usr/sbin/firmwarepasswd -check
Password Enabled:Yes
If "Password Enabled" is not set to "Yes", this is a finding.
- Check System
- C-60917r905327_chk
- Fix Reference
- F-60858r905328_fix
- Fix Text
-
Configure the macOS system with a firmware password with the following command:
/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd
Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257234
- Rule Version
- APPL-13-003050
- Rule Title
- The macOS system must be configured so that the login command requires smart card authentication.
- Rule ID
- SV-257234r905335_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
- Documentable
- False
- Check Content
-
For systems that are not using smart card authentication, this requirements is not applicable.
Verify the macOS system is configured to require smart card authentication for the login command with the following command:
/bin/cat /etc/pam.d/login
If the text that returns does not include the line "auth sufficient pam_smartcard.so" at the TOP of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.
- Check System
- C-60919r905333_chk
- Fix Reference
- F-60860r905334_fix
- Fix Text
-
Configure the macOS system to require smart card authentication for the login command with the following procedure:
/usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`
Replace the contents of "/etc/pam.d/login" with the following:
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257235
- Rule Version
- APPL-13-003051
- Rule Title
- The macOS system must be configured so that the su command requires smart card authentication.
- Rule ID
- SV-257235r905338_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
- Documentable
- False
- Check Content
-
For systems that are not using smart card authentication, this requirement is not applicable.
Verify the macOS system is configured to require smart card authentication for the "su" command with the following command:
/bin/cat /etc/pam.d/su
If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing and the next line is not "auth required pam_rootok.so", this is a finding.
- Check System
- C-60920r905336_chk
- Fix Reference
- F-60861r905337_fix
- Fix Text
-
Configure the macOS system to require smart card authentication for the su command with the following procedure:
/usr/bin/sudo /bin/cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"`
Replace the contents of "/etc/pam.d/su" with the following:
# su: auth account session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257236
- Rule Version
- APPL-13-003052
- Rule Title
- The macOS system must be configured so that the sudo command requires smart card authentication.
- Rule ID
- SV-257236r905341_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
- Documentable
- False
- Check Content
-
For systems that are not using smart card authentication, this requirement is not applicable.
Verify the macOS system is configured to require smart card authentication for the "sudo" command with the following command:
/bin/cat /etc/pam.d/sudo
If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the top of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.
- Check System
- C-60921r905339_chk
- Fix Reference
- F-60862r905340_fix
- Fix Text
-
Configure the macOS system to require smart card authentication for the sudo command with the following procedure:
/usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`
Replace the contents of "/etc/pam.d/sudo" with the following:
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000206-GPOS-00084
- Group ID
- V-257237
- Rule Version
- APPL-13-004001
- Rule Title
- The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
- Rule ID
- SV-257237r905344_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk.
Some system log files are controlled by "newsyslog" and "aslmanager".
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with system log files owned by root or a service account and group-owned by wheel or admin with the commands below.
These commands must be run from inside "/var/log".
/usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null
If there are any system log files that are not owned by "root" or a service account and group-owned by "wheel" or "admin", this is a finding.
- Check System
- C-60922r905342_chk
- Fix Reference
- F-60863r905343_fix
- Fix Text
-
Configure the macOS system with system log files owned by root or a service account and group-owned by wheel or admin with the following command:
/usr/bin/sudo chown root:wheel [log file]
Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure the owner:group column is set to "root:wheel" or the appropriate service account and group.
If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are set to a service account and group, respectively.
- Identities
-
CCI-001314
Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000206-GPOS-00084
- Group ID
- V-257238
- Rule Version
- APPL-13-004002
- Rule Title
- The macOS system must be configured with system log files set to mode 640 or less permissive.
- Rule ID
- SV-257238r905347_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with system log files set to mode 640 or less with the commands below.
These commands must be run from inside "/var/log".
/usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null
If the permissions on log files are not "640" or less permissive, this is a finding.
- Check System
- C-60923r905345_chk
- Fix Reference
- F-60864r905346_fix
- Fix Text
-
Configure the macOS system with system log files set to mode 640 with the following command:
/usr/bin/sudo chmod 640 [log file]
Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640". Or, if the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640".
- Identities
-
CCI-001314
Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000373-GPOS-00156
- Group ID
- V-257239
- Rule Version
- APPL-13-004022
- Rule Title
- The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
- Rule ID
- SV-257239r922880_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
- Documentable
- False
- Check Content
-
Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command:
/usr/bin/sudo /usr/bin/grep -r "timestamp_timeout" /etc/sudoers*
/etc/sudoers.d/<customfile>:Defaults timestamp_timeout=0
If conflicting results are returned, this is a finding.
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
- Check System
- C-60924r922878_chk
- Fix Reference
- F-60865r922879_fix
- Fix Text
-
Configure the macOS system to require reauthentication when using the "sudo" command by creating a plain text file in the /private/etc/sudoers.d/ directory containing the following:
Defaults timestamp_timeout=0
- Identities
-
CCI-002038
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
- 800-53 Rev. 4 :: IA-11
- Group Title
- SRG-OS-000480-GPOS-00232
- Group ID
- V-257242
- Rule Version
- APPL-13-005050
- Rule Title
- The macOS Application Firewall must be enabled.
- Rule ID
- SV-257242r905359_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable the built-in firewall with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "EnableFirewall\|EnableStealthMode"
EnableFirewall = 1;
EnableStealthMode = 1;
If "EnableFirewall" and "EnableStealthMode" are not set to "1", this is a finding.
- Check System
- C-60927r905357_chk
- Fix Reference
- F-60868r905358_fix
- Fix Text
-
Configure the macOS system to enable the built-in firewall by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-257243
- Rule Version
- APPL-13-005051
- Rule Title
- The macOS system must restrict the ability of individuals to use USB storage devices.
- Rule ID
- SV-257243r905362_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable USB storage devices with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls"
bd = (
"read-only"
);
blankbd = (
deny,
eject
);
blankcd = (
deny,
eject
);
blankdvd = (
deny,
eject
);
cd = (
"read-only"
);
"disk-image" = (
"read-only"
);
dvd = (
"read-only"
);
dvdram = (
deny,
eject
);
"harddisk-external" = (
deny,
eject
);
If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
- Check System
- C-60928r905360_chk
- Fix Reference
- F-60869r905361_fix
- Fix Text
-
Configure the macOS system to disable USB storage devices by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00229
- Group ID
- V-257244
- Rule Version
- APPL-13-005052
- Rule Title
- The macOS system logon window must be configured to prompt for username and password.
- Rule ID
- SV-257244r905365_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The logon window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users at the logon screen. This gives an advantage to an attacker with physical access to the system, as the attacker would only have to guess the password for one of the listed accounts.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prompt for username and password at the logon window with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SHOWFULLNAME"
SHOWFULLNAME = 1;
If "SHOWFULLNAME" is not set to "1", this is a finding.
- Check System
- C-60929r905363_chk
- Fix Reference
- F-60870r905364_fix
- Fix Text
-
Configure the macOS system to prompt for username and password at the logon window by installing the "Login Window Policy" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257246
- Rule Version
- APPL-13-005054
- Rule Title
- The macOS system must be configured to disable prompts to configure Touch ID.
- Rule ID
- SV-257246r905371_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable prompts to setup TouchID with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipTouchIDSetup"
SkipTouchIDSetup = 1;
If "SkipTouchIDSetup" is not set to "1", this is a finding.
- Check System
- C-60931r905369_chk
- Fix Reference
- F-60872r905370_fix
- Fix Text
-
Configure the macOS system to disable prompts to setup TouchID by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257248
- Rule Version
- APPL-13-005056
- Rule Title
- The macOS system must be configured to disable prompts to configure Unlock with Watch.
- Rule ID
- SV-257248r905377_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable prompts to setup Unlock with Watch with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipUnlockWithWatch"
SkipUnlockWithWatch = 1;
If "SkipUnlockWithWatch" is not set to "1", this is a finding.
- Check System
- C-60933r905375_chk
- Fix Reference
- F-60874r905376_fix
- Fix Text
-
Configure the macOS system to disable prompts to setup Unlock with Watch by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257250
- Rule Version
- APPL-13-005060
- Rule Title
- The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.
- Rule ID
- SV-257250r905383_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent password proximity sharing with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowPasswordProximityRequests"
allowPasswordProximityRequests = 0;
If "allowPasswordProximityRequests" is not set to "0", this is a finding.
- Check System
- C-60935r905381_chk
- Fix Reference
- F-60876r905382_fix
- Fix Text
-
Configure the macOS system to prevent Configure the macOS system to prevent password proximity sharing by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-257251
- Rule Version
- APPL-13-005061
- Rule Title
- The macOS system must be configured to prevent users from erasing all system content and settings.
- Rule ID
- SV-257251r905386_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent users from erasing all system content and settings with the following command:
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowEraseContentAndSettings"
allowEraseContentAndSettings = 0;
If "allowEraseContentAndSettings" is not set to "0", this is a finding.
- Check System
- C-60936r905384_chk
- Fix Reference
- F-60877r905385_fix
- Fix Text
-
Configure the macOS system to prevent users from erasing all system content and settings by installing the "Restrictions Policy" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000324-GPOS-00125
- Group ID
- V-257776
- Rule Version
- APPL-13-002069
- Rule Title
- The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
- Rule ID
- SV-257776r922883_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require authentication to access all system-level preference panes with the following commands:
/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | /usr/bin/grep -A1 shared
<key>shared</key>
<false/>
If the "shared" key is not set to "false", this is a finding.
- Check System
- C-61517r922881_chk
- Fix Reference
- F-61441r922882_fix
- Fix Text
-
Configure the macOS system to require authentication to access all system-level preference panes with the following actions:
Copy the authorization database to a file:
/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > ~/Desktop/authdb.txt
Edit the "shared" section of the file:
<key>shared</key>
<false/>
Reload the authorization database:
/usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < ~/Desktop/authdb.txt
- Identities
-
CCI-002235
Prevent non-privileged users from executing privileged functions.
- 800-53 Rev. 4 :: AC-6 (10)
- 800-53 Rev. 5 :: AC-6 (10)