ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-268420
- Rule Version
- APPL-15-000001
- Rule Title
- The macOS system must prevent Apple Watch from terminating a session lock.
- Rule ID
- SV-268420r1034200_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Apple Watches are not an approved authenticator and their use must be disabled.
Disabling Apple Watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
NOTE: Unlocking the system with an Apple Watch is not an approved authenticator for U.S. Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAutoUnlock').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72450r1034198_chk
- Fix Reference
- F-72351r1034199_fix
- Fix Text
-
Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-268421
- Rule Version
- APPL-15-000002
- Rule Title
- The macOS system must enforce screen saver password.
- Rule ID
- SV-268421r1034203_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Users must authenticate when unlocking the screen saver.
The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPassword').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72451r1034201_chk
- Fix Reference
- F-72352r1034202_fix
- Fix Text
-
Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "com.apple.screensaver" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-268422
- Rule Version
- APPL-15-000003
- Rule Title
- The macOS system must enforce session lock no more than five seconds after screen saver is started.
- Rule ID
- SV-268422r1034206_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of five seconds.
An unattended system with an excessive grace period is vulnerable to a malicious user.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPasswordDelay'))
if ( delay <= 5 ) {
return("true")
} else {
return("false")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72452r1034204_chk
- Fix Reference
- F-72353r1034205_fix
- Fix Text
-
Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "com.apple.screensaver" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000030-GPOS-00011
- Group ID
- V-268423
- Rule Version
- APPL-15-000005
- Rule Title
- The macOS system must configure user session lock when a smart token is removed.
- Rule ID
- SV-268423r1034209_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The screen lock must be configured to initiate automatically when the smart token is removed from the system.
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.
[IMPORTANT]
====
Information system security officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.
====
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('tokenRemovalAction').js
EOS
If the result is not "1", this is a finding.
- Check System
- C-72453r1034207_chk
- Fix Reference
- F-72354r1034208_fix
- Fix Text
-
Configure the macOS system to lock the user session when a smart token is removed by installing the "com.apple.security.smartcard" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
- Identities
-
CCI-000057
The information system initiates a session lock after the organization-defined time period of inactivity.
- 800-53 :: AC-11 a
- 800-53 Rev. 4 :: AC-11 a
- 800-53 Rev. 5 :: AC-11 a
- 800-53A :: AC-11.1 (ii)
- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-268424
- Rule Version
- APPL-15-000007
- Rule Title
- The macOS system must disable hot corners.
- Rule ID
- SV-268424r1034212_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Hot corners must be disabled.
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable hot corners with the following command:
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0'
If the result is not "4", this is a finding.
- Check System
- C-72454r1034210_chk
- Fix Reference
- F-72355r1034211_fix
- Fix Text
-
Configure the macOS system to disable hot corners by installing the "com.apple.ManagedClient.preferences" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1
- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-268425
- Rule Version
- APPL-15-000009
- Rule Title
- The macOS system must prevent AdminHostInfo from being available at LoginWindow.
- Rule ID
- SV-268425r1034215_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo, when configured, will allow the HostName, IP Address, and operating system version and build to be displayed.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent AdminHostInfo from being available at LoginWindow with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectIsForcedForKey('AdminHostInfo')
EOS
If the result is not "false", this is a finding.
- Check System
- C-72455r1034213_chk
- Fix Reference
- F-72356r1034214_fix
- Fix Text
-
Configure the macOS system to prevent AdminHostInfo from being available at LoginWindow by installing the "com.apple.loginwindow" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1
- Group Title
- SRG-OS-000002-GPOS-00002
- Group ID
- V-268426
- Rule Version
- APPL-15-000012
- Rule Title
- The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
- Rule ID
- SV-268426r1034218_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system can be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved.
Emergency administrator accounts are different from infrequently used accounts (i.e., local login accounts used by system administrators when network or normal login is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts must be set to 72 hours (or less) when the temporary or emergency account is created.
If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
If no temporary or emergency accounts are defined on the system, this is not applicable.
Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064
- Documentable
- False
- Check Content
-
Verify that a password policy is enforced by a directory service by asking the system administrator (SA) or information system security officer (ISSO).
If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
If no temporary or emergency accounts are defined on the system, this is not applicable.
To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username:
/usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2
If there is no output, and password policy is not controlled by a directory service, this is a finding.
Otherwise, look for the line "<key>policyCategoryAuthentication</key>".
In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section.
If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.
- Check System
- C-72456r1034216_chk
- Fix Reference
- F-72357r1034217_fix
- Fix Text
-
This setting may be enforced using local policy or by a directory service.
To set local policy to disable a temporary or emergency user, create a plain text file containing the following:
<dict>
<key>policyCategoryAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime < policyAttributeCreationTime+259299</string>
<key>policyIdentifier</key>
<string>Disable Tmp Accounts </string>
</dict>
</array>
</dict>
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".
/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
- Identities
-
CCI-000016
Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.
- 800-53 :: AC-2 (2)
- 800-53 Rev. 4 :: AC-2 (2)
- 800-53 Rev. 5 :: AC-2 (2)
- 800-53A :: AC-2 (2).1 (ii)
CCI-001682Automatically removes or disables emergency accounts after an organization-defined time period for each type of account.
- 800-53 :: AC-2 (2)
- 800-53 Rev. 4 :: AC-2 (2)
- 800-53 Rev. 5 :: AC-2 (2)
- 800-53A :: AC-2 (2).1 (ii)
- Group Title
- SRG-OS-000355-GPOS-00143
- Group ID
- V-268427
- Rule Version
- APPL-15-000014
- Rule Title
- The macOS system must enforce time synchronization.
- Rule ID
- SV-268427r1034221_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Time synchronization must be enforced on all networked systems.
This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000785-GPOS-00250
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce time synchronization with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\
.objectForKey('TMAutomaticTimeOnlyEnabled').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72457r1034219_chk
- Fix Reference
- F-72358r1034220_fix
- Fix Text
-
Configure the macOS system to enforce time synchronization by installing the "com.apple.timed" configuration profile.
- Identities
-
CCI-004922
Synchronize system clocks within and between systems or system components.
- 800-53 Rev. 5 :: SC-45
CCI-004923Compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.
- 800-53 Rev. 5 :: SC-45 (1) (a)
CCI-004926Synchronize the internal system clocks to the authoritative time source when the time difference is greater than organization-defined time period.
- 800-53 Rev. 5 :: SC-45 (1) (b)
- Group Title
- SRG-OS-000021-GPOS-00005
- Group ID
- V-268428
- Rule Version
- APPL-15-000022
- Rule Title
- The macOS system must limit consecutive failed login attempts to three.
- Rule ID
- SV-268428r1034224_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time.
This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to limit consecutive failed login attempts to three with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}'
If the result is not "yes", this is a finding.
- Check System
- C-72458r1034222_chk
- Fix Reference
- F-72359r1034223_fix
- Fix Text
-
Configure the macOS system to limit consecutive failed login attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.
- Identities
-
CCI-000044
Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
- 800-53 :: AC-7 a
- 800-53 Rev. 4 :: AC-7 a
- 800-53 Rev. 5 :: AC-7 a
- 800-53A :: AC-7.1 (ii)
CCI-002238Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
- 800-53 Rev. 4 :: AC-7 b
- 800-53 Rev. 5 :: AC-7 b
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-268429
- Rule Version
- APPL-15-000023
- Rule Title
- The macOS system must display a policy banner at remote login.
- Rule ID
- SV-268429r1034227_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Remote login service must be configured to display a policy banner at login.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.
Verify the operating system has the correct text listed in the "/etc/banner" file with the following command:
/usr/bin/more /etc/banner
The command must return the following text:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the operating system does not display a login banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
- Check System
- C-72459r1034225_chk
- Fix Reference
- F-72360r1034226_fix
- Fix Text
-
Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text.
Name the file "banner" and place it in "/etc/".
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
CCI-000050Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
- 800-53 :: AC-8 b
- 800-53 Rev. 4 :: AC-8 b
- 800-53 Rev. 5 :: AC-8 b
- 800-53A :: AC-8.1 (iii)
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-268431
- Rule Version
- APPL-15-000025
- Rule Title
- The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
- Rule ID
- SV-268431r1034233_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder.
The banner must be formatted in accordance with DTM-08-060.
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to display a policy banner with the following command:
/bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding.
The banner text of the document must read:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the text is not worded exactly this way, this is a finding.
- Check System
- C-72461r1034231_chk
- Fix Reference
- F-72362r1034232_fix
- Fix Text
-
Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/".
Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command:
/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
CCI-000050Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
- 800-53 :: AC-8 b
- 800-53 Rev. 4 :: AC-8 b
- 800-53 Rev. 5 :: AC-8 b
- 800-53A :: AC-8.1 (iii)
CCI-001384For publicly accessible systems, display system use information with organization-defined conditions before granting further access to the publicly accessible system.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 1
- 800-53 Rev. 5 :: AC-8 c 1
- 800-53A :: AC-8.2 (i)
CCI-001385For publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001386For publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001387For publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 2
- 800-53 Rev. 5 :: AC-8 c 2
- 800-53A :: AC-8.2 (ii)
CCI-001388For publicly accessible systems, includes a description of the authorized uses of the system.
- 800-53 :: AC-8 c
- 800-53 Rev. 4 :: AC-8 c 3
- 800-53 Rev. 5 :: AC-8 c 3
- 800-53A :: AC-8.2 (iii)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268432
- Rule Version
- APPL-15-000030
- Rule Title
- The macOS system must configure audit log files to not contain access control lists (ACLs).
- Rule ID
- SV-268432r1034236_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit log files must not contain ACLs.
This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured without ACLs applied to log files with the following command:
/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
If the result is not "0", this is a finding.
- Check System
- C-72462r1034234_chk
- Fix Reference
- F-72363r1034235_fix
- Fix Text
-
Configure the macOS system without ACLs applied to log files with the following command:
/bin/chmod -RN /var/audit
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268433
- Rule Version
- APPL-15-000031
- Rule Title
- The macOS system must configure the audit log folder to not contain access control lists (ACLs).
- Rule ID
- SV-268433r1034239_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit log folder must not contain ACLs.
Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators to prevent normal users from reading audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured without ACLs applied to log folders with the following command:
/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
If the result is not "0", this is a finding.
- Check System
- C-72463r1034237_chk
- Fix Reference
- F-72364r1034238_fix
- Fix Text
-
Configure the macOS system without ACLs applied to log folders with the following command:
/bin/chmod -N /var/audit
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268434
- Rule Version
- APPL-15-000033
- Rule Title
- The macOS system must disable FileVault automatic login.
- Rule ID
- SV-268434r1034242_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required.
The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing FileVault credentials.
NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon-based macOS systems that are smart card enforced, as smart cards are available at preboot.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable FileVault automatic login with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('DisableFDEAutoLogin').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72464r1034240_chk
- Fix Reference
- F-72365r1034241_fix
- Fix Text
-
Configure the macOS system to disable FileVault automatic login by installing the "com.apple.loginwindow" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268435
- Rule Version
- APPL-15-000051
- Rule Title
- The macOS system must configure SSHD ClientAliveInterval to 900.
- Rule ID
- SV-268435r1034245_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured with the Client Alive Interval set to 900.
This sets a timeout interval in seconds, after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.
This setting works in conjunction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached.
NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set the SSHD ClientAliveInterval to 900 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}'
If the result is not "900", this is a finding.
- Check System
- C-72465r1034243_chk
- Fix Reference
- F-72366r1034244_fix
- Fix Text
-
Configure the macOS system to set the SSHD ClientAliveInterval to 900 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'clientaliveinterval 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientaliveinterval 900" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268436
- Rule Version
- APPL-15-000052
- Rule Title
- The macOS system must configure SSHD ClientAliveCountMax to 1.
- Rule ID
- SV-268436r1034780_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1.
This will set the number of client alive messages that may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the SSH server will disconnect the client, terminating the session. The client alive messages are sent through the encrypted channel and therefore cannot be spoofed. The client alive mechanism is valuable when the client or server depends on knowing when a connection has become unresponsive.
NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set the SSHD ClientAliveCountMax to 1 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}'
If the result is not "1", this is a finding.
- Check System
- C-72466r1034246_chk
- Fix Reference
- F-72367r1034247_fix
- Fix Text
-
Configure the macOS system to set the SSHD ClientAliveCountMax to 1 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'clientalivecountmax 1' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientalivecountmax 1" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268437
- Rule Version
- APPL-15-000053
- Rule Title
- The macOS system must set login grace time to 30.
- Rule ID
- SV-268437r1034251_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured to wait only 30 seconds before timing out login attempts.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set Login Grace Time to 30 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}'
If the result is not "30", this is a finding.
- Check System
- C-72467r1034249_chk
- Fix Reference
- F-72368r1034250_fix
- Fix Text
-
Configure the macOS system to set Login Grace Time to 30 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-268438
- Rule Version
- APPL-15-000054
- Rule Title
- The macOS system must limit SSHD to FIPS-compliant connections.
- Rule ID
- SV-268438r1034254_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS-140 validated.
FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements.
Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.
NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to limit SSHD to FIPS-compliant connections with the following command:
fips_sshd_config=("Ciphers [email protected]" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]" "HostKeyAlgorithms [email protected],[email protected],ecdsa-sha2-nistp256,[email protected]" "KexAlgorithms ecdh-sha2-nistp256" "MACs [email protected],hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected],[email protected]" "CASignatureAlgorithms ecdsa-sha2-nistp256,[email protected]")
total=0
for config in $fips_sshd_config; do
total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
done
echo $total
If the result is not "7", this is a finding.
- Check System
- C-72468r1034252_chk
- Fix Reference
- F-72369r1034253_fix
- Fix Text
-
Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command:
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-001453Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002421Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
- 800-53 Rev. 4 :: SC-8 (1)
- 800-53 Rev. 5 :: SC-8 (1)
CCI-002450Implement organization-defined types of cryptography for each specified cryptography use.
- 800-53 Rev. 4 :: SC-13
- 800-53 Rev. 5 :: SC-13 b
CCI-002890Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
CCI-003123Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
- 800-53 Rev. 4 :: MA-4 (6)
- 800-53 Rev. 5 :: MA-4 (6)
- Group Title
- SRG-OS-000033-GPOS-00014
- Group ID
- V-268439
- Rule Version
- APPL-15-000057
- Rule Title
- The macOS system must limit SSH to FIPS-compliant connections.
- Rule ID
- SV-268439r1034803_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS-140 validated.
FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements.
Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.
NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to limit SSH to FIPS-compliant connections with the following command:
fips_ssh_config=("Ciphers [email protected]" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]" "HostKeyAlgorithms [email protected],[email protected],ecdsa-sha2-nistp256,[email protected]" "KexAlgorithms ecdh-sha2-nistp256" "MACs [email protected],hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected],[email protected]" "CASignatureAlgorithms ecdsa-sha2-nistp256,[email protected]")
total=0
ret="pass"
for config in $fips_ssh_config; do
if [[ "$ret" == "fail" ]]; then
break
fi
for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -ci "$config")
if [[ "$sshCheck" == "0" ]]; then
ret="fail"
break
fi
done
done
echo $ret
If the result is not "pass", this is a finding.
- Check System
- C-72469r1034801_chk
- Fix Reference
- F-72370r1034802_fix
- Fix Text
-
Configure the macOS system to limit SSH to FIPS-compliant connections with the following command:
if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/ssh_config.d/100-macos.conf 2>/dev/null; then
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
fi
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')
fips_ssh_config=("Ciphers [email protected]" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]" "HostKeyAlgorithms [email protected],[email protected],ecdsa-sha2-nistp256,[email protected]" "KexAlgorithms ecdh-sha2-nistp256" "MACs [email protected],hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected],[email protected]" "CASignatureAlgorithms ecdsa-sha2-nistp256,[email protected]")
for ssh_config in $fips_ssh_config; do
ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1)
/usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf"
for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
configarray=( ${(f)configfiles} )
if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then
for c in $configarray; do
if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
continue
fi
/usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c"
if [[ "$c" =~ ".ssh/config" ]]; then
if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then
old_file=$(cat ~$u/.ssh/config)
echo "$ssh_config" > ~$u/.ssh/config
echo "$old_file" >> ~$u/.ssh/config
fi
fi
done
fi
done
done
- Identities
-
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-000803Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- 800-53 :: IA-7
- 800-53 Rev. 4 :: IA-7
- 800-53 Rev. 5 :: IA-7
- 800-53A :: IA-7.1
CCI-001453Implement cryptographic mechanisms to protect the integrity of remote access sessions.
- 800-53 :: AC-17 (2)
- 800-53 Rev. 4 :: AC-17 (2)
- 800-53 Rev. 5 :: AC-17 (2)
- 800-53A :: AC-17 (2).1
CCI-002421Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
- 800-53 Rev. 4 :: SC-8 (1)
- 800-53 Rev. 5 :: SC-8 (1)
CCI-002450Implement organization-defined types of cryptography for each specified cryptography use.
- 800-53 Rev. 4 :: SC-13
- 800-53 Rev. 5 :: SC-13 b
- Group Title
- SRG-OS-000021-GPOS-00005
- Group ID
- V-268440
- Rule Version
- APPL-15-000060
- Rule Title
- The macOS system must set account lockout time to 15 minutes.
- Rule ID
- SV-268440r1034260_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed login attempts is reached.
This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set account lockout time to 15 minutes with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}'
If the result is not "yes", this is a finding.
- Check System
- C-72470r1034258_chk
- Fix Reference
- F-72371r1034259_fix
- Fix Text
-
Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.
- Identities
-
CCI-000044
Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
- 800-53 :: AC-7 a
- 800-53 Rev. 4 :: AC-7 a
- 800-53 Rev. 5 :: AC-7 a
- 800-53A :: AC-7.1 (ii)
CCI-002238Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
- 800-53 Rev. 4 :: AC-7 b
- 800-53 Rev. 5 :: AC-7 b
- Group Title
- SRG-OS-000029-GPOS-00010
- Group ID
- V-268441
- Rule Version
- APPL-15-000070
- Rule Title
- The macOS system must enforce screen saver timeout.
- Rule ID
- SV-268441r1034263_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The screen saver timeout must be set to 900 seconds or a shorter length of time.
This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to initiate the screen saver timeout after 15 minutes of inactivity with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('idleTime'))
if ( timeout <= 900 ) {
return("true")
} else {
return("false")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72471r1034261_chk
- Fix Reference
- F-72372r1034262_fix
- Fix Text
-
Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "com.apple.screensaver" configuration profile.
- Identities
-
CCI-000057
The information system initiates a session lock after the organization-defined time period of inactivity.
- 800-53 :: AC-11 a
- 800-53 Rev. 4 :: AC-11 a
- 800-53 Rev. 5 :: AC-11 a
- 800-53A :: AC-11.1 (ii)
- Group Title
- SRG-OS-000104-GPOS-00051
- Group ID
- V-268442
- Rule Version
- APPL-15-000090
- Rule Title
- The macOS system must disable login to other users' active and locked sessions.
- Rule ID
- SV-268442r1034266_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The ability to log in to another user's active or locked session must be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active users' sessions. Disabling the administrator's and/or user's ability to log in to another user's active and locked session prevents unauthorized people from viewing potentially sensitive and/or personal information.
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screen saver. To restore the user experience and allow TouchID to unlock the screen saver, run "/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1". This setting can also be deployed with a configuration profile.
Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable login to other users' active and locked sessions with the following command:
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'
If the result is not "1", this is a finding.
- Check System
- C-72472r1034264_chk
- Fix Reference
- F-72373r1034265_fix
- Fix Text
-
Configure the macOS system to disable login to other users' active and locked sessions with the following command:
/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
- Identities
-
CCI-000764
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
- 800-53 :: IA-2
- 800-53 Rev. 4 :: IA-2
- 800-53 Rev. 5 :: IA-2
- 800-53A :: IA-2.1
CCI-004045Require users to be individually authenticated before granting access to the shared accounts or resources.
- 800-53 Rev. 5 :: IA-2 (5)
- Group Title
- SRG-OS-000104-GPOS-00051
- Group ID
- V-268443
- Rule Version
- APPL-15-000100
- Rule Title
- The macOS system must disable root login.
- Rule ID
- SV-268443r1034269_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
To assure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.
The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.
Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056, SRG-OS-000364-GPOS-00151
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable root login with the following command:
/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"
If the result is not "1", this is a finding.
- Check System
- C-72473r1034267_chk
- Fix Reference
- F-72374r1034268_fix
- Fix Text
-
Configure the macOS system to disable root login with the following command:
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
- Identities
-
CCI-000764
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
- 800-53 :: IA-2
- 800-53 Rev. 4 :: IA-2
- 800-53 Rev. 5 :: IA-2
- 800-53A :: IA-2.1
CCI-001813Enforce access restrictions using organization-defined mechanisms.
- 800-53 Rev. 4 :: CM-5 (1)
- 800-53 Rev. 5 :: CM-5 (1) (a)
CCI-004045Require users to be individually authenticated before granting access to the shared accounts or resources.
- 800-53 Rev. 5 :: IA-2 (5)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268444
- Rule Version
- APPL-15-000110
- Rule Title
- The macOS system must configure the SSH ServerAliveInterval to 900.
- Rule ID
- SV-268444r1034800_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH must be configured with an Active Server Alive Maximum Count set to 900.
Setting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set the SSH ServerAliveInterval to 900 with the following command:
ret="pass"
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900")
if [[ "$sshCheck" == "0" ]]; then
ret="fail"
break
fi
done
/bin/echo $ret
If the result is not "pass", this is a finding.
- Check System
- C-72474r1034270_chk
- Fix Reference
- F-72375r1034799_fix
- Fix Text
-
Configure the macOS system to set the SSH ServerAliveInterval to 900 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')
ssh_config_string=("ServerAliveInterval 900")
for ssh_config in $ssh_config_string; do
ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1)
/usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf"
for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
configarray=( ${(f)configfiles} )
if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then
for c in $configarray; do
if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
continue
fi
/usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c"
if [[ "$c" =~ ".ssh/config" ]]; then
if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then
old_file=$(cat ~$u/.ssh/config)
echo "$ssh_config" > ~$u/.ssh/config
echo "$old_file" >> ~$u/.ssh/config
fi
fi
done
fi
done
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268445
- Rule Version
- APPL-15-000120
- Rule Title
- The macOS system must configure SSHD channel timeout to 900.
- Rule ID
- SV-268445r1034275_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured with session ChannelTimeout set to 900.
This will set the timeout when the session is inactive.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set the SSHD Channel Timeout to 900 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}'
If the result is not "900", this is a finding.
- Check System
- C-72475r1034273_chk
- Fix Reference
- F-72376r1034274_fix
- Fix Text
-
Configure the macOS system to set the SSHD ChannelTimeout to 900 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'channeltimeout session:*=900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=900" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
CCI-002361Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
- 800-53 Rev. 4 :: AC-12
- 800-53 Rev. 5 :: AC-12
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268446
- Rule Version
- APPL-15-000130
- Rule Title
- The macOS system must configure SSHD unused connection timeout to 900.
- Rule ID
- SV-268446r1034278_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSHD is enabled, it must be configured with unused connection timeout set to 900.
This will set the timeout when there are no open channels within a session.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set the SSHD unused connection timeout to 900 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}'
If the result is not "900", this is a finding.
- Check System
- C-72476r1034276_chk
- Fix Reference
- F-72377r1034277_fix
- Fix Text
-
Configure the macOS system to set the SSHD unused connection timeout to 900 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'unusedconnectiontimeout 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectiontimeout 900" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
CCI-002361Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
- 800-53 Rev. 4 :: AC-12
- 800-53 Rev. 5 :: AC-12
- Group Title
- SRG-OS-000163-GPOS-00072
- Group ID
- V-268447
- Rule Version
- APPL-15-000140
- Rule Title
- The macOS system must set SSH Active Server Alive Maximum to 0.
- Rule ID
- SV-268447r1034805_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set SSH Active Server Alive Maximum to 0 with the following command:
ret="pass"
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0")
if [[ "$sshCheck" == "0" ]]; then
ret="fail"
break
fi
done
/bin/echo $ret
If the result is not "pass", this is a finding.
- Check System
- C-72477r1034279_chk
- Fix Reference
- F-72378r1034804_fix
- Fix Text
-
Configure the macOS system to set SSH Active Server Alive Maximum to 0 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')
ssh_config=("ServerAliveCountMax 0")
ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1)
/usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf"
for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
configarray=( ${(f)configfiles} )
if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then
for c in $configarray; do
if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
continue
fi
/usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c"
if [[ "$c" =~ ".ssh/config" ]]; then
if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then
old_file=$(cat ~$u/.ssh/config)
echo "$ssh_config" > ~$u/.ssh/config
echo "$old_file" >> ~$u/.ssh/config
fi
fi
done
fi
done
- Identities
-
CCI-001133
Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
- 800-53 :: SC-10
- 800-53 Rev. 4 :: SC-10
- 800-53 Rev. 5 :: SC-10
- 800-53A :: SC-10.1 (ii)
- Group Title
- SRG-OS-000279-GPOS-00109
- Group ID
- V-268448
- Rule Version
- APPL-15-000160
- Rule Title
- The macOS system must enforce auto logout after 86400 seconds of inactivity.
- Rule ID
- SV-268448r1034284_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Auto logout must be configured to automatically terminate a user session and log out after 86400 seconds of inactivity.
NOTE: The maximum that macOS can be configured for autologoff is 86400 seconds.
[IMPORTANT]
====
The automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information system security officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the automatic logout setting.
====
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce auto logout after 86400 seconds of inactivity with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
.objectForKey('com.apple.autologout.AutoLogOutDelay').js
EOS
If the result is not "86400", this is a finding.
- Check System
- C-72478r1034282_chk
- Fix Reference
- F-72379r1034283_fix
- Fix Text
-
Configure the macOS system to enforce auto logout after 86400 seconds of inactivity by installing the "com.apple.GlobalPreferences" configuration profile.
- Identities
-
CCI-002361
Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
- 800-53 Rev. 4 :: AC-12
- 800-53 Rev. 5 :: AC-12
- Group Title
- SRG-OS-000355-GPOS-00143
- Group ID
- V-268449
- Rule Version
- APPL-15-000170
- Rule Title
- The macOS system must be configured to use an authorized time server.
- Rule ID
- SV-268449r1034287_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported.
This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to use an authorized time server with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('timeServer').js
EOS
If the result is not an authoritative time server that is synchronized with redundant USNO time servers as designated for the appropriate DOD network, this is a finding.
- Check System
- C-72479r1034285_chk
- Fix Reference
- F-72380r1034286_fix
- Fix Text
-
Configure the macOS system to use an authorized time server by installing the "com.apple.MCX" configuration profile.
- Identities
-
CCI-004923
Compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.
- 800-53 Rev. 5 :: SC-45 (1) (a)
CCI-004926Synchronize the internal system clocks to the authoritative time source when the time difference is greater than organization-defined time period.
- 800-53 Rev. 5 :: SC-45 (1) (b)
- Group Title
- SRG-OS-000355-GPOS-00143
- Group ID
- V-268450
- Rule Version
- APPL-15-000180
- Rule Title
- The macOS system must enable the time synchronization daemon.
- Rule ID
- SV-268450r1034290_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server.
NOTE: The time synchronization daemon is enabled by default on macOS.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000785-GPOS-00250
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable the time synchronization daemon with the following command:
/bin/launchctl list | /usr/bin/grep -c com.apple.timed
If the result is not "1", this is a finding.
- Check System
- C-72480r1034288_chk
- Fix Reference
- F-72381r1034289_fix
- Fix Text
-
Configure the macOS system to enable the time synchronization daemon with the following command:
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist
NOTE: The service "timed" cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.
- Identities
-
CCI-004922
Synchronize system clocks within and between systems or system components.
- 800-53 Rev. 5 :: SC-45
CCI-004923Compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.
- 800-53 Rev. 5 :: SC-45 (1) (a)
CCI-004926Synchronize the internal system clocks to the authoritative time source when the time difference is greater than organization-defined time period.
- 800-53 Rev. 5 :: SC-45 (1) (b)
- Group Title
- SRG-OS-000064-GPOS-00033
- Group ID
- V-268451
- Rule Version
- APPL-15-000190
- Rule Title
- The macOS system must configure sudo to log events.
- Rule ID
- SV-268451r1034293_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Sudo must be configured to log privilege escalation.
Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to log privilege escalation with the following command:
/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"
If the result is not "1", this is a finding.
- Check System
- C-72481r1034291_chk
- Fix Reference
- F-72382r1034292_fix
- Fix Text
-
Configure the macOS system to log privilege escalation with the following command:
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp
- Identities
-
CCI-000172
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
- Group Title
- SRG-OS-000004-GPOS-00004
- Group ID
- V-268452
- Rule Version
- APPL-15-001001
- Rule Title
- The macOS system must be configured to audit all administrative action events.
- Rule ID
- SV-268452r1034296_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The auditing system must be configured to flag administrative action (ad) events.
Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
The information system audits the execution of privileged functions.
NOTE: Changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event is recommended. This will prevent sandbox violations from being audited by the ad flag.
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit privileged access with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad'
If "ad" is not listed in the output, this is a finding.
- Check System
- C-72482r1034294_chk
- Fix Reference
- F-72383r1034295_fix
- Fix Text
-
Configure the macOS system to audit privileged access with the following command:
/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000018
Automatically audit account creation actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001403Automatically audit account modification actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001404Automatically audit account disabling actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001405Automatically audit account removal actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-002130Automatically audit account enabling actions.
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
CCI-002234Log the execution of privileged functions.
- 800-53 Rev. 4 :: AC-6 (9)
- 800-53 Rev. 5 :: AC-6 (9)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000032-GPOS-00013
- Group ID
- V-268453
- Rule Version
- APPL-15-001002
- Rule Title
- The macOS system must be configured to audit all login and logout events.
- Rule ID
- SV-268453r1034299_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record all attempts to log in and out of the system (lo).
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or service account. The attacker must attempt to change to another user account with normal or elevated privileges to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk.
The information system monitors login and logout events.
Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all login and logout events with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo'
If the result is not "1", this is a finding.
- Check System
- C-72483r1034297_chk
- Fix Reference
- F-72384r1034298_fix
- Fix Text
-
Configure the macOS system to audit all login and logout events with the following command:
/usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000067
Employ automated mechanisms to monitor remote access methods.
- 800-53 :: AC-17 (1)
- 800-53 Rev. 4 :: AC-17 (1)
- 800-53 Rev. 5 :: AC-17 (1)
- 800-53A :: AC-17 (1).1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
- Group Title
- SRG-OS-000037-GPOS-00015
- Group ID
- V-268454
- Rule Version
- APPL-15-001003
- Rule Title
- The macOS system must enable security auditing.
- Rule ID
- SV-268454r1034302_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The information system must be configured to generate audit records.
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
The information system initiates session audits at system startup.
NOTE: Security auditing is NOT enabled by default on macOS Sequoia.
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222, SRG-OS-000755-GPOS-00220
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable the auditd service with the following command:
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
else
echo "fail"
fi
If the result is not "pass", this is a finding.
- Check System
- C-72484r1034300_chk
- Fix Reference
- F-72385r1034301_fix
- Fix Text
-
Configure the macOS system to enable the auditd service with the following command:
if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then
/bin/cp /etc/security/audit_control.example /etc/security/audit_control
fi
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/sbin/audit -i
- Identities
-
CCI-000130
Ensure that audit records containing information that establishes what type of event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 a
- 800-53A :: AU-3.1
CCI-000131Ensure that audit records containing information that establishes when the event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 b
- 800-53A :: AU-3.1
CCI-000132Ensure that audit records containing information that establishes where the event occurred.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 c
- 800-53A :: AU-3.1
CCI-000133Ensure that audit records containing information that establishes the source of the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 d
- 800-53A :: AU-3.1
CCI-000134Ensure that audit records containing information that establishes the outcome of the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 e
- 800-53A :: AU-3.1
CCI-000135Generate audit records containing the organization-defined additional information that is to be included in the audit records.
- 800-53 :: AU-3 (1)
- 800-53 Rev. 4 :: AU-3 (1)
- 800-53 Rev. 5 :: AU-3 (1)
- 800-53A :: AU-3 (1).1 (ii)
CCI-000159Use internal system clocks to generate time stamps for audit records.
- 800-53 :: AU-8
- 800-53 Rev. 4 :: AU-8 a
- 800-53 Rev. 5 :: AU-8 a
- 800-53A :: AU-8.1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001464Initiates session audits automatically at system start-up.
- 800-53 :: AU-14 (1)
- 800-53 Rev. 4 :: AU-14 (1)
- 800-53 Rev. 5 :: AU-14 (1)
- 800-53A :: AU-14 (1).1
CCI-001487Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
- 800-53 :: AU-3
- 800-53 Rev. 4 :: AU-3
- 800-53 Rev. 5 :: AU-3 f
- 800-53A :: AU-3.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001889Record time stamps for audit records that meet organization-defined granularity of time measurement.
- 800-53 Rev. 4 :: AU-8 b
- 800-53 Rev. 5 :: AU-8 b
CCI-001890Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
- 800-53 Rev. 4 :: AU-8 b
- 800-53 Rev. 5 :: AU-8 b
CCI-001914Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.
- 800-53 Rev. 4 :: AU-12 (3)
- 800-53 Rev. 5 :: AU-12 (3)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
CCI-004188Monitor the use of maintenance tools that execute with increased privilege.
- 800-53 Rev. 5 :: MA-3 (5)
- Group Title
- SRG-OS-000047-GPOS-00023
- Group ID
- V-268455
- Rule Version
- APPL-15-001010
- Rule Title
- The macOS system must be configured to shut down upon audit failure.
- Rule ID
- SV-268455r1034305_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to shut down upon audit failure with the following command:
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
If the result is not "1", this is a finding.
- Check System
- C-72485r1034303_chk
- Fix Reference
- F-72386r1034304_fix
- Fix Text
-
Configure the macOS system to shut down upon audit failure with the following command:
/usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-000140
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
- 800-53 :: AU-5 b
- 800-53 Rev. 4 :: AU-5 b
- 800-53 Rev. 5 :: AU-5 b
- 800-53A :: AU-5.1 (iv)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268456
- Rule Version
- APPL-15-001012
- Rule Title
- The macOS system must configure audit log files to be owned by root.
- Rule ID
- SV-268456r1034308_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Audit log files must be owned by root.
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files owned by root with the following command:
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
If the result is not "0", this is a finding.
- Check System
- C-72486r1034306_chk
- Fix Reference
- F-72387r1034307_fix
- Fix Text
-
Configure the macOS system with audit log files owned by root with the following command:
/usr/sbin/chown -R root /var/audit/*
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268457
- Rule Version
- APPL-15-001013
- Rule Title
- The macOS system must configure audit log folders to be owned by root.
- Rule ID
- SV-268457r1034311_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Audit log folders must be owned by root.
The audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by system administrators, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders owned by root with the following command:
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'
If the result is not "0", this is a finding.
- Check System
- C-72487r1034309_chk
- Fix Reference
- F-72388r1034310_fix
- Fix Text
-
Configure the macOS system with audit log folders owned by root with the following command:
/usr/sbin/chown root /var/audit
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268458
- Rule Version
- APPL-15-001014
- Rule Title
- The macOS system must configure the audit log files group to wheel.
- Rule ID
- SV-268458r1034314_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files group-owned by wheel with the following command:
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'
If the result is not "0", this is a finding.
- Check System
- C-72488r1034312_chk
- Fix Reference
- F-72389r1034313_fix
- Fix Text
-
Configure the macOS system with audit log files group-owned by wheel with the following command:
/usr/bin/chgrp -R wheel /var/audit/*
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268459
- Rule Version
- APPL-15-001015
- Rule Title
- The macOS system must configure the audit log folders group to wheel.
- Rule ID
- SV-268459r1034317_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders group-owned by wheel with the following command:
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'
If the result is not "0", this is a finding.
- Check System
- C-72489r1034315_chk
- Fix Reference
- F-72390r1034316_fix
- Fix Text
-
Configure the macOS system with audit log folders group-owned by wheel with the following command:
/usr/bin/chgrp wheel /var/audit
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268460
- Rule Version
- APPL-15-001016
- Rule Title
- The macOS system must configure audit log files to mode 440 or less permissive.
- Rule ID
- SV-268460r1034320_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive to prevent normal users from reading, modifying, or deleting audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log files set to mode 440 or less with the following command:
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the result is not "0", this is a finding.
- Check System
- C-72490r1034318_chk
- Fix Reference
- F-72391r1034319_fix
- Fix Text
-
Configure the macOS system with audit log files set to mode 440 with the following command:
/bin/chmod 440 /var/audit/*
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268461
- Rule Version
- APPL-15-001017
- Rule Title
- The macOS system must configure audit log folders to mode 700 or less permissive.
- Rule ID
- SV-268461r1034323_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
Because audit logs contain sensitive data about the system and users, the audit service must be configured to mode 700 or less permissive to prevent normal users from reading, modifying or deleting audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with audit log folders set to mode 700 or less permissive with the following command:
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
If the result is not a mode of 700 or less permissive, this is a finding.
- Check System
- C-72491r1034321_chk
- Fix Reference
- F-72392r1034322_fix
- Fix Text
-
Configure the macOS system with audit log folders set to mode 700 with the following command:
/bin/chmod 700 /var/audit
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268462
- Rule Version
- APPL-15-001020
- Rule Title
- The macOS system must be configured to audit all deletions of object attributes.
- Rule ID
- SV-268462r1034326_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all deletions of object attributes with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd'
If the result is not "1", this is a finding.
- Check System
- C-72492r1034324_chk
- Fix Reference
- F-72393r1034325_fix
- Fix Text
-
Configure the macOS system to audit all deletions of object attributes with the following command:
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268463
- Rule Version
- APPL-15-001021
- Rule Title
- The macOS system must be configured to audit all changes of object attributes.
- Rule ID
- SV-268463r1034329_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions attempt to modify a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all changes of object attributes with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm'
If the result is not "1", this is a finding.
- Check System
- C-72493r1034327_chk
- Fix Reference
- F-72394r1034328_fix
- Fix Text
-
Configure the macOS system to audit all changes of object attributes with the following command:
/usr/bin/grep -qE "^flags.*fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268464
- Rule Version
- APPL-15-001022
- Rule Title
- The macOS system must be configured to audit all failed read actions on the system.
- Rule ID
- SV-268464r1034332_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all failed read actions on the system with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr'
If the result is not "1", this is a finding.
- Check System
- C-72494r1034330_chk
- Fix Reference
- F-72395r1034331_fix
- Fix Text
-
Configure the macOS system to audit all failed read actions on the system with the following command:
/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268465
- Rule Version
- APPL-15-001023
- Rule Title
- The macOS system must be configured to audit all failed write actions on the system.
- Rule ID
- SV-268465r1034335_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all failed write actions on the system with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw'
If the result is not "1", this is a finding.
- Check System
- C-72495r1034333_chk
- Fix Reference
- F-72396r1034334_fix
- Fix Text
-
Configure the macOS system to audit all failed write actions on the system with the following command:
/usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000341-GPOS-00132
- Group ID
- V-268467
- Rule Version
- APPL-15-001029
- Rule Title
- The macOS system must configure audit retention to seven days.
- Rule ID
- SV-268467r1034341_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility.
When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set audit retention to seven days with the following command:
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
If the result is not "7d", this is a finding.
- Check System
- C-72497r1034339_chk
- Fix Reference
- F-72398r1034340_fix
- Fix Text
-
Configure the macOS system to set audit retention to seven days with the following command:
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
- 800-53 Rev. 4 :: AU-4
- 800-53 Rev. 5 :: AU-4
- Group Title
- SRG-OS-000046-GPOS-00022
- Group ID
- V-268468
- Rule Version
- APPL-15-001030
- Rule Title
- The macOS system must configure audit capacity warning.
- Rule ID
- SV-268468r1034344_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization-defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command:
/usr/bin/awk -F: '/^minfree/{print $2}' /etc/security/audit_control
If the result is not "25", this is a finding.
- Check System
- C-72498r1034342_chk
- Fix Reference
- F-72399r1034343_fix
- Fix Text
-
Configure the macOS system to require a minimum of 25 percent free disk space for audit record storage with the following command:
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-000139
Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.
- 800-53 :: AU-5 a
- 800-53 Rev. 4 :: AU-5 a
- 800-53 Rev. 5 :: AU-5 a
- 800-53A :: AU-5.1 (ii)
CCI-001855Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity.
- 800-53 Rev. 4 :: AU-5 (1)
- 800-53 Rev. 5 :: AU-5 (1)
- Group Title
- SRG-OS-000047-GPOS-00023
- Group ID
- V-268469
- Rule Version
- APPL-15-001031
- Rule Title
- The macOS system must configure audit failure notification.
- Rule ID
- SV-268469r1034347_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.
It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected.
Satisfies: SRG-OS-000047-GPOS-00023, SRG-OS-000344-GPOS-00135
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to produce audit failure notification with the following command:
/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn
If the result is not "1", this is a finding.
- Check System
- C-72499r1034345_chk
- Fix Reference
- F-72400r1034346_fix
- Fix Text
-
Configure the macOS system to produce audit failure notification with the following command:
/usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s
- Identities
-
CCI-000140
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
- 800-53 :: AU-5 b
- 800-53 Rev. 4 :: AU-5 b
- 800-53 Rev. 5 :: AU-5 b
- 800-53A :: AU-5.1 (iv)
CCI-001858Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
- 800-53 Rev. 4 :: AU-5 (2)
- 800-53 Rev. 5 :: AU-5 (2)
- Group Title
- SRG-OS-000365-GPOS-00152
- Group ID
- V-268470
- Rule Version
- APPL-15-001044
- Rule Title
- The macOS system must be configured to audit all authorization and authentication events.
- Rule ID
- SV-268470r1034350_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The auditing system must be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
Satisfies: SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000475-GPOS-00220, SRG-OS-000477-GPOS-00222
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit login events with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
If the result is not "1", this is a finding.
- Check System
- C-72500r1034348_chk
- Fix Reference
- F-72401r1034349_fix
- Fix Text
-
Configure the macOS system to audit login events with the following command:
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-000172
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000066-GPOS-00034
- Group ID
- V-268471
- Rule Version
- APPL-15-001060
- Rule Title
- The macOS system must set smart card certificate trust to moderate.
- Rule ID
- SV-268471r1034353_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
To prevent the use of untrusted certificates, the certificates on a smart card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking.
By setting the smart card certificate trust level to moderate, the system will execute a soft revocation, i.e., if the OCSP/CRL server is unreachable, authentication will still succeed.
NOTE: Before applying this setting, refer to the smart card supplemental guidance.
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to check the revocation status of user certificates with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('checkCertificateTrust').js
EOS
If the result is not "2", this is a finding.
- Check System
- C-72501r1034351_chk
- Fix Reference
- F-72402r1034352_fix
- Fix Text
-
Configure the macOS system to check the revocation status of user certificates by installing the "com.apple.security.smartcard" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
- Identities
-
CCI-000185
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (a)
- 800-53 Rev. 5 :: IA-5 (2) (b) (1)
- 800-53A :: IA-5 (2).1
CCI-001954Electronically verifies Personal Identity Verification-compliant credentials.
- 800-53 Rev. 4 :: IA-2 (12)
- 800-53 Rev. 5 :: IA-2 (12)
CCI-002470Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
- 800-53 Rev. 4 :: SC-23 (5)
- 800-53 Rev. 5 :: SC-23 (5)
CCI-004068For public key-based authentication, implement a local cache of revocation data to support path discovery and validation.
- 800-53 Rev. 5 :: IA-5 (2) (b) (2)
- Group Title
- SRG-OS-000109-GPOS-00056
- Group ID
- V-268472
- Rule Version
- APPL-15-001100
- Rule Title
- The macOS system must disable root login for SSH.
- Rule ID
- SV-268472r1034356_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled.
The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000109-GPOS-00056, SRG-OS-000364-GPOS-00151
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable root login for SSH with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}'
If the result is not "no", this is a finding.
- Check System
- C-72502r1034354_chk
- Fix Reference
- F-72403r1034355_fix
- Fix Text
-
Configure the macOS system to disable root login for SSH with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'permitrootlogin no' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-001813
Enforce access restrictions using organization-defined mechanisms.
- 800-53 Rev. 4 :: CM-5 (1)
- 800-53 Rev. 5 :: CM-5 (1) (a)
CCI-004045Require users to be individually authenticated before granting access to the shared accounts or resources.
- 800-53 Rev. 5 :: IA-2 (5)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268473
- Rule Version
- APPL-15-001110
- Rule Title
- The macOS system must configure audit_control group to wheel.
- Rule ID
- SV-268473r1034359_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
/etc/security/audit_control must have the group set to wheel.
The audit service must be configured with the correct group ownership to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with the audit_control group to wheel with the following command:
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'
If the result is not "0", this is a finding.
- Check System
- C-72503r1034357_chk
- Fix Reference
- F-72404r1034358_fix
- Fix Text
-
Configure the macOS system with the audit_control group to wheel with the following command:
/usr/bin/chgrp wheel /etc/security/audit_control
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000171Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.
- 800-53 :: AU-12 b
- 800-53 Rev. 4 :: AU-12 b
- 800-53 Rev. 5 :: AU-12 b
- 800-53A :: AU-12.1 (iii)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268474
- Rule Version
- APPL-15-001120
- Rule Title
- The macOS system must configure audit_control owner to root.
- Rule ID
- SV-268474r1034362_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
/etc/security/audit_control must have the owner set to root.
The audit service must be configured with the correct ownership to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with the audit_control owner to root with the following command:
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'
If the result is not "0", this is a finding.
- Check System
- C-72504r1034360_chk
- Fix Reference
- F-72405r1034361_fix
- Fix Text
-
Configure the macOS system with the audit_control owner to root with the following command:
/usr/sbin/chown root /etc/security/audit_control
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000171Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.
- 800-53 :: AU-12 b
- 800-53 Rev. 4 :: AU-12 b
- 800-53 Rev. 5 :: AU-12 b
- 800-53A :: AU-12.1 (iii)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-268475
- Rule Version
- APPL-15-001130
- Rule Title
- The macOS system must configure audit_control owner to mode 440 or less permissive.
- Rule ID
- SV-268475r1034365_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
/etc/security/audit_control must be configured so that it is readable only by the root user and group wheel.
The audit service must be configured with the correct mode to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with the audit_control to mode 440 or less with the following command:
/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs
If the result is not "0", this is a finding.
- Check System
- C-72505r1034363_chk
- Fix Reference
- F-72406r1034364_fix
- Fix Text
-
Configure the macOS system with the audit_control to mode 440 with the following command:
/bin/chmod 440 /etc/security/audit_control
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000171Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.
- 800-53 :: AU-12 b
- 800-53 Rev. 4 :: AU-12 b
- 800-53 Rev. 5 :: AU-12 b
- 800-53A :: AU-12.1 (iii)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000067-GPOS-00035
- Group ID
- V-268477
- Rule Version
- APPL-15-001150
- Rule Title
- The macOS system must disable password authentication for SSH.
- Rule ID
- SV-268477r1034371_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
If remote login through SSH is enabled, password-based authentication must be disabled for user login.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000067-GPOS-00035, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000125-GPOS-00065, SRG-OS-000375-GPOS-00160
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable password authentication for SSH with the following command:
/usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)'
If the result is not "2", this is a finding.
- Check System
- C-72507r1034369_chk
- Fix Reference
- F-72408r1034370_fix
- Fix Text
-
Configure the macOS system to disable password authentication for SSH with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
echo "passwordauthentication no" >> "${include_dir}01-mscp-sshd.conf"
echo "kbdinteractiveauthentication no" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-000186
For public key-based authentication, enforce authorized access to the corresponding private key.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (b)
- 800-53 Rev. 5 :: IA-5 (2) (a) (1)
- 800-53A :: IA-5 (2).1
CCI-000765Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-000877Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
- 800-53 :: MA-4 c
- 800-53 Rev. 4 :: MA-4 c
- 800-53 Rev. 5 :: MA-4 c
- 800-53A :: MA-4.1 (iv)
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-004046Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
- 800-53 Rev. 5 :: IA-2 (6) (a)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268478
- Rule Version
- APPL-15-002001
- Rule Title
- The macOS system must disable Server Message Block (SMB) sharing.
- Rule ID
- SV-268478r1034374_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Support for SMB file sharing is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable SMB sharing with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72508r1034372_chk
- Fix Reference
- F-72409r1034373_fix
- Fix Text
-
Configure the macOS system to disable SMB sharing with the following command:
/bin/launchctl disable system/com.apple.smbd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268479
- Rule Version
- APPL-15-002003
- Rule Title
- The macOS system must disable Network File System (NFS) service.
- Rule ID
- SV-268479r1034377_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Support for NFS services is nonessential and, therefore, must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable NFS service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72509r1034375_chk
- Fix Reference
- F-72410r1034376_fix
- Fix Text
-
Configure the macOS system to disable NFS service with the following command:
/bin/launchctl disable system/com.apple.nfsd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268480
- Rule Version
- APPL-15-002004
- Rule Title
- The macOS system must disable Location Services.
- Rule ID
- SV-268480r1034380_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Location Services must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent unauthorized connection of devices, transfer of information, and tunneling.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Location Services with the following command:
/usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\
.objectForKey('LocationServicesEnabled').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72510r1034378_chk
- Fix Reference
- F-72411r1034379_fix
- Fix Text
-
Configure the macOS system to disable Location Services with the following command:
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false;
pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
kill -9 $pid
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268481
- Rule Version
- APPL-15-002005
- Rule Title
- The macOS system must disable Bonjour multicast.
- Rule ID
- SV-268481r1034383_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Bonjour multicast with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\
.objectForKey('NoMulticastAdvertisements').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72511r1034381_chk
- Fix Reference
- F-72412r1034382_fix
- Fix Text
-
Configure the macOS system to disable Bonjour multicast by installing the "com.apple.mDNSResponder" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268482
- Rule Version
- APPL-15-002006
- Rule Title
- The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
- Rule ID
- SV-268482r1034386_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must not have the UUCP service active.
UUCP, a set of programs that enables sending files between different Unix systems and sending commands to be executed on another system, is not essential and must be disabled to prevent unauthorized connection of devices, transfer of information, and tunneling.
NOTE: UUCP service is disabled at startup by default with macOS.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable UUCP service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72512r1034384_chk
- Fix Reference
- F-72413r1034385_fix
- Fix Text
-
Configure the macOS system to disable UUCP service with the following command:
/bin/launchctl disable system/com.apple.uucp
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268483
- Rule Version
- APPL-15-002007
- Rule Title
- The macOS system must disable Internet Sharing.
- Rule ID
- SV-268483r1034389_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If the system does not require Internet Sharing, support for it is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Internet Sharing helps prevent unauthorized connection of devices, transfer of information, and tunneling.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Internet Sharing with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('forceInternetSharingOff').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72513r1034387_chk
- Fix Reference
- F-72414r1034388_fix
- Fix Text
-
Configure the macOS system to disable Internet Sharing by installing the "com.apple.MCX" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268484
- Rule Version
- APPL-15-002008
- Rule Title
- The macOS system must disable the built-in web server.
- Rule ID
- SV-268484r1034392_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The built-in web server is a nonessential service built into macOS and must be disabled.
NOTE: The built-in web server is disabled at startup by default with macOS.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the built-in web server with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72514r1034390_chk
- Fix Reference
- F-72415r1034391_fix
- Fix Text
-
Configure the macOS system to disable the built-in web server with the following command:
/bin/launchctl disable system/org.apache.httpd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268485
- Rule Version
- APPL-15-002009
- Rule Title
- The macOS system must disable AirDrop.
- Rule ID
- SV-268485r1034395_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
AirDrop must be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable AirDrop with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAirDrop').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72515r1034393_chk
- Fix Reference
- F-72416r1034394_fix
- Fix Text
-
Configure the macOS system to disable AirDrop by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
CCI-000381Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001443Protect wireless access to the system using authentication of users and/or devices.
- 800-53 :: AC-18 (1)
- 800-53 Rev. 4 :: AC-18 (1)
- 800-53 Rev. 5 :: AC-18 (1)
- 800-53A :: AC-18 (1).1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268486
- Rule Version
- APPL-15-002010
- Rule Title
- The macOS system must disable FaceTime.app.
- Rule ID
- SV-268486r1034398_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in FaceTime.app must be disabled.
The FaceTime.app establishes a connection to Apple's iCloud service even when security controls have been put in place to disable iCloud access.
[IMPORTANT]
====
Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
====
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable FaceTime.app with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('familyControlsEnabled'))
let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('pathBlackList').js
for ( let app in pathlist ) {
if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
return("true")
}
}
return("false")
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72516r1034396_chk
- Fix Reference
- F-72417r1034397_fix
- Fix Text
-
Configure the macOS system to disable FaceTime.app by installing the "com.apple.applicationaccess.new" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268487
- Rule Version
- APPL-15-002012
- Rule Title
- The macOS system must disable the iCloud Calendar services.
- Rule ID
- SV-268487r1034401_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Calendar services with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudCalendar').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72517r1034399_chk
- Fix Reference
- F-72418r1034400_fix
- Fix Text
-
Configure the macOS system to disable iCloud Calendar services by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268488
- Rule Version
- APPL-15-002013
- Rule Title
- The macOS system must disable iCloud Reminders.
- Rule ID
- SV-268488r1034404_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Reminders with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudReminders').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72518r1034402_chk
- Fix Reference
- F-72419r1034403_fix
- Fix Text
-
Configure the macOS system to disable iCloud Reminders by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268489
- Rule Version
- APPL-15-002014
- Rule Title
- The macOS system must disable iCloud Address Book.
- Rule ID
- SV-268489r1034407_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Address Book with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudAddressBook').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72519r1034405_chk
- Fix Reference
- F-72420r1034406_fix
- Fix Text
-
Configure the macOS system to disable iCloud Address Book by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268490
- Rule Version
- APPL-15-002015
- Rule Title
- The macOS system must disable iCloud Mail.
- Rule ID
- SV-268490r1034410_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Mail.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Mail with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudMail').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72520r1034408_chk
- Fix Reference
- F-72421r1034409_fix
- Fix Text
-
Configure the macOS system to disable iCloud Mail by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268491
- Rule Version
- APPL-15-002016
- Rule Title
- The macOS system must disable iCloud Notes.
- Rule ID
- SV-268491r1034413_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Notes.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Notes with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudNotes').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72521r1034411_chk
- Fix Reference
- F-72422r1034412_fix
- Fix Text
-
Configure the macOS system to disable iCloud Notes by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268492
- Rule Version
- APPL-15-002017
- Rule Title
- The macOS system must disable the camera.
- Rule ID
- SV-268492r1034416_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures.
- Documentable
- False
- Check Content
-
If the device or operating system does not have a camera installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local authorizing official (AO) decision.
This requirement is not applicable to dedicated video teleconference (VTC) suites in approved VTC locations that are centrally managed.
For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use.
If the built-in camera is not protected with a camera cover or is not physically disabled, this is a finding.
If the camera is not disconnected, covered, or physically disabled, verify the macOS system is configured to disable the camera with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCamera').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72522r1034414_chk
- Fix Reference
- F-72423r1034415_fix
- Fix Text
-
Configure the macOS system to disable the camera by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268493
- Rule Version
- APPL-15-002020
- Rule Title
- The macOS system must disable Siri.
- Rule ID
- SV-268493r1034419_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Support for Siri is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Siri with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAssistant').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72523r1034417_chk
- Fix Reference
- F-72424r1034418_fix
- Fix Text
-
Configure the macOS system to disable Siri by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000205-GPOS-00083
- Group ID
- V-268494
- Rule Version
- APPL-15-002021
- Rule Title
- The macOS system must disable sending diagnostic and usage data to Apple.
- Rule ID
- SV-268494r1034422_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The ability to submit diagnostic data to Apple must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
.objectForKey('AutoSubmit').js
let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowDiagnosticSubmission').js
if ( pref1 == false && pref2 == false ){
return("true")
} else {
return("false")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72524r1034420_chk
- Fix Reference
- F-72425r1034421_fix
- Fix Text
-
Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-001312
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.
- 800-53 :: SI-11 b
- 800-53 Rev. 4 :: SI-11 a
- 800-53 Rev. 5 :: SI-11 a
- 800-53A :: SI-11.1 (iii)
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268495
- Rule Version
- APPL-15-002022
- Rule Title
- The macOS system must disable Remote Apple Events.
- Rule ID
- SV-268495r1034425_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent unauthorized connection of devices, transfer of information, and tunneling.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000096-GPOS-00050
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Remote Apple Events with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72525r1034423_chk
- Fix Reference
- F-72426r1034424_fix
- Fix Text
-
Configure the macOS system to disable Remote Apple Events with the following commands:
/usr/sbin/systemsetup -setremoteappleevents off
/bin/launchctl disable system/com.apple.AEServer
NOTE: Systemsetup with -setremoteappleevents flag will fail unless Full Disk Access to systemsetup or its parent process is granted. This requires supervision.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
CCI-000382Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 b
- 800-53 Rev. 5 :: CM-7 b
- 800-53A :: CM-7.1 (iii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268496
- Rule Version
- APPL-15-002035
- Rule Title
- The macOS system must disable Apple ID setup during Setup Assistant.
- Rule ID
- SV-268496r1034428_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for Apple ID setup during Setup Assistant must be disabled.
macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled. This can mislead new users into thinking they need to create Apple ID accounts upon their first login.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Apple ID setup during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipCloudSetup').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72526r1034426_chk
- Fix Reference
- F-72427r1034427_fix
- Fix Text
-
Configure the macOS system to disable Apple ID setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268497
- Rule Version
- APPL-15-002036
- Rule Title
- The macOS system must disable Privacy Setup services during Setup Assistant.
- Rule ID
- SV-268497r1034431_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for Privacy Setup services during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings. This is not essential and, therefore, must be disabled to prevent the risk of individuals electing privacy settings with the potential to override organizationwide settings.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Privacy Setup services during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipPrivacySetup').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72527r1034429_chk
- Fix Reference
- F-72428r1034430_fix
- Fix Text
-
Configure the macOS system to disable Privacy Setup services during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268498
- Rule Version
- APPL-15-002037
- Rule Title
- The macOS system must disable iCloud storage setup during Setup Assistant.
- Rule ID
- SV-268498r1034434_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt to set up iCloud storage services during Setup Assistant must be disabled.
The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations with more control over their data storage.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud storage setup during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipiCloudStorageSetup').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72528r1034432_chk
- Fix Reference
- F-72429r1034433_fix
- Fix Text
-
Configure the macOS system to disable iCloud storage setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000074-GPOS-00042
- Group ID
- V-268499
- Rule Version
- APPL-15-002038
- Rule Title
- The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
- Rule ID
- SV-268499r1034437_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
If the system does not require TFTP support, it is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and unauthorized transfer of information.
NOTE: TFTP service is disabled at startup by default with macOS.
Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000080-GPOS-00048
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable TFTP service with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72529r1034435_chk
- Fix Reference
- F-72430r1034436_fix
- Fix Text
-
Configure the macOS system to disable TFTP service with the following command:
/bin/launchctl disable system/com.apple.tftpd
The system may need to be restarted for the update to take effect.
- Identities
-
CCI-000197
For password-based authentication, transmit passwords only cryptographically-protected channels.
- 800-53 :: IA-5 (1) (c)
- 800-53 Rev. 4 :: IA-5 (1) (c)
- 800-53 Rev. 5 :: IA-5 (1) (c)
- 800-53A :: IA-5 (1).1 (v)
CCI-000213Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268500
- Rule Version
- APPL-15-002039
- Rule Title
- The macOS system must disable Siri Setup during Setup Assistant.
- Rule ID
- SV-268500r1034440_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for Siri during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings. This is not essential and, therefore, must be disabled to prevent the risk of individuals electing Siri settings with the potential to override organizationwide settings.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Siri Setup during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipSiriSetup').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72530r1034438_chk
- Fix Reference
- F-72431r1034439_fix
- Fix Text
-
Configure the macOS system to disable Siri Setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268501
- Rule Version
- APPL-15-002040
- Rule Title
- The macOS system must disable iCloud Keychain Sync.
- Rule ID
- SV-268501r1034443_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Keychain Sync with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudKeychainSync').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72531r1034441_chk
- Fix Reference
- F-72432r1034442_fix
- Fix Text
-
Configure the macOS system to disable iCloud Keychain Sync by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268502
- Rule Version
- APPL-15-002041
- Rule Title
- The macOS system must disable iCloud Document Sync.
- Rule ID
- SV-268502r1034446_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Document Sync with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudDocumentSync').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72532r1034444_chk
- Fix Reference
- F-72433r1034445_fix
- Fix Text
-
Configure the macOS system to disable iCloud Document Sync by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268503
- Rule Version
- APPL-15-002042
- Rule Title
- The macOS system must disable iCloud Bookmarks.
- Rule ID
- SV-268503r1034449_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Bookmarks with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudBookmarks').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72533r1034447_chk
- Fix Reference
- F-72434r1034448_fix
- Fix Text
-
Configure the macOS system to disable iCloud Bookmarks by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268504
- Rule Version
- APPL-15-002043
- Rule Title
- The macOS system must disable iCloud Photo Library.
- Rule ID
- SV-268504r1034452_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Photos.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the iCloud Photo Library with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudPhotoLibrary').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72534r1034450_chk
- Fix Reference
- F-72435r1034451_fix
- Fix Text
-
Configure the macOS system to disable the iCloud Photo Library by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268505
- Rule Version
- APPL-15-002050
- Rule Title
- The macOS system must disable Screen Sharing and Apple Remote Desktop.
- Rule ID
- SV-268505r1034455_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Support for both Screen Sharing and Apple Remote Desktop is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Screen Sharing and Apple Remote Desktop helps prevent unauthorized connection of devices, transfer of information, and tunneling.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Screen Sharing and Apple Remote Desktop with the following command:
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => disabled'
If the result is not "1", this is a finding.
- Check System
- C-72535r1034453_chk
- Fix Reference
- F-72436r1034454_fix
- Fix Text
-
Configure the macOS system to disable Screen Sharing and Apple Remote Desktop with the following command:
/bin/launchctl disable system/com.apple.screensharing
The system may need to be restarted for the update to take effect.
NOTE: This will apply to the whole system.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268506
- Rule Version
- APPL-15-002052
- Rule Title
- The macOS system must disable the System Settings pane for Wallet and Apple Pay.
- Rule ID
- SV-268506r1034458_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The System Settings pane for Wallet and Apple Pay must be disabled.
Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the System Settings pane for Wallet and Apple Pay with the following command:
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.WalletSettingsExtension"
If the result is not "1", this is a finding.
- Check System
- C-72536r1034456_chk
- Fix Reference
- F-72437r1034457_fix
- Fix Text
-
Configure the macOS system to disable the System Settings pane for Wallet and Apple Pay by installing the "com.apple.systempreferences" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268507
- Rule Version
- APPL-15-002053
- Rule Title
- The macOS system must disable the system settings pane for Siri.
- Rule ID
- SV-268507r1034461_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The System Settings pane for Siri must be hidden.
Hiding the System Settings pane prevents users from configuring Siri. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the system settings pane for Siri with the following command:
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension
If the result is not "1", this is a finding.
- Check System
- C-72537r1034459_chk
- Fix Reference
- F-72438r1034460_fix
- Fix Text
-
Configure the macOS system to disable the system settings pane for Siri by installing the "com.apple.systempreferences" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000366-GPOS-00153
- Group ID
- V-268508
- Rule Version
- APPL-15-002060
- Rule Title
- The macOS system must apply gatekeeper settings to block applications from unidentified developers.
- Rule ID
- SV-268508r1034464_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
The information system implements cryptographic mechanisms to authenticate software prior to installation.
Gatekeeper settings must be configured correctly to allow the system to run only applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to apply gatekeeper settings to block applications from unidentified developers with the following command:
/usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled"
If the result is not "1", this is a finding.
- Check System
- C-72538r1034462_chk
- Fix Reference
- F-72439r1034463_fix
- Fix Text
-
Configure the macOS system to apply gatekeeper settings to block applications from unidentified developers with the following command:
/usr/sbin/spctl --global-enable; /usr/sbin/spctl --enable
- Identities
-
CCI-003992
Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
- 800-53 Rev. 5 :: CM-14
- Group Title
- SRG-OS-000423-GPOS-00187
- Group ID
- V-268509
- Rule Version
- APPL-15-002062
- Rule Title
- The macOS system must disable Bluetooth when no approved device is connected.
- Rule ID
- SV-268509r1034467_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system must be configured to disable Bluetooth unless an approved device is connected.
[IMPORTANT]
====
Information system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000481-GPOS-00481
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Bluetooth with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
.objectForKey('DisableBluetooth').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72539r1034465_chk
- Fix Reference
- F-72440r1034466_fix
- Fix Text
-
Configure the macOS system to disable Bluetooth by installing the "com.apple.MCXBluetooth" configuration profile.
- Identities
-
CCI-002418
Protect the confidentiality and/or integrity of transmitted information.
- 800-53 Rev. 4 :: SC-8
- 800-53 Rev. 5 :: SC-8
- Group Title
- SRG-OS-000364-GPOS-00151
- Group ID
- V-268510
- Rule Version
- APPL-15-002063
- Rule Title
- The macOS system must disable the guest account.
- Rule ID
- SV-268510r1034470_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Guest access must be disabled.
Turning off guest access prevents anonymous users from accessing files.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the guest account with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('DisableGuestAccount'))
let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('EnableGuestAccount'))
if ( pref1 == true && pref2 == false ) {
return("true")
} else {
return("false")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72540r1034468_chk
- Fix Reference
- F-72441r1034469_fix
- Fix Text
-
Configure the macOS system to disable the guest account by installing the "com.apple.MCX" configuration profile.
- Identities
-
CCI-001813
Enforce access restrictions using organization-defined mechanisms.
- 800-53 Rev. 4 :: CM-5 (1)
- 800-53 Rev. 5 :: CM-5 (1) (a)
- Group Title
- SRG-OS-000366-GPOS-00153
- Group ID
- V-268511
- Rule Version
- APPL-15-002064
- Rule Title
- The macOS system must enable gatekeeper.
- Rule ID
- SV-268511r1034473_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Gatekeeper must be enabled.
Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
Administrator users will still have the option to override these settings on a case-by-case basis.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable gatekeeper with the following command:
/usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled"
If the result is not "1", this is a finding.
- Check System
- C-72541r1034471_chk
- Fix Reference
- F-72442r1034472_fix
- Fix Text
-
Configure the macOS system to enable gatekeeper with the following command:
/usr/sbin/spctl --global-enable
- Identities
-
CCI-003992
Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
- 800-53 Rev. 5 :: CM-14
- Group Title
- SRG-OS-000104-GPOS-00051
- Group ID
- V-268512
- Rule Version
- APPL-15-002066
- Rule Title
- The macOS system must disable unattended or automatic login to the system.
- Rule ID
- SV-268512r1034476_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Automatic login must be disabled.
When automatic logins are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logins mitigates this risk.
Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000480-GPOS-00229
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable unattended or automatic login to the system with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72542r1034474_chk
- Fix Reference
- F-72443r1034475_fix
- Fix Text
-
Configure the macOS system to disable unattended or automatic login to the system by installing the "com.apple.loginwindow" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000764Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
- 800-53 :: IA-2
- 800-53 Rev. 4 :: IA-2
- 800-53 Rev. 5 :: IA-2
- 800-53A :: IA-2.1
- Group Title
- SRG-OS-000480-GPOS-00230
- Group ID
- V-268513
- Rule Version
- APPL-15-002068
- Rule Title
- The macOS system must secure users' home folders.
- Rule ID
- SV-268513r1034479_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to prevent access to other users' home folders.
The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within.
Satisfies: SRG-OS-000480-GPOS-00230, SRG-OS-000480-GPOS-00228
- Documentable
- False
- Check Content
-
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following command:
/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs
If the result is not "0", this is a finding.
- Check System
- C-72543r1034477_chk
- Fix Reference
- F-72444r1034478_fix
- Fix Text
-
Configure the macOS system to set the appropriate permissions for each user on the system with the following command:
IFS=$'\n'
for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do
/bin/chmod og-rwx "$userDirs"
done
unset IFS
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000324-GPOS-00125
- Group ID
- V-268514
- Rule Version
- APPL-15-002069
- Rule Title
- The macOS system must require an administrator password to modify systemwide preferences.
- Rule ID
- SV-268514r1034482_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to require an administrator password to modify the systemwide preferences in System Settings.
Some Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these systemwide settings reduces the risk of an unauthorized user modifying system configurations.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require administrator privileges to modify systemwide settings with the following command:
authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
result="1"
for section in ${authDBs[@]}; do
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then
result="0"
fi
if [[ $(security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath '//*[contains(text(), "group")]/following-sibling::*[1]/text()' - ) != "admin" ]]; then
result="0"
fi
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "authenticate-user")]/following-sibling::*[1])' -) != "true" ]]; then
result="0"
fi
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "session-owner")]/following-sibling::*[1])' -) != "false" ]]; then
result="0"
fi
done
echo $result
If the result is not "1", this is a finding.
- Check System
- C-72544r1034480_chk
- Fix Reference
- F-72445r1034481_fix
- Fix Text
-
Configure the macOS system to require administrator privileges to modify systemwide settings with the following command:
authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
for section in ${authDBs[@]}; do
/usr/bin/security -q authorizationdb read "$section" > "/tmp/$section.plist"
class_key_value=$(usr/libexec/PlistBuddy -c "Print :class" "/tmp/$section.plist" 2>&1)
if [[ "$class_key_value" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :class string user" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :class user" "/tmp/$section.plist"
fi
key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1)
if [[ "$key_value" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :shared bool false" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :shared false" "/tmp/$section.plist"
fi
auth_user_key=$(/usr/libexec/PlistBuddy -c "Print :authenticate-user" "/tmp/$section.plist" 2>&1)
if [[ "$auth_user_key" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :authenticate-user bool true" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :authenticate-user true" "/tmp/$section.plist"
fi
session_owner_key=$(/usr/libexec/PlistBuddy -c "Print :session-owner" "/tmp/$section.plist" 2>&1)
if [[ "$session_owner_key" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :session-owner bool false" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :session-owner false" "/tmp/$section.plist"
fi
group_key=$(usr/libexec/PlistBuddy -c "Print :group" "/tmp/$section.plist" 2>&1)
if [[ "$group_key" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :group string admin" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :group admin" "/tmp/$section.plist"
fi
/usr/bin/security -q authorizationdb write "$section" < "/tmp/$section.plist"
done
- Identities
-
CCI-002235
Prevent non-privileged users from executing privileged functions.
- 800-53 Rev. 4 :: AC-6 (10)
- 800-53 Rev. 5 :: AC-6 (10)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268515
- Rule Version
- APPL-15-002080
- Rule Title
- The macOS system must disable Airplay Receiver.
- Rule ID
- SV-268515r1034485_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Airplay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device.
Support for Airplay Receiver is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Airplay Receiver with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAirPlayIncomingRequests').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72545r1034483_chk
- Fix Reference
- F-72446r1034484_fix
- Fix Text
-
Configure the macOS system to disable Airplay Receiver by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001443Protect wireless access to the system using authentication of users and/or devices.
- 800-53 :: AC-18 (1)
- 800-53 Rev. 4 :: AC-18 (1)
- 800-53 Rev. 5 :: AC-18 (1)
- 800-53A :: AC-18 (1).1
- Group Title
- SRG-OS-000028-GPOS-00009
- Group ID
- V-268516
- Rule Version
- APPL-15-002090
- Rule Title
- The macOS system must disable TouchID for unlocking the device.
- Rule ID
- SV-268516r1034488_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
TouchID enables the ability to unlock a Mac system with a user's fingerprint.
TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID.
The system must remain locked until the user establishes access using an authorized identification and authentication method.
NOTE: TouchID is not an approved biometric authenticator for U.S. Federal Government use as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable TouchID for unlocking the device with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFingerprintForUnlock').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72546r1034486_chk
- Fix Reference
- F-72447r1034487_fix
- Fix Text
-
Configure the macOS system to disable TouchID for unlocking the device by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000056
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- 800-53 :: AC-11 b
- 800-53 Rev. 4 :: AC-11 b
- 800-53 Rev. 5 :: AC-11 b
- 800-53A :: AC-11.1 (iii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268517
- Rule Version
- APPL-15-002100
- Rule Title
- The macOS system must disable Media Sharing.
- Rule ID
- SV-268517r1034491_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Media Sharing must be disabled.
When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.
The information system must be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and unauthorized transfer of information. Disabling Media Sharing mitigates this risk.
NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked, but the service will not be enabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Media Sharing with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowMediaSharing').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72547r1034489_chk
- Fix Reference
- F-72448r1034490_fix
- Fix Text
-
Configure the macOS system to disable Media Sharing by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268518
- Rule Version
- APPL-15-002110
- Rule Title
- The macOS system must disable Bluetooth Sharing.
- Rule ID
- SV-268518r1034494_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Bluetooth Sharing must be disabled.
Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated.
[NOTE]
====
The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
[source,bash]
----
CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
----
====
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000095-GPOS-00049
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Bluetooth sharing with the following command:
/usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled
If the result is not "0", this is a finding.
- Check System
- C-72548r1034492_chk
- Fix Reference
- F-72449r1034493_fix
- Fix Text
-
Configure the macOS system to disable Bluetooth sharing with the following command:
/usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
CCI-000381Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268519
- Rule Version
- APPL-15-002120
- Rule Title
- The macOS system must disable AppleID and internet Account Modification.
- Rule ID
- SV-268519r1034497_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must disable Account Modification.
Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contacts in the Internet Account System Setting Pane or the AppleID System Setting Pane.
This prevents the addition of unauthorized accounts.
[IMPORTANT]
====
Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information system security officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable account modification with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAccountModification').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72549r1034495_chk
- Fix Reference
- F-72450r1034496_fix
- Fix Text
-
Configure the macOS system to disable Account Modification by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268520
- Rule Version
- APPL-15-002130
- Rule Title
- The macOS system must disable CD/DVD Sharing.
- Rule ID
- SV-268520r1034500_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
CD/DVD Sharing must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable CD/DVD Sharing with the following command:
/usr/bin/pgrep -q ODSAgent; /bin/echo $?
If the result is not "1", this is a finding.
- Check System
- C-72550r1034498_chk
- Fix Reference
- F-72451r1034499_fix
- Fix Text
-
Configure the macOS system to disable CD/DVD Sharing with the following command:
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268521
- Rule Version
- APPL-15-002140
- Rule Title
- The macOS system must disable Content Caching service.
- Rule ID
- SV-268521r1034503_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Content Caching must be disabled.
Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Content Caching service with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowContentCaching').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72551r1034501_chk
- Fix Reference
- F-72452r1034502_fix
- Fix Text
-
Configure the macOS system to disable Content Caching service by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268522
- Rule Version
- APPL-15-002150
- Rule Title
- The macOS system must disable iCloud Desktop and Document folder sync.
- Rule ID
- SV-268522r1034506_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization must be controlled by an organization-approved service.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Desktop and Document folder synchronization with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudDesktopAndDocuments').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72552r1034504_chk
- Fix Reference
- F-72453r1034505_fix
- Fix Text
-
Configure the macOS system to disable iCloud Desktop and Document folder synchronization by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268523
- Rule Version
- APPL-15-002160
- Rule Title
- The macOS system must disable iCloud Game Center.
- Rule ID
- SV-268523r1034509_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
This works only with supervised devices (mobile device management [MDM]) and allows to disable Apple Game Center. The rationale is that Game Center is using Apple ID and will share data on AppleID-based services; therefore, Game Center must be disabled.
This setting also prohibits the functionality of adding friends to Game Center.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Game Center with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowGameCenter').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72553r1034507_chk
- Fix Reference
- F-72454r1034508_fix
- Fix Text
-
Configure the macOS system to disable iCloud Game Center by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268524
- Rule Version
- APPL-15-002170
- Rule Title
- The macOS system must disable iCloud Private Relay.
- Rule ID
- SV-268524r1034512_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.
Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the iCloud Private Relay with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudPrivateRelay').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72554r1034510_chk
- Fix Reference
- F-72455r1034511_fix
- Fix Text
-
Configure the macOS system to disable the iCloud Private Relay by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268525
- Rule Version
- APPL-15-002180
- Rule Title
- The macOS system must disable Find My service.
- Rule ID
- SV-268525r1034515_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Find My service must be disabled.
A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service.
Apple's Find My service uses a personal AppleID for authentication. Organizations must rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Find My service with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFindMyDevice'))
let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFindMyFriends'))
let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
.objectForKey('DisableFMMiCloudSetting'))
if ( pref1 == false && pref2 == false && pref3 == true ) {
return("true")
} else {
return("false")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72555r1034513_chk
- Fix Reference
- F-72456r1034514_fix
- Fix Text
-
Configure the macOS system to disable Find My service by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268526
- Rule Version
- APPL-15-002200
- Rule Title
- The macOS system must disable Personalized Advertising.
- Rule ID
- SV-268526r1034518_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Ad tracking and targeted ads must be disabled.
The information system must be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Personalized Advertising with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowApplePersonalizedAdvertising').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72556r1034516_chk
- Fix Reference
- F-72457r1034517_fix
- Fix Text
-
Configure the macOS system to disable Personalized Advertising by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268527
- Rule Version
- APPL-15-002210
- Rule Title
- The macOS system must disable sending Siri and Dictation information to Apple.
- Rule ID
- SV-268527r1034521_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable sending Siri and Dictation information to Apple with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
.objectForKey('Siri Data Sharing Opt-In Status').js
EOS
If the result is not "2", this is a finding.
- Check System
- C-72557r1034519_chk
- Fix Reference
- F-72458r1034520_fix
- Fix Text
-
Configure the macOS system to disable sending Siri and Dictation information to Apple by installing the "com.apple.assistant.support" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268528
- Rule Version
- APPL-15-002220
- Rule Title
- The macOS system must enforce On Device Dictation.
- Rule ID
- SV-268528r1034524_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Dictation must be restricted to On Device Only to prevent potential data exfiltration.
The information system must be configured to provide only essential capabilities.
- Documentable
- False
- Check Content
-
For Intel-based systems, this is not applicable.
Verify the macOS system is configured to enforce On Device Only Dictation with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('forceOnDeviceOnlyDictation').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72558r1034522_chk
- Fix Reference
- F-72459r1034523_fix
- Fix Text
-
Configure the macOS system to enforce On Device Only Dictation by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268529
- Rule Version
- APPL-15-002230
- Rule Title
- The macOS system must disable Dictation.
- Rule ID
- SV-268529r1034527_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.
- Documentable
- False
- Check Content
-
For Apple Silicon-based systems, this is not applicable.
Verify the macOS system is configured to disable Dictation with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowDictation').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72559r1034525_chk
- Fix Reference
- F-72460r1034526_fix
- Fix Text
-
Configure the macOS system to disable Dictation by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268530
- Rule Version
- APPL-15-002240
- Rule Title
- The macOS system must disable Printer Sharing.
- Rule ID
- SV-268530r1034530_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Printer Sharing must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Printer Sharing with the following command:
/usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0"
If the result is not "1", this is a finding.
- Check System
- C-72560r1034528_chk
- Fix Reference
- F-72461r1034529_fix
- Fix Text
-
Configure the macOS system to disable Printer Sharing with the following commands:
/usr/sbin/cupsctl --no-share-printers
/usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268531
- Rule Version
- APPL-15-002250
- Rule Title
- The macOS system must disable Remote Management.
- Rule ID
- SV-268531r1034533_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Remote Management must be disabled.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Remote Management with the following command:
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0"
If the result is not "1", this is a finding.
- Check System
- C-72561r1034531_chk
- Fix Reference
- F-72462r1034532_fix
- Fix Text
-
Configure the macOS system to disable Remote Management with the following commands:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268532
- Rule Version
- APPL-15-002260
- Rule Title
- The macOS system must disable the Bluetooth System Settings pane.
- Rule ID
- SV-268532r1034536_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Bluetooth System Settings pane with the following command:
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.BluetoothSettings
If the result is not "1", this is a finding.
- Check System
- C-72562r1034534_chk
- Fix Reference
- F-72463r1034535_fix
- Fix Text
-
Configure the macOS system to disable the Bluetooth System Settings pane by installing the "com.apple.systempreferences" configuration profiles.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268533
- Rule Version
- APPL-15-002270
- Rule Title
- The macOS system must disable the iCloud Freeform services.
- Rule ID
- SV-268533r1034539_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled.
Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable iCloud Freeform services with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudFreeform').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72563r1034537_chk
- Fix Reference
- F-72464r1034538_fix
- Fix Text
-
Configure the macOS system to disable iCloud Freeform services by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000403-GPOS-00182
- Group ID
- V-268534
- Rule Version
- APPL-15-003001
- Rule Title
- The macOS system must issue or obtain public key certificates from an approved service provider.
- Rule ID
- SV-268534r1034542_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
Satisfies: SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to issue or obtain public key certificates from an approved service provider with the following command:
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'
If the result does not contain a list of approved certificate authorities, this is a finding.
- Check System
- C-72564r1034540_chk
- Fix Reference
- F-72465r1034541_fix
- Fix Text
-
Configure the macOS system to issue or obtain public key certificates from an approved service provider by obtaining the approved certificates from the appropriate authority and install them to the System Keychain.
- Identities
-
CCI-002470
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
- 800-53 Rev. 4 :: SC-23 (5)
- 800-53 Rev. 5 :: SC-23 (5)
CCI-004909Include only approved trust anchors in trust stores or certificate stores managed by the organization.
- 800-53 Rev. 5 :: SC-17 b
- Group Title
- SRG-OS-000071-GPOS-00039
- Group ID
- V-268535
- Rule Version
- APPL-15-003007
- Rule Title
- The macOS system must require that passwords contain a minimum of one numeric character.
- Rule ID
- SV-268535r1034545_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to require at least one numeric character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require that passwords contain a minimum of one numeric character with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "requireAlphanumeric" -c
If the result is not "1", this is a finding.
- Check System
- C-72565r1034543_chk
- Fix Reference
- F-72466r1034544_fix
- Fix Text
-
Configure the macOS system to require that passwords contain a minimum of one numeric character by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
- Identities
-
CCI-004066
For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000076-GPOS-00044
- Group ID
- V-268536
- Rule Version
- APPL-15-003008
- Rule Title
- The macOS system must restrict maximum password lifetime to 60 days.
- Rule ID
- SV-268536r1034548_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days.
This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to restrict maximum password lifetime to 60 days with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' -
If the result is not "60" or less, this is a finding.
- Check System
- C-72566r1034546_chk
- Fix Reference
- F-72467r1034547_fix
- Fix Text
-
Configure the macOS system to restrict maximum password lifetime to 60 days by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
- Identities
-
CCI-004066
For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000078-GPOS-00046
- Group ID
- V-268537
- Rule Version
- APPL-15-003010
- Rule Title
- The macOS system must require a minimum password length of 14 characters.
- Rule ID
- SV-268537r1034551_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to require that a minimum of 14 characters be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce a minimum 14-character password length with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{14,}'\''")])' -
If the result is not "true", this is a finding.
- Check System
- C-72567r1034549_chk
- Fix Reference
- F-72468r1034550_fix
- Fix Text
-
Configure the macOS system to enforce a 14-character password length by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
- Identities
-
CCI-004066
For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000266-GPOS-00101
- Group ID
- V-268538
- Rule Version
- APPL-15-003011
- Rule Title
- The macOS system must require that passwords contain a minimum of one special character.
- Rule ID
- SV-268538r1034554_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to require that at least one special character be used when a password is created.
Special characters are characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require passwords contain a minimum of one special character with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){1,}'\''")])' -
If the result is not "true", this is a finding.
- Check System
- C-72568r1034552_chk
- Fix Reference
- F-72469r1034553_fix
- Fix Text
-
Configure the macOS system to require that passwords contain a minimum of one special character by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
- Identities
-
CCI-004066
For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000079-GPOS-00047
- Group ID
- V-268539
- Rule Version
- APPL-15-003012
- Rule Title
- The macOS system must disable password hints.
- Rule ID
- SV-268539r1034557_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Password hints must be disabled.
Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable password hints with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('RetriesUntilHint').js
EOS
If the result is not "0", this is a finding.
- Check System
- C-72569r1034555_chk
- Fix Reference
- F-72470r1034556_fix
- Fix Text
-
Configure the macOS system to disable password hints by installing the "com.apple.loginwindow" configuration profile.
- Identities
-
CCI-000206
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
- 800-53 :: IA-6
- 800-53 Rev. 4 :: IA-6
- 800-53 Rev. 5 :: IA-6
- 800-53A :: IA-6.1
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-268540
- Rule Version
- APPL-15-003013
- Rule Title
- The macOS system must enable firmware password.
- Rule ID
- SV-268540r1034560_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A firmware password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools.
To set a firmware passcode, use the following command:
[source,bash]
----
/usr/sbin/firmwarepasswd -setpasswd
----
NOTE: If the firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.
NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.
- Documentable
- False
- Check Content
-
For Apple Silicon systems, this is not applicable.
Verify the macOS system is configured with a firmware password with the following command:
/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes"
If the result is not "1", this is a finding.
- Check System
- C-72570r1034558_chk
- Fix Reference
- F-72471r1034559_fix
- Fix Text
-
Configure the macOS system with a firmware password with the following command:
/usr/sbin/firmwarepasswd -setpasswd
NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000079-GPOS-00047
- Group ID
- V-268541
- Rule Version
- APPL-15-003014
- Rule Title
- The macOS system must remove password hints from user accounts.
- Rule ID
- SV-268541r1034563_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
User accounts must not contain password hints.
Password hints leak information about passwords in use and can lead to loss of confidentiality.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to remove password hints from user accounts with the following command:
HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')
if [ -z "$HINT" ]; then
echo "PASS"
else
echo "FAIL"
fi
If the result is not "PASS", this is a finding.
- Check System
- C-72571r1034561_chk
- Fix Reference
- F-72472r1034562_fix
- Fix Text
-
Configure the macOS system to remove password hints from user accounts with the following command:
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
/usr/bin/dscl . -delete /Users/$u hint
done
- Identities
-
CCI-000206
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
- 800-53 :: IA-6
- 800-53 Rev. 4 :: IA-6
- 800-53 Rev. 5 :: IA-6
- 800-53A :: IA-6.1
- Group Title
- SRG-OS-000067-GPOS-00035
- Group ID
- V-268542
- Rule Version
- APPL-15-003020
- Rule Title
- The macOS system must enforce smart card authentication.
- Rule ID
- SV-268542r1034566_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Smart card authentication must be enforced.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to "true", the smart card must be used for login, authorization, and unlocking the screen saver.
CAUTION: enforceSmartCard will apply to the whole system. No users will be able to log in with their password unless the profile is removed or a user is exempt from smart card enforcement.
NOTE: enforceSmartcard requires allowSmartcard to be set to "true" to work.
Satisfies: SRG-OS-000067-GPOS-00035, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000705-GPOS-00150
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce multifactor authentication with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('enforceSmartCard').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72572r1034564_chk
- Fix Reference
- F-72473r1034565_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
- Identities
-
CCI-000186
For public key-based authentication, enforce authorized access to the corresponding private key.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (b)
- 800-53 Rev. 5 :: IA-5 (2) (a) (1)
- 800-53A :: IA-5 (2).1
CCI-000765Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-001953Accepts Personal Identity Verification-compliant credentials.
- 800-53 Rev. 4 :: IA-2 (12)
- 800-53 Rev. 5 :: IA-2 (12)
CCI-004046Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
- 800-53 Rev. 5 :: IA-2 (6) (a)
CCI-004047Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.
- 800-53 Rev. 5 :: IA-2 (6) (b)
- Group Title
- SRG-OS-000068-GPOS-00036
- Group ID
- V-268543
- Rule Version
- APPL-15-003030
- Rule Title
- The macOS system must allow smart card authentication.
- Rule ID
- SV-268543r1034569_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Smart card authentication must be allowed.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.
When enabled, the smart card can be used for login, authorization, and screen saver unlocking.
Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000376-GPOS-00161
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to allow smart card authentication with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('allowSmartCard').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72573r1034567_chk
- Fix Reference
- F-72474r1034568_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile.
NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
- Identities
-
CCI-000187
For public key-based authentication, map the authenticated identity to the account of the individual or group.
- 800-53 :: IA-5 (2)
- 800-53 Rev. 4 :: IA-5 (2) (c)
- 800-53 Rev. 5 :: IA-5 (2) (a) (2)
- 800-53A :: IA-5 (2).1
CCI-000765Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-001953Accepts Personal Identity Verification-compliant credentials.
- 800-53 Rev. 4 :: IA-2 (12)
- 800-53 Rev. 5 :: IA-2 (12)
- Group Title
- SRG-OS-000105-GPOS-00052
- Group ID
- V-268544
- Rule Version
- APPL-15-003050
- Rule Title
- The macOS system must enforce multifactor authentication for login.
- Rule ID
- SV-268544r1034572_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to enforce multifactor authentication.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.
NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000705-GPOS-00150
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce multifactor authentication for login with the following command:
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login
If the result is not "2", this is a finding.
- Check System
- C-72574r1034570_chk
- Fix Reference
- F-72475r1034571_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication for login with the following commands:
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END
/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
- Identities
-
CCI-000765
Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-004047Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.
- 800-53 Rev. 5 :: IA-2 (6) (b)
- Group Title
- SRG-OS-000105-GPOS-00052
- Group ID
- V-268545
- Rule Version
- APPL-15-003051
- Rule Title
- The macOS system must enforce multifactor authentication for the su command.
- Rule ID
- SV-268545r1034575_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured such that, when the su command is used, multifactor authentication is enforced.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.
NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000705-GPOS-00150
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce multifactor authentication for the su command with the following command:
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su
If the result is not "2", this is a finding.
- Check System
- C-72575r1034573_chk
- Fix Reference
- F-72476r1034574_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication for the su command with the following commands:
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END
# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
- Identities
-
CCI-000765
Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-004047Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.
- 800-53 Rev. 5 :: IA-2 (6) (b)
- Group Title
- SRG-OS-000105-GPOS-00052
- Group ID
- V-268546
- Rule Version
- APPL-15-003052
- Rule Title
- The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
- Rule ID
- SV-268546r1034578_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.
NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000705-GPOS-00150
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce multifactor authentication for privilege escalation through the sudo command with the following command:
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo
If the result is not "2", this is a finding.
- Check System
- C-72576r1034576_chk
- Fix Reference
- F-72477r1034577_fix
- Fix Text
-
Configure the macOS system to enforce multifactor authentication for privilege escalation through the sudo command with the following commands:
/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END
/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
- Identities
-
CCI-000765
Implement multifactor authentication for network access to privileged accounts.
- 800-53 :: IA-2 (1)
- 800-53 Rev. 4 :: IA-2 (1)
- 800-53 Rev. 5 :: IA-2 (1)
- 800-53A :: IA-2 (1).1
CCI-000766Implement multifactor authentication for network access to non-privileged accounts.
- 800-53 :: IA-2 (2)
- 800-53 Rev. 4 :: IA-2 (2)
- 800-53 Rev. 5 :: IA-2 (2)
- 800-53A :: IA-2 (2).1
CCI-001941Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
- 800-53 Rev. 4 :: IA-2 (8)
- 800-53 Rev. 5 :: IA-2 (8)
CCI-004047Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.
- 800-53 Rev. 5 :: IA-2 (6) (b)
- Group Title
- SRG-OS-000069-GPOS-00037
- Group ID
- V-268547
- Rule Version
- APPL-15-003060
- Rule Title
- The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character.
- Rule ID
- SV-268547r1034581_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to require that at least one lowercase character and one uppercase character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
NOTE: The configuration profile generated must be installed from a Mobile Device Management (MDM) server.
Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000730-GPOS-00190
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to require that passwords contain a minimum of one lowercase character and one uppercase character with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$'\''")])' -
If the result is not "true", this is a finding.
- Check System
- C-72577r1034579_chk
- Fix Reference
- F-72478r1034580_fix
- Fix Text
-
Configure the macOS system to require at least one lowercase character and one uppercase character in password complexity by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.
- Identities
-
CCI-004065
For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
- 800-53 Rev. 5 :: IA-5 (1) (g)
CCI-004066For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000075-GPOS-00043
- Group ID
- V-268548
- Rule Version
- APPL-15-003070
- Rule Title
- The macOS system must set minimum password lifetime to 24 hours.
- Rule ID
- SV-268548r1034796_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours.
This rule discourages users from cycling through their previous passwords to get back to a preferred one.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set minimum password lifetime to 24 hours with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 24 ) {print "yes"} else {print "no"}}'
If the result is not "yes", this is a finding.
- Check System
- C-72578r1034582_chk
- Fix Reference
- F-72479r1034795_fix
- Fix Text
-
Configure the macOS system to set minimum password lifetime to 24 hours.
This setting may be enforced using local policy or by a directory service.
To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
<key>policyContent</key>
<string>policyAttributeLastPasswordChangeTime < policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Minimum Password Lifetime</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeMinimumLifetimeHours</key>
<integer>24</integer>
</dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
- Identities
-
CCI-004066
For password-based authentication, enforce organization-defined composition and complexity rules.
- 800-53 Rev. 5 :: IA-5 (1) (h)
- Group Title
- SRG-OS-000118-GPOS-00060
- Group ID
- V-268549
- Rule Version
- APPL-15-003080
- Rule Title
- The macOS system must disable accounts after 35 days of inactivity.
- Rule ID
- SV-268549r1034798_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS must be configured to disable accounts after 35 days of inactivity.
This rule prevents malicious users from employing unused accounts to gain access to the system while avoiding detection.
Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable accounts after 35 days of inactivity with the following command:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' -
If the result is not "35", this is a finding.
- Check System
- C-72579r1034585_chk
- Fix Reference
- F-72480r1034797_fix
- Fix Text
-
Configure the macOS system to disable accounts after 35 days of inactivity with the following command:
This setting may be enforced using local policy or by a directory service.
To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following <dict> within the "policyCategoryAuthentication":
[source,xml]
----
<dict>
<key>policyContent</key>
<string>policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Inactive Account</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeInactiveDays</key>
<integer>35</integer>
</dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
- Identities
-
CCI-003627
Disable accounts when the accounts have expired.
- 800-53 Rev. 5 :: AC-2 (3) (a)
CCI-003628Disable accounts when the accounts are no longer associated to a user.
- 800-53 Rev. 5 :: AC-2 (3) (b)
- Group Title
- SRG-OS-000205-GPOS-00083
- Group ID
- V-268550
- Rule Version
- APPL-15-004001
- Rule Title
- The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.
- Rule ID
- SV-268550r1034590_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Apple System Logs must be owned by root.
ASLs contain sensitive data about the system and users. Setting ASL files to be readable and writable only by system administrators mitigates the risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with ASL files owned by root and group to wheel with the following command:
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the result is not "0", this is a finding.
- Check System
- C-72580r1034588_chk
- Fix Reference
- F-72481r1034589_fix
- Fix Text
-
Configure the macOS system with ASL files owned by root and group to wheel with the following command:
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
- Identities
-
CCI-001312
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.
- 800-53 :: SI-11 b
- 800-53 Rev. 4 :: SI-11 a
- 800-53 Rev. 5 :: SI-11 a
- 800-53A :: SI-11.1 (iii)
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000205-GPOS-00083
- Group ID
- V-268551
- Rule Version
- APPL-15-004002
- Rule Title
- The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.
- Rule ID
- SV-268551r1034593_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Apple System Logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL files must be configured to mode 640 permissive or less, thereby preventing normal users from reading, modifying, or deleting audit logs.
System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with ASL files to mode 640 or less permissive with the following command:
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the result is not "0", this is a finding.
- Check System
- C-72581r1034591_chk
- Fix Reference
- F-72482r1034592_fix
- Fix Text
-
Configure the macOS system with ASL files to mode 640 with the following command:
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')
- Identities
-
CCI-001312
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.
- 800-53 :: SI-11 b
- 800-53 Rev. 4 :: SI-11 a
- 800-53 Rev. 5 :: SI-11 a
- 800-53A :: SI-11.1 (iii)
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000205-GPOS-00083
- Group ID
- V-268552
- Rule Version
- APPL-15-004030
- Rule Title
- The macOS system must configure system log files owned by root and group to wheel.
- Rule ID
- SV-268552r1034596_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system log files must be owned by root.
System logs contain sensitive data about the system and users. Setting log files to be readable and writable only by system administrators mitigates the risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with system log files owned by root and group to wheel with the following command:
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the result is not "0", this is a finding.
- Check System
- C-72582r1034594_chk
- Fix Reference
- F-72483r1034595_fix
- Fix Text
-
Configure the macOS system with system log files owned by root and group to wheel with the following command:
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
- Identities
-
CCI-001312
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.
- 800-53 :: SI-11 b
- 800-53 Rev. 4 :: SI-11 a
- 800-53 Rev. 5 :: SI-11 a
- 800-53A :: SI-11.1 (iii)
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000205-GPOS-00083
- Group ID
- V-268553
- Rule Version
- APPL-15-004040
- Rule Title
- The macOS system must configure system log files to mode 640 or less permissive.
- Rule ID
- SV-268553r1034599_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must be configured to mode 640 permissive or less, thereby preventing normal users from reading, modifying, or deleting audit logs.
System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with system log files set to mode 640 or less permissive with the following command:
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
If the result is not "0", this is a finding.
- Check System
- C-72583r1034597_chk
- Fix Reference
- F-72484r1034598_fix
- Fix Text
-
Configure the macOS system with system log files set to mode 640 or less permissive with the following command:
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}')
- Identities
-
CCI-001312
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.
- 800-53 :: SI-11 b
- 800-53 Rev. 4 :: SI-11 a
- 800-53 Rev. 5 :: SI-11 a
- 800-53A :: SI-11.1 (iii)
CCI-001314Reveal error messages only to organization-defined personnel or roles.
- 800-53 :: SI-11 c
- 800-53 Rev. 4 :: SI-11 b
- 800-53 Rev. 5 :: SI-11 b
- 800-53A :: SI-11.1 (iv)
- Group Title
- SRG-OS-000341-GPOS-00132
- Group ID
- V-268554
- Rule Version
- APPL-15-004050
- Rule Title
- The macOS system must configure install.log retention to 365.
- Rule ID
- SV-268554r1034602_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.
Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with install.log retention to 365 with the following command:
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'
If the result is not "yes", this is a finding.
- Check System
- C-72584r1034600_chk
- Fix Reference
- F-72485r1034601_fix
- Fix Text
-
Configure the macOS system with install.log retention to 365 with the following command:
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
NOTE: If multiple configuration files in /etc/asl are set to process the file /var/log/install.log, these files must be manually removed.
- Identities
-
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
- 800-53 Rev. 4 :: AU-4
- 800-53 Rev. 5 :: AU-4
- Group Title
- SRG-OS-000051-GPOS-00024
- Group ID
- V-268555
- Rule Version
- APPL-15-005001
- Rule Title
- The macOS system must ensure System Integrity Protection is enabled.
- Rule ID
- SV-268555r1034605_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents nonprivileged users from granting other users direct access to the contents of their home directories and folders.
NOTE: System Integrity Protection is enabled by default in macOS.
Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000062-GPOS-00031, SRG-OS-000080-GPOS-00048, SRG-OS-000122-GPOS-00063, SRG-OS-000138-GPOS-00069, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000278-GPOS-00108, SRG-OS-000350-GPOS-00138
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable System Integrity Protection with the following command:
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'
If the result is not "1", this is a finding.
- Check System
- C-72585r1034603_chk
- Fix Reference
- F-72486r1034604_fix
- Fix Text
-
Configure the macOS system to enable System Integrity Protection by booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following command:
/usr/bin/csrutil enable
- Identities
-
CCI-000154
Provide the capability to centrally review and analyze audit records from multiple components within the system.
- 800-53 :: AU-6 (4)
- 800-53 Rev. 4 :: AU-6 (4)
- 800-53 Rev. 5 :: AU-6 (4)
- 800-53A :: AU-6 (4).1
CCI-000158Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.
- 800-53 :: AU-7 (1)
- 800-53 Rev. 4 :: AU-7 (1)
- 800-53 Rev. 5 :: AU-7 (1)
- 800-53A :: AU-7 (1).1
CCI-000162Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000169Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a. on organization-defined information system components.
- 800-53 :: AU-12 a
- 800-53 Rev. 4 :: AU-12 a
- 800-53 Rev. 5 :: AU-12 a
- 800-53A :: AU-12.1 (ii)
CCI-000213Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
CCI-001090Prevent unauthorized and unintended information transfer via shared system resources.
- 800-53 :: SC-4
- 800-53 Rev. 4 :: SC-4
- 800-53 Rev. 5 :: SC-4
- 800-53A :: SC-4.1
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001496Implement cryptographic mechanisms to protect the integrity of audit tools.
- 800-53 :: AU-9 (3)
- 800-53 Rev. 4 :: AU-9 (3)
- 800-53 Rev. 5 :: AU-9 (3)
- 800-53A :: AU-9 (3).1
CCI-001499Limit privileges to change software resident within software libraries.
- 800-53 :: CM-5 (6)
- 800-53 Rev. 4 :: CM-5 (6)
- 800-53 Rev. 5 :: CM-5 (6)
- 800-53A :: CM-5 (6).1
CCI-001876Provide an audit reduction capability that supports on-demand reporting requirements.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
CCI-001878Provide a report generation capability that supports on-demand audit review and analysis.
- 800-53 Rev. 4 :: AU-7 a
- 800-53 Rev. 5 :: AU-7 a
- Group Title
- SRG-OS-000185-GPOS-00079
- Group ID
- V-268556
- Rule Version
- APPL-15-005020
- Rule Title
- The macOS system must enforce FileVault.
- Rule ID
- SV-268556r1034608_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce FileVault with the following command:
dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
)
fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.")
if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then
echo "1"
else
echo "0"
fi
If the result is not "1", this is a finding.
- Check System
- C-72586r1034606_chk
- Fix Reference
- F-72487r1034607_fix
- Fix Text
-
Refer to the FileVault supplemental to implement this rule.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1
CCI-002475Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information when at rest on organization-defined system components.
- 800-53 Rev. 4 :: SC-28 (1)
- 800-53 Rev. 5 :: SC-28 (1)
CCI-002476Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.
- 800-53 Rev. 4 :: SC-28 (1)
- 800-53 Rev. 5 :: SC-28 (1)
- Group Title
- SRG-OS-000480-GPOS-00232
- Group ID
- V-268557
- Rule Version
- APPL-15-005050
- Rule Title
- The macOS system must enable macOS Application Firewall.
- Rule ID
- SV-268557r1034611_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled.
When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable the Application Firewall with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableFirewall').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72587r1034609_chk
- Fix Reference
- F-72488r1034610_fix
- Fix Text
-
Configure the macOS system to enable the Application Firewall by installing the "com.apple.security.firewall" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000104-GPOS-00051
- Group ID
- V-268558
- Rule Version
- APPL-15-005052
- Rule Title
- The macOS system must configure the login window to prompt for username and password.
- Rule ID
- SV-268558r1034614_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The login window must be configured to prompt all users for both a username and a password.
By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prompt for username and password at the login window with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('SHOWFULLNAME').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72588r1034612_chk
- Fix Reference
- F-72489r1034613_fix
- Fix Text
-
Configure the macOS system to prompt for username and password at the login window by installing the "com.apple.loginwindow" configuration profile.
- Identities
-
CCI-000764
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
- 800-53 :: IA-2
- 800-53 Rev. 4 :: IA-2
- 800-53 Rev. 5 :: IA-2
- 800-53A :: IA-2.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268559
- Rule Version
- APPL-15-005054
- Rule Title
- The macOS system must disable the TouchID prompt during Setup Assistant.
- Rule ID
- SV-268559r1034617_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for TouchID during Setup Assistant must be disabled.
macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, must be disabled to prevent the risk of individuals electing to enable TouchID to override organizationwide settings.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the TouchID prompt during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipTouchIDSetup').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72589r1034615_chk
- Fix Reference
- F-72490r1034616_fix
- Fix Text
-
Configure the macOS system to disable the TouchID prompt during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268560
- Rule Version
- APPL-15-005055
- Rule Title
- The macOS system must disable the Screen Time prompt during Setup Assistant.
- Rule ID
- SV-268560r1034620_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for Screen Time setup during Setup Assistant must be disabled.
Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable the Screen Time prompt during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipScreenTime').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72590r1034618_chk
- Fix Reference
- F-72491r1034619_fix
- Fix Text
-
Configure the macOS system to disable the Screen Time prompt during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268561
- Rule Version
- APPL-15-005056
- Rule Title
- The macOS system must disable Unlock with Apple Watch during Setup Assistant.
- Rule ID
- SV-268561r1034623_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The prompt for Apple Watch unlock setup during Setup Assistant must be disabled.
Disabling Apple watches is a necessary step to ensuring the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Unlock with Apple Watch during Setup Assistant with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipUnlockWithWatch').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72591r1034621_chk
- Fix Reference
- F-72492r1034622_fix
- Fix Text
-
Configure the macOS system to disable Unlock with Apple Watch during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268562
- Rule Version
- APPL-15-005058
- Rule Title
- The macOS system must disable Handoff.
- Rule ID
- SV-268562r1034626_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Handoff must be disabled.
Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Handoff with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowActivityContinuation').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72592r1034624_chk
- Fix Reference
- F-72493r1034625_fix
- Fix Text
-
Configure the macOS system to disable Handoff by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
CCI-000381Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
CCI-001443Protect wireless access to the system using authentication of users and/or devices.
- 800-53 :: AC-18 (1)
- 800-53 Rev. 4 :: AC-18 (1)
- 800-53 Rev. 5 :: AC-18 (1)
- 800-53A :: AC-18 (1).1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268563
- Rule Version
- APPL-15-005060
- Rule Title
- The macOS system must disable proximity-based password sharing requests.
- Rule ID
- SV-268563r1034629_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Proximity-based password sharing requests must be disabled.
The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disabled to prevent passwords from being shared.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable proximity-based password sharing requests with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordProximityRequests').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72593r1034627_chk
- Fix Reference
- F-72494r1034628_fix
- Fix Text
-
Configure the macOS system to disable proximity-based password sharing requests by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268564
- Rule Version
- APPL-15-005061
- Rule Title
- The macOS system must disable Erase Content and Settings.
- Rule ID
- SV-268564r1034632_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Erase Content and Settings must be disabled.
Without disabling the Erase Content and Settings configuration, forensics data could be lost if this feature is activated on a compromised system.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Erase Content and Settings with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowEraseContentAndSettings').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72594r1034630_chk
- Fix Reference
- F-72495r1034631_fix
- Fix Text
-
Configure the macOS system to disable Erase Content and Settings by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000080-GPOS-00048
- Group ID
- V-268565
- Rule Version
- APPL-15-005070
- Rule Title
- The macOS system must enable Authenticated Root.
- Rule ID
- SV-268565r1034635_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Authenticated Root must be enabled.
When Authenticated Root is enabled, the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
NOTE: Authenticated Root is enabled by default on macOS systems.
WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enable authenticated root with the following command:
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"
If the result is not "1", this is a finding.
- Check System
- C-72595r1034633_chk
- Fix Reference
- F-72496r1034634_fix
- Fix Text
-
Configure the macOS system to enable authenticated root with the following command:
/usr/bin/csrutil authenticated-root enable
NOTE: To reenable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
- Identities
-
CCI-000213
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- 800-53 :: AC-3
- 800-53 Rev. 4 :: AC-3
- 800-53 Rev. 5 :: AC-3
- 800-53A :: AC-3.1
- Group Title
- SRG-OS-000362-GPOS-00149
- Group ID
- V-268566
- Rule Version
- APPL-15-005080
- Rule Title
- The macOS system must prohibit user installation of software into /users/.
- Rule ID
- SV-268566r1034638_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Users must not be allowed to install software into /users/.
Allowing regular users without explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.
[IMPORTANT]
====
Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
====
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prohibit user installation of software into /users/ with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('familyControlsEnabled'))
let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('pathBlackList').js
for ( let app in pathlist ) {
if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
return("true")
}
}
return("false")
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72596r1034636_chk
- Fix Reference
- F-72497r1034637_fix
- Fix Text
-
Configure the macOS system to prohibit user installation of software into /users/ by installing the "com.apple.applicationaccess.new" configuration profile.
- Identities
-
CCI-003980
Allow user installation of software only with explicit privileged status.
- 800-53 Rev. 5 :: CM-11 (2)
- Group Title
- SRG-OS-000378-GPOS-00163
- Group ID
- V-268567
- Rule Version
- APPL-15-005090
- Rule Title
- The macOS system must authorize USB devices before allowing connection.
- Rule ID
- SV-268567r1034641_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
USB devices connected to a Mac must be authorized.
[IMPORTANT]
====
This feature is removed if a smart card is paired or smart card attribute mapping is configured.
====
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to authorize USB devices before allowing connection with the following command:
/usr/bin/osascript -l JavaScript << EOS
function run() {
let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowUSBRestrictedMode'))
if ( pref1 == false ) {
return("false")
} else {
return("true")
}
}
EOS
If the result is not "true", this is a finding.
- Check System
- C-72597r1034639_chk
- Fix Reference
- F-72498r1034640_fix
- Fix Text
-
Configure the macOS system to authorize USB devices before allowing connection by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-001958
Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
- 800-53 Rev. 4 :: IA-3
- 800-53 Rev. 5 :: IA-3
CCI-003959Prohibit the use or connection of unauthorized hardware components.
- 800-53 Rev. 5 :: CM-7 (9) (b)
- Group Title
- SRG-OS-000445-GPOS-00199
- Group ID
- V-268568
- Rule Version
- APPL-15-005100
- Rule Title
- The macOS system must ensure Secure Boot level is set to "full".
- Rule ID
- SV-268568r1034644_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The Secure Boot security setting must be set to "full".
Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot.
NOTE: This will only return a proper result on a T2 or Apple Silicon Macs.
Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to ensure Secure Boot level is set to "full" using the following command:
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full"
If the result is not "1", this is a finding.
- Check System
- C-72598r1034642_chk
- Fix Reference
- F-72499r1034643_fix
- Fix Text
-
Configure the macOS system to ensure Secure Boot level is set to "full" by booting into Recovery Mode and enabling Full Secure Boot.
- Identities
-
CCI-002696
Verify correct operation of organization-defined security functions.
- 800-53 Rev. 4 :: SI-6 a
- 800-53 Rev. 5 :: SI-6 a
CCI-002699Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
- 800-53 Rev. 4 :: SI-6 b
- 800-53 Rev. 5 :: SI-6 b
CCI-002702Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.
- 800-53 Rev. 4 :: SI-6 d
- 800-53 Rev. 5 :: SI-6 d
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-268569
- Rule Version
- APPL-15-005110
- Rule Title
- The macOS system must enforce enrollment in Mobile Device Management (MDM).
- Rule ID
- SV-268569r1034647_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Users must enroll their Mac in MDM software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently, these include:
* Allowed Kernel Extensions.
* Allowed Approved System Extensions.
* Privacy Preferences Policy Control Payload.
* ExtensibleSingleSignOn.
* FDEFileVault.
* Activation Lock Bypass.
* Access to Bootstrap Tokens.
* Scheduling Software Updates.
* Query list and delete local users.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce enrollment in mobile device management with the following command:
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"
If the result is not "1", this is a finding.
- Check System
- C-72599r1034645_chk
- Fix Reference
- F-72500r1034646_fix
- Fix Text
-
Configure the macOS system by ensuring that the system is enrolled via UAMDM.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-268570
- Rule Version
- APPL-15-005120
- Rule Title
- The macOS system must enable Recovery Lock.
- Rule ID
- SV-268570r1034650_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
A Recovery Lock password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools.
IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.
- Documentable
- False
- Check Content
-
For non-Apple Silicon systems, this is not applicable.
Verify the macOS system is configured with Recovery Lock with the following command:
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1"
If the result is not "1", this is a finding.
- Check System
- C-72600r1034648_chk
- Fix Reference
- F-72501r1034649_fix
- Fix Text
-
Configure the macOS system with Recovery Lock with the SetRecoveryLock command. This can be used to set a Recovery Lock password and must be from the MDM.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000480-GPOS-00227
- Group ID
- V-268571
- Rule Version
- APPL-15-005130
- Rule Title
- The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
- Rule ID
- SV-268571r1034653_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Software Update must be configured to update XProtect Remediator and Gatekeeper automatically.
This setting enforces definition updates for XProtect Remediator and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.
https://support.apple.com/en-us/HT207005
NOTE: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to enforce installation of XProtect Remediator and Gatekeeper updates automatically with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('ConfigDataInstall').js
EOS
If the result is not "true", this is a finding.
- Check System
- C-72601r1034651_chk
- Fix Reference
- F-72502r1034652_fix
- Fix Text
-
Configure the macOS system to enforce installation of XProtect Remediator and Gatekeeper updates automatically by installing the "com.apple.SoftwareUpdate" configuration profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268572
- Rule Version
- APPL-15-005140
- Rule Title
- The macOS system must disable Genmoji.
- Rule ID
- SV-268572r1034656_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Apple Intelligence features that use off-device Artificial Intelligence (AI) must be disabled.
Use of off-device AI poses a data loss risk.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Genmoji with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowGenmoji').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72602r1034654_chk
- Fix Reference
- F-72503r1034655_fix
- Fix Text
-
Configure the macOS system to disable Genmoji by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268573
- Rule Version
- APPL-15-005150
- Rule Title
- The macOS system must disable Apple Intelligence Image Generation.
- Rule ID
- SV-268573r1034659_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Apple Intelligence features that use off-device artificial intelligence must be disabled.
Use of off-device AI poses a data loss risk.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Apple Intelligence Image Generation with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowImagePlayground').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72603r1034657_chk
- Fix Reference
- F-72504r1034658_fix
- Fix Text
-
Configure the macOS system to disable Apple Intelligence Image Generation by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-268574
- Rule Version
- APPL-15-005160
- Rule Title
- The macOS system must disable Apple Intelligence Writing Tools.
- Rule ID
- SV-268574r1034662_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Apple Intelligence features that use off device Artificial Intelligence must be disabled.
Use of off-device AI poses a data loss risk.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable Apple Intelligence Writing Tools with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowWritingTools').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-72604r1034660_chk
- Fix Reference
- F-72505r1034661_fix
- Fix Text
-
Configure the macOS system to disable Apple Intelligence Writing Tools by installing the "com.apple.applicationaccess" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000439-GPOS-00195
- Group ID
- V-268575
- Rule Version
- APPL-15-999999
- Rule Title
- The macOS system must be a supported release.
- Rule ID
- SV-268575r1034665_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
- Documentable
- False
- Check Content
-
Verify the operating system version.
Click the Apple icon on the menu at the top left corner of the screen and select the "About This Mac" option.
The name of the macOS release installed appears on the Overview tab in the resulting window. The precise version number installed is displayed below that.
If the installed version of macOS 15 is not supported, this is a finding.
- Check System
- C-72605r1034663_chk
- Fix Reference
- F-72506r1034664_fix
- Fix Text
-
Upgrade to a supported version of the operating system.
- Identities
-
CCI-002605
Install security-relevant software updates within an organization-defined time period of the release of the updates.
- 800-53 Rev. 4 :: SI-2 c
- 800-53 Rev. 5 :: SI-2 c
- Group Title
- SRG-OS-000023-GPOS-00006
- Group ID
- V-269093
- Rule Version
- APPL-15-000024
- Rule Title
- The macOS system must enforce SSH to display a policy banner.
- Rule ID
- SV-269093r1034754_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
SSH must be configured to display a policy banner.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command:
/usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner"
If the command does not return "1", this is a finding.
- Check System
- C-73123r1034752_chk
- Fix Reference
- F-73024r1034753_fix
- Fix Text
-
Configure the macOS system to display the contents of "/etc/banner" before granting access to the system with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'banner /etc/banner' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "banner /etc/banner" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
CCI-000050Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
- 800-53 :: AC-8 b
- 800-53 Rev. 4 :: AC-8 b
- 800-53 Rev. 5 :: AC-8 b
- 800-53A :: AC-8.1 (iii)
- Group Title
- SRG-OS-000365-GPOS-00152
- Group ID
- V-269094
- Rule Version
- APPL-15-001024
- Rule Title
- The macOS system must be configured to audit all failed program execution on the system.
- Rule ID
- SV-269094r1034757_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000365-GPOS-00152, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit all failed program execution on the system with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
If the result is not "1", this is a finding.
- Check System
- C-73124r1034755_chk
- Fix Reference
- F-73025r1034756_fix
- Fix Text
-
Configure the macOS system to audit all failed program execution on the system with the following command:
/usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-000172
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
- Group Title
- SRG-OS-000057-GPOS-00027
- Group ID
- V-269095
- Rule Version
- APPL-15-001140
- Rule Title
- The macOS system must configure audit_control to not contain access control lists (ACLs).
- Rule ID
- SV-269095r1034760_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
/etc/security/audit_control must not contain ACLs.
/etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators to prevent normal users from manipulating audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
- Documentable
- False
- Check Content
-
Verify the macOS system is configured without ACLs applied to audit_control with the following command:
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
If the result is not "0", this is a finding.
- Check System
- C-73125r1034758_chk
- Fix Reference
- F-73026r1034759_fix
- Fix Text
-
Configure the macOS system without ACLs applied to audit_control with the following command:
/bin/chmod -N /etc/security/audit_control
- Identities
-
CCI-000162
Protect audit information from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000163Protect audit information from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000164Protect audit information from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-000171Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.
- 800-53 :: AU-12 b
- 800-53 Rev. 4 :: AU-12 b
- 800-53 Rev. 5 :: AU-12 b
- 800-53A :: AU-12.1 (iii)
CCI-001493Protect audit tools from unauthorized access.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9 a
- 800-53A :: AU-9.1
CCI-001494Protect audit tools from unauthorized modification.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
CCI-001495Protect audit tools from unauthorized deletion.
- 800-53 :: AU-9
- 800-53 Rev. 4 :: AU-9
- 800-53 Rev. 5 :: AU-9
- 800-53A :: AU-9.1
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-269096
- Rule Version
- APPL-15-002023
- Rule Title
- The macOS system must disable sending audio recordings and transcripts to Apple.
- Rule ID
- SV-269096r1034785_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The ability for Apple to store and review audio recordings and transcripts of vocal shortcuts and voice control interactions must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of this information will mitigate the risk of unwanted data being sent to Apple.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable sending audio recordings and transcripts with the following command:
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Accessibility')\
.objectForKey('AXSAudioDonationSiriImprovementEnabled').js
EOS
If the result is not "false", this is a finding.
- Check System
- C-73126r1034782_chk
- Fix Reference
- F-73027r1034783_fix
- Fix Text
-
Configure the macOS system to disable sending audio recordings and transcripts by installing the "com.apple.accessibility" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- SRG-OS-000095-GPOS-00049
- Group ID
- V-269566
- Rule Version
- APPL-15-002024
- Rule Title
- The macOS system must disable sending search data from Spotlight to Apple.
- Rule ID
- SV-269566r1034793_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Sending data to Apple to help improve search must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of search data will mitigate the risk of unwanted data being sent to Apple.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable sending search data from Spotlight with the following command:
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
.objectForKey('Search Queries Data Sharing Status').js
EOS
If the result is not "2", this is a finding.
- Check System
- C-73599r1034791_chk
- Fix Reference
- F-73500r1034792_fix
- Fix Text
-
Configure the macOS system to disable sending search data from Spotlight by installing the "com.apple.assistant.support" configuration profile.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)