| CCE-85274-9 |
auth_pam_login_smartcard_enforce |
Enforce Multifactor Authentication for Login |
The system _MUST_ be configured to enforce multifactor authentication. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise of the system. NOTE: /etc/pam.d/login will automatically be reverted to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
LOGIN_END
/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
---- |
IA-2(1) IA-2(2) IA-2(8) |
3.5.3 |
SRG-OS-000480-GPOS-00227 |
APPL-11-003050 |
CCI-000366 |
| CCE-85275-6 |
auth_pam_su_smartcard_enforce |
Enforce Multifactor Authentication for the su Command |
The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise of the system. NOTE: /etc/pam.d/su will automatically be reverted to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_rootok.so
auth       required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_permit.so
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
SU_END
# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
---- |
IA-2(1) IA-2(2) IA-2(8) |
3.5.3 |
SRG-OS-000480-GPOS-00227 |
APPL-11-003051 |
CCI-000366 |
| CCE-85276-4 |
auth_pam_sudo_smartcard_enforce |
Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command |
The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise of the system. NOTE: /etc/pam.d/sudo will automatically be reverted to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
SUDO_END
/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
---- |
IA-2(1) IA-2(2) IA-2(8) |
3.5.3 |
SRG-OS-000107-GPOS-00054 SRG-OS-000480-GPOS-00227 |
APPL-11-003052 |
CCI-000366 |
| CCE-85277-2 |
auth_smartcard_allow |
Allow Smartcard Authentication |
Smartcard authentication _MUST_ be allowed. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('allowSmartCard').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:
[source,xml]
----
<key>allowSmartCard</key>
<true/>
---- |
IA-2(1) IA-2(2) IA-2(12) |
|
SRG-OS-000376-GPOS-00161 |
|
|
| CCE-85278-0 |
auth_smartcard_certificate_trust_enforce_high |
Set Smartcard Certificate Trust to High |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard _MUST_ meet the following criteria: the issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smartcard certificate trust level to high, the system performs a hard revocation check, i.e., a network connection is required and a verified positive response from the OCSP/CRL server is required for authentication to succeed. NOTE: Before applying this setting, please see the smartcard supplemental guidance. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('checkCertificateTrust').js
EOS
---- |
{'integer': 3} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:
[source,xml]
----
<key>checkCertificateTrust</key>
<integer>3</integer>
---- |
IA-5(2) SC-17 |
|
|
|
|
| CCE-85279-8 |
auth_smartcard_certificate_trust_enforce_moderate |
Set Smartcard Certificate Trust to Moderate |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard _MUST_ meet the following criteria: the issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smartcard certificate trust level to moderate, the system performs a soft revocation check, i.e., if the OCSP/CRL server is unreachable, authentication will still succeed. NOTE: Before applying this setting, please see the smartcard supplemental guidance. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('checkCertificateTrust').js
EOS
---- |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:
[source,xml]
----
<key>checkCertificateTrust</key>
<integer>2</integer>
---- |
IA-5(2) SC-17 |
|
SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 SRG-OS-000384-GPOS-00167 SRG-OS-000403-GPOS-00182 SRG-OS-000067-GPOS-00035 |
APPL-11-001060 |
CCI-000186 CCI-002470 CCI-001991 CCI-001953 CCI-001954 |
| CCE-85280-6 |
auth_smartcard_enforce |
Enforce Smartcard Authentication |
Smartcard authentication _MUST_ be enforced. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard applies to the whole system. No users will be able to log in with their password unless the profile is removed or a user is exempt from smartcard enforcement. NOTE: enforceSmartCard requires allowSmartCard to be set to true in order to work. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('enforceSmartCard').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:
[source,xml]
----
<key>enforceSmartCard</key>
<true/>
---- |
IA-2(1) IA-2(2) IA-2(6) IA-2 IA-5(2) IA-2(12) IA-2(8) |
3.5.1 3.5.2 3.5.3 |
SRG-OS-000068-GPOS-00036 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 |
APPL-11-003020 |
CCI-000187 CCI-000767 CCI-000768 |
| CCE-85281-4 |
auth_ssh_password_authentication_disable |
Disable Password Authentication for SSH |
If remote login through SSH is enabled, password-based authentication _MUST_ be disabled for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise of the system. NOTE: /etc/ssh/sshd_config will automatically be reverted to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -Ec '^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)' /etc/ssh/sshd_config |
{'integer': 2} |
[source,bash]
----
/usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config
/bin/launchctl kickstart -k system/com.openssh.sshd
---- |
IA-2(1) IA-2(2) IA-2(6) IA-2 IA-5(2) MA-4 IA-2(8) |
3.5.1 3.5.2 3.5.3 3.7.5 |
|
|
|
| CCE-85251-7 |
audit_acls_files_configure |
Configure Audit Log Files to Not Contain Access Control Lists |
The audit log files _MUST_ not contain access control lists (ACLs). This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. |
Script |
/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash]
----
/bin/chmod -RN $(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control)
---- |
SI-11 AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 SRG-OS-000206-GPOS-00084 |
APPL-11-000030 |
CCI-000162 CCI-001314 |
| CCE-85252-5 |
audit_acls_folders_configure |
Configure Audit Log Folder to Not Contain Access Control Lists |
The audit log folder _MUST_ not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs. |
Script |
/bin/ls -lde $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash]
----
/bin/chmod -N $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
---- |
AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 |
APPL-11-000031 |
CCI-000162 |
| CCE-85254-1 |
audit_auditd_enabled |
Enable Security Auditing |
The information system _MUST_ be configured to generate audit records. Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in its efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. NOTE: Security auditing is enabled by default on macOS. |
Script |
/bin/launchctl list | /usr/bin/grep -c com.apple.auditd |
{'integer': 1} |
[source,bash]
----
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
---- |
AU-3 AU-3(1) AU-8 AU-12 AU-12(1) AU-12(3) AU-14(1) MA-4(1) CM-5(1) |
3.3.1 3.3.2 3.3.7 |
SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000055-GPOS-00026 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000303-GPOS-00120 SRG-OS-000337-GPOS-00129 SRG-OS-000358-GPOS-00145 SRG-OS-000359-GPOS-00146 |
APPL-11-001003 |
CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000159 CCI-001464 CCI-001487 CCI-001889 CCI-001890 CCI-001914 CCI-002130 |
| CCE-85255-8 |
audit_configure_capacity_notify |
Configure Audit Capacity Warning |
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs. |
Script |
/usr/bin/grep -c "^minfree:25" /etc/security/audit_control |
{'integer': 1} |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AU-5(1) |
|
SRG-OS-000343-GPOS-00134 |
APPL-11-001030 |
CCI-001855 |
| CCE-85495-0 |
audit_control_acls_configure |
Configure Audit_Control to Not Contain Access Control Lists |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). |
Script |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash]
----
/bin/chmod -N /etc/security/audit_control
---- |
AU-9 |
|
|
|
|
| CCE-85496-8 |
audit_control_group_configure |
Configure Audit_Control Group to Wheel |
/etc/security/audit_control _MUST_ have the group set to wheel. |
Script |
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/chgrp wheel /etc/security/audit_control
---- |
AU-9 |
|
|
|
|
| CCE-85497-6 |
audit_control_mode_configure |
Configure Audit_Control Owner to Mode 440 or Less Permissive |
/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel. |
Script |
/bin/ls -l /etc/security/audit_control | awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
/bin/chmod 440 /etc/security/audit_control
---- |
AU-9 |
|
|
|
|
| CCE-85498-4 |
audit_control_owner_configure |
Configure Audit_Control Owner to Root |
/etc/security/audit_control _MUST_ have the owner set to root. |
Script |
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}' |
{'integer': 0} |
[source,bash]
----
/usr/sbin/chown root /etc/security/audit_control
---- |
AU-9 |
|
|
|
|
| CCE-85257-4 |
audit_failure_halt |
Configure System to Shut Down Upon Audit Failure |
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. |
Script |
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' |
{'integer': 1} |
[source,bash]
----
/usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AU-5 |
3.3.4 |
SRG-OS-000047-GPOS-00023 |
APPL-11-001010 |
CCI-000140 |
| CCE-85258-2 |
audit_files_group_configure |
Configure Audit Log Files Group to Wheel |
Audit log files _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. |
Script |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/chgrp -R wheel $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
---- |
AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 |
APPL-11-001014 |
CCI-000162 |
| CCE-85259-0 |
audit_files_mode_configure |
Configure Audit Log Files to Mode 440 or Less Permissive |
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. |
Script |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash]
----
/bin/chmod 440 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
---- |
AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 |
APPL-11-001016 |
CCI-000162 |
| CCE-85260-8 |
audit_files_owner_configure |
Configure Audit Log Files to be Owned by Root |
Audit log files _MUST_ be owned by root. The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' |
{'integer': 0} |
[source,bash]
----
/usr/sbin/chown -R root $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')/*
---- |
AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 |
APPL-11-001012 |
CCI-000162 |
| CCE-85261-6 |
audit_flags_aa_configure |
Configure System to Audit All Authorization and Authentication Events |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events. Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 MA-4(1) CM-5(1) |
3.3.1 3.3.2 |
SRG-OS-000470-GPOS-00214 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000475-GPOS-00220 |
APPL-11-001044 |
CCI-000172 |
| CCE-85262-4 |
audit_flags_ad_configure |
Configure System to Audit All Administrative Action Events |
The auditing system _MUST_ be configured to flag administrative action (ad) events. Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AC-6(9) AU-12 AC-2(4) AU-2 MA-4(1) CM-5(1) |
3.1.7 3.3.1 3.3.2 |
SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000327-GPOS-00127 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 |
APPL-11-001001 |
CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002234 CCI-002884 |
| CCE-85499-2 |
audit_flags_configure |
Configure Audit Flags |
The auditing system _MUST_ be configured with at least the minimal flags of fm, ad, -ex, aa, -fr, lo, and -fw. |
Script |
/usr/bin/sed -n 's/^flags://p' /etc/security/audit_control | /usr/bin/grep -ce 'fm,ad,\-ex,aa,\-fr,lo,\-fw' |
{'integer': 1} |
[source,bash]
----
/usr/bin/sed -i '' 's/^flags:.*/flags:fm,ad,\-ex,aa,\-fr,lo,\-fw/' /etc/security/audit_control
/usr/sbin/audit -s
----
NOTE: This fix replaces the contents of the flags: line in `/etc/security/audit_control`; if you have customized the flags, your changes may be overwritten. |
AC-2(12) AU-12 AU-2 MA-4(1) CM-5(1) |
|
|
|
|
| CCE-85263-2 |
audit_flags_ex_configure |
Configure System to Audit All Failed Program Execution on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 CM-5(1) |
3.3.1 3.3.2 |
|
|
|
| CCE-85264-0 |
audit_flags_fd_configure |
Configure System to Audit All Deletions of Object Attributes |
The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
|
SRG-OS-000365-GPOS-00152 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000474-GPOS-00219 SRG-OS-000057-GPOS-00027 |
APPL-11-001020 |
CCI-000172 CCI-001814 |
| CCE-85264-0 |
audit_flags_fm_configure |
Configure System to Audit All Failed Change of Object Attributes |
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fm' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
3.3.1 3.3.2 3.3.8 |
SRG-OS-000365-GPOS-00152 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000474-GPOS-00219 SRG-OS-000057-GPOS-00027 |
APPL-11-001020 |
CCI-000172 CCI-001814 |
| CCE-85265-7 |
audit_flags_fr_configure |
Configure System to Audit All Failed Read Actions on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
3.3.1 3.3.2 3.3.8 |
SRG-OS-000365-GPOS-00152 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000474-GPOS-00219 SRG-OS-000057-GPOS-00027 |
APPL-11-001020 |
CCI-000172 CCI-001814 |
| CCE-85266-5 |
audit_flags_fw_configure |
Configure System to Audit All Failed Write Actions on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
3.3.1 3.3.2 3.3.8 |
SRG-OS-000365-GPOS-00152 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000474-GPOS-00219 SRG-OS-000057-GPOS-00027 |
APPL-11-001020 |
CCI-000162 |
| CCE-85267-3 |
audit_flags_lo_configure |
Configure System to Audit All Log In and Log Out Events |
The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk. The information system monitors login and logout events. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo' |
{'integer': 1} |
[source,bash]
----
/usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control
/usr/sbin/audit -s
---- |
AC-2(12) AU-12 AC-17(1) AU-2 MA-4(1) |
3.1.12 3.3.1 3.3.2 |
SRG-OS-000032-GPOS-00013 SRG-OS-000462-GPOS-00206 |
APPL-11-001002 |
CCI-000067 CCI-000172 |
| CCE-85268-1 |
audit_folder_group_configure |
Configure Audit Log Folders Group to Wheel |
Audit log files _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. |
Script |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/chgrp wheel $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
---- |
AU-9 |
3.3.8 |
SRG-OS-000033-GPOS-00014 |
APPL-11-001015 |
CCI-000162 |
| CCE-85269-9 |
audit_folder_owner_configure |
Configure Audit Log Folders to be Owned by Root |
Audit log files _MUST_ be owned by root. The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}' |
{'integer': 0} |
[source,bash]
----
/usr/sbin/chown root $(/usr/bin/awk -F : '/^dir/{print $2}' /etc/security/audit_control)
---- |
AU-9 |
3.3.8 |
SRG-OS-000057-GPOS-00027 |
APPL-11-001013 |
CCI-000162 |
| CCE-85270-7 |
audit_folders_mode_configure |
Configure Audit Log Folders to Mode 700 or Less Permissive |
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to create log folders with mode 700 or less permissive, thereby preventing normal users from reading, modifying, or deleting audit logs. |
Script |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') |
{'integer': 700} |
[source,bash] ---- /bin/chmod 700 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') ---- |
AU-9 |
3.3.8 |
SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000057-GPOS-00027 |
APPL-11-001017 |
CCI-000162 CCI-000163 CCI-000164 |
| CCE-85272-3 |
audit_retention_configure |
Configure Audit Retention to a Minimum of Seven Days |
The audit service _MUST_ be configured to require that records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old. |
Script |
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control |
{'string': '7d'} |
[source,bash] ---- /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AU-11 AU-4 |
NaN |
SRG-OS-000341-GPOS-00132 |
APPL-11-001029 |
CCI-001849 |
| CCE-85500-7 |
audit_retention_configure_sixty_days |
Configure Audit Retention to a Minimum of Sixty Days or One Gigabyte |
The audit service _MUST_ be configured to require that records be kept for sixty days or longer before deletion, unless the system uses a central audit record storage facility. When "expire-after" is set to "60d or 1G", the audit service will not delete audit logs until the log data is at least sixty days old or the log store exceeds one gigabyte, whichever comes first. |
Script |
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control |
{'string': '60d or 1G'} |
[source,bash] ---- /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d or 1G/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AU-11 AU-4 |
NaN |
NaN |
NaN |
NaN |
| CCE-85273-1 |
audit_settings_failure_notify |
Configure Audit Failure Notification |
The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. |
Script |
/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s ---- |
AU-5(2) AU-5 |
3.3.4 |
SRG-OS-000344-GPOS-00135 |
APPL-11-001031 |
CCI-001858 |
| CCE-85293-9 |
os_airdrop_disable |
Disable AirDrop |
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAirDrop').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAirDrop</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) |
3.1.1 3.1.2 3.1.16 3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002009 |
CCI-000381 |
| CCE-85501-5 |
os_anti_virus_installed |
Must Use an Approved Antivirus Program |
An approved antivirus product _MUST_ be installed and configured to run. Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.mrt" => false' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl enable system/com.apple.mrt ---- |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
APPL-11-002070 |
CCI-000366 |
| CCE-85461-2 |
os_apple_mobile_file_integrity_enforce |
Enforce Apple Mobile File Integrity |
Apple Mobile File Integrity (AMFI) is a macOS kernel module that enforces the code-signing validation within Gatekeeper and library validation. AMFI checks the signatures of every app that is run. NOTE: AMFI is enabled by default on macOS systems. |
Script |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" |
{'integer': 0} |
[source,bash] ---- /usr/sbin/nvram boot-args="" ---- NOTE: This fix clears every boot argument, not only amfi_get_out_of_my_way; review the output of "nvram boot-args" first if other arguments are set deliberately. With System Integrity Protection enabled the boot-args variable cannot be written from a normal session, so the change must be made from Recovery. |
SI-7(1) SI-3 |
NaN |
NaN |
NaN |
NaN |
| CCE-85296-2 |
os_appleid_prompt_disable |
Disable Apple ID Setup during Setup Assistant |
The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipCloudSetup').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type: [source,xml] ---- <key>SkipCloudSetup</key> <true/> ---- |
AC-20 |
3.1.20 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002035 |
CCI-000381 |
| CCE-85463-8 |
os_asl_log_files_owner_group_configure |
Configure Apple System Log Files Owned by Root and Group to Wheel |
The Apple System Logs (ASL) _MUST_ be owned by root with the group set to wheel. ASL logs contain sensitive data about the system and users. If ASL log files are set to be readable and writable only by system administrators, the risk is mitigated. |
Script |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash] ---- /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') ---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 |
APPL-11-004001 |
CCI-001314 |
| CCE-85465-3 |
os_asl_log_files_permissions_configure |
Configure Apple System Log Files To Mode 640 or Less Permissive |
The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 or less permissive; thereby preventing normal users from reading, modifying or deleting system logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. NOTE: The "mode=" option on each output line in /etc/asl.conf and /etc/asl/* sets the mode a log is created with after rotation, so it should match the on-disk permissions. |
Script |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash] ---- /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}') ---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 |
APPL-11-004002 |
CCI-001314 |
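The audit_control and ASL rules above each verify one property with a one-line check, and the audit folder check matches only an exact mode of 700. The script below is an added example, not mSCP code, that audits the same locations in one pass with "or less permissive" semantics and also compares the mode declared by "mode=" in asl.conf with the limit. It assumes only standard ls/awk and takes the configuration file paths and the expected numeric owner/group as parameters, so it can be run against constructed files; on a live macOS host the inputs are /etc/security/audit_control, /etc/asl.conf plus /etc/asl/*, and owner/group 0/0 (root:wheel).

```shell
#!/bin/sh
# Added example (not mSCP's own check code): audit the log locations declared in
# an audit_control file and in asl.conf-style files for owner, group and mode.

# Octal permission bits of PATH, derived from the rwx field of "ls -ld" so the
# same code runs on the BSD and GNU variants (setuid/setgid/sticky are ignored).
mode_of() {
    field=$(ls -ld "$1" | cut -c2-10)
    bits=0
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$field" | cut -c"$i")
        bits=$((bits * 2))
        case $c in
            -|S|T) ;;                     # bit clear ('S'/'T' = setuid/sticky without x)
            *) bits=$((bits + 1)) ;;
        esac
        i=$((i + 1))
    done
    printf '%o\n' "$bits"
}

# mode_within PATH MAXMODE: succeeds when PATH sets no bit that MAXMODE lacks,
# i.e. "MAXMODE or less permissive" (600 passes against 700, 750 fails).
mode_within() {
    actual=$(mode_of "$1")
    [ $(( 0$actual & ~0$2 & 0777 )) -eq 0 ]
}

# owner_group_ok PATH UID GID: numeric owner and group (fields 3 and 4 of ls -ldn).
owner_group_ok() {
    ls -ldn "$1" | awk -v u="$2" -v g="$3" '{ exit !($3 == u && $4 == g) }'
}

# Directory named by the "dir:" line of an audit_control file.
audit_dir() { awk -F: '/^dir:/ { print $2; exit }' "$1"; }

# Retention floor in days from the "expire-after:" line. The first time term
# wins ("60d or 1G" -> 60, "1y" -> 365, "12h" -> 0); a size-only value yields 0,
# which the caller should treat as "no time-based retention".
expire_after_days() {
    awk -F: '/^expire-after:/ {
        n = split($2, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (t[i] ~ /^[0-9]+d$/) { print substr(t[i], 1, length(t[i]) - 1); exit }
            if (t[i] ~ /^[0-9]+y$/) { print substr(t[i], 1, length(t[i]) - 1) * 365; exit }
            if (t[i] ~ /^[0-9]+h$/) { print int(substr(t[i], 1, length(t[i]) - 1) / 24); exit }
        }
        print 0; exit
    }' "$1"
}

# "path mode" for every file-output line ("> /path options...") in the given
# asl.conf file(s); mode is the declared mode= option, or "-" when absent.
asl_outputs() {
    awk '$1 == ">" {
        m = "-"
        for (i = 3; i <= NF; i++) if ($i ~ /^mode=/) m = substr($i, 6)
        print $2, m
    }' "$@"
}

# asl_mode_violations MAXMODE CONF...: prints each output file whose declared
# mode sets a bit MAXMODE lacks, or that declares no mode (needs manual review).
asl_mode_violations() {
    max=$1; shift
    asl_outputs "$@" | while read -r path mode; do
        if [ "$mode" = "-" ] || [ $(( 0$mode & ~0$max & 0777 )) -ne 0 ]; then
            echo "$path $mode"
        fi
    done
}

# Live-host usage (run as root on macOS); skipped when the files are absent.
if [ -r /etc/security/audit_control ]; then
    d=$(audit_dir /etc/security/audit_control)
    owner_group_ok "$d" 0 0 && mode_within "$d" 700 && echo "audit dir $d: OK"
    echo "retention floor: $(expire_after_days /etc/security/audit_control) days"
fi
if [ -r /etc/asl.conf ]; then
    asl_mode_violations 640 /etc/asl.conf /etc/asl/* 2>/dev/null
fi
```

The mode comparison is done with a bit mask rather than a string match, so a folder at 600 or a log at 600 passes the 700/640 limits while 750 or 644 fails; the page's own checks would report 600 as a finding for the folder and miss nothing for the files only because they look for the literal "640".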
| CCE-85298-8 |
os_authenticated_root_enable |
Enable Authenticated Root |
Authenticated Root _MUST_ be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. |
Script |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' |
{'integer': 1} |
[source,bash] ---- /usr/bin/csrutil authenticated-root enable ---- NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. |
AC-3 CM-5 SC-34 SI-7(6) SI-7 MA-4(1) |
3.1.1 3.1.2 3.4.5 |
NaN |
NaN |
NaN |
| CCE-85540-3 |
os_blank_bluray_disable |
Disable Blank Blu Ray |
Blank Blu-ray media _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["blankbd"] EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>blankbd</key> <array> <string>deny</string> <string>eject</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85541-1 |
os_blank_cd_disable |
Disable Blank CD |
Blank CD media _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["blankcd"] EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>blankcd</key> <array> <string>deny</string> <string>eject</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85542-9 |
os_blank_dvd_disable |
Disable Blank DVD |
Blank DVD media _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["blankdvd"] EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>blankdvd</key> <array> <string>deny</string> <string>eject</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85482-8 |
os_bluetooth_prefpane_disable |
Disable the Bluetooth System Preference Pane |
The Bluetooth System Preference pane _MUST_ be disabled to prevent access to the bluetooth configuration. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type: [source,xml] ---- <key>DisabledPreferencePanes</key> <array> <string>com.apple.preferences.Bluetooth</string> </array> ---- |
NaN |
NaN |
SRG-OS-000481-GPOS-000481 |
APPL-11-002062 |
CCI-002418 |
| CCE-85543-7 |
os_bluray_read_only_enforce |
Enforce Blu Ray Read Only |
Blu-ray media _MUST_ be set to read only. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to restrict this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["bd"] EOS |
{'string': 'read-only'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>bd</key> <array> <string>read-only</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85299-6 |
os_bonjour_disable |
Disable Bonjour Multicast |
Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ .objectForKey('NoMulticastAdvertisements').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mDNSResponder) payload type: [source,xml] ---- <key>NoMulticastAdvertisements</key> <true/> ---- |
CM-7 CM-7(1) |
3.4.6 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002005 |
CCI-000381 |
| CCE-85544-5 |
os_burn_support_disable |
Disable Burn Support |
Burn support _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable burn support to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== NOTE: "profiles -P -o stdout" renders a boolean true as "= 1", so a profile that sets ProhibitBurn to true appears as "ProhibitBurn = 1" while the verification command below counts "ProhibitBurn = 0"; compare the expected values against the output for the installed profile before relying on the count. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")' |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.finder) payload type: [source,xml] ---- <key>ProhibitBurn</key> <true/> ---- Create a configuration profile containing the following keys in the (com.apple.DiscRecording) payload type: [source,xml] ---- <key>BurnSupport</key> <string>off</string> ---- |
MP-7 |
NaN |
SRG-OS-000480-GPOS-00227 |
APPL-12-005053 |
NaN |
| CCE-85300-2 |
os_calendar_app_disable |
Disable Calendar.app |
The macOS built-in Calendar.app _MUST_ be disabled as this application can establish a connection to non-approved services. This rule is in place to prevent inadvertent data transfers. [IMPORTANT] ==== Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -A 20 familyControlsEnabled | /usr/bin/grep -c "/Applications/Calendar.app" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type: [source,xml] ---- <key>familyControlsEnabled</key> <true/> <key>pathBlackList</key> <array> <string>/Applications/Calendar.app</string> </array> ---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002023 |
CCI-000381 |
| CCE-85301-0 |
os_camera_disable |
Disable Camera |
macOS _MUST_ be configured to disable the camera. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCamera').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCamera</key> <false/> ---- |
NaN |
NaN |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002017 |
CCI-000381 CCI-001150 CCI-001153 |
| CCE-85545-2 |
os_cd_read_only_enforce |
Enforce CD Read Only |
CD media _MUST_ be set to read only. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to restrict this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["cd"] EOS |
{'string': 'read-only'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>cd</key> <array> <string>read-only</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85302-8 |
os_certificate_authority_trust |
Issue or Obtain Public Key Certificates from an Approved Service Provider |
The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain. |
Manual |
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' |
{'string': 'a list containing approved root certificates'} |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain. |
SC-17 |
NaN |
SRG-OS-000066-GPOS-00034 SRG-OS-000478-GPOS-00223 |
APPL-11-003001 |
CCI-000185 CCI-002450 |
| CCE-85466-1 |
os_config_data_install_enforce |
Enforce Installation of XProtect, MRT, and Gatekeeper Updates Automatically |
Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeeper automatically. This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. link:https://support.apple.com/en-us/HT207005[] NOTE: Software Update automatically updates XProtect, MRT, and Gatekeeper by default in macOS. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('ConfigDataInstall').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>ConfigDataInstall</key> <true/> ---- |
SI-3 SI-2(5) |
NaN |
NaN |
NaN |
NaN |
| CCE-85494-3 |
os_directory_services_configured |
Integrate System into a Directory Services Infrastructure |
The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. |
Manual |
/usr/bin/dscl localhost -list . | /usr/bin/grep -vE '(Contact|Search|Local|^$)'; /bin/echo $? |
{'integer': 0} |
Integrate the system into an existing directory services infrastructure. |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
APPL-11-000016 |
CCI-000366 |
| CCE-85546-0 |
os_disk_image_disable |
Disable Disk Images |
Disk images _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable disk images to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["disk-image"] EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>disk-image</key> <array> <string>deny</string> <string>eject</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85547-8 |
os_dvdram_disable |
Disable DVD-RAM |
DVD-RAM media _MUST_ be disabled. [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable this media type to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== [IMPORTANT] ==== Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\ .objectForKey('mount-controls'))["dvdram"] EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type: [source,xml] ---- <key>mount-controls</key> <dict> <key>dvdram</key> <array> <string>deny</string> <string>eject</string> </array> </dict> ---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 SRG-OS-000319-GPOS-00164 |
APPL-12-005051 |
NaN |
| CCE-85502-3 |
os_efi_integrity_validated |
Ensure Extensible Firmware Interface Version is Valid |
The macOS Extensible Firmware Interface (EFI) _MUST_ be checked to ensure it is a known good version from Apple. |
Manual |
if /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q AppleSEPManager; then echo "1"; else /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | /usr/bin/grep -c "No changes detected"; fi |
{'integer': 1} |
Install a known good version of macOS. |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85467-9 |
os_ess_installed |
Must Use Endpoint Security Solutions |
The approved Endpoint Security Solutions (ESS) _MUST_ be installed and configured to run. The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET. |
Manual |
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system. If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding. |
NaN |
Install the approved ESS solution onto the system. |
NaN |
NaN |
SRG-OS-000191-GPOS-00080 |
APPL-11-000015 |
CCI-001233 |
| CCE-85308-5 |
os_facetime_app_disable |
Disable FaceTime.app |
The macOS built-in FaceTime.app _MUST_ be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type: [source,xml] ---- <key>familyControlsEnabled</key> <true/> <key>pathBlackList</key> <array> <string>/Applications/FaceTime.app</string> </array> ---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
NaN |
NaN |
NaN |
| CCE-85311-9 |
os_filevault_authorized_users |
FileVault Authorized Users |
macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup. |
Script |
/usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' |
{'string': 'a list containing authorized users that can unlock FileVault'} |
Remove the user that is not authorized to unlock FileVault using the fdesetup command. [source,bash] ---- /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME ---- |
AC-2(11) |
NaN |
SRG-OS-000480-GPOS-00227 |
APPL-11-000032 |
CCI-002143 |
| CCE-85310-1 |
os_filevault_autologin_disable |
Disable FileVault Automatic Login |
If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('DisableFDEAutoLogin').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>DisableFDEAutoLogin</key> <true/> ---- |
AC-3 IA-5(13) AC-2(11) |
3.1.1 3.1.2 |
SRG-OS-000480-GPOS-00227 |
APPL-11-000033 |
CCI-002143 |
| CCE-85312-7 |
os_firewall_default_deny_require |
Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy |
A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. If you are using a third-party firewall solution, this setting does not apply. [IMPORTANT] ==== Configuring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== |
Manual |
/sbin/pfctl -a '*' -sr 2> /dev/null | /usr/bin/grep -c "block drop in all" |
{'integer': 1} |
NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule. |
AC-4 SC-7(5) |
3.1.3 3.13.6 |
NaN |
NaN |
NaN |
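The rule above points to a separate firewall supplemental for an example policy. The script below is an added example, not the mSCP supplemental, showing the shape such a policy takes in pf: a default inbound block written before the allow-by-exception rules (pf keeps the last matching rule unless a rule says "quick"), a stateful outbound pass so replies come back, and the loopback interface left alone. The anchor name, anchor file path, and the port list are this example's own choices; pf_apply must run as root on the macOS host.

```shell
#!/bin/sh
# Added example (not the mSCP firewall supplemental): build a pf anchor that
# applies a deny-all, allow-by-exception inbound policy and load it.
ANCHOR_NAME=mscp_example                       # example name, not an mSCP one
ANCHOR_FILE="/etc/pf.anchors/$ANCHOR_NAME"

# pf_ruleset PORT...: print the ruleset. pf applies the LAST matching rule
# unless a rule carries "quick", so the default block is written first and each
# allowed inbound TCP port after it. "keep state" on the outbound rule creates
# the state entries that let replies to outbound connections back in.
pf_ruleset() {
    printf '%s\n' \
        'set block-policy drop' \
        'scrub in all fragment reassemble' \
        'pass quick on lo0 all' \
        'block drop in all' \
        'pass out all keep state'
    for port in "$@"; do
        printf 'pass in proto tcp from any to any port %s keep state\n' "$port"
    done
}

# pf_apply PORT...: write the anchor file, reference it from /etc/pf.conf once,
# reload the whole ruleset and make sure pf is enabled (pfctl -e complains if it
# already is, which is harmless here).
pf_apply() {
    pf_ruleset "$@" > "$ANCHOR_FILE"
    if ! grep -q "anchor \"$ANCHOR_NAME\"" /etc/pf.conf; then
        printf 'anchor "%s"\nload anchor "%s" from "%s"\n' \
            "$ANCHOR_NAME" "$ANCHOR_NAME" "$ANCHOR_FILE" >> /etc/pf.conf
    fi
    pfctl -f /etc/pf.conf && { pfctl -e 2>/dev/null || true; }
}

# pf_default_deny_loaded: the rule's check with the redirection corrected so the
# rule listing actually reaches grep (only stderr is silenced).
pf_default_deny_loaded() {
    pfctl -a '*' -sr 2>/dev/null | grep -q 'block drop in all'
}

# Usage on the host (as root), allowing only SSH and HTTPS inbound:
#   pf_apply 22 443 && pf_default_deny_loaded && echo "default deny active"
```

Running pf_ruleset with no ports yields the pure deny-all policy; adding ports appends one exception each. Before applying this on a managed Mac, list the services the host must accept (management agents, remote support, screen sharing) and pass only those ports, since anything not listed is dropped silently by "set block-policy drop".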
| CCE-85313-5 |
os_firewall_log_enable |
Enable Firewall Logging |
Firewall logging _MUST_ be enabled. Firewall logging ensures that malicious network activity will be logged to the system. NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem com.apple.alf and the data is marked as private. |
Script |
/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep -c "Log mode is on" |
{'integer': 1} |
[source,bash] ---- /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on ---- |
AU-12 SC-7 |
3.3.1 3.3.2 3.13.1 3.13.2 3.13.5 |
NaN |
NaN |
NaN |
| CCE-85314-3 |
os_firmware_password_require |
Enable Firmware Password |
A firmware password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware passcode use the following command: [source,bash] ---- /usr/sbin/firmwarepasswd -setpasswd ---- NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated. NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices. |
Manual |
/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" |
{'integer': 1} |
NOTE: See discussion on remediation and how to enable firmware password. |
AC-6 |
3.1.5 |
SRG-OS-000480-GPOS-00227 |
APPL-11-003013 |
CCI-000366 |
| CCE-85315-0 |
os_gatekeeper_enable |
Enable Gatekeeper |
Gatekeeper _MUST_ be enabled. Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party. Administrator users will still have the option to override these settings on a case-by-case basis. |
Script |
/usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.control) payload type: [source,xml] ---- <key>EnableAssessment</key> <true/> ---- |
CM-14 CM-5 SI-7(1) SI-7(15) SI-3 |
3.4.5 |
SRG-OS-000366-GPOS-00153 |
APPL-11-002064 |
CCI-001749 |
| CCE-85316-8 |
os_gatekeeper_rearm |
Enforce Gatekeeper 30 Day Automatic Rearm |
Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\ .objectForKey('GKAutoRearm').js EOS |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within it, each containing its defined payload type. Create a configuration profile containing the following keys in the (com.apple.security) payload type: [source,xml] ---- <key>GKAutoRearm</key> <true/> ---- |
CM-5 |
3.4.5 |
NaN |
NaN |
NaN |
| CCE-85503-1 |
os_guest_folder_removed |
Remove Guest Folder if Present |
The guest folder _MUST_ be deleted if present. |
Script |
/bin/ls /Users/ | /usr/bin/grep -c "Guest" |
{'integer': 0} |
[source,bash] ---- /bin/rm -Rf /Users/Guest ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85321-8 |
os_handoff_disable |
Disable Handoff |
Handoff _MUST_ be disabled. Handoff allows a user to continue working on a document or project when switching from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowActivityContinuation').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:

[source,xml]
----
<key>allowActivityContinuation</key>
<false/>
---- |
AC-3 AC-20 CM-7 CM-7(1) |
3.1.1 3.1.2 3.1.20 3.4.6 |
|
|
|
| CCE-85504-9 |
os_hibernate_mode_destroyfvkeyonstandby_enable |
Enable DestroyFVKeyOnStandby on Hibernate |
DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('DestroyFVKeyOnStandby').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type:

[source,xml]
----
<key>DestroyFVKeyOnStandby</key>
<true/>
---- |
|
|
|
|
|
| CCE-85505-6 |
os_hibernate_mode_enable |
Enable Hibernate Mode |
Hibernate mode _MUST_ be enabled. NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. |
Script |
error_count=0
# Read the current standby and hibernate settings from pmset.
hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
# Count of "MacBook" matches in the hardware model name.
macType=$(/usr/sbin/system_profiler SPHardwareDataType 2>&1 | /usr/bin/grep -c MacBook)
if [[ "$macType" -ge 0 ]]; then
  # Each value missing or outside the required range is one error.
  if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 600 ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 600 ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
    ((error_count++))
  fi
fi
echo "$error_count" |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a standbydelayhigh 600
/usr/bin/pmset -a standbydelaylow 600
/usr/bin/pmset -a highstandbythreshold 90
---- |
|
|
|
|
|
| CCE-85322-6 |
os_home_folders_secure |
Secure User's Home Folders |
The system _MUST_ be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within. |
Script |
/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -perm -1 | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
IFS=$'\n'
for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -perm -1 | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do
  /bin/chmod og-rwx "$userDirs"
done
unset IFS
---- |
AC-6 |
3.1.5 |
SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00230 |
APPL-11-002068 |
CCI-000366 |
| CCE-85323-4 |
os_httpd_disable |
Disable the Built-in Web Server |
The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. NOTE: The built-in web server service is disabled at startup by default in macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/org.apache.httpd
---- |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002008 |
CCI-000381 |
| CCE-85324-2 |
os_icloud_storage_prompt_disable |
Disable iCloud Storage Setup during Setup Assistant |
The prompt to set up iCloud storage services during Setup Assistant _MUST_ be disabled. The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipiCloudStorageSetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:

[source,xml]
----
<key>SkipiCloudStorageSetup</key>
<true/>
---- |
AC-20 |
3.1.20 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002037 |
CCI-000381 |
| CCE-85506-4 |
os_install_log_retention_configure |
Configure Install.log Retention to 365 Days or More |
The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. |
Script |
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '
  # Count every configuration that references /var/log/install.log.
  /\/var\/log\/install.log/ { count++ }
  # Within the com.apple.install module block, look for a TTL of at least 365 and any MAX size.
  # The loop bound is NF (fields in the record); the original iterated to NR, which only worked by accident.
  /Processing module com.apple.install/,/Finished/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "TTL" && $(i+2) >= 365) { ttl = "True" }
      if ($i == "MAX") { max = "True" }
    }
  }
  END {
    if (count > 1) { print "Multiple config files for /var/log/install, manually remove" }
    else if (ttl != "True") { print "TTL not configured" }
    else if (max == "True") { print "Max Size is configured, must be removed" }
    else { print "Yes" }
  }' |
{'string': 'Yes'} |
[source,bash]
----
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
----

NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. |
AU-11 AU-4 |
|
|
|
|
| CCE-85329-1 |
os_ir_support_disable |
Disable Infrared (IR) support |
Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. By default, if IR is enabled, the system will accept IR control from any remote device. NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.driver.AppleIRController')\
.objectForKey('DeviceEnabled').js
EOS |
{'string': 'false'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.

Create a configuration profile containing the following keys in the (com.apple.driver.AppleIRController) payload type:

[source,xml]
----
<key>DeviceEnabled</key>
<false/>
---- |
AC-18 CM-7 CM-7(1) |
3.1.16 3.4.6 |
SRG-OS-000480-GPOS-00227 |
|
CCI-000366 |
| CCE-85507-2 |
os_library_validation_enabled |
Enable Library Validation |
Library validation _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.libraryvalidation')\
.objectForKey('DisableLibraryValidation').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.security.libraryvalidation) payload type:

[source,xml]
----
<key>DisableLibraryValidation</key>
<false/>
---- |
|
|
|
|
|
| CCE-85336-6 |
os_mail_app_disable |
Disable Mail App |
The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.

[IMPORTANT]
====
Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:

[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/Mail.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
|
|
|
| CCE-85338-2 |
os_mdm_require |
Enforce Enrollment in Mobile Device Management |
You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:

* Allowed Kernel Extensions
* Allowed Approved System Extensions
* Privacy Preferences Policy Control Payload
* ExtensibleSingleSignOn
* FDEFileVault

In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:

* Activation Lock Bypass
* Access to Bootstrap Tokens
* Scheduling Software Updates
* Query list and delete local users |
Manual |
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)" |
{'integer': 1} |
Ensure that system is enrolled via UAMDM. |
CM-2 CM-6 |
3.4.1 3.4.2 |
|
|
|
| CCE-85339-0 |
os_messages_app_disable |
Disable Messages App |
The macOS built-in Messages.app _MUST_ be disabled. The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:

[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/Messages.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
|
|
|
| CCE-85508-0 |
os_mobile_file_integrity_enable |
Enable Apple Mobile File Integrity |
Mobile file integrity _MUST_ be enabled. |
Script |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" |
{'integer': 0} |
[source,bash]
----
/usr/sbin/nvram boot-args=""
---- |
|
|
|
|
|
| CCE-85469-5 |
os_newsyslog_files_owner_group_configure |
Configure System Log Files Owned by Root and Group to Wheel |
The system log files _MUST_ be owned by root. System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash]
----
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
---- |
SI-11 |
|
SRG-OS-000206-GPOS-00084 |
APPL-11-004001 |
CCI-001314 |
| CCE-85470-3 |
os_newsyslog_files_permissions_configure |
Configure System Log Files to Mode 640 or Less Permissive |
The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 or less permissive, thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. |
Script |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash]
----
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/awk -F":" '!/640/{print $2}')
---- |
SI-11 |
|
SRG-OS-000206-GPOS-00084 |
APPL-11-004002 |
CCI-001314 |
| CCE-85342-4 |
os_nfsd_disable |
Disable Network File System Service |
Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => true' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.nfsd
----

The system may need to be restarted for the update to take effect. |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002003 |
CCI-000381 |
| CCE-85350-7 |
os_parental_controls_enable |
Enable Parental Controls |
Parental Controls _MUST_ be enabled. Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline. Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('familyControlsEnabled').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:

[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
---- |
CM-7(2) |
3.4.7 |
SRG-OS-000362-GPOS-00149 SRG-OS-000368-GPOS-00154 |
|
CCI-001812 CCI-001764 |
| CCE-85351-5 |
os_password_autofill_disable |
Disable Password Autofill |
Password Autofill _MUST_ be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordAutoFill').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:

[source,xml]
----
<key>allowPasswordAutoFill</key>
<false/>
---- |
IA-5(13) CM-7 CM-7(1) IA-11 IA-5 |
3.4.6 3.5.1 3.5.2 |
|
|
|
| CCE-85509-8 |
os_password_hint_remove |
Remove Password Hint From User Accounts |
User accounts _MUST_ not contain password hints. |
Script |
/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  /usr/bin/dscl . -delete /Users/$u hint
done
---- |
IA-6 |
3.5.11 |
|
|
|
| CCE-85352-3 |
os_password_proximity_disable |
Disable Proximity Based Password Sharing Requests |
Proximity based password sharing requests _MUST_ be disabled. The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordProximityRequests').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:

[source,xml]
----
<key>allowPasswordProximityRequests</key>
<false/>
---- |
IA-5 |
3.5.1 3.5.2 |
|
|
|
| CCE-85353-1 |
os_password_sharing_disable |
Disable Password Sharing |
Password Sharing _MUST_ be disabled. The default behavior of macOS is to allow users to share a password over AirDrop with other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordSharing').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:

[source,xml]
----
<key>allowPasswordSharing</key>
<false/>
---- |
IA-5 |
3.5.1 3.5.2 |
|
|
|
| CCE-85355-6 |
os_policy_banner_loginwindow_enforce |
Display Policy Banner at Login Window |
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. NOTE: The banner text of the document _MUST_ read: "You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." |
Script |
/bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 1} |
[source,bash]
----
bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning."
# The banner is written as an RTFD bundle (a directory containing TXT.rtf);
# a directory must use the .rtfd name, not .rtf, to be read by the login window.
/bin/mkdir /Library/Security/PolicyBanner.rtfd
/usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtfd/TXT.rtf -stdin <<EOF
$bannerText
EOF
---- |
AC-8 |
3.1.9 |
SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 |
APPL-11-000025 |
CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
| CCE-85356-4 |
os_policy_banner_ssh_configure |
Display Policy Banner at Remote Login |
Remote login service _MUST_ be configured to display a policy banner at login. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
Script |
bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning."
/usr/bin/grep -c "$bannerText" /etc/banner |
{'integer': 1} |
[source,bash]
----
bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning."
/bin/echo "${bannerText}" > /etc/banner
---- |
AC-8 |
3.1.9 |
SRG-OS-000023-GPOS-00006 |
APPL-11-000023 |
CCI-000048 |
| CCE-85357-2 |
os_policy_banner_ssh_enforce |
Enforce SSH to Display Policy Banner |
SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^Banner /etc/banner" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash]
----
/usr/bin/sed -i.bak 's/^[\#]*Banner.*/Banner \/etc\/banner/' /etc/ssh/sshd_config
---- |
AC-8 |
3.1.9 |
SRG-OS-000023-GPOS-00006 |
APPL-11-000024 |
CCI-000048 CCI-000050 |
| CCE-85362-2 |
os_privacy_setup_prompt_disable |
Disable Privacy Setup Services During Setup Assistant |
The prompt for Privacy Setup services during Setup Assistant _MUST_ be disabled. Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipPrivacySetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:

[source,xml]
----
<key>SkipPrivacySetup</key>
<true/>
---- |
CM-7 CM-7(1) |
|
SRG-OS-000095-GPOS-00049 |
APPL-11-002036 |
CCI-000381 |
| CCE-85483-6 |
os_recovery_lock_enable |
Enable Recovery Lock |
A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. NOTE: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. NOTE: This feature was added in macOS Big Sur version 11.5. |
Manual |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockedEnabled = 1" |
{'integer': 1} |
NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password. |
AC-6 |
3.1.5 |
|
|
|
| CCE-85370-5 |
os_removable_media_disable |
Disable Removable Storage Devices |
Removable media, such as USB connected external hard drives, thumb drives, and optical media, _MUST_ be disabled for users. Disabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion).

[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====

[IMPORTANT]
====
Apple has deprecated the use of media mount controls; using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["harddisk-external"]
EOS |
{'string': 'deny,eject'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:

[source,xml]
----
<key>mount-controls</key>
---- |
MP-7 |
3.8.8 |
SRG-OS-000480-GPOS-00227 |
APPL-11-005051 |
|
| CCE-85374-7 |
os_root_disable |
Disable Root Login |
To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. |
Script |
/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" |
{'integer': 1} |
[source,bash]
----
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
---- |
IA-2 IA-2(5) IA-5 |
3.5.1 3.5.2 |
|
|
|
| CCE-85510-6 |
os_safari_open_safe_downloads_disable |
Disable Automatic Opening of Safe Files in Safari |
Open "safe" files after downloading _MUST_ be disabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:

[source,xml]
----
<key>AutoOpenSafeDownloads</key>
<false/>
---- |
|
|
|
|
|
| CCE-85375-4 |
os_screensaver_loginwindow_enforce |
Enforce Screen Saver at Login Window |
A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('loginWindowModulePath').js
EOS |
{'string': '/System/Library/Screen Savers/Flurry.saver'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:

[source,xml]
----
<key>loginWindowModulePath</key>
<string>/System/Library/Screen Savers/Flurry.saver</string>
---- |
AC-11(1) |
3.1.10 |
SRG-OS-000031-GPOS-00012 |
APPL-11-000006 |
CCI-000060 |
| CCE-85376-2 |
os_secure_boot_verify |
Ensure Secure Boot Level Set to Full |
The Secure Boot security setting _MUST_ be set to full. Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on T2 or Apple Silicon Macs. |
Manual |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" |
{'integer': 1} |
NOTE: Boot into Recovery Mode and enable Full Secure Boot. |
SI-7 SI-7(1) SI-7(5) SI-6 |
|
SRG-OS-000446-GPOS-00200 |
|
|
| CCE-85511-4 |
os_show_filename_extensions_enable |
Enable Show All Filename Extensions |
Show all filename extensions _MUST_ be enabled in the Finder.

[NOTE]
====
The check and fix are for the currently logged in user. To get the currently logged in user, run the following.

[source,bash]
----
CURRENT_USER=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
----
==== |
Script |
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null |
{'boolean': 1} |
[source,bash]
----
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
---- |
|
|
|
|
|
| CCE-85378-8 |
os_sip_enable |
Ensure System Integrity Protection is Enabled |
System Integrity Protection (SIP) _MUST_ be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. NOTE: SIP is enabled by default in macOS. |
Script |
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' |
{'integer': 1} |
[source,bash] ---- /usr/bin/csrutil enable ---- NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. |
AC-3 AU-9 AU-9(3) CM-5 CM-5(6) SC-4 SI-2 SI-7 |
3.1.1 3.1.2 3.3.6 3.3.8 3.4.5 3.13.4 |
SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000122-GPOS-00063 SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000259-GPOS-00100 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 |
APPL-11-005001 |
CCI-000154 CCI-000158 CCI-000169 CCI-001493 CCI-001494 CCI-001495 CCI-001499 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 |
| CCE-85379-6 |
os_siri_prompt_disable |
Disable Siri Setup during Setup Assistant |
The prompt for Siri during Setup Assistant _MUST_ be disabled. Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to guard against the risk of individuals electing Siri settings with the potential to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipSiriSetup').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type: [source,xml] ---- <key>SkipSiriSetup</key> <true/> ---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002039 |
CCI-000381 CCI-001774 |
| CCE-85382-0 |
os_ssh_fips_140_ciphers |
Limit SSH to FIPS 140 Validated Ciphers |
SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/ssh_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^Ciphers' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/ssh_config \|\| /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/ssh_config ---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
3.1.13 3.13.8 3.13.11 |
NaN |
NaN |
NaN |
| CCE-85383-8 |
os_ssh_fips_140_macs |
Limit SSH to FIPS 140 Validated Message Authentication Code Algorithms |
SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/ssh_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^MACs' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/ssh_config \|\| /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/ssh_config ---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
3.1.13 3.13.8 3.13.11 |
SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174 |
APPL-11-000055 |
CCI-000087 CCI-000068 CCI-000803 CCI-002890 CCI-003123 |
| CCE-85380-4 |
os_ssh_server_alive_count_max_configure |
Set SSH Active Server Alive Maximum to Zero |
SSH _MUST_ be configured with an Active Server Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config \|\| /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config ---- |
SC-10 |
3.13.9 |
NaN |
NaN |
NaN |
| CCE-85381-2 |
os_ssh_server_alive_interval_configure |
Configure SSH ServerAliveInterval option set to 900 or less |
SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. Setting the Active Server Alive Maximum Count to 900 (seconds) will log users out after a 15-minute interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config \|\| /bin/echo 'ServerAliveInterval 900' >> /etc/ssh/ssh_config ---- |
SC-10 AC-12 |
3.13.9 |
NaN |
NaN |
NaN |
| CCE-85456-2 |
os_sshd_client_alive_count_max_configure |
Set SSHD Active Client Alive Maximum to Zero |
If SSHD is enabled it _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
SC-10 |
3.13.9 |
SRG-OS-000163-GPOS-00072 |
APPL-11-000052 |
CCI-001133 |
| CCE-85457-0 |
os_sshd_client_alive_interval_configure |
Configure SSHD ClientAliveInterval option set to 900 or less |
If SSHD is enabled then it _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. Setting the Active Client Alive Maximum Count to 900 (seconds) will log users out after a 15-minute interval of inactivity. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^ClientAliveInterval 900" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
SC-10 AC-12 |
3.13.9 |
SRG-OS-000163-GPOS-00072 |
APPL-11-000051 |
CCI-001133 |
| CCE-85454-7 |
os_sshd_fips_140_ciphers |
Limit SSHD to FIPS 140 Validated Ciphers |
If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config \|\| /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
3.1.13 3.13.8 3.13.11 |
SRG-OS-000033-GPOS-00014 |
APPL-11-000054 |
CCI-000803 CCI-000068 CCI-000087 CCI-003123 CCI-002890 |
| CCE-85453-9 |
os_sshd_fips_140_macs |
Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms |
If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config \|\| /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
3.1.13 3.13.8 3.13.11 |
SRG-OS-000033-GPOS-00014 |
APPL-11-000055 |
CCI-000087 CCI-000068 CCI-000803 CCI-002890 CCI-003123 |
| CCE-85472-9 |
os_sshd_key_exchange_algorithm_configure |
Configure SSHD to Use Secure Key Exchange Algorithms |
Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated. By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^KexAlgorithms diffie-hellman-group-exchange-sha256" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config \|\| /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
AC-17(2) IA-7 MA-4(6) |
NaN |
SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174 |
APPL-11-000056 |
CCI-000803 CCI-000068 CCI-000087 CCI-003123 CCI-002890 |
| CCE-85384-6 |
os_sshd_login_grace_time_configure |
Set Login Grace Time to 30 or Less |
If SSHD is enabled then it _MUST_ be configured to wait only 30 seconds before timing out logon attempts. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^LoginGraceTime 30" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
SC-10 |
3.13.9 |
SRG-OS-000163-GPOS-00072 |
APPL-11-000053 |
CCI-001133 |
| CCE-85385-3 |
os_sshd_permit_root_login_configure |
Disable Root Login for SSH |
If SSH is enabled, then to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -c "^PermitRootLogin no" /etc/ssh/sshd_config |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd ---- |
IA-2(5) |
NaN |
SRG-OS-000109-GPOS-00056 |
APPL-11-001100 |
CCI-000770 |
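The SSH and SSHD fixes above all rewrite one directive with `sed` and restart the daemon. Each one handles a slightly different starting state (an active line, a commented-out line, or no line at all), which is why some use `grep -q ... && sed ... || echo ...` and others a bare `sed`. The helper below is an added example, not part of the mSCP baseline; `set_ssh_directive`, `check_ssh_directive` and `demo_ssh_hardening` are hypothetical names. It rewrites the first active or commented occurrence of a directive in place, drops duplicates, appends only when the directive is absent, and so gives the same result no matter which state the file starts in or how many times it is run. The sample `sshd_config` fragment it operates on is constructed for the demo.

```sh
# Hypothetical helper (added example, not mSCP code): rewrite one OpenSSH
# directive in place. Matches an active line ("Key ..."), a commented-out one
# ("#Key ..." or "  # Key ...") and duplicates; appends only when absent.
# awk is used instead of sed -i so the same code runs on BSD (macOS) and GNU.
set_ssh_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)" || return 1
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }   # first hit: rewrite in place
            next                                     # later hits: drop duplicates
        }
        { print }
        END { if (!done) print k " " v }             # absent: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat over the original keeps its owner and mode (sed -i.bak creates a new
    # inode); the caller is responsible for restarting sshd afterwards
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Same test as the baseline's grep -c checks: exactly one active "Key Value"
# line. Returns 0 when compliant, 1 otherwise.
check_ssh_directive() {
    n="$(grep -c "^$2 $3\$" "$1" || true)"
    [ "$n" -eq 1 ]
}

# Self-contained demo on a constructed sshd_config fragment. Returns 0 only if
# every directive is correct after one pass and a second pass changes nothing.
demo_ssh_hardening() {
    f="$(mktemp)" || return 1
    # constructed sample: an active weak line, a commented line, an indented
    # commented line, and two directives that are missing entirely
    printf '%s\n' \
        '# constructed sshd_config fragment' \
        'Ciphers aes128-cbc,3des-cbc' \
        '#PermitRootLogin prohibit-password' \
        '  # MACs hmac-md5' \
        'Port 22' > "$f"
    set_ssh_directive "$f" Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    set_ssh_directive "$f" MACs hmac-sha2-256,hmac-sha2-512
    set_ssh_directive "$f" KexAlgorithms diffie-hellman-group-exchange-sha256
    set_ssh_directive "$f" PermitRootLogin no
    set_ssh_directive "$f" LoginGraceTime 30
    before="$(cat "$f")"
    set_ssh_directive "$f" PermitRootLogin no      # second pass: must be a no-op
    after="$(cat "$f")"
    rc=0
    [ "$before" = "$after" ] || rc=1
    check_ssh_directive "$f" Ciphers aes256-ctr,aes192-ctr,aes128-ctr || rc=1
    check_ssh_directive "$f" MACs hmac-sha2-256,hmac-sha2-512 || rc=1
    check_ssh_directive "$f" KexAlgorithms diffie-hellman-group-exchange-sha256 || rc=1
    check_ssh_directive "$f" PermitRootLogin no || rc=1
    check_ssh_directive "$f" LoginGraceTime 30 || rc=1
    grep -q '^Port 22$' "$f" || rc=1               # unrelated lines survive
    grep -q 'aes128-cbc' "$f" && rc=1              # old cipher list is gone
    rm -f "$f"
    return $rc
}
```

On a real system the call would be `set_ssh_directive /etc/ssh/sshd_config PermitRootLogin no` followed by the baseline's `/bin/launchctl kickstart -k system/com.openssh.sshd`. Note that OpenSSH uses the first occurrence of a directive it encounters, so rewriting the first match in place (rather than appending at the end, as the `echo >>` branches above do) is what guarantees the new value is the one that takes effect.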
| CCE-85512-2 |
os_sudo_timeout_configure |
Configure Sudo Timeout Period to Zero |
The file /etc/sudoers _MUST_ include a timestamp_timeout of zero. |
Script |
/usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 1} |
[source,bash] ---- /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \; /bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85513-0 |
os_sudoers_timestamp_type_configure |
Configure Sudoers Timestamp Type |
The file /etc/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid. This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. |
Script |
/usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E '(^Defaults\s+timestamp_type=global|^Defaults\s+timestamp_type=ppid)' '{}' \; | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash] ---- /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d' '{}' \; ---- |
CM-5(1) IA-11 |
NaN |
NaN |
NaN |
NaN |
| CCE-85387-9 |
os_sudoers_tty_configure |
Configure Sudoers to Authenticate Users on a Per-tty Basis |
The file /etc/sudoers _MUST_ be configured to include tty_tickets. This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window. |
Script |
/usr/bin/grep -Ec "^Defaults tty_tickets" /etc/sudoers |
{'integer': 1} |
[source,bash] ---- /bin/cp /etc/sudoers /etc/sudoers.bk; /bin/echo "Defaults tty_tickets" >> /etc/sudoers ---- |
CM-5(1) IA-11 |
NaN |
SRG-OS-000480-GPOS-00227 |
APPL-11-004021 |
CCI-000366 |
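The three sudoers rules above each grep for a single `Defaults` line. sudoers also accepts several options on one `Defaults` line separated by commas, and spaces around `=`, so `Defaults tty_tickets,timestamp_timeout = 0` satisfies all three rules but matches none of the greps, while `Defaults timestamp_type=global,tty_tickets` would pass the `timestamp_type` check yet still enable global tickets. The audit below is an added example, not part of the mSCP baseline; `sudoers_defaults`, `audit_sudoers_defaults` and `demo_sudoers_audit` are hypothetical names, and the sudoers files it reads in the demo are constructed.

```sh
# Hypothetical helpers (added example, not mSCP code) that audit the three
# sudoers rules above in one pass over /etc/sudoers and /etc/sudoers.d/*.

# Print one "option" or "option=value" per line for every Defaults entry in
# the given files. Comment lines are skipped; "Defaults:user", "Defaults@host"
# and "Defaults!cmd" qualifiers are stripped. Quoted values containing commas
# (env_keep lists, for instance) are not handled.
sudoers_defaults() {
    cat "$@" 2>/dev/null | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults([:@>!][^ \t]*)?[ \t]/ {
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "")
            n = split($0, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]*=[ \t]*/, "=", opts[i])   # "a = b" -> "a=b"
                if (opts[i] != "") print opts[i]
            }
        }'
}

# Evaluate the three rules. Prints one finding per failed rule and returns
# the number of failures (0 = compliant).
audit_sudoers_defaults() {
    opts="$(sudoers_defaults "$@")"
    fails=0
    echo "$opts" | grep -qx 'timestamp_timeout=0' \
        || { echo "FAIL timestamp_timeout is not 0"; fails=$((fails+1)); }
    echo "$opts" | grep -qxE 'timestamp_type=(global|ppid)' \
        && { echo "FAIL timestamp_type is global or ppid"; fails=$((fails+1)); }
    echo "$opts" | grep -qx 'tty_tickets' \
        || { echo "FAIL tty_tickets is not set"; fails=$((fails+1)); }
    return $fails
}

# Demo on constructed files: the "before" state must produce exactly one
# finding (timestamp_type=global) and the "after" state none. Returns 0 on
# success.
demo_sudoers_audit() {
    d="$(mktemp -d)" || return 1
    mkdir "$d/sudoers.d"
    # constructed /etc/sudoers: global timestamps enabled on the same line
    # that also turns on tty_tickets
    printf '%s\n' '# constructed /etc/sudoers' 'Defaults env_reset' \
        'Defaults:admin timestamp_type=global, tty_tickets' > "$d/sudoers"
    # constructed fragment with the timeout written with spaces around "="
    printf 'Defaults timestamp_timeout = 0\n' > "$d/sudoers.d/mscp"
    audit_sudoers_defaults "$d/sudoers" "$d/sudoers.d"/* && before=0 || before=$?
    # apply the same remediation the baseline uses: delete timestamp_type
    # lines, then append the required Defaults
    sed '/timestamp_type/d' "$d/sudoers" > "$d/sudoers.new" && mv "$d/sudoers.new" "$d/sudoers"
    echo 'Defaults tty_tickets' >> "$d/sudoers"
    audit_sudoers_defaults "$d/sudoers" "$d/sudoers.d"/* && after=0 || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
```

On a live system run `audit_sudoers_defaults /etc/sudoers /etc/sudoers.d/*` as root. Because the baseline's `timestamp_type` fix deletes every line containing that word, a combined line such as the constructed one above would also lose its `tty_tickets`; auditing after remediation, as the demo does, catches that.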
| CCE-85388-7 |
os_system_read_only |
Ensure System Volume is Read Only |
The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. NOTE: The system volume is read only by default in macOS. |
Manual |
/usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' |
{'string': 'No'} |
NOTE: To remount the System volume as read-only, reboot the computer; it will be mounted read-only at startup. |
SC-34 MA-4(1) SI-7 |
NaN |
NaN |
NaN |
NaN |
| CCE-85514-8 |
os_system_wide_applications_configure |
Ensure Appropriate Permissions Are Enabled for System Wide Applications |
Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable. |
Script |
/usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash] ---- IFS=$'\n' for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do /bin/chmod -R o-w "$apps" done ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85515-5 |
os_terminal_secure_keyboard_enable |
Ensure Secure Keyboard Entry Terminal.app is Enabled |
Secure keyboard entry _MUST_ be enabled in Terminal.app. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\ .objectForKey('SecureKeyboardEntry').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.Terminal) payload type: [source,xml] ---- <key>SecureKeyboardEntry</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85391-1 |
os_tftpd_disable |
Disable Trivial File Transfer Protocol Service |
If the system does not require Trivial File Transfer Protocol (TFTP), support for it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: TFTP service is disabled at startup by default in macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => true' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl disable system/com.apple.tftpd ---- The system may need to be restarted for the update to take effect. |
AC-3 IA-5(1) AC-17 |
3.1.1 3.1.2 |
SRG-OS-000074-GPOS-00042 |
APPL-11-002038 |
CCI-000197 |
| CCE-85516-3 |
os_time_offset_limit_configure |
Ensure Time Offset Within Limits |
The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds. |
Script |
/usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}' |
{'string': 'Yes'} |
[source,bash] ---- /usr/bin/sntp -Ss $(/usr/sbin/systemsetup -getnetworktimeserver \| /usr/bin/awk '{print $4}') ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
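The time offset check above pipes `sntp` output through `awk -F'.'` and compares only the integer part of the first field (with its sign character stripped) against 270 seconds. The parser below is an added example, not part of the mSCP baseline; `sntp_offset_ok` and `sntp_offset_verdict` are hypothetical names. It reads the same result line format (`<offset> +/- <error> <server> <address>`), compares the full absolute offset as a number, lets the caller choose the limit, and distinguishes an out-of-limit offset from a line that is not an sntp result at all. The sample lines in the usage are constructed.

```sh
# Hypothetical helper (added example, not mSCP code).
# Usage: sntp_offset_ok "<sntp output line>" [limit_seconds]
# Returns 0 when |offset| < limit (default 270 s, i.e. 4m30s), 1 when the
# clock has drifted at least that far, and 2 when the line is not an sntp
# result (no "+/-" in the second field).
sntp_offset_ok() {
    line="$1"; limit="${2:-270}"
    printf '%s\n' "$line" | awk -v lim="$limit" '
        $2 == "+/-" {
            off = $1 + 0              # "+0.0289" -> 0.0289, "-300.5" -> -300.5
            if (off < 0) off = -off   # drift in either direction counts
            if (off < lim) exit 0
            exit 1
        }
        { exit 2 }                     # not an sntp result line
    '
}

# Same Yes/No vocabulary the baseline's expected result uses; an unparsable
# line is reported as "No" so that a failed query never passes the check.
sntp_offset_verdict() {
    if sntp_offset_ok "$1"; then echo Yes; else echo No; fi
}
```

On a live system the input would be `/usr/bin/sntp "$(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}')"`, as in the check above; for example `sntp_offset_verdict "$(/usr/bin/sntp time.apple.com 2>&1 | tail -n 1)"`.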
| CCE-85392-9 |
os_time_server_enabled |
Enable Time Synchronization Daemon |
The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. NOTE: The time synchronization daemon is enabled by default on macOS. |
Script |
/bin/launchctl list | /usr/bin/grep -c com.apple.timed |
{'integer': 1} |
[source,bash] ---- /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist ---- |
AU-12(1) SC-45(1) |
3.3.7 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
APPL-11-000014 |
CCI-001891 CCI-002046 |
| CCE-85393-7 |
os_touchid_prompt_disable |
Disable TouchID Prompt during Setup Assistant |
The prompt for TouchID during Setup Assistant _MUST_ be disabled. macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to guard against the risk of individuals electing to enable TouchID to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipTouchIDSetup').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type: [source,xml] ---- <key>SkipTouchIDSetup</key> <true/> ---- |
CM-6 |
3.4.1 3.4.2 |
SRG-OS-000480-GPOS-00227 |
NaN |
NaN |
| CCE-85395-2 |
os_unlock_active_user_session_disable |
Disable Login to Other User's Active and Locked Sessions |
The ability to log in to another user's active or locked session _MUST_ be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock another user's active session. Disabling the ability of admins and/or users to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. |
Script |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' |
{'integer': 1} |
[source,bash] ---- /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui" ---- |
IA-2 IA-2(5) |
3.5.1 3.5.2 |
NaN |
NaN |
NaN |
| CCE-85396-0 |
os_user_app_installation_prohibit |
Prohibit User Installation of Software into /Users/ |
Users _MUST_ not be allowed to install software into /Users/. Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('familyControlsEnabled')) let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('pathBlackList').js for ( let app in pathlist ) { if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){ return("true") } } return("false") } EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type: [source,xml] ---- <key>familyControlsEnabled</key> <true/> <key>pathBlackList</key> <array> <string>/Users/</string> </array> ---- |
CM-11(2) |
NaN |
SRG-OS-000362-GPOS-00149 |
APPL-11-002067 |
CCI-001812 |
| CCE-85397-8 |
os_uucp_disable |
Disable Unix-to-Unix Copy Protocol Service |
The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: UUCP service is disabled at startup by default in macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => true' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl disable system/com.apple.uucp ---- The system may need to be restarted for the update to take effect. |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002006 |
CCI-000381 |
| CCE-85517-1 |
os_world_writable_library_folder_configure |
Ensure No World Writable Files Exist in the Library Folder |
Folders in /System/Volumes/Data/Library _MUST_ not be world-writable. NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment. |
Script |
/usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash] ---- IFS=$'\n' for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 \| /usr/bin/grep -v Caches \| /usr/bin/grep -v /Preferences/Audio/Data ); do /bin/chmod -R o-w "$libPermissions" done ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85518-9 |
os_world_writable_system_folder_configure |
Ensure No World Writable Files Exist in the System Folder |
Folders in /System/Volumes/Data/System _MUST_ not be world-writable. |
Script |
/usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v "Drop Box" | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash] ---- IFS=$'\n' for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 \| /usr/bin/grep -v "Drop Box" ); do /bin/chmod -R o-w "$sysPermissions" done ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85400-0 |
pwpolicy_60_day_enforce |
Restrict Maximum Password Lifetime to 60 Days |
The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('maxPINAgeInDays').js EOS |
{'integer': 60} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxPINAgeInDays</key> <integer>60</integer> ---- |
IA-5 |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000076-GPOS-00044 |
APPL-11-003008 |
CCI-000199 |
| CCE-85401-8 |
pwpolicy_account_inactivity_enforce |
Disable Accounts after 35 Days of Inactivity |
The macOS _MUST_ be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. |
Script |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeInactiveDays"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' |
{'integer': 35} |
This setting may be enforced using local policy or by a directory service. To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following <dict> within the "policyCategoryAuthentication": [source,xml] ---- <dict> <key>policyContent</key> <string>policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Inactive Account</string> <key>policyParameters</key> <dict> <key>policyAttributeInactiveDays</key> <integer>35</integer> </dict> </dict> ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
AC-2(3) |
3.5.5 3.5.6 |
SRG-OS-000118-GPOS-00060 |
NaN |
CCI-000795 |
| CCE-85402-6 |
pwpolicy_account_lockout_enforce |
Limit Consecutive Failed Login Attempts to Three |
The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('maxFailedAttempts').js EOS |
{'integer': 3} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxFailedAttempts</key> <integer>3</integer> ---- |
AC-7 |
3.1.8 |
SRG-OS-000329-GPOS-00128 |
APPL-11-000022 |
CCI-002238 |
| CCE-85519-7 |
pwpolicy_account_lockout_enforce_five |
Limit Consecutive Failed Login Attempts to Five |
The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of five. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('maxFailedAttempts').js EOS |
{'integer': 5} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxFailedAttempts</key> <integer>5</integer> ---- |
AC-7 |
3.1.8 |
NaN |
NaN |
NaN |
| CCE-85403-4 |
pwpolicy_account_lockout_timeout_enforce |
Set Account Lockout Time to 15 Minutes |
The macOS _MUST_ be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('minutesUntilFailedLoginReset').js EOS |
{'integer': 15} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>minutesUntilFailedLoginReset</key> <integer>15</integer> ---- |
AC-7 |
3.1.8 |
SRG-OS-000329-GPOS-00128 |
APPL-11-000022 |
CCI-002238 |
| CCE-85404-2 |
pwpolicy_alpha_numeric_enforce |
Require Passwords Contain a Minimum of One Numeric Character |
The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('requireAlphanumeric').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>requireAlphanumeric</key> <true/> ---- |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000071-GPOS-00039 |
APPL-11-003007 |
CCI-000194 |
| CCE-85407-5 |
pwpolicy_history_enforce |
Prohibit Password Reuse for a Minimum of Five Generations |
The macOS _MUST_ be configured to enforce a password history of at least five previous passwords when a password is created. This rule ensures that users are not allowed to re-use a password that was used in any of the five previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
.objectForKey('pinHistory').js
EOS |
{'integer': 5} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>pinHistory</key>
<integer>5</integer>
---- |
IA-5(1) |
3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000077-GPOS-00045 |
APPL-11-003009 |
CCI-000200 |
| CCE-85520-5 |
pwpolicy_history_enforce_fifteen |
Prohibit Password Reuse for a Minimum of Fifteen Generations |
The macOS _MUST_ be configured to enforce a password history of at least fifteen previous passwords when a password is created. This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
.objectForKey('pinHistory').js
EOS |
{'integer': 15} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>pinHistory</key>
<integer>15</integer>
---- |
IA-5(1) |
3.5.7 3.5.8 3.5.9 3.5.10 |
|
|
|
| CCE-85408-3 |
pwpolicy_lower_case_character_enforce |
Require Passwords Contain a Minimum of One Lowercase Character |
The macOS _MUST_ be configured to require that at least one lowercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Script |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' |
{'integer': 1} |
This setting may be enforced using local policy or by a directory service. To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
  <key>policyIdentifier</key>
  <string>Must have at least 1 lowercase letter</string>
  <key>policyParameters</key>
  <dict>
    <key>minimumAlphaCharactersLowerCase</key>
    <integer>1</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000070-GPOS-00038 |
|
CCI-000193 |
| CCE-85409-1 |
pwpolicy_minimum_length_enforce |
Require a Minimum Password Length of 15 Characters |
The macOS _MUST_ be configured to require that a minimum of 15 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
.objectForKey('minLength').js
EOS |
{'integer': 15} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>minLength</key>
<integer>15</integer>
---- |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000078-GPOS-00046 |
APPL-11-003010 |
CCI-000205 |
| CCE-85410-9 |
pwpolicy_minimum_lifetime_enforce |
Set Minimum Password Lifetime to 24 Hours |
The macOS _MUST_ be configured to enforce a minimum password lifetime of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Script |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' |
{'integer': 24} |
This setting may be enforced using local policy or by a directory service. To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent" (note that the comparison operator must be written as the XML entity &lt; inside the <string> element, otherwise the plist will not parse):
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
  <key>policyIdentifier</key>
  <string>Minimum Password Lifetime</string>
  <key>policyParameters</key>
  <dict>
    <key>policyAttributeMinimumLifetimeHours</key>
    <integer>24</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5 |
3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000075-GPOS-00043 |
|
|
| CCE-85412-5 |
pwpolicy_simple_sequence_disable |
Prohibit Repeating, Ascending, and Descending Character Sequences |
The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
.objectForKey('allowSimple').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>allowSimple</key>
<false/>
---- |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000266-GPOS-00101 |
|
|
| CCE-85413-3 |
pwpolicy_special_character_enforce |
Require Passwords Contain a Minimum of One Special Character |
The macOS _MUST_ be configured to require that at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
.objectForKey('minComplexChars').js
EOS |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>minComplexChars</key>
<integer>1</integer>
---- |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000266-GPOS-00101 |
APPL-11-003011 |
CCI-001619 |
| CCE-85414-1 |
pwpolicy_temporary_or_emergency_accounts_disable |
Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours |
The macOS can be configured to automatically terminate all temporary or emergency accounts 72 hours or less after account creation.

Emergency administrator accounts are privileged accounts established in response to crisis situations where rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved.

Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts remain available and are not subject to automatic termination dates. An emergency administrator account, however, is normally a separate account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.

If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts _MUST_ be set to 72 hours (or less) when the temporary or emergency account is created.

If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. |
Manual |
Verify whether a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO). If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable.

To check whether the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of "username":
[source,bash]
----
/usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2
----
If there is no output, and password policy is not controlled by a directory service, this is a finding.

Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding 72 hours (259299 seconds) to "policyAttributeCreationTime". The check might use a variable defined in its "policyParameters" section. If the check does not exist, or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding. |
|
This setting may be enforced using local policy or by a directory service. To set local policy to disable a temporary or emergency user, create a plain text file containing the following (the comparison operator must be written as the XML entity &lt; inside the <string> element so the plist parses):
[source,xml]
----
<dict>
  <key>policyCategoryAuthentication</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string>
      <key>policyIdentifier</key>
      <string>Disable Tmp Accounts </string>
    </dict>
  </array>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".
[source,bash]
----
/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
---- |
AC-2(2) |
|
SRG-OS-000002-GPOS-00002 SRG-OS-000123-GPOS-00064 |
APPL-11-000012 |
CCI-000016 CCI-001682 |
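The manual check above asks the reviewer to read the pwpolicy plist by eye and judge whether the policyCategoryAuthentication check adds no more than 72 hours to policyAttributeCreationTime, possibly through a policyParameters variable. The following Python is an added example, not part of the baseline or of Apple's tooling, that automates exactly that reading: it strips the banner line that `tail -n +2` removes, parses the plist with plistlib, resolves a literal or parameter-based allowance, and reports a finding when the check is missing or too generous. The sample plists, the banner text and the parameter name `maxTempAccountSeconds` are constructed for the example.

```python
"""Evaluate a pwpolicy account-policy plist for the 72-hour temporary-account rule."""
import plistlib
import re
from typing import Optional

# Limit the rule text quotes for 72 hours. 72 * 60 * 60 is 259200, so a policy
# using exactly 259200 seconds passes as well; anything larger is a finding.
MAX_LIFETIME_SECONDS = 259299

# The check the rule text describes: login is allowed while the current time is
# below the creation time plus an allowance (an integer literal or a parameter name).
CHECK_RE = re.compile(
    r"policyAttributeCurrentTime\s*<\s*policyAttributeCreationTime\s*\+\s*(\w+)"
)


def strip_banner(output: str) -> bytes:
    """Drop everything before the XML prologue, like the `tail -n +2` in the check command."""
    start = output.find("<?xml")
    return (output[start:] if start >= 0 else output).encode("utf-8")


def _resolve(operand: str, params: dict) -> Optional[int]:
    """Turn the right-hand operand into seconds: a literal, or a policyParameters entry."""
    if operand.isdigit():
        return int(operand)
    value = params.get(operand)
    return int(value) if isinstance(value, int) else None


def temporary_account_lifetime(plist_xml: bytes) -> Optional[int]:
    """Return the allowance (seconds) of the first matching check, or None when absent."""
    policy = plistlib.loads(plist_xml)
    for entry in policy.get("policyCategoryAuthentication", []):
        match = CHECK_RE.search(entry.get("policyContent", ""))
        if match:
            return _resolve(match.group(1), entry.get("policyParameters", {}))
    return None


def is_finding(plist_xml: bytes) -> bool:
    """True when the check is missing, unresolvable, or allows more than the limit."""
    lifetime = temporary_account_lifetime(plist_xml)
    return lifetime is None or lifetime > MAX_LIFETIME_SECONDS


def _policy_xml(entries: str) -> bytes:
    """Wrap constructed policyCategoryAuthentication entries in a plist document."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryAuthentication</key>
  <array>{entries}</array>
</dict>
</plist>
""".encode("utf-8")


# Constructed sample policies (not captured from a real host).
SAMPLE_LITERAL = _policy_xml("""
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string>
      <key>policyIdentifier</key>
      <string>Disable Tmp Accounts</string>
    </dict>""")

SAMPLE_PARAMETER = _policy_xml("""
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime + maxTempAccountSeconds</string>
      <key>policyIdentifier</key>
      <string>Disable Tmp Accounts</string>
      <key>policyParameters</key>
      <dict>
        <key>maxTempAccountSeconds</key>
        <integer>259200</integer>
      </dict>
    </dict>""")

SAMPLE_TOO_LONG = _policy_xml("""
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+604800</string>
      <key>policyIdentifier</key>
      <string>Disable Tmp Accounts</string>
    </dict>""")

SAMPLE_NO_CHECK = _policy_xml("")

# Constructed stand-in for the first line pwpolicy prints before the plist.
SAMPLE_WITH_BANNER = "Getting account policies for user tmpadmin\n" + SAMPLE_LITERAL.decode("utf-8")

if __name__ == "__main__":
    for name, doc in [("literal", SAMPLE_LITERAL), ("parameter", SAMPLE_PARAMETER),
                      ("too long", SAMPLE_TOO_LONG), ("no check", SAMPLE_NO_CHECK)]:
        print(f"{name:>9}: lifetime={temporary_account_lifetime(doc)} finding={is_finding(doc)}")
```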
| CCE-85415-8 |
pwpolicy_upper_case_character_enforce |
Require Passwords Contain a Minimum of One Uppercase Character |
The macOS _MUST_ be configured to require that at least one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Script |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' |
{'integer': 1} |
This setting may be enforced using local policy or by a directory service. To set local policy to require at least 1 uppercase letter, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
  <key>policyIdentifier</key>
  <string>Must have at least 1 uppercase letter</string>
  <key>policyParameters</key>
  <dict>
    <key>minimumAlphaCharactersUpperCase</key>
    <integer>1</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000069-GPOS-00037 |
|
CCI-000192 |
| CCE-85282-2 |
icloud_addressbook_disable |
Disable iCloud Address Book |
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudAddressBook').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudAddressBook</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002014 |
CCI-000381 CCI-001774 |
| CCE-85283-0 |
icloud_appleid_prefpane_disable |
Disable the System Preference Pane for Apple ID |
The system preference pane for Apple ID _MUST_ be disabled. Disabling the system preference pane prevents login to Apple ID and iCloud. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>DisabledPreferencePanes</key>
<array>
  <string>com.apple.preferences.AppleIDPrefPane</string>
</array>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) |
3.1.20 3.4.6 |
SRG-OS-000370-GPOS-00155 |
APPL-11-002031 |
CCI-001774 |
| CCE-85284-8 |
icloud_bookmarks_disable |
Disable iCloud Bookmarks |
The macOS built-in Safari.app bookmark synchronization via the iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudBookmarks').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudBookmarks</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002042 |
CCI-000381 CCI-001774 |
| CCE-85285-5 |
icloud_calendar_disable |
Disable the iCloud Calendar Services |
The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudCalendar').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudCalendar</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002012 |
CCI-000381 CCI-001774 |
| CCE-85286-3 |
icloud_drive_disable |
Disable iCloud Document Sync |
The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudDocumentSync').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudDocumentSync</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002041 |
CCI-000381 CCI-001774 |
| CCE-85287-1 |
icloud_keychain_disable |
Disable iCloud Keychain Sync |
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudKeychainSync').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudKeychainSync</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002040 |
CCI-000381 CCI-001774 |
| CCE-85288-9 |
icloud_mail_disable |
Disable iCloud Mail |
The macOS built-in Mail.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudMail').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudMail</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002015 |
CCI-000381 CCI-001774 |
| CCE-85289-7 |
icloud_notes_disable |
Disable iCloud Notes |
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudNotes').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudNotes</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002016 |
CCI-000381 CCI-001774 |
| CCE-85290-5 |
icloud_photos_disable |
Disable iCloud Photo Library |
The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudPhotoLibrary').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudPhotoLibrary</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002043 |
CCI-000381 CCI-001774 |
| CCE-85291-3 |
icloud_reminders_disable |
Disable iCloud Reminders |
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudReminders').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudReminders</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002013 |
CCI-000381 CCI-001774 |
| CCE-85292-1 |
icloud_sync_disable |
Disable iCloud Desktop and Document Folder Sync |
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCloudDesktopAndDocuments').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowCloudDesktopAndDocuments</key>
<false/>
---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
|
|
| CCE-85418-2 |
sysprefs_apple_watch_unlock_disable |
Prevent Apple Watch from Terminating a Session Lock |
Apple Watches are not an approved authenticator and their use _MUST_ be disabled. Disabling Apple Watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAutoUnlock').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowAutoUnlock</key>
<false/>
---- |
AC-11 |
3.1.10 |
SRG-OS-000028-GPOS-00009 |
APPL-11-000001 |
CCI-000056 |
| CCE-85419-0 |
sysprefs_automatic_login_disable |
Disable Unattended or Automatic Logon to the System |
Automatic logon _MUST_ be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type:
[source,xml]
----
<key>com.apple.login.mcx.DisableAutoLoginClient</key>
<true/>
---- |
IA-2 IA-5(13) |
3.5.1 3.5.2 |
SRG-OS-000480-GPOS-00229 |
APPL-11-002066 |
CCI-000366 |
| CCE-85424-0 |
sysprefs_automatic_logout_enforce |
Enforce Auto Logout After 24 Hours of Inactivity |
Auto logout _MUST_ be configured to automatically terminate a user session and log out the user after 86400 seconds (24 hours) of inactivity. NOTE: The maximum that macOS can be configured for auto logout is 86400 seconds (24 hours).
[IMPORTANT]
====
The 24-hour automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the 24-hour automatic logout setting.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
.objectForKey('com.apple.autologout.AutoLogOutDelay').js
EOS |
{'integer': 86400} |
Create a configuration profile containing the following keys in the (.GlobalPreferences) payload type:
[source,xml]
----
<key>com.apple.autologout.AutoLogOutDelay</key>
<integer>86400</integer>
---- |
AC-12 AC-2(5) |
3.1.11 |
SRG-OS-000279-GPOS-00109 |
|
CCI-002361 |
| CCE-85420-8 |
sysprefs_bluetooth_disable |
Disable Bluetooth When no Approved Device is Connected |
The macOS system _MUST_ be configured to disable Bluetooth unless there is an approved device connected.
[IMPORTANT]
====
Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
.objectForKey('DisableBluetooth').js
EOS |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within it, each carrying its own defined payload type. Create a configuration profile containing the following keys in the (com.apple.MCXBluetooth) payload type:
[source,xml]
----
<key>DisableBluetooth</key>
<true/>
---- |
AC-18 SC-8 AC-18(3) |
3.13.8 |
SRG-OS-000481-GPOS-000481 |
APPL-11-002062 |
CCI-002418 |
| CCE-85521-3 |
sysprefs_bluetooth_menu_enable |
Enable Bluetooth Menu |
The bluetooth menu _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
.objectForKey('Bluetooth').js
EOS |
{'integer': 18} |
Create a configuration profile containing the following keys in the (com.apple.controlcenter) payload type:
[source,xml]
----
<key>Bluetooth</key>
<integer>18</integer>
---- |
|
|
|
|
|
| CCE-85492-7 |
sysprefs_bluetooth_prefpane_disable |
Disable the Bluetooth System Preference Pane |
The Bluetooth System Preference pane _MUST_ be disabled to prevent access to the bluetooth configuration. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.Bluetooth</string>
</array>
---- |
|
|
SRG-OS-000481-GPOS-000481 |
APPL-11-002062 |
CCI-002418 |
| CCE-85492-7 |
sysprefs_bluetooth_prefpane_hide |
Hide the Bluetooth System Preference Pane |
The Bluetooth System Preference pane _MUST_ be hidden to prevent access to the bluetooth configuration. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.Bluetooth' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.Bluetooth</string>
</array>
---- |
|
|
SRG-OS-000481-GPOS-000481 |
APPL-11-002062 |
CCI-002418 |
| CCE-85421-6 |
sysprefs_bluetooth_sharing_disable |
Disable Bluetooth Sharing |
Bluetooth Sharing _MUST_ be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated.
[NOTE]
====
The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
[source,bash]
----
CURRENT_USER=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
----
==== |
Script |
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled |
{'boolean': 0} |
[source,bash]
----
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
---- |
AC-3 AC-18(4) CM-7 CM-7(1) |
3.1.1 3.1.2 3.1.16 3.4.7 |
SRG-OS-000480-GPOS-00227 |
|
|
| CCE-85522-1 |
sysprefs_bluetooth_unpaired_disable |
Disable Bluetooth When No Devices are Paired |
Bluetooth _MUST_ be disabled when no devices are paired. |
Script |
[source,bash]
----
isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'Connected: Yes')
if [[ "$isPaired" = "0" ]]; then
  powerState=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'State: On')
  /bin/echo "$powerState"
else
  /bin/echo "0"
fi
---- |
{'integer': 0} |
[source,bash]
----
/usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.BTServer.plist defaultPoweredState off
/usr/bin/killall -HUP bluetoothd
---- |
AC-18 SC-8 AC-18(3) |
|
|
|
|
| CCE-85523-9 |
sysprefs_cd_dvd_sharing_disable |
Disable CD/DVD Sharing |
CD/DVD Sharing _MUST_ be disabled. |
Script |
/usr/bin/pgrep -q ODSAgent; /bin/echo $? |
{'integer': 1} |
[source,bash]
----
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist
---- |
CM-7 CM-7(1) |
|
|
|
|
| CCE-85422-4 |
sysprefs_content_caching_disable |
Disable Content Caching Service |
Content caching _MUST_ be disabled. Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowContentCaching').js
EOS
---- |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowContentCaching</key>
<false/>
---- |
CM-7 CM-7(1) |
3.4.6 |
|
|
|
| CCE-85459-6 |
sysprefs_critical_update_install_enforce |
Enforce Critical Security Updates to be Installed |
Ensure that security updates are installed as soon as they are available from Apple. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('CriticalUpdateInstall').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type:
[source,xml]
----
<key>CriticalUpdateInstall</key>
<true/>
---- |
SI-2 |
|
|
|
|
| CCE-85423-2 |
sysprefs_diagnostics_reports_disable |
Disable Sending Diagnostic and Usage Data to Apple |
The ability to submit diagnostic data to Apple _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
  .objectForKey('AutoSubmit').js
  let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowDiagnosticSubmission').js
  if ( pref1 == false && pref2 == false ){
    return("true")
  } else {
    return("false")
  }
}
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SubmitDiagInfo) payload type:
[source,xml]
----
<key>AutoSubmit</key>
<false/>
----
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowDiagnosticSubmission</key>
<false/>
---- |
SI-11 AC-20 SC-7(10) |
3.1.20 |
SRG-OS-000096-GPOS-00050 |
APPL-11-002021 |
CCI-000382 |
| CCE-85425-7 |
sysprefs_filevault_enforce |
Enforce FileVault |
FileVault _MUST_ be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
Manual |
/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On." |
{'integer': 1} |
NOTE: See the FileVault supplemental to implement this rule. |
SC-28 SC-28(1) |
3.13.16 |
SRG-OS-000185-GPOS-00079 SRG-OS-000404-GPOS-00183 SRG-OS-000405-GPOS-00184 |
APPL-11-005020 |
CCI-001199 CCI-002475 CCI-002476 |
| CCE-85426-5 |
sysprefs_find_my_disable |
Disable Find My Service |
The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowFindMyDevice'))
  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowFindMyFriends'))
  let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
  .objectForKey('DisableFMMiCloudSetting'))
  if ( pref1 == false && pref2 == false && pref3 == true ) {
    return("true")
  } else {
    return("false")
  }
}
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowFindMyDevice</key>
<false/>
<key>allowFindMyFriends</key>
<false/>
----
Create a configuration profile containing the following keys in the (com.apple.icloud.managed) payload type:
[source,xml]
----
<key>DisableFMMiCloudSetting</key>
<true/>
---- |
AC-20 CM-7 CM-7(1) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
|
|
| CCE-85427-3 |
sysprefs_firewall_enable |
Enable macOS Application Firewall |
The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. |
Script |
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | /usr/bin/grep -c "Firewall is enabled" |
{'integer': 1} |
[source,bash]
----
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
---- |
AC-4 SC-7(12) CM-7 CM-7(1) SC-7 |
3.1.3 3.1.5 3.1.18 3.4.6 3.13.1 3.13.2 3.13.5 |
SRG-OS-000480-GPOS-00232 |
APPL-11-005050 |
CCI-000366 |
| CCE-85428-1 |
sysprefs_firewall_stealth_mode_enable |
Enable Firewall Stealth Mode |
Firewall Stealth Mode _MUST_ be enabled. When stealth mode is enabled, the Mac will not respond to probing requests; only connections for authorized applications continue to be accepted.
[IMPORTANT]
====
Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
==== |
Script |
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | /usr/bin/grep -c "Stealth mode enabled" |
{'integer': 1} |
[source,bash]
----
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
---- |
CM-7 CM-7(1) SC-7(16) SC-7 |
3.4.6 3.13.1 3.13.2 3.13.5 |
SRG-OS-000480-GPOS-00232 |
APPL-11-005050 |
CCI-000366 |
| CCE-85429-9 |
sysprefs_gatekeeper_identified_developers_allowed |
Apply Gatekeeper Settings to Block Applications from Unidentified Developers |
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID certificate. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow macOS to verify that the application has not been modified by a malicious third party. |
Script |
/usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.control) payload type:
[source,xml]
----
<key>AllowIdentifiedDevelopers</key>
<true/>
<key>EnableAssessment</key>
<true/>
---- |
CM-14 CM-5 SI-7(15) SI-7(1) |
3.4.5 |
SRG-OS-000480-GPOS-00227 |
APPL-11-002060 |
CCI-000366 |
| CCE-85430-7 |
sysprefs_gatekeeper_override_disallow |
Configure Gatekeeper to Disallow End User Override |
Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableOverride = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.managed) payload type:
[source,xml]
----
<key>DisableOverride</key>
<true/>
---- |
CM-5 SI-7(15) |
3.4.5 |
|
|
|
| CCE-85319-2 |
sysprefs_guest_access_smb_disable |
Disable Guest Access to Shared SMB Folders |
Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files shared via SMB. |
Script |
/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess |
{'boolean': 0} |
[source,bash]
----
/usr/sbin/sysadminctl -smbGuestAccess off
---- |
AC-2(9) AC-2 |
3.5.1 3.5.2 |
|
|
|
| CCE-85320-0 |
sysprefs_guest_account_disable |
Disable the Guest Account |
Guest access _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('DisableGuestAccount').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type:
[source,xml]
----
<key>DisableGuestAccount</key>
<true/>
---- |
AC-2 AC-2(9) |
3.5.1 3.5.2 |
SRG-OS-000364-GPOS-00151 |
APPL-11-002063 |
CCI-001813 |
| CCE-85431-5 |
sysprefs_hot_corners_disable |
Disable Hot Corners |
Hot corners _MUST_ be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0' |
{'integer': 4} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.
Create a configuration profile containing the following keys in the (com.apple.dock) payload type:
[source,xml]
----
<key>wvous-bl-corner</key>
<integer>0</integer>
<key>wvous-br-corner</key>
<integer>0</integer>
<key>wvous-tr-corner</key>
<integer>0</integer>
<key>wvous-tl-corner</key>
<integer>0</integer>
---- |
AC-11(1) |
3.1.10 |
SRG-OS-000031-GPOS-00012 |
APPL-11-000007 |
CCI-000060 |
| CCE-85524-7 |
sysprefs_hot_corners_secure |
Secure Hot Corners |
Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. |
Script |
[source,bash]
----
bl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)"
tl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)"
tr_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)"
br_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)"
# Corner action 6 is "Disable Screen Saver"; no corner may be set to it
if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then
  echo "0"
fi
---- |
{'integer': 0} |
[source,bash]
----
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null
---- |
AC-11(1) |
|
|
|
|
| CCE-85432-3 |
sysprefs_improve_siri_dictation_disable |
Disable Sending Siri and Dictation Information to Apple |
The ability for Apple to store and review audio of your Siri and Dictation interactions _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
.objectForKey('Siri Data Sharing Opt-In Status').js
EOS
---- |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.assistant.support) payload type:
[source,xml]
----
<key>Siri Data Sharing Opt-In Status</key>
<integer>2</integer>
---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
|
|
|
| CCE-85525-4 |
sysprefs_install_macos_updates_enforce |
Enforce macOS Updates are Automatically Installed |
Software Update _MUST_ be configured to automatically install macOS updates. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticallyInstallMacOSUpdates').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type:
[source,xml]
----
<key>AutomaticallyInstallMacOSUpdates</key>
<true/>
---- |
|
|
|
|
|
| CCE-85328-3 |
sysprefs_internet_accounts_prefpane_disable |
Disable the Internet Accounts System Preference Pane |
The Internet Accounts System Preference pane _MUST_ be disabled to prevent the addition of unauthorized internet accounts.
[IMPORTANT]
====
Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>DisabledPreferencePanes</key>
<array>
  <string>com.apple.preferences.internetaccounts</string>
</array>
---- |
CM-7(5) AC-20 |
3.1.20 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002032 |
CCI-001774 CCI-000381 |
| CCE-85487-7 |
sysprefs_internet_accounts_prefpane_hide |
Hide the Internet Accounts System Preference Pane |
The Internet Accounts System Preference pane _MUST_ be hidden to prevent the addition of unauthorized internet accounts.
[IMPORTANT]
====
Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.internetaccounts</string>
</array>
---- |
CM-7(5) AC-20 |
3.1.20 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002032 |
CCI-001774 CCI-000381 |
| CCE-85433-1 |
sysprefs_internet_sharing_disable |
Disable Internet Sharing |
If the system does not require Internet sharing, support for it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('forceInternetSharingOff').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type:
[source,xml]
----
<key>forceInternetSharingOff</key>
<true/>
---- |
AC-4 AC-20 |
3.1.3 3.1.20 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002007 |
CCI-000381 |
| CCE-85526-2 |
sysprefs_location_services_audit |
Audit Location Services |
The organization _MUST_ audit which applications have access to location services. |
Manual |
sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }' |
{'string': 'a list containing approved applications.'} |
Review the list of applications and remove any unauthorized applications from System Preferences->Security & Privacy->Privacy->Location Services. |
|
|
|
|
|
| CCE-85434-9 |
sysprefs_location_services_disable |
Disable Location Services |
Location Services _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. |
Script |
/usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled |
{'boolean': 0} |
[source,bash]
----
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false; /bin/launchctl kickstart -k system/com.apple.locationd
---- |
CM-7 CM-7(1) SC-7(10) |
3.4.6 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002004 |
CCI-000381 |
| CCE-85527-0 |
sysprefs_location_services_enable |
Enable Location Services |
Location Services _MUST_ be enabled. |
Script |
/usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled |
{'boolean': 1} |
[source,bash]
----
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; /bin/launchctl kickstart -k system/com.apple.locationd
---- |
|
|
|
|
|
| CCE-85528-8 |
sysprefs_loginwindow_loginwindowtext_enable |
Configure Login Window to Show A Custom Message |
The login window _MUST_ be configured to show a custom access warning message. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('LoginwindowText').js
EOS
---- |
{'string': 'Approved message goes here'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type:
[source,xml]
----
<key>LoginwindowText</key>
<string>Approved message goes here</string>
---- |
|
|
|
|
|
| CCE-85435-6 |
sysprefs_loginwindow_prompt_username_password_enforce |
Configure Login Window to Prompt for Username and Password |
The login window _MUST_ be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('SHOWFULLNAME').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type:
[source,xml]
----
<key>SHOWFULLNAME</key>
<true/>
---- |
IA-2 |
3.5.1 3.5.2 |
SRG-OS-000480-GPOS-00229 |
|
|
| CCE-85436-4 |
sysprefs_media_sharing_disabled |
Disable Media Sharing |
Media sharing _MUST_ be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information, and so mitigates this risk.
NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked, but the service will not be enabled. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
  .objectForKey('homeSharingUIStatus'))
  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
  .objectForKey('legacySharingUIStatus'))
  let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
  .objectForKey('mediaSharingUIStatus'))
  if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) {
    return("true")
  } else {
    return("false")
  }
}
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.preferences.sharing.SharingPrefsExtension) payload type:
[source,xml]
----
<key>homeSharingUIStatus</key>
<integer>0</integer>
<key>legacySharingUIStatus</key>
<integer>0</integer>
<key>mediaSharingUIStatus</key>
<integer>0</integer>
---- |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000480-GPOS-00227 |
|
|
| CCE-85437-2 |
sysprefs_password_hints_disable |
Disable Password Hints |
Password hints _MUST_ be disabled. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('RetriesUntilHint').js
EOS
---- |
{'integer': 0} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type:
[source,xml]
----
<key>RetriesUntilHint</key>
<integer>0</integer>
---- |
IA-6 |
3.5.11 |
SRG-OS-000480-GPOS-00227 |
APPL-11-003012 |
CCI-000366 |
| CCE-85438-0 |
sysprefs_personalized_advertising_disable |
Disable Personalized Advertising |
Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\
.objectForKey('allowApplePersonalizedAdvertising').js
EOS
---- |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.AdLib) payload type:
[source,xml]
----
<key>allowApplePersonalizedAdvertising</key>
<false/>
---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
|
|
|
| CCE-85439-8 |
sysprefs_power_nap_disable |
Disable Power Nap |
Power Nap _MUST_ be disabled. Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices to stop functioning until a reboot and must therefore be disabled on all applicable systems. The following Macs support Power Nap:

* MacBook (Early 2015 and later)
* MacBook Air (Late 2010 and later)
* MacBook Pro (all models with Retina display)
* Mac mini (Late 2012 and later)
* iMac (Late 2012 and later)
* Mac Pro (Late 2013 and later) |
Script |
/usr/bin/pmset -g custom | /usr/bin/awk '/powernap/ { sum+=$2 } END {print sum}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a powernap 0
---- |
CM-7 CM-7(1) |
3.4.6 |
|
|
|
| CCE-85529-6 |
sysprefs_printer_sharing_disable |
Disable Printer Sharing |
Printer Sharing _MUST_ be disabled. |
Script |
/usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" |
{'boolean': 1} |
[source,bash]
----
/usr/sbin/cupsctl --no-share-printers
/usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false
---- |
CM-7 CM-7(1) |
|
|
|
|
| CCE-85440-6 |
sysprefs_rae_disable |
Disable Remote Apple Events |
If the system does not require Remote Apple Events, support for Apple Remote Events is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => true' |
{'integer': 1} |
[source,bash]
----
/usr/sbin/systemsetup -setremoteappleevents off
/bin/launchctl disable system/com.apple.AEServer
----
NOTE: systemsetup with the -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires UAMDM. |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000096-GPOS-00050 |
APPL-11-002022 |
CCI-000382 |
| CCE-85530-4 |
sysprefs_remote_management_disable |
Disable Remote Management |
Remote Management _MUST_ be disabled. |
Script |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" |
{'integer': 1} |
[source,bash]
----
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
---- |
CM-7 CM-7(1) |
|
|
|
|
| CCE-85441-4 |
sysprefs_screen_sharing_disable |
Disable Screen Sharing and Apple Remote Desktop |
Support for both Screen Sharing and Apple Remote Desktop (ARD) is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => true' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.screensharing
----
NOTE: This will apply to the whole system. |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000480-GPOS-00227 |
APPL-11-002050 |
CCI-000366 |
| CCE-85442-2 |
sysprefs_screensaver_ask_for_password_delay_enforce |
Enforce Session Lock After Screen Saver is Started |
A screen saver _MUST_ be enabled and the system _MUST_ be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds. An unattended system with an excessive grace period is vulnerable to a malicious user. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPasswordDelay').js
EOS
---- |
{'integer': 5} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:
[source,xml]
----
<key>askForPasswordDelay</key>
<integer>5</integer>
---- |
AC-11 |
3.1.10 |
SRG-OS-000028-GPOS-00009 |
APPL-11-000003 |
CCI-000056 |
| CCE-85443-0 |
sysprefs_screensaver_password_enforce |
Enforce Screen Saver Password |
Users _MUST_ authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPassword').js
EOS
---- |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:
[source,xml]
----
<key>askForPassword</key>
<true/>
---- |
AC-11 |
3.1.10 |
SRG-OS-000028-GPOS-00009 |
APPL-11-000002 |
CCI-000056 |
| CCE-85444-8 |
sysprefs_screensaver_timeout_enforce |
Enforce Screen Saver Timeout |
The screen saver timeout _MUST_ be set to 15 minutes or a shorter length of time. This rule ensures that a full session lock is triggered within no more than 15 minutes of inactivity. |
Configuration Profile |
[source,bash]
----
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('idleTime').js
EOS
---- |
{'integer': 1200} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:
[source,xml]
----
<key>idleTime</key>
<integer>900</integer>
---- |
AC-11 IA-11 |
3.1.10 |
SRG-OS-000029-GPOS-00010 |
APPL-11-000004 |
CCI-000057 |
| CCE-85445-5 |
sysprefs_siri_disable |
Disable Siri |
Support for Siri is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.ironwood.support')\
.objectForKey('Ironwood Allowed').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.ironwood.support) payload type:

[source,xml]
----
<key>Ironwood Allowed</key>
<false/>
---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
3.1.20 3.4.6 |
SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155 |
APPL-11-002020 |
CCI-000381 CCI-001774 |
| CCE-85539-5 |
sysprefs_siri_prefpane_disable |
Disable the System Preference Pane for Siri |
The system preference pane for Siri _MUST_ be disabled. Disabling the system preference pane prevents the users from configuring Siri. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>DisabledPreferencePanes</key>
<array>
  <string>com.apple.preferences.speech</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002053 |
CCI-001774 CCI-000381 |
| CCE-85491-9 |
sysprefs_siri_prefpane_hide |
Hide the System Preference Pane for Siri |
The system preference pane for Siri _MUST_ be hidden. Hiding the system preference pane prevents the users from configuring Siri. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.speech</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002053 |
CCI-001774 CCI-000381 |
| CCE-85446-3 |
sysprefs_smbd_disable |
Disable Server Message Block Sharing |
Support for Server Message Block (SMB) file sharing is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => true' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.smbd
----

The system may need to be restarted for the update to take effect. |
AC-3 AC-17 |
3.1.1 3.1.2 |
SRG-OS-000095-GPOS-00049 |
APPL-11-002001 |
CCI-000381 |
| CCE-85531-2 |
sysprefs_software_update_app_update_enforce |
Enforce Software Update to Install App Updates Automatically |
Software Update _MUST_ be configured to install app updates automatically. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticallyInstallAppUpdates').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type:

[source,xml]
----
<key>AutomaticallyInstallAppUpdates</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85532-0 |
sysprefs_software_update_download_enforce |
Enforce Software Update to Download Updates Automatically |
Software Update _MUST_ be configured to download updates automatically. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticDownload').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type:

[source,xml]
----
<key>AutomaticDownload</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85533-8 |
sysprefs_software_update_enforce |
Enforce Automatic Software Updates |
Software Update _MUST_ be configured so that automatic updates are enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticCheckEnabled').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type:

[source,xml]
----
<key>AutomaticCheckEnabled</key>
<true/>
---- |
SI-2(5) |
NaN |
NaN |
NaN |
NaN |
| CCE-85534-6 |
sysprefs_softwareupdate_current |
Ensure Software Update is Updated and Current |
Make sure Software Update is updated and current. NOTE: The automatic fix can cause unplanned restarts and may result in lost work. |
Script |
softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s")
thirty_days_epoch=$(/bin/date -v -30d "+%s")
if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then
  /bin/echo "0"
else
  /bin/echo "1"
fi |
{'integer': 1} |
[source,bash]
----
/usr/sbin/softwareupdate -i -a -R
----

NOTE: This will apply to the whole system. |
NaN |
NaN |
NaN |
NaN |
NaN |
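The check above turns the `LastFullSuccessfulDate` value into an epoch and compares it with a date 30 days in the past; on a Mac where the key is absent, `defaults read` prints nothing and `date -j -f` fails on an empty string. The following is an added example, not code from the page or from the macOS Security Compliance Project, that reproduces the same 30-day rule in Python and reports the missing-key case as non-compliant instead of erroring. The date format it parses (`YYYY-MM-DD HH:MM:SS +ZZZZ`, the form `defaults read` prints for date values and the reason the page's script keeps only `$1` from awk) and all sample values are assumptions constructed for the example.

```python
"""Added example: evaluate the "Software Update is current" rule from the
text `defaults read ... LastFullSuccessfulDate` prints, handling the case
where the key does not exist (empty output) instead of failing inside
`date -j -f` as the page's shell check does.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30  # the page's check treats a last success older than 30 days as stale

# Fixed "now" so the example is reproducible offline (constructed value).
SAMPLE_NOW = datetime(2021, 3, 20, tzinfo=timezone.utc)

# Constructed sample outputs in the form `defaults read` uses for date values
# (assumption; the page's awk '{print $1}' keeps only the YYYY-MM-DD part).
RECENT = "2021-03-01 14:22:10 +0000\n"
STALE = "2020-12-15 09:00:00 +0000\n"
MISSING = ""  # key absent: `defaults read` reports the error on stderr, stdout is empty


def parse_last_success(defaults_output):
    """Return the last successful update check as an aware datetime,
    or None when the output is empty or not a date."""
    text = defaults_output.strip()
    if not text:
        return None
    try:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")
    except ValueError:
        return None


def software_update_is_current(defaults_output, now=None, max_age_days=MAX_AGE_DAYS):
    """Return 1 (compliant) or 0 (non-compliant), matching the page's script.

    An unknown last-success date gives no evidence that updates have been
    applied, so a missing or unparseable value yields 0 rather than an error.
    """
    now = now or datetime.now(timezone.utc)
    last = parse_last_success(defaults_output)
    if last is None:
        return 0
    cutoff = now - timedelta(days=max_age_days)
    return 0 if last < cutoff else 1


if __name__ == "__main__":
    for label, output in (("recent", RECENT), ("stale", STALE), ("missing", MISSING)):
        print(f"{label:8s} -> {software_update_is_current(output, now=SAMPLE_NOW)}")
```

Run it as-is to see the three cases; on a Mac, feed it the real value with `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate` as the `defaults_output` argument and leave `now` unset.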
| CCE-85447-1 |
sysprefs_ssh_disable |
Disable SSH Server for Remote Access Sessions |
SSH service _MUST_ be disabled for remote access. Remote access sessions _MUST_ use FIPS validated encrypted methods to prevent unauthorized individuals from gaining access. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.openssh.sshd
---- |
IA-2(8) AC-3 CM-7 CM-7(1) AC-17 |
3.1.1 3.1.2 3.4.6 3.5.4 |
SRG-OS-000250-GPOS-00093 SRG-OS-000033-GPOS-00014 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174 SRG-OS-000112-GPOS-00057 SRG-OS-000113-GPOS-00058 SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190 |
APPL-11-000011 |
NaN |
| CCE-85447-1 |
sysprefs_ssh_enable |
Enable SSH Server for Remote Access Sessions |
Remote access sessions _MUST_ use encrypted methods to prevent unauthorized individuals from gaining access. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => false' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl enable system/com.openssh.sshd
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85389-5 |
sysprefs_system_wide_preferences_configure |
Require Administrator Password to Modify System-Wide Preferences |
The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations. |
Script |
/usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "<key>shared</key>" | /usr/bin/grep -c "<false/>" |
{'integer': 1} |
[source,bash]
----
/usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
/usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
---- |
AC-6 AC-6(2) AC-6(1) |
3.1.5 3.1.6 |
SRG-OS-000378-GPOS-00163 |
APPL-11-002069 |
CCI-001958 |
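The check for this rule pairs `grep -A 1 "<key>shared</key>"` with `grep -c "<false/>"`, which depends on the value element landing on the line directly after the key. The following is an added example, not code from the page or from the macOS Security Compliance Project, that evaluates the same `shared` attribute by parsing the plist that `security authorizationdb read` emits with the standard-library `plistlib`, and performs the same edit the page's fix makes with `PlistBuddy -c "Set :shared false"`. The right dictionary embedded below is a constructed sample containing only the keys the example needs; a real `system.preferences` right has more.

```python
"""Added example: check and repair the `shared` key of the system.preferences
authorization right by parsing the plist structure rather than matching
adjacent lines of text.
"""
import plistlib

# Constructed sample shaped like `security authorizationdb read system.preferences`
# output on a non-compliant system (shared = true). Keys are a subset (assumption).
SAMPLE_RIGHT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allow-root</key>
    <true/>
    <key>authenticate-user</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>2147483647</integer>
</dict>
</plist>
"""

# Constructed sample with the `shared` key absent altogether.
SAMPLE_NO_SHARED_KEY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>user</string>
</dict>
</plist>
"""


def shared_is_disabled(plist_bytes):
    """Return 1 when the right's `shared` key is false, else 0, matching the
    page's expected result {'integer': 1}. A missing key is reported as 0:
    there is no evidence the per-use authentication requirement is set."""
    right = plistlib.loads(plist_bytes)
    return 1 if right.get("shared") is False else 0


def set_shared_false(plist_bytes):
    """Return the right re-serialised with `shared` set to false, the edit the
    page's fix performs before writing the right back with
    `security authorizationdb write`. All other keys are preserved."""
    right = plistlib.loads(plist_bytes)
    right["shared"] = False
    return plistlib.dumps(right)


def right_keys(plist_bytes):
    """Sorted key names of the right, used to confirm the repair only touched `shared`."""
    return sorted(plistlib.loads(plist_bytes).keys())


if __name__ == "__main__":
    print("before:", shared_is_disabled(SAMPLE_RIGHT_XML))
    fixed = set_shared_false(SAMPLE_RIGHT_XML)
    print("after: ", shared_is_disabled(fixed))
    print(fixed.decode())
```

On a Mac the bytes come from `security authorizationdb read system.preferences` and the repaired plist is handed to `security authorizationdb write system.preferences` on standard input, as the page's fix does; the parsing approach also works unchanged if Apple reorders keys or formats the value differently.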
| CCE-85535-3 |
sysprefs_time_machine_auto_backup_enable |
Configure Time Machine for Automatic Backups |
Automatic backups _MUST_ be enabled when using Time Machine. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\
.objectForKey('AutoBackup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.TimeMachine) payload type:

[source,xml]
----
<key>AutoBackup</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85536-1 |
sysprefs_time_machine_encrypted_configure |
Ensure Time Machine Volumes are Encrypted |
Time Machine volumes _MUST_ be encrypted. |
Manual |
error_count=0
for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/awk -F': ' '/Name/{print $2}'); do
  tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}')
  tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}')
  if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then
    ((error_count++))
  fi
done
echo "$error_count" |
{'integer': 0} |
. Go to System Preferences -> Time Machine
. Click *Select Disk*
. Select existing Backup Disk under *Available Disks*
. Click *Encrypt Backups*
. Click *Use Disk* |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85448-9 |
sysprefs_time_server_configure |
Configure macOS to Use an Authorized Time Server |
Approved time servers _MUST_ be the only servers configured for use. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('timeServer').js
EOS |
{'string': 'time-a.nist.gov,time-b.nist.gov'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type:

[source,xml]
----
<key>timeServer</key>
<string>time-a.nist.gov,time-b.nist.gov</string>
---- |
AU-12(1) SC-45(1) |
3.3.7 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
APPL-11-000014 |
CCI-001891 CCI-002046 |
| CCE-85449-7 |
sysprefs_time_server_enforce |
Enable macOS Time Synchronization Daemon (timed) |
The timed service _MUST_ be enabled on all networked systems and configured to set time automatically from the approved time server. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\
.objectForKey('TMAutomaticTimeOnlyEnabled').js
EOS |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within it, each containing its defined payload type.

Create a configuration profile containing the following keys in the (com.apple.timed) payload type:

[source,xml]
----
<key>TMAutomaticTimeOnlyEnabled</key>
<true/>
---- |
AU-12(1) SC-45(1) |
3.3.7 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
APPL-11-000014 |
CCI-001891 CCI-002046 |
| CCE-85450-5 |
sysprefs_token_removal_enforce |
Configure User Session Lock When a Smart Token is Removed |
The screen lock _MUST_ be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, it prevents a malicious user from accessing the information system when a user has removed their smart token.

[IMPORTANT]
====
Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('tokenRemovalAction').js
EOS |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:

[source,xml]
----
<key>tokenRemovalAction</key>
<integer>1</integer>
---- |
AC-11 |
3.1.10 |
SRG-OS-000030-GPOS-00011 |
APPL-11-000005 |
CCI-000058 |
| CCE-85488-5 |
sysprefs_touchid_prefpane_disable |
Disable the System Preference Pane for Touch ID |
The system preference pane for Touch ID _MUST_ be disabled. Disabling the system preference pane prevents the users from configuring Touch ID. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>DisabledPreferencePanes</key>
<array>
  <string>com.apple.preferences.password</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002051 |
CCI-001774 CCI-000381 |
| CCE-85489-3 |
sysprefs_touchid_prefpane_hide |
Hide the System Preference Pane for Touch ID |
The system preference pane for Touch ID _MUST_ be hidden. Hiding the system preference pane prevents the users from configuring Touch ID. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.password</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002051 |
CCI-001774 CCI-000381 |
| CCE-85451-3 |
sysprefs_touchid_unlock_disable |
Disable TouchID for Unlocking the Device |
TouchID enables the ability to unlock a Mac system with a user's fingerprint. TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID. The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFingerprintForUnlock').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:

[source,xml]
----
<key>allowFingerprintForUnlock</key>
<false/>
---- |
AC-11 |
3.1.10 |
SRG-OS-000028-GPOS-00009 |
NaN |
CCI-000056 |
| CCE-85537-9 |
sysprefs_wake_network_access_disable |
Ensure Wake for Network Access Is Disabled |
Wake for network access _MUST_ be disabled. |
Script |
/usr/bin/pmset -g custom | /usr/bin/awk '/womp/{print $2}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a womp 0
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85485-1 |
sysprefs_wallet_applepay_prefpane_disable |
Disable the System Preference Pane for Wallet and Apple Pay |
The system preference pane for Wallet and Apple Pay _MUST_ be disabled. Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>DisabledPreferencePanes</key>
<array>
  <string>com.apple.preferences.wallet</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002052 |
CCI-001774 CCI-000381 |
| CCE-85486-9 |
sysprefs_wallet_applepay_prefpane_hide |
Hide the System Preference Pane for Wallet and Apple Pay |
The system preference pane for Wallet and Apple Pay _MUST_ be hidden. Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:

[source,xml]
----
<key>HiddenPreferencePanes</key>
<array>
  <string>com.apple.preferences.wallet</string>
</array>
---- |
CM-7 CM-7(5) |
NaN |
SRG-OS-000095-GPOS-00049 |
APPL-11-002052 |
CCI-001774 CCI-000381 |
| CCE-85473-7 |
sysprefs_wifi_disable |
Disable Wi-Fi Interface |
The macOS system _MUST_ be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP) which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this rule is not applicable. |
Script |
/usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi" |
{'integer': 1} |
To disable Wi-Fi on a macOS system, run the following command.

[source,bash]
----
/usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
---- |
AC-4 AC-18 AC-18(1) AC-18(3) |
NaN |
SRG-OS-000299-GPOS-00117 SRG-OS-000300-GPOS-00118 SRG-OS-000379-GPOS-00164 |
APPL-11-000008 |
NaN |
| CCE-85538-7 |
sysprefs_wifi_menu_enable |
Enable Wi-Fi Menu |
The Wi-Fi menu _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
.objectForKey('WiFi').js
EOS |
{'integer': 18} |
Create a configuration profile containing the following keys in the (com.apple.controlcenter) payload type:

[source,xml]
----
<key>WiFi</key>
<integer>18</integer>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85461-2 |
audit_record_reduction_report_generation |
Audit Record Reduction and Report Generation |
The system _IS_ configured with the ability to provide and implement an audit record reduction and report generation capability. Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AU-7 |
NaN |
NaN |
NaN |
NaN |
| CCE-85294-7 |
os_allow_info_passed |
Allow Information Transfer with Other Operating Systems |
The information system _IS_ configured to allow the transfer of information to and from other operating systems and users. The macOS is a UNIX 03-compliant operating system, which allows owners of objects to have discretion over who should be authorized to access information. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00122 |
NaN |
CCI-002165 |
| CCE-85474-5 |
os_application_sandboxing |
Ensure Separate Execution Domain for Processes |
The inherent configuration of the macOS _IS_ in compliance, as Apple has implemented multiple features: mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-39 |
NaN |
NaN |
NaN |
NaN |
| CCE-85303-6 |
os_change_security_attributes |
Allow Administrators to Modify Security Settings and System Attributes |
The information system _IS_ configured to allow administrators to modify security settings and system attributes. The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00124 |
NaN |
CCI-002165 |
| CCE-85305-1 |
os_crypto_audit |
Protect Audit Integrity with Cryptographic Mechanisms |
The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes encryption of the internal volume highly efficient. link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] NOTE: This will only apply to a Mac that includes a T2 security chip. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AU-9(3) |
NaN |
SRG-OS-000278-GPOS-00108 |
NaN |
CCI-001496 |
| CCE-85306-9 |
os_enforce_access_restrictions |
Enforce Access Restrictions |
The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
CM-5(1) |
NaN |
SRG-OS-000364-GPOS-00151 |
NaN |
CCI-001813 |
| CCE-85307-7 |
os_error_message |
Generate Error Messages without Exploitable Information |
The information system _IS_ configured to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000205-GPOS-00083 |
NaN |
CCI-001312 |
| CCE-85309-3 |
os_fail_secure_state |
Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails |
The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. link:https://developer.apple.com/videos/play/wwdc2017/715/[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-24 |
NaN |
SRG-OS-000184-GPOS-00078 SRG-OS-000269-GPOS-00103 |
NaN |
CCI-001190 CCI-001665 |
| CCE-85317-6 |
os_grant_privs |
Allow Administrators to Promote Other Users to Administrator Status |
The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00123 |
NaN |
CCI-002165 |
| CCE-85326-7 |
os_implement_cryptography |
Configure the System to Implement Approved Cryptography to Protect Information |
The information system _IS_ configured to implement approved cryptography to protect information. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[] link:https://support.apple.com/en-us/HT201159[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-13 |
3.13.11 |
SRG-OS-000396-GPOS-00176 |
NaN |
CCI-002450 |
| CCE-85327-5 |
os_implement_memory_protection |
Configure the System to Protect Memory from Unauthorized Code Execution |
The information system _IS_ configured to implement non-executable data to protect memory from code execution. Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-16 |
NaN |
SRG-OS-000433-GPOS-00192 SRG-OS-000433-GPOS-00193 |
NaN |
CCI-002824 |
| CCE-85330-9 |
os_isolate_security_functions |
Configure the System to Separate User and System Functionality |
The information system _IS_ configured to isolate security functions from non-security functions. link:https://support.apple.com/guide/security/welcome/web[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-3 |
NaN |
SRG-OS-000134-GPOS-00068 |
NaN |
CCI-001084 |
| CCE-85331-7 |
os_limit_auditable_events |
Only allow authorized users to select auditable events |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000063-GPOS-00032 |
NaN |
CCI-000171 |
| CCE-85333-3 |
os_limit_gui_sessions |
Limit Concurrent GUI Sessions to 10 for all Accounts |
The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-10 |
NaN |
SRG-OS-000027-GPOS-00008 |
NaN |
CCI-000054 |
| CCE-85334-1 |
os_logical_access |
Enforce Approved Authorization for Logical Access |
The information system _IS_ configured to enforce an approved authorization process before granting users logical access. The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3 |
3.1.1 3.1.2 |
SRG-OS-000080-GPOS-00048 |
NaN |
CCI-000213 |
| CCE-85335-8 |
os_logoff_capability_and_message |
Display logoff capability and message to prevent exploitation |
Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to the system. Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-12(1) AC-12(2) |
NaN |
SRG-OS-000280-GPOS-00110 SRG-OS-000281-GPOS-00111 |
NaN |
CCI-002363 CCI-002364 |
| CCE-85468-7 |
os_malicious_code_prevention |
Ensure the System Implements Malicious Code Protection Mechanisms |
The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention.
1. The first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
* The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
* XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:
** an app is first launched,
** an app has been changed (in the file system), and
** XProtect signatures are updated.
* YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly.
* Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running.
* Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify Developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of the scans to the system owner.
2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
* XProtect (defined above).
* Gatekeeper (defined above).
* Notarization (defined above).
3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
* Apple's Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and checks for malware on restart and login.
link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-3 |
NaN |
NaN |
NaN |
NaN |
| CCE-85337-4 |
os_map_pki_identity |
Map identity for PKI based authentication |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. |
The control cannot be configured out of compliance. |
For directory bound systems, the technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000068-GPOS-00036 |
NaN |
CCI-000187 |
| CCE-85340-8 |
os_mfa_network_access |
Enforce multifactor authentication for network access to privileged accounts |
The information system implements multifactor authentication for network access to privileged accounts. |
The control cannot be configured out of compliance. |
For directory bound systems: The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000105-GPOS-00052 |
NaN |
CCI-000765 |
| CCE-85341-6 |
os_mfa_network_non-priv |
Enforce multifactor authentication for network access to non-privileged accounts |
The information system implements multifactor authentication for network access to non-privileged accounts. |
The control cannot be configured out of compliance. |
For directory bound systems: The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000106-GPOS-00053 |
NaN |
CCI-000766 |
| CCE-85349-9 |
os_obscure_password |
Obscure Passwords |
The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals. The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered. link:https://developer.apple.com/documentation/appkit/nssecuretextfield[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-6 IA-5 |
3.5.1 3.5.2 3.5.11 |
SRG-OS-000079-GPOS-00047 |
NaN |
CCI-000206 |
| CCE-85354-9 |
os_peripherals_identify |
The macOS system must uniquely identify peripherals before establishing a connection. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85358-0 |
os_predictable_behavior |
Must behave in predictable and documented manner |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-10(3) |
NaN |
SRG-OS-000432-GPOS-00191 |
NaN |
CCI-002754 |
| CCE-85359-8 |
os_prevent_priv_execution |
Prevent Software From Executing at Higher Privilege Levels than Users Executing The Software |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organization. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. The inherent configuration of the macOS does not allow non-privileged users to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-6(8) |
3.1.7 |
SRG-OS-000326-GPOS-00126 |
NaN |
CCI-002233 |
| CCE-85360-6 |
os_prevent_priv_functions |
Configure the System to Block Non-Privileged Users from Executing Privileged Functions |
The information system _IS_ configured to block standard users from executing privileged functions. Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-6(10) |
3.1.7 |
SRG-OS-000324-GPOS-00125 |
NaN |
CCI-002235 |
| CCE-85361-4 |
os_prevent_unauthorized_disclosure |
Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources |
The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-4 |
3.13.4 |
SRG-OS-000138-GPOS-00069 |
NaN |
CCI-001090 |
| CCE-85365-5 |
os_provide_disconnect_remote_access |
Provide Ability to Disconnect or Disable Remote Access |
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped. Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems. The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-17(9) |
NaN |
SRG-OS-000298-GPOS-00116 |
NaN |
CCI-002322 |
| CCE-85367-1 |
os_reauth_privilege |
Require users to reauthenticate for privilege escalation |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-11 |
NaN |
SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 |
NaN |
CCI-002038 |
| CCE-85368-9 |
os_reauth_users_change_authenticators |
Require users to reauthenticate when changing authenticators |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change user authenticators, it is critical the user reauthenticate. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-11 |
NaN |
SRG-OS-000373-GPOS-00158 |
NaN |
CCI-002038 |
| CCE-85369-7 |
os_remote_access_methods |
Control remote access methods |
The information system monitors and controls remote access methods. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000297-GPOS-00115 |
NaN |
CCI-002314 |
| CCE-85371-3 |
os_remove_software_components_after_updates |
Must remove all software components after updated versions installed |
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-2(6) |
NaN |
SRG-OS-000437-GPOS-00194 |
NaN |
CCI-002617 |
| CCE-85373-9 |
os_required_crypto_module |
Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met |
The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. macOS contains many open source projects that may use their own cryptographic libraries, typically for the purpose of maintaining platform independence. These services are not covered by the Apple FIPS validation of the CoreCrypto and CoreCrypto Kernel modules. macOS Big Sur is in the process of testing by an accredited laboratory for submission to the National Institute of Standards and Technology (NIST) for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] link:https://support.apple.com/en-us/HT201159[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-7 |
NaN |
SRG-OS-000120-GPOS-00061 |
NaN |
CCI-000803 |
| CCE-85471-1 |
os_secure_enclave |
Protected Storage for Cryptographic Keys |
A system _IS_ configured to provide protected storage for cryptographic keys, either by a hardware-protected key store or by an organizationally defined safeguard. Macs with Apple silicon or T2 processors provide protected storage for cryptographic keys via the Secure Enclave. link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This check will only return a proper result on T2 or Apple silicon Macs; on other hardware the result is not a failure but a statement that the hardware does not support the requirement. |
The control cannot be configured out of compliance. |
/usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? |
{'integer': 0} |
The hardware does not support the requirement. |
SC-28(3) |
NaN |
NaN |
NaN |
NaN |
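The os_secure_enclave row above is the one rule in this part of the table whose check is a script with an expected integer result rather than an "inherently meets" statement, and its fix text ("The hardware does not support the requirement") means a failed match is a not-applicable result rather than a finding. The following shell script is an added example, not part of the baseline or of Apple's tooling: a small runner for such "Script" checks that compares the integer a check prints against the expected result, and a wrapper for the Secure Enclave check that reports PASS, FAIL or N/A accordingly. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the baseline or of Apple's tooling): a small
# runner for the table's "Script" checks, applied to os_secure_enclave.
# The row's check is
#   /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $?
# and its expected result is the integer 0. Function names are this example's own.

# Compare the integer a check printed against the table's expected result.
# Prints PASS or FAIL; returns 0 on PASS, 1 on FAIL.
compare_result() {
    expected="$1"
    observed="$2"
    if [ "$observed" = "$expected" ]; then
        echo "PASS"
        return 0
    fi
    echo "FAIL (expected $expected, got $observed)"
    return 1
}

# Run any check command whose stdout is the integer to compare.
# Usage: run_check <expected> <command> [args...]
# A non-zero exit from the check itself (e.g. grep -c matching nothing)
# is tolerated; only the printed value is compared.
run_check() {
    expected="$1"
    shift
    observed=$("$@" 2>/dev/null) || true
    compare_result "$expected" "$observed"
}

# The os_secure_enclave check. The baseline says the check is only meaningful
# on T2 or Apple silicon Macs and that otherwise "the hardware does not support
# the requirement", so a missing AppleSEPManager (or a non-macOS host with no
# ioreg at all) is reported as N/A, not FAIL. Returns 0 PASS, 1 FAIL, 2 N/A.
sep_check() {
    if [ ! -x /usr/sbin/ioreg ]; then
        echo "N/A (no /usr/sbin/ioreg; not a macOS host)"
        return 2
    fi
    observed=$(/usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $?)
    if [ "$observed" != "0" ]; then
        echo "N/A (hardware does not support the requirement)"
        return 2
    fi
    compare_result 0 "$observed"
}

# Stand-alone use: report the Secure Enclave result and exit with its code.
if [ "${0##*/}" = "sep_check.sh" ]; then
    sep_check
    exit $?
fi
```

Keeping PASS, FAIL and N/A as distinct exit codes matters when the runner feeds a compliance report: an Intel Mac without a T2 chip should not be counted as failing SC-28(3), but neither should it be counted as passing it.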
| CCE-85377-0 |
os_separate_functionality |
Configure the System to Separate User and System Functionality |
The information system _IS_ configured to separate user and system functionality. Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-2 MA-4(1) |
3.13.3 |
SRG-OS-000132-GPOS-00067 |
NaN |
CCI-001082 |
| CCE-85386-1 |
os_store_encrypted_passwords |
Encrypt Stored Passwords |
The information system _IS_ configured to encrypt stored passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-5(1) IA-5(1)(c) |
3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000073-GPOS-00041 |
NaN |
CCI-000196 |
| CCE-85390-3 |
os_terminate_session |
Terminate all sessions and network connections when maintenance is completed |
Terminates session and network connections when nonlocal maintenance is completed. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
SRG-OS-000126-GPOS-00066 |
NaN |
CCI-000879 |
| CCE-85394-5 |
os_unique_identification |
Uniquely Identify Users and Processes |
The macOS is a UNIX 03-compliant operating system. The system uniquely identifies and authenticates organizational users or processes. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-4 |
NaN |
SRG-OS-000104-GPOS-00051 |
NaN |
CCI-000764 |
| CCE-85398-6 |
os_verify_remote_disconnection |
Verify remote disconnection of sessions |
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
MA-4(7) |
NaN |
SRG-OS-000395-GPOS-00175 |
NaN |
CCI-002891 |
| CCE-85405-9 |
pwpolicy_emergency_accounts_disable |
Automatically Remove or Disable Emergency Accounts within 72 Hours |
The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-2(2) |
NaN |
NaN |
NaN |
NaN |
| CCE-85406-7 |
pwpolicy_force_password_change |
Force Password Change at Next Logon |
The macOS is able to be configured to force users to change their password at next logon. Temporary passwords are often used for new users when accounts are created. However, once logged in to the system, users must be immediately prompted to change to a permanent password of their creation. For a user to change their password at next logon, run the following command: [source,bash] ---- /usr/bin/pwpolicy -u [USER] -setpolicy "newPasswordRequired=1" ---- NOTE: Replace [USER] with the username that must change the password at next logon |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-5(1) |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000380-GPOS-00165 |
NaN |
CCI-002041 |
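The pwpolicy_force_password_change row gives the one-line `pwpolicy -setpolicy` command but no way to confirm that the flag actually applied to the account. The shell script below is an added example, not part of the baseline: it sets `newPasswordRequired=1` for a named local user with the command from the row, reads the account policy back with the legacy `pwpolicy -getpolicy` (assumed here to be available alongside `-setpolicy`, as it is on the same legacy interface), and confirms the flag is present. The parsing helper is pure text handling so it can be exercised off a Mac; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the baseline: set the force-change flag for one
# local account with the pwpolicy command shown in the row, then read the
# account's policy back and confirm the flag took. Function names are this
# example's own; "pwpolicy -u USER -getpolicy" is the legacy read-back
# counterpart of "-setpolicy" and is assumed available with it.

# Return 0 if a pwpolicy policy string (space-separated key=value pairs,
# possibly preceded by a "Getting policy for ..." line) contains
# newPasswordRequired=1. Pure text parsing, so it runs without a Mac.
policy_requires_change() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'newPasswordRequired=1'
}

# Must run as root on the target Mac. Sets the flag and verifies it.
# Returns 0 on verified success, 1 if pwpolicy failed or the flag did not
# apply, 2 if the account does not exist.
force_password_change() {
    user="$1"
    if ! id "$user" >/dev/null 2>&1; then
        echo "no such user: $user" >&2
        return 2
    fi
    /usr/bin/pwpolicy -u "$user" -setpolicy "newPasswordRequired=1" || return 1
    policy=$(/usr/bin/pwpolicy -u "$user" -getpolicy) || return 1
    if policy_requires_change "$policy"; then
        echo "$user must change password at next logon"
        return 0
    fi
    echo "policy did not apply for $user: $policy" >&2
    return 1
}

# Stand-alone use: force_password_change.sh USERNAME
if [ "${0##*/}" = "force_password_change.sh" ]; then
    [ -n "$1" ] || { echo "usage: $0 USERNAME" >&2; exit 64; }
    force_password_change "$1"
    exit $?
fi
```

Checking the account's existence first keeps a typo in the user name from being reported as a successful policy change, and the read-back catches the case where a directory service overrides the local policy and the flag silently does not apply.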
| CCE-85414-1 |
pwpolicy_temporary_accounts_disable |
Automatically Remove or Disable Temporary User Accounts within 72 Hours |
The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary accounts defined on the system, this is Not Applicable. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-2(2) |
NaN |
NaN |
NaN |
NaN |
| CCE-85253-3 |
audit_alert_processing_fail |
Alert Audit Processing Failure |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000046-GPOS-00022 |
NaN |
CCI-000139 |
| CCE-85256-6 |
audit_enforce_dual_auth |
Enforce Dual Authorization for Movement and Deletion of Audit Information |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed. An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation. To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-9(5) |
NaN |
SRG-OS-000360-GPOS-00147 |
NaN |
CCI-000366 CCI-001896 |
| CCE-85271-5 |
audit_off_load_records |
Off-Load Audit Records |
Audit records should be off-loaded onto a different system or media from the system being audited. Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-4(1) |
NaN |
SRG-OS-000479-GPOS-00224 SRG-OS-000342-GPOS-00133 |
NaN |
CCI-001851 |
| CCE-85462-0 |
audit_records_processing |
Audit Record Reduction and Report Generation |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-7(1) |
NaN |
NaN |
NaN |
NaN |
| CCE-85297-0 |
os_auth_peripherals |
Must authenticate peripherals before establishing a connection |
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to apply the control only to the limited number (and type) of devices that truly need to support this capability. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does support this requirement; however, third-party solutions are required to implement it at an infrastructure level. |
NaN |
This requirement is a permanent finding and can be fixed by implementing a third-party solution. |
IA-3 |
3.5.1 3.5.2 |
SRG-OS-000378-GPOS-00163 |
NaN |
CCI-001958 |
| CCE-85304-4 |
os_continuous_monitoring |
Configure Automated Flaw Remediation |
The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SI-2(2) |
NaN |
SRG-OS-000191-GPOS-00080 |
APPL-11-000015 |
CCI-001233 |
| CCE-85332-5 |
os_limit_dos_attacks |
Limit Impact of Denial of Service Attacks |
The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-5(2) |
NaN |
SRG-OS-000142-GPOS-00071 |
NaN |
CCI-001095 |
| CCE-85343-2 |
os_notify_account_created |
Configure the System to Notify upon Account Created Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000274-GPOS-00104 |
NaN |
CCI-001683 |
| CCE-85344-0 |
os_notify_account_disabled |
Configure the System to Notify upon Account Disabled Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are disabled. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000276-GPOS-00106 |
NaN |
CCI-001685 |
| CCE-85345-7 |
os_notify_account_enable |
Configure the System to Notify upon Account Enabled Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000304-GPOS-00121 |
NaN |
CCI-002132 |
| CCE-85346-5 |
os_notify_account_modified |
Configure the System to Notify upon Account Modified Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. To enable notifications and audit logging of modified accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000275-GPOS-00105 |
NaN |
CCI-001684 |
| CCE-85347-3 |
os_notify_account_removal |
Configure the System to Notify upon Account Removed Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed. When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000277-GPOS-00107 |
NaN |
CCI-001686 |
| CCE-85348-1 |
os_notify_unauthorized_baseline_change |
Configure the System to Notify upon Baseline Configuration Changes |
The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
CM-3(5) |
NaN |
SRG-OS-000363-GPOS-00150 |
NaN |
CCI-001744 |
| CCE-85480-2 |
os_prohibit_remote_activation_collab_devices |
Prohibit Remote Activation of Collaborative Computing Devices |
The inherent configuration of the macOS _IS_ in partial compliance, as Apple has implemented a green light physically next to the camera that glows when the camera is activated. There is no indicator when the system's microphone is listening or activated; providing one requires additional software to be installed. The macOS has built into the system the ability to grant or deny access to the camera and microphone, which requires the application to have an entitlement to use the device. link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/11.0/mac/11.0[] |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology partially supports this requirement and cannot be configured to be in full compliance. |
NaN |
The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. |
SC-15 |
NaN |
NaN |
NaN |
NaN |
| CCE-85363-0 |
os_protect_dos_attacks |
Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces |
The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-5 |
NaN |
SRG-OS-000420-GPOS-00186 |
NaN |
CCI-002385 |
| CCE-85364-8 |
os_provide_automated_account_management |
Employ Automated Mechanisms for Account Management Functions |
The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms protects against human error and provides a faster and more efficient means of relaying time-sensitive information and account management. To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-2(1) |
NaN |
SRG-OS-000001-GPOS-00001 |
NaN |
CCI-000015 |
| CCE-85366-3 |
os_reauth_devices_change_authenticators |
Require Devices to Reauthenticate when Changing Authenticators |
The macOS should be configured to require users to reauthenticate when the device authenticator is changed. Without reauthentication, users may access resources or perform tasks for which they are not authorized. When operating systems provide the capability to change device authenticators, it is critical that the device reauthenticate. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
IA-11 |
NaN |
SRG-OS-000374-GPOS-00159 |
NaN |
CCI-002039 |
| CCE-85372-1 |
os_secure_name_resolution |
Secure Name Address Resolution Service |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. NOTE: macOS supports encrypted DNS settings with the com.apple.dnsSettings.managed payload; however, the system must be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-21 |
NaN |
SRG-OS-000399-GPOS-00178 SRG-OS-000400-GPOS-00179 SRG-OS-000401-GPOS-00180 SRG-OS-000402-GPOS-00181 |
NaN |
CCI-002465 CCI-002466 CCI-002467 CCI-002468 |
| CCE-85399-4 |
pwpolicy_50_percent |
Require a Minimum of Fifty Percent Character Change in New Passwords |
The macOS should be configured to require users to change at least 50% of the characters when setting a new password. If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
3.5.1 3.5.2 3.5.7 3.5.8 3.5.9 3.5.10 |
SRG-OS-000072-GPOS-00040 |
NaN |
CCI-000195 |
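The pwpolicy_50_percent discussion above defines the changed-character count position by position: a character that survives into the new password but at a different index still counts as changed. The following is an added illustration of that counting rule in Python; it is not part of this baseline or of any macOS tooling, and the sample passwords in the comments are constructed. Positions that exist in one password but not the other (because the lengths differ) are treated as changed, which is an assumption the rule text does not spell out.

```python
"""Position-wise password change check (added example, not part of the baseline)."""


def changed_positions(current: str, new: str) -> int:
    """Count positions at which the new password differs from the current one.

    Comparison is index by index, so a character that is kept but moved to a
    different index counts as changed. Any position present in only one of the
    two passwords (differing lengths) is also counted as changed; that handling
    of unequal lengths is an assumption, not something the rule text states.
    """
    common = min(len(current), len(new))
    changed = sum(1 for i in range(common) if current[i] != new[i])
    return changed + abs(len(current) - len(new))


def change_fraction(current: str, new: str) -> float:
    """Changed positions relative to the number of positions in the current password."""
    if not current:
        raise ValueError("current password must not be empty")
    return changed_positions(current, new) / len(current)


def meets_change_requirement(current: str, new: str, minimum: float = 0.5) -> bool:
    """True when at least `minimum` (default 50%) of the positions changed."""
    return change_fraction(current, new) >= minimum


if __name__ == "__main__":
    # Constructed sample pairs: bumping one digit changes 1 of 11 positions and
    # fails; reversing the string keeps the same characters but moves 10 of 11
    # positions and passes, exactly as the rule's "positions must differ" wording
    # implies.
    for old, candidate in [("Winter2023!", "Winter2024!"), ("Winter2023!", "!3202retniW")]:
        print(old, "->", candidate, changed_positions(old, candidate),
              f"{change_fraction(old, candidate):.0%}", meets_change_requirement(old, candidate))
```

The fraction is taken over the length of the current password, as the rule text describes, so a new password that is longer than the old one can score above 100%; that is intended, since every extra position is a change.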
| CCE-85411-7 |
pwpolicy_prevent_dictionary_words |
Prevent the Use of Dictionary Words for Passwords |
The macOS should be configured to forbid users from using dictionary words for passwords. If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000480-GPOS-00225 |
NaN |
CCI-000366 |
| CCE-85452-1 |
sysprefs_wifi_disable_when_connected_to_ethernet |
Disable Wi-Fi When Connected to Ethernet |
The macOS should be configured to automatically disable Wi-Fi when connected to Ethernet. The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-4 AC-18(1) AC-18(3) |
3.1.3 3.1.17 |
NaN |
NaN |
NaN |
| CCE-85464-6 |
os_access_control_mobile_devices |
Access Control for Mobile Devices |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. |
Manual |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-19 |
NaN |
NaN |
NaN |
NaN |
| CCE-85325-9 |
os_identify_non-org_users |
Configure the System to Uniquely Identify and Authenticate Non-Organizational Users |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
IA-8 |
NaN |
SRG-OS-000121-GPOS-00062 |
NaN |
CCI-000804 |
| CCE-85476-0 |
os_information_validation |
Information Input Validation |
Check the validity of the following information inputs: organization-defined information inputs to the systems. Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-10 |
NaN |
NaN |
NaN |
NaN |
| CCE-85477-8 |
os_managed_access_control_points |
Managed Access Control Points |
Route remote accesses through authorized and managed network access control points. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
AC-17(3) |
NaN |
NaN |
NaN |
NaN |
| CCE-85481-0 |
os_non_repudiation |
Non-Repudiation |
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation. Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
AU-10 |
NaN |
NaN |
NaN |
NaN |
| CCE-85458-8 |
os_nonlocal_maintenance |
Configure the System for Nonlocal Maintenance |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
MA-4 |
3.7.5 |
NaN |
NaN |
NaN |
| CCE-85475-2 |
os_pii_deidentification |
Remove Elements of Personally Identifiable Information from Datasets |
Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information and evaluate organization-defined frequency for effectiveness of de-identification. De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-19 |
NaN |
NaN |
NaN |
NaN |
| CCE-85478-6 |
os_pii_quality_control |
Personally Identifiable Information Quality Operations |
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle organization-defined frequency; and correct or delete inaccurate or outdated personally identifiable information. Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-18 |
NaN |
NaN |
NaN |
NaN |
| CCE-85479-4 |
os_privacy_principle_minimization |
Implement the Privacy Principle of Minimization |
Implement the privacy principle of minimization using organization-defined processes. The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SA-8(33) |
NaN |
NaN |
NaN |
NaN |