| CCE-92701-2 |
audit_acls_files_configure |
Configure Audit Log Files to Not Contain Access Control Lists |
The audit log files _MUST_ not contain access control lists (ACLs). This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. |
Script |
/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash] ---- /bin/chmod -RN /var/audit ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-000030 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001314 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92702-0 |
audit_acls_folders_configure |
Configure Audit Log Folder to Not Contain Access Control Lists |
The audit log folder _MUST_ not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs. |
Script |
/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash] ---- /bin/chmod -N /var/audit ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-000031 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92704-6 |
audit_auditd_enabled |
Enable Security Auditing |
The information system _MUST_ be configured to generate audit records. Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in its efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system start-up. NOTE: Security auditing is NOT enabled by default on macOS Sonoma. |
Script |
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd); AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING"); if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then echo "pass"; else echo "fail"; fi |
{'string': 'pass'} |
[source,bash]
----
if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]]; then
  /bin/cp /etc/security/audit_control.example /etc/security/audit_control
fi
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/sbin/audit -i
---- |
AU-3 AU-3(1) AU-8 AU-12 AU-12(1) AU-12(3) AU-14(1) MA-4(1) CM-5(1) |
03.03.02 03.03.03 03.03.07 |
SRG-OS-000255-GPOS-00096 SRG-OS-000474-GPOS-00219 SRG-OS-000465-GPOS-00209 SRG-OS-000473-GPOS-00218 SRG-OS-000337-GPOS-00129 SRG-OS-000359-GPOS-00146 SRG-OS-000472-GPOS-00217 SRG-OS-000257-GPOS-00098 SRG-OS-000466-GPOS-00210 SRG-OS-000042-GPOS-00020 SRG-OS-000468-GPOS-00212 SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000039-GPOS-00017 SRG-OS-000467-GPOS-00211 SRG-OS-000470-GPOS-00214 SRG-OS-000461-GPOS-00205 SRG-OS-000258-GPOS-00099 SRG-OS-000471-GPOS-00215 SRG-OS-000458-GPOS-00203 SRG-OS-000037-GPOS-00015 SRG-OS-000040-GPOS-00018 SRG-OS-000471-GPOS-00216 SRG-OS-000476-GPOS-00221 SRG-OS-000254-GPOS-00095 SRG-OS-000042-GPOS-00021 SRG-OS-000358-GPOS-00145 SRG-OS-000477-GPOS-00222 SRG-OS-000365-GPOS-00152 SRG-OS-000475-GPOS-00220 SRG-OS-000041-GPOS-00019 SRG-OS-000038-GPOS-00016 SRG-OS-000462-GPOS-00206 SRG-OS-000055-GPOS-00026 |
NaN |
APPL-14-001003 |
3.1 (level 1) |
8.2 8.5 |
AU.L2-3.3.2 AU.L2-3.3.6 |
NaN |
CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000159 CCI-001464 CCI-001487 CCI-001889 CCI-001890 CCI-001914 CCI-002130 |
medium |
NaN |
| CCE-92705-3 |
audit_configure_capacity_notify |
Configure Audit Capacity Warning |
The audit service _MUST_ be configured to notify the system administrator when the free disk space remaining on the audit log volume falls to an organization-defined threshold (the minfree value, a percentage of the volume). This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs. |
Script |
/usr/bin/awk -F: '/^minfree/{print $2}' /etc/security/audit_control |
{'integer': 25} |
[source,bash] ---- /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AU-5(1) |
NaN |
SRG-OS-000046-GPOS-00022 SRG-OS-000343-GPOS-00134 |
NaN |
APPL-14-001030 |
NaN |
NaN |
NaN |
NaN |
CCI-000139 CCI-001855 |
low |
NaN |
| CCE-92706-1 |
audit_control_acls_configure |
Configure Audit_Control to Not Contain Access Control Lists |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). |
Script |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" |
{'integer': 0} |
[source,bash] ---- /bin/chmod -N /etc/security/audit_control ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000063-GPOS-00032 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001140 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92707-9 |
audit_control_group_configure |
Configure Audit_Control Group to Wheel |
/etc/security/audit_control _MUST_ have the group set to wheel. |
Script |
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}' |
{'integer': 0} |
[source,bash] ---- /usr/bin/chgrp wheel /etc/security/audit_control ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000063-GPOS-00032 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001110 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92708-7 |
audit_control_mode_configure |
Configure Audit_Control to Mode 440 or Less Permissive |
/etc/security/audit_control _MUST_ be configured so that it is readable only by the root user and group wheel. |
Script |
/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash] ---- /bin/chmod 440 /etc/security/audit_control ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000063-GPOS-00032 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001130 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92709-5 |
audit_control_owner_configure |
Configure Audit_Control Owner to Root |
/etc/security/audit_control _MUST_ have the owner set to root. |
Script |
/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}' |
{'integer': 0} |
[source,bash] ---- /usr/sbin/chown root /etc/security/audit_control ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000063-GPOS-00032 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001120 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000171 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92711-1 |
audit_failure_halt |
Configure System to Shut Down Upon Audit Failure |
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. |
Script |
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AU-5 |
03.03.04 |
SRG-OS-000047-GPOS-00023 |
NaN |
APPL-14-001010 |
NaN |
NaN |
AU.L2-3.3.4 |
NaN |
CCI-000140 |
medium |
NaN |
| CCE-92712-9 |
audit_files_group_configure |
Configure Audit Log Files Group to Wheel |
Audit log files _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. |
Script |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}' |
{'integer': 0} |
[source,bash] ---- /usr/bin/chgrp -R wheel /var/audit/* ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001014 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92713-7 |
audit_files_mode_configure |
Configure Audit Log Files to Mode 440 or Less Permissive |
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive, thereby preventing normal users from reading, modifying, or deleting audit logs. |
Script |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash] ---- /bin/chmod 440 /var/audit/* ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001016 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92714-5 |
audit_files_owner_configure |
Configure Audit Log Files to be Owned by Root |
Audit log files _MUST_ be owned by root. The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' |
{'integer': 0} |
[source,bash] ---- /usr/sbin/chown -R root /var/audit/* ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001012 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92715-2 |
audit_flags_aa_configure |
Configure System to Audit All Authorization and Authentication Events |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events. Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^aa' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 MA-4(1) CM-5(1) |
03.03.01 03.03.03 |
SRG-OS-000392-GPOS-00172 SRG-OS-000365-GPOS-00152 SRG-OS-000475-GPOS-00220 SRG-OS-000463-GPOS-00207 SRG-OS-000467-GPOS-00211 SRG-OS-000465-GPOS-00209 SRG-OS-000477-GPOS-00222 SRG-OS-000471-GPOS-00216 SRG-OS-000466-GPOS-00210 SRG-OS-000471-GPOS-00215 SRG-OS-000458-GPOS-00203 SRG-OS-000468-GPOS-00212 |
NaN |
APPL-14-001044 |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 SI.L2-3.14.3 |
NaN |
CCI-000172 CCI-001814 CCI-002884 |
medium |
NaN |
| CCE-92716-0 |
audit_flags_ad_configure |
Configure System to Audit All Administrative Action Events |
The auditing system _MUST_ be configured to flag administrative action (ad) events. Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^ad' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AC-2(12) AC-6(9) AU-12 AC-2(4) AU-2 MA-4(1) CM-5(1) |
03.01.07 03.03.01 03.03.03 |
SRG-OS-000304-GPOS-00121 SRG-OS-000365-GPOS-00152 SRG-OS-000392-GPOS-00172 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000327-GPOS-00127 SRG-OS-000471-GPOS-00216 SRG-OS-000476-GPOS-00221 SRG-OS-000471-GPOS-00215 SRG-OS-000458-GPOS-00203 SRG-OS-000303-GPOS-00120 |
NaN |
APPL-14-001001 |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 SI.L2-3.14.3 |
NaN |
CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001814 CCI-002234 CCI-002884 |
medium |
NaN |
| CCE-92717-8 |
audit_flags_ex_configure |
Configure System to Audit All Failed Program Execution on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 CM-5(1) |
03.03.01 03.03.03 |
SRG-OS-000365-GPOS-00152 SRG-OS-000465-GPOS-00209 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 |
NaN |
APPL-14-001024 |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 SI.L2-3.14.3 |
NaN |
CCI-000172 CCI-001814 |
medium |
NaN |
| CCE-92718-6 |
audit_flags_fd_configure |
Configure System to Audit All Deletions of Object Attributes |
The audit system _MUST_ be configured to record enforcement actions of failed attempts to delete files (-fd). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
03.03.01 03.03.03 03.03.08 |
SRG-OS-000392-GPOS-00172 SRG-OS-000256-GPOS-00097 SRG-OS-000365-GPOS-00152 SRG-OS-000057-GPOS-00027 SRG-OS-000064-GPOS-00033 SRG-OS-000463-GPOS-00207 SRG-OS-000467-GPOS-00211 SRG-OS-000465-GPOS-00209 SRG-OS-000468-GPOS-00212 SRG-OS-000466-GPOS-00210 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000458-GPOS-00203 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001020 |
NaN |
NaN |
AU.L2-3.3.3 AU.L2-3.3.6 AU.L2-3.3.8 SI.L2-3.14.3 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000172 CCI-001493 CCI-001494 CCI-001495 CCI-001814 CCI-002884 |
medium |
NaN |
| CCE-92719-4 |
audit_flags_fm_configure |
Configure System to Audit All Changes of Object Attributes |
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., controlling modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which a file's attributes are modified, whether the attempt succeeds or fails. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*[^-]fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
03.03.01 03.03.03 03.03.08 |
SRG-OS-000392-GPOS-00172 SRG-OS-000256-GPOS-00097 SRG-OS-000365-GPOS-00152 SRG-OS-000057-GPOS-00027 SRG-OS-000064-GPOS-00033 SRG-OS-000463-GPOS-00207 SRG-OS-000467-GPOS-00211 SRG-OS-000465-GPOS-00209 SRG-OS-000468-GPOS-00212 SRG-OS-000466-GPOS-00210 SRG-OS-000059-GPOS-00029 SRG-OS-000462-GPOS-00206 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000458-GPOS-00203 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001021 |
NaN |
NaN |
AU.L2-3.3.3 AU.L2-3.3.6 AU.L2-3.3.8 SI.L2-3.14.3 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-000172 CCI-001493 CCI-001494 CCI-001495 CCI-001814 CCI-002884 |
medium |
NaN |
| CCE-92720-2 |
audit_flags_fm_failed_configure |
Configure System to Audit All Failed Change of Object Attributes |
The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fm' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
03.03.01 03.03.03 03.03.08 |
NaN |
NaN |
NaN |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 AU.L2-3.3.8 SI.L2-3.14.3 |
NaN |
NaN |
medium |
NaN |
| CCE-92721-0 |
audit_flags_fr_configure |
Configure System to Audit All Failed Read Actions on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
03.03.01 03.03.03 03.03.08 |
SRG-OS-000392-GPOS-00172 SRG-OS-000256-GPOS-00097 SRG-OS-000365-GPOS-00152 SRG-OS-000474-GPOS-00219 SRG-OS-000057-GPOS-00027 SRG-OS-000064-GPOS-00033 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000461-GPOS-00205 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000458-GPOS-00203 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001022 |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 AU.L2-3.3.8 SI.L2-3.14.3 |
NaN |
CCI-000172 CCI-001814 |
medium |
NaN |
| CCE-92722-8 |
audit_flags_fw_configure |
Configure System to Audit All Failed Write Actions on the System |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s ---- |
AC-2(12) AU-12 AU-2 AU-9 CM-5(1) MA-4(1) |
03.03.01 03.03.03 03.03.08 |
SRG-OS-000392-GPOS-00172 SRG-OS-000256-GPOS-00097 SRG-OS-000365-GPOS-00152 SRG-OS-000057-GPOS-00027 SRG-OS-000064-GPOS-00033 SRG-OS-000463-GPOS-00207 SRG-OS-000467-GPOS-00211 SRG-OS-000465-GPOS-00209 SRG-OS-000468-GPOS-00212 SRG-OS-000466-GPOS-00210 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000458-GPOS-00203 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001023 |
3.2 (level 2) |
3.14 8.2 8.5 |
AU.L2-3.3.3 AU.L2-3.3.6 AU.L2-3.3.8 SI.L2-3.14.3 |
NaN |
CCI-000172 CCI-001814 |
medium |
NaN |
| CCE-92723-6 |
audit_flags_lo_configure |
Configure System to Audit All Log In and Log Out Events |
The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk. The information system monitors login and logout events. |
Script |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo' |
{'integer': 1} |
[source,bash] ---- /usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AC-2(12) AU-12 AC-17(1) AU-2 MA-4(1) |
03.03.01 03.03.03 |
SRG-OS-000032-GPOS-00013 SRG-OS-000392-GPOS-00172 SRG-OS-000064-GPOS-00033 SRG-OS-000473-GPOS-00218 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000471-GPOS-00215 SRG-OS-000458-GPOS-00203 |
NaN |
APPL-14-001002 |
3.2 (level 2) |
3.14 8.2 8.5 |
AC.L2-3.1.12 AU.L2-3.3.3 AU.L2-3.3.6 SI.L2-3.14.3 |
NaN |
CCI-000067 CCI-000172 CCI-002884 |
medium |
NaN |
| CCE-92724-4 |
audit_folder_group_configure |
Configure Audit Log Folders Group to Wheel |
Audit log folders _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log folders with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by system administrators, the risk is mitigated. |
Script |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}' |
{'integer': 0} |
[source,bash] ---- /usr/bin/chgrp wheel /var/audit ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001015 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92725-1 |
audit_folder_owner_configure |
Configure Audit Log Folders to be Owned by Root |
Audit log folders _MUST_ be owned by root. The audit service _MUST_ be configured to create log folders with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}' |
{'integer': 0} |
[source,bash] ---- /usr/sbin/chown root /var/audit ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001013 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
| CCE-92726-9 |
audit_folders_mode_configure |
Configure Audit Log Folders to Mode 700 or Less Permissive |
The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and search the folder. Because audit logs contain sensitive data about the system and users, the audit log folder _MUST_ be configured to mode 700 or less permissive, thereby preventing normal users from reading, modifying, or deleting audit logs. |
Script |
/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') |
{'integer': 700} |
[source,bash] ---- /bin/chmod 700 /var/audit ---- |
AU-9 |
03.03.08 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000059-GPOS-00029 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-001017 |
3.5 (level 1) |
3.3 |
AU.L2-3.3.8 |
NaN |
CCI-000162 CCI-000163 CCI-000164 CCI-001493 CCI-001494 CCI-001495 |
medium |
NaN |
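Added example, not part of the mSCP rule set above: the file and folder rules (owner root, group wheel, no ACLs, mode 440 or less permissive for trail files) are each checked with a separate ls pipeline. The script below, written for this page, evaluates one listing of the audit folder against all of them in a single pass and treats "or less permissive" as a bit mask, so a 400 trail file passes while a 644 file, a file carrying an ACL entry, or a file with a non-wheel group is reported. The listing is constructed in the style of macOS `ls -len` (long format, numeric ids, ACL entries printed as indented numbered lines under their file, a `+` after the mode of such files); file names, temp files and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not mSCP code: evaluate a listing of the audit log folder
# against the ownership, group, mode and ACL rules above in one pass.
# LISTING is constructed in the style of macOS "ls -len"; on a real host use
#   /bin/ls -len "$(/usr/bin/awk -F: '/^dir/{print $2}' /etc/security/audit_control)"

LISTING=$(mktemp)
trap 'rm -f "$LISTING"' EXIT
cat > "$LISTING" <<'EOF'
total 24
-r--r-----  1 0  0   2048 Jan  1 00:00 20240101000000.20240102000000
-rw-r--r--+ 1 0  0   4096 Jan  2 00:00 20240102000000.not_terminated
 0: group:everyone deny delete
-r--------  1 0  20   512 Jan  2 00:00 20240102000000.crash_recovery
lrwxr-xr-x  1 0  0     40 Jan  2 00:00 current -> /var/audit/20240102000000.not_terminated
EOF

# Succeed when MODE (the first 10 characters of the ls mode column, e.g.
# "-r--r-----") grants nothing beyond the octal mask MAX, e.g. 440. Any slot
# that is not "-" counts as granted, so setuid/setgid/sticky markers (s, S,
# t, T) are never silently accepted; a trailing "+" or "@" is ignored.
mode_within() {
    awk -v m="$1" -v max="$2" 'BEGIN {
        maxbits = 0
        for (i = 1; i <= length(max); i++) maxbits = maxbits * 8 + substr(max, i, 1)
        bits = 0
        for (i = 2; i <= 10; i++) bits = bits * 2 + (substr(m, i, 1) != "-")
        # awk has no bitwise operators: compare the nine bits one at a time
        for (i = 0; i < 9; i++)
            if (int(bits / 2^i) % 2 && !(int(maxbits / 2^i) % 2)) exit 1
        exit 0
    }'
}

# Read an ls -len listing from FILE and print one line per finding; exit 0
# when every trail file is root:wheel, mode 440 or less, and free of ACLs.
audit_dir_findings() {
    _rc=0; _last=""
    while IFS= read -r _line; do
        case $_line in
            total*) continue ;;                 # ls summary line
            l*) continue ;;                     # "current" symlink to the open trail
            ' '[0-9]*) echo "acl: $_last has ACL entry:${_line#*:}"; _rc=1; continue ;;
        esac
        set -- $_line
        _mode=$1; _uid=$3; _gid=$4; _name=$9; _last=$_name
        [ "$_uid" = 0 ] || { echo "owner: $_name has uid $_uid, want 0 (root)"; _rc=1; }
        [ "$_gid" = 0 ] || { echo "group: $_name has gid $_gid, want 0 (wheel)"; _rc=1; }
        mode_within "$_mode" 440 || { echo "mode: $_name is $_mode, want 440 or less permissive"; _rc=1; }
    done < "$1"
    return $_rc
}

audit_dir_findings "$LISTING" || echo "audit folder does not meet the rules above"
```

On the constructed listing this reports three findings: the open trail is 644 and carries an ACL entry, and the crash-recovery trail has group 20 (staff) rather than wheel; the 400 trail passes because it grants nothing beyond 440.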
| CCE-92730-1 |
audit_retention_configure |
Configure Audit Retention to 7d |
The audit service _MUST_ be configured to retain records for an organization-defined period before deletion, unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit log files until they are at least seven days old. |
Script |
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control |
{'string': '7d'} |
[source,bash] ---- /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s ---- |
AU-11 AU-4 |
03.03.03 |
SRG-OS-000341-GPOS-00132 |
NaN |
APPL-14-001029 |
3.4 (level 1) |
8.1 8.3 |
AU.L2-3.3.1 |
NaN |
CCI-001849 |
low |
NaN |
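Added example, not part of the mSCP rule set above: the flags, policy, minfree and expire-after rules each grep /etc/security/audit_control with a slightly different pattern. The script below, written for this page, parses a constructed audit_control the way the audit daemon reads it (the value after the first colon, split on commas, compared as whole items, so fm and -fm are distinct), reports every rule above that the file misses, and shows an idempotent append of a missing flag in the spirit of the fixes above. The file contents, temp file names and function names are constructed for the example; on a real host the functions take /etc/security/audit_control.

```shell
#!/bin/sh
# Added example, not mSCP code: evaluate a BSM audit_control file against the
# flags, policy, minfree and expire-after settings the rules above call for.
# The file contents below are constructed for the example; on a real host,
# point the functions at /etc/security/audit_control instead.

SAMPLE_FILE=$(mktemp)
FIXED_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE" "$FIXED_FILE" "$SAMPLE_FILE.bak" "$FIXED_FILE.bak"' EXIT

# Constructed sample: failed attribute changes (-fm) are audited but
# successful ones (fm) are not, and the policy lacks ahlt.
cat > "$SAMPLE_FILE" <<'EOF'
#
# constructed audit_control for the example; not a real host's file
#
dir:/var/audit
flags:lo,aa,ad,-fm,-fr,-fw,-ex,-fd
minfree:25
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:7d
EOF

# Print the value of KEY from FILE with whitespace stripped, so "policy: ahlt"
# and "policy:ahlt" compare equal.
ac_value() {
    awk -F: -v key="$2" '
        $1 == key { sub(/^[^:]*:/, ""); gsub(/[[:space:]]/, ""); print; exit }
    ' "$1"
}

# Succeed only if ITEM is a whole comma-separated member of KEY's value, so a
# check for "fm" is not satisfied by "-fm" and "-ex" is not satisfied by "ex".
ac_has_item() {
    ac_value "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

ac_has_flag() {
    ac_has_item "$1" flags "$2"
}

# Append FLAG to the flags: line only when it is not already present, which is
# what the fixes above intend; sed -i.bak works with both BSD and GNU sed.
ac_add_flag() {
    if ac_has_flag "$1" "$2"; then
        return 0
    elif [ -z "$(ac_value "$1" flags)" ]; then
        sed -i.bak "s/^flags:.*/flags:$2/" "$1"
    else
        sed -i.bak "/^flags:/ s/\$/,$2/" "$1"
    fi
}

# Print one line per requirement FILE does not meet; exit 0 when it meets all.
ac_missing() {
    _rc=0
    for _flag in aa ad -ex -fd fm -fm -fr -fw lo; do
        ac_has_flag "$1" "$_flag" || { echo "flags: missing $_flag"; _rc=1; }
    done
    ac_has_item "$1" policy ahlt || { echo "policy: ahlt not set"; _rc=1; }
    [ "$(ac_value "$1" minfree)" = 25 ] || { echo "minfree: want 25"; _rc=1; }
    [ "$(ac_value "$1" expire-after)" = 7d ] || { echo "expire-after: want 7d"; _rc=1; }
    return $_rc
}

ac_missing "$SAMPLE_FILE" || echo "sample does not meet the rules above"

# Repair a copy the way the fixes above do, then re-check. The second
# ac_add_flag call is a no-op, so the flag is not appended twice.
cp "$SAMPLE_FILE" "$FIXED_FILE"
ac_add_flag "$FIXED_FILE" fm
ac_add_flag "$FIXED_FILE" fm
sed -i.bak 's/^policy:.*/policy: ahlt,argv/' "$FIXED_FILE"
ac_missing "$FIXED_FILE" && echo "fixed copy meets the rules above"
```

Whole-item matching is the point: the sample already has -fm, and a substring test for "fm" would report it compliant with the success-and-failure rule when only failures are being recorded. The fixes above restart the daemon with `audit -s` after editing; that step is omitted here because the file is only a sample.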
| CCE-92731-9 |
audit_settings_failure_notify |
Configure Audit Failure Notification |
The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. |
Script |
/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn |
{'integer': 1} |
[source,bash] ---- /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s ---- |
AU-5(2) AU-5 |
03.03.04 |
SRG-OS-000047-GPOS-00023 SRG-OS-000344-GPOS-00135 |
NaN |
APPL-14-001031 |
NaN |
NaN |
AU.L2-3.3.4 |
NaN |
CCI-000140 CCI-001858 |
medium |
NaN |
| CCE-92732-7 |
auth_pam_login_smartcard_enforce |
Enforce Multifactor Authentication for Login |
The system _MUST_ be configured to enforce multifactor authentication. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. NOTE: /etc/pam.d/login will be automatically reverted to its original state following any update or major upgrade to the operating system. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
auth        required      pam_deny.so
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so
LOGIN_END
/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
---- |
IA-2(1) IA-2(2) IA-2(8) |
03.05.03 03.05.04 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000108-GPOS-00055 SRG-OS-000106-GPOS-00053 SRG-OS-000105-GPOS-00052 |
NaN |
APPL-14-003050 |
NaN |
6.3 6.4 6.5 |
IA.L2-3.5.3 IA.L2-3.5.4 |
NaN |
CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001941 |
medium |
NaN |
| CCE-92733-5 |
auth_pam_su_smartcard_enforce |
Enforce Multifactor Authentication for the su Command |
The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) configuration files now requires user authorization, or the use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. NOTE: /etc/pam.d/su will be automatically restored to its original state following any update or major upgrade to the operating system, so the fix must be reapplied after updates. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_rootok.so
auth        required      pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account     required      pam_permit.so
account     required      pam_opendirectory.so no_check_shell
password    required      pam_opendirectory.so
session     required      pam_launchd.so
SU_END
# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
---- |
IA-2(1) IA-2(2) IA-2(8) |
03.05.03 03.05.04 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000108-GPOS-00055 SRG-OS-000106-GPOS-00053 SRG-OS-000105-GPOS-00052 |
NaN |
APPL-14-003051 |
NaN |
6.3 6.4 6.5 |
IA.L2-3.5.3 IA.L2-3.5.4 |
NaN |
CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001941 |
medium |
NaN |
| CCE-92734-3 |
auth_pam_sudo_smartcard_enforce |
Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command |
The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) configuration files now requires user authorization, or the use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. NOTE: /etc/pam.d/sudo will be automatically restored to its original state following any update or major upgrade to the operating system, so the fix must be reapplied after updates. |
Script |
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo |
{'integer': 2} |
[source,bash]
----
/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_opendirectory.so
auth        required      pam_deny.so
account     required      pam_permit.so
password    required      pam_deny.so
session     required      pam_permit.so
SUDO_END
/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
---- |
IA-2(1) IA-2(2) IA-2(8) |
03.05.03 03.05.04 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000108-GPOS-00055 SRG-OS-000106-GPOS-00053 SRG-OS-000105-GPOS-00052 |
NaN |
APPL-14-003052 |
NaN |
6.3 6.4 6.5 |
IA.L2-3.5.3 IA.L2-3.5.4 |
NaN |
CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001941 |
medium |
NaN |
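The check scripts for the login, su and sudo rules above only count the two expected `auth` lines; they do not verify that `pam_smartcard.so` precedes the terminal module, nor that no other `sufficient` auth module remains that would let a password satisfy the stack. The following is an added example, not part of the mSCP rule set or its check scripts, that audits a PAM service file for all three conditions. The function names (`pam_audit_smartcard`, `pam_make_samples`) and the sample PAM files it writes under a temporary directory are constructed for this demonstration; the sample stacks mirror the files the fixes above install plus two deliberately non-compliant variants.

```sh
#!/bin/sh
# Added example (not mSCP code): audit the "auth" stack of a PAM service file
# for smartcard enforcement. Verifies presence, ORDER and the absence of any
# other "sufficient" auth module that could accept a password.

# pam_audit_smartcard <pam-file> <terminal-module>
#   terminal-module is pam_deny.so for login and sudo, pam_rootok.so for su.
#   Prints COMPLIANT, MISSING, MISORDERED or PASSWORD_FALLBACK; exits 0 only
#   when COMPLIANT.
pam_audit_smartcard() {
    file=$1
    terminal=$2
    # auth lines only, in file order, leading whitespace and comments removed
    auth_lines=$(sed -E 's/^[[:space:]]+//' "$file" | grep -E '^auth[[:space:]]' || true)
    sc_line=$(printf '%s\n' "$auth_lines" \
        | grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_smartcard\.so' \
        | head -n 1 | cut -d: -f1)
    term_line=$(printf '%s\n' "$auth_lines" \
        | grep -nE "^auth[[:space:]]+required[[:space:]]+$terminal" \
        | head -n 1 | cut -d: -f1)
    if [ -z "$sc_line" ] || [ -z "$term_line" ]; then
        echo MISSING; return 1
    fi
    # pam_smartcard.so must be reached before the stack is terminated
    if [ "$sc_line" -gt "$term_line" ]; then
        echo MISORDERED; return 1
    fi
    # any other "sufficient" auth module lets a non-smartcard credential succeed
    fallback=$(printf '%s\n' "$auth_lines" \
        | grep -E '^auth[[:space:]]+sufficient[[:space:]]' \
        | grep -vc 'pam_smartcard\.so' || true)
    if [ "${fallback:-0}" -gt 0 ]; then
        echo PASSWORD_FALLBACK; return 1
    fi
    echo COMPLIANT
}

# pam_make_samples: write constructed sample files under a temp dir and print
# its path. login.good and su.good mirror the stacks installed by the fixes;
# login.misordered and sudo.fallback are deliberately non-compliant.
pam_make_samples() {
    d=$(mktemp -d)
    cat > "$d/login.good" <<'EOF'
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_opendirectory.so
EOF
    cat > "$d/login.misordered" <<'EOF'
auth       required       pam_deny.so
auth       sufficient     pam_smartcard.so
EOF
    cat > "$d/sudo.fallback" <<'EOF'
auth       sufficient     pam_smartcard.so
auth       sufficient     pam_opendirectory.so
auth       required       pam_deny.so
EOF
    cat > "$d/su.good" <<'EOF'
auth       sufficient     pam_smartcard.so
auth       required       pam_rootok.so
auth       required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
EOF
    printf '%s\n' "$d"
}

# Demonstration over the constructed samples
sample=$(pam_make_samples)
for f in login.good login.misordered sudo.fallback su.good; do
    case $f in su.*) term=pam_rootok.so ;; *) term=pam_deny.so ;; esac
    printf '%-18s %s\n' "$f" "$(pam_audit_smartcard "$sample/$f" "$term")"
done
rm -rf "$sample"
```

On a real host, point `pam_audit_smartcard` at /etc/pam.d/login, /etc/pam.d/su (with `pam_rootok.so`) and /etc/pam.d/sudo; a MISORDERED result means every login attempt will be denied, and PASSWORD_FALLBACK means the rule's intent is not met even though the page's count-based check returns 2.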
| CCE-92735-0 |
auth_smartcard_allow |
Allow Smartcard Authentication |
Smartcard authentication _MUST_ be allowed. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('allowSmartCard').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type: [source,xml] ---- <key>allowSmartCard</key> <true/> ---- |
IA-2(1) IA-2(2) IA-2(12) |
03.05.03 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000108-GPOS-00055 SRG-OS-000106-GPOS-00053 SRG-OS-000376-GPOS-00161 SRG-OS-000105-GPOS-00052 SRG-OS-000068-GPOS-00036 |
NaN |
APPL-14-003030 |
NaN |
6.3 6.4 6.5 |
IA.L1-3.5.1 IA.L1-3.5.2 IA.L2-3.5.3 |
NaN |
CCI-000187 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001941 CCI-001953 |
medium |
NaN |
| CCE-92736-8 |
auth_smartcard_certificate_trust_enforce_high |
Set Smartcard Certificate Trust to High |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard _MUST_ meet the following criteria: the issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. Setting the smartcard certificate trust level to high enforces a hard revocation check, i.e., a network connection is required and a verified positive response from the OCSP/CRL server is required for authentication to succeed. NOTE: Before applying this setting, please see the smartcard supplemental guidance. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('checkCertificateTrust').js EOS |
{'integer': 3} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type: [source,xml] ---- <key>checkCertificateTrust</key> <integer>3</integer> ---- |
IA-5(2) SC-17 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
SC.L2-3.13.10 |
NaN |
NaN |
NaN |
NaN |
| CCE-92737-6 |
auth_smartcard_certificate_trust_enforce_moderate |
Set Smartcard Certificate Trust to Moderate |
The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard _MUST_ meet the following criteria: the issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. Setting the smartcard certificate trust level to moderate enforces a soft revocation check, i.e., if the OCSP/CRL server is unreachable, authentication will still succeed. NOTE: Before applying this setting, please see the smartcard supplemental guidance. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('checkCertificateTrust').js EOS |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type: [source,xml] ---- <key>checkCertificateTrust</key> <integer>2</integer> ---- |
IA-5(2) SC-17 |
NaN |
SRG-OS-000384-GPOS-00167 SRG-OS-000403-GPOS-00182 SRG-OS-000377-GPOS-00162 SRG-OS-000066-GPOS-00034 |
NaN |
APPL-14-001060 |
NaN |
NaN |
SC.L2-3.13.10 |
NaN |
CCI-000186 CCI-001953 CCI-001954 CCI-001991 CCI-002470 |
medium |
NaN |
| CCE-92738-4 |
auth_smartcard_enforce |
Enforce Smartcard Authentication |
Smartcard authentication _MUST_ be enforced. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard applies to the whole system. No user will be able to log in with a password unless the profile is removed or the user is exempt from smartcard enforcement. NOTE: enforceSmartCard requires allowSmartCard to be set to true in order to work. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('enforceSmartCard').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type: [source,xml] ---- <key>enforceSmartCard</key> <true/> <key>allowSmartCard</key> <true/> ---- |
IA-2(1) IA-2(2) IA-2(6) IA-2 IA-5(2) IA-2(12) IA-2(8) |
03.05.01 03.05.03 03.05.04 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000067-GPOS-00035 SRG-OS-000108-GPOS-00055 SRG-OS-000106-GPOS-00053 SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000105-GPOS-00052 |
NaN |
APPL-14-003020 |
NaN |
6.3 6.4 6.5 |
IA.L1-3.5.1 IA.L1-3.5.2 IA.L2-3.5.3 IA.L2-3.5.4 |
NaN |
CCI-000186 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001941 CCI-001948 CCI-001953 |
medium |
NaN |
| CCE-92739-2 |
auth_ssh_password_authentication_disable |
Disable Password Authentication for SSH |
If remote login through SSH is enabled, password-based authentication _MUST_ be disabled for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. NOTE: /etc/ssh/sshd_config will be automatically restored to its original state following any update or major upgrade to the operating system, so the fix must be reapplied after updates. |
Script |
/usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' |
{'integer': 2} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
  # sshd_config had no Include line; use the directory the line above points at
  include_dir="/etc/ssh/sshd_config.d/"
fi
echo "passwordauthentication no" >> "${include_dir}01-mscp-sshd.conf"
echo "kbdinteractiveauthentication no" >> "${include_dir}01-mscp-sshd.conf"
# sshd keeps the first value it reads for a keyword, so every existing drop-in
# that sorts before 01-mscp-sshd.conf is renamed to sort after it
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
---- |
IA-2(1) IA-2(2) IA-2(6) IA-2 IA-5(2) MA-4 IA-2(8) |
03.05.01 03.05.03 03.05.04 03.07.05 |
SRG-OS-000107-GPOS-00054 SRG-OS-000112-GPOS-00057 SRG-OS-000067-GPOS-00035 SRG-OS-000108-GPOS-00055 SRG-OS-000125-GPOS-00065 SRG-OS-000106-GPOS-00053 SRG-OS-000375-GPOS-00160 SRG-OS-000105-GPOS-00052 |
NaN |
APPL-14-001150 |
NaN |
6.3 6.4 6.5 |
IA.L1-3.5.1 IA.L1-3.5.2 IA.L2-3.5.3 IA.L2-3.5.4 MA.L2-3.7.5 |
NaN |
CCI-000186 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000877 CCI-001941 CCI-001948 |
high |
NaN |
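The fix for the SSH rule above inserts `Include` as the first line of sshd_config and renames any drop-in that sorts before 01-mscp-sshd.conf, because sshd keeps the first value it obtains for a keyword and expands an Include glob in lexical order. The following is an added example, not part of the mSCP rule set or its check script, that models that resolution offline so the effect of the rename can be seen without running sshd. It handles Include (recursively), comments and case-insensitive keywords; it does not model Match blocks or `Key=value` syntax, so `sshd -G`, as used by the rule's check, remains the authoritative answer on a real host. The function names (`sshd_effective`, `sshd_make_samples`) and the "before"/"after" directory trees it writes under a temporary directory are constructed for this demonstration.

```sh
#!/bin/sh
# Added example (not mSCP code): resolve the effective value of an sshd_config
# keyword the way sshd does: first value read wins, Include globs expand in
# lexical order. Match blocks are not modelled.

# sshd_effective <config-file> <keyword>: print the effective value, or fail.
sshd_effective() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        # Unquoted expansion splits the line into words and glob-expands an
        # Include pattern into the same sorted list sshd would process.
        set -- $line
        [ "$#" -eq 0 ] && continue
        case $1 in '#'*) continue ;; esac
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        if [ "$k" = include ]; then
            for inc in "$@"; do
                [ -f "$inc" ] || continue
                # Recurse in a subshell; the first file yielding a value wins.
                if v=$(sshd_effective "$inc" "$key"); then
                    printf '%s\n' "$v"
                    return 0
                fi
            done
        elif [ "$k" = "$key" ]; then
            printf '%s\n' "$1"
            return 0
        fi
    done < "$cfg"
    return 1
}

# sshd_make_samples: build a "before" and an "after" tree under a temp dir
# (constructed data) and print the temp dir path. Both trees carry the
# 01-mscp-sshd.conf drop-in and Apple's 100-macos.conf; "before" also has a
# site drop-in that sorts first, "after" has it renamed as the fix does.
sshd_make_samples() {
    d=$(mktemp -d)
    for layout in before after; do
        mkdir -p "$d/$layout/sshd_config.d"
        printf 'Include %s/%s/sshd_config.d/*\nPasswordAuthentication yes\n' \
            "$d" "$layout" > "$d/$layout/sshd_config"
        printf 'passwordauthentication no\nkbdinteractiveauthentication no\n' \
            > "$d/$layout/sshd_config.d/01-mscp-sshd.conf"
        printf '# Apple defaults\nPasswordAuthentication yes\nKbdInteractiveAuthentication yes\n' \
            > "$d/$layout/sshd_config.d/100-macos.conf"
    done
    printf 'PasswordAuthentication yes\n' > "$d/before/sshd_config.d/00-site.conf"
    printf 'PasswordAuthentication yes\n' > "$d/after/sshd_config.d/20-00-site.conf"
    printf '%s\n' "$d"
}

# Demonstration over the constructed trees
sample=$(sshd_make_samples)
printf 'before fix: PasswordAuthentication=%s\n' \
    "$(sshd_effective "$sample/before/sshd_config" PasswordAuthentication)"
printf 'after fix:  PasswordAuthentication=%s\n' \
    "$(sshd_effective "$sample/after/sshd_config" PasswordAuthentication)"
rm -rf "$sample"
```

In the "before" tree the site drop-in 00-site.conf sorts ahead of 01-mscp-sshd.conf, so password authentication stays enabled even though the mSCP drop-in says `no`; after the rename it sorts as 20-00-site.conf and the mSCP value is the one sshd keeps. This is also why the fix leaves 100-macos.conf alone: it already sorts after 01-mscp-sshd.conf.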
| CCE-92740-0 |
icloud_addressbook_disable |
Disable iCloud Address Book |
The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudAddressBook').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudAddressBook</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002014 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92742-6 |
icloud_appleid_system_settings_disable |
Disable the System Setting for Apple ID |
The system setting for Apple ID _MUST_ be disabled. Disabling the system setting prevents login to Apple ID and iCloud. |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.systempreferences.AppleIDSettings" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type: [source,xml] ---- <key>DisabledSystemSettings</key> <array> <string>com.apple.systempreferences.AppleIDSettings</string> </array> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) |
03.01.20 03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
high |
NaN |
| CCE-92743-4 |
icloud_bookmarks_disable |
Disable iCloud Bookmarks |
The macOS built-in Safari.app bookmark synchronization via the iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudBookmarks').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudBookmarks</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002042 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92744-2 |
icloud_calendar_disable |
Disable the iCloud Calendar Services |
The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudCalendar').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudCalendar</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002012 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92745-9 |
icloud_drive_disable |
Disable iCloud Document Sync |
The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudDocumentSync').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudDocumentSync</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002041 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92746-7 |
icloud_freeform_disable |
Disable the iCloud Freeform Services |
The macOS built-in Freeform.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Freeform synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudFreeform').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudFreeform</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002270 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92747-5 |
icloud_game_center_disable |
Disable iCloud Game Center |
This setting applies only to supervised (MDM-enrolled) devices and disables Apple Game Center. Game Center uses an Apple ID and shares data through Apple ID based services; therefore, Game Center _MUST_ be disabled. This setting also prevents adding friends in Game Center. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowGameCenter').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowGameCenter</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002160 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92748-3 |
icloud_keychain_disable |
Disable iCloud Keychain Sync |
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudKeychainSync').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudKeychainSync</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002040 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-001774 CCI-000381 |
medium |
NaN |
| CCE-92749-1 |
icloud_mail_disable |
Disable iCloud Mail |
The macOS built-in Mail.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudMail').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudMail</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002015 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92750-9 |
icloud_notes_disable |
Disable iCloud Notes |
The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudNotes').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudNotes</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002016 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92751-7 |
icloud_photos_disable |
Disable iCloud Photo Library |
The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudPhotoLibrary').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudPhotoLibrary</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002043 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92752-5 |
icloud_private_relay_disable |
Disable iCloud Private Relay |
Enterprise networks may be required to audit all network traffic by policy, therefore, iCloud Private Relay _MUST_ be disabled. Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudPrivateRelay').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudPrivateRelay</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002170 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92753-3 |
icloud_reminders_disable |
Disable iCloud Reminders |
The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudReminders').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudReminders</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002013 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92754-1 |
icloud_sync_disable |
Disable iCloud Desktop and Document Folder Sync |
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudDesktopAndDocuments').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudDesktopAndDocuments</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002150 |
2.1.1.3 (level 2) |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-93012-3 |
os_account_modification_disable |
Disable AppleID and Internet Account Modifications |
The system _MUST_ disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane. This prevents the addition of unauthorized accounts. [IMPORTANT] ==== Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAccountModification').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAccountModification</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002120 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92756-6 |
os_airdrop_disable |
Disable AirDrop |
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAirDrop').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAirDrop</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) |
03.01.02 03.01.20 03.04.06 |
SRG-OS-000300-GPOS-00118 SRG-OS-000080-GPOS-00048 SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002009 |
2.3.1.1 (level 1) |
4.1 4.8 6.7 |
AC.L1-3.1.1 AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000213 CCI-000381 CCI-001443 |
medium |
NaN |
| CCE-92758-2 |
os_anti_virus_installed |
Must Use an Approved Antivirus Program |
An approved antivirus product _MUST_ be installed and configured to run. Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. |
Script |
/bin/launchctl list | /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)" |
{'integer': 2} |
[source,bash] ---- /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist ---- NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled. |
NaN |
NaN |
NaN |
NaN |
NaN |
5.10 (level 1) |
10.5 10.1 10.2 |
NaN |
NaN |
CCI-000366 |
high |
NaN |
| CCE-92759-0 |
os_appleid_prompt_disable |
Disable Apple ID Setup during Setup Assistant |
The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. If it is not disabled, macOS automatically prompts new users to set up an Apple ID while they go through Setup Assistant, which can mislead them into thinking they need to create an Apple ID upon their first login. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipCloudSetup').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type: [source,xml] ---- <key>SkipCloudSetup</key> <true/> ---- |
AC-20 |
03.01.20 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002035 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92761-6 |
os_asl_log_files_owner_group_configure |
Configure Apple System Log Files Owned by Root and Group to Wheel |
The Apple System Logs (ASL) _MUST_ be owned by root. ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash] ---- /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') ---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 SRG-OS-000205-GPOS-00083 |
NaN |
APPL-14-004001 |
NaN |
NaN |
NaN |
NaN |
CCI-001312 CCI-001314 |
medium |
NaN |
| CCE-92762-4 |
os_asl_log_files_permissions_configure |
Configure Apple System Log Files To Mode 640 or Less Permissive |
The Apple System Logs (ASL) _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files _MUST_ be configured to mode 640 or less permissive, thereby preventing normal users from reading, modifying or deleting system logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. NOTE: The check for this rule counts any listed log file whose mode is not exactly 640, so a file already at a more restrictive mode such as 600 is also reported as a finding, and the fix resets it to 640. |
Script |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash] ---- /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}') ---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 SRG-OS-000205-GPOS-00083 |
NaN |
APPL-14-004002 |
NaN |
NaN |
NaN |
NaN |
CCI-001312 CCI-001314 |
medium |
NaN |
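The check and fix for the ASL permissions rule above test for the literal string 640, so a log file already at mode 600 is counted as a finding even though the rule's title asks for "640 or less permissive". The following is an added example, not part of the mSCP rule set or its check script, that evaluates the mode as a permission bit mask instead: a file passes when it grants no permission bit that 640 does not, so 600 passes, 644 and 664 fail, and a setuid bit on a log file fails too. It reads lines in the `mode:path` shape produced by the rule's own `stat -f '%A:%N'` command; the function names (`oct2dec`, `mode_within`, `log_perms_findings`, `log_perms_sample`) and the sample lines are constructed for this demonstration.

```sh
#!/bin/sh
# Added example (not mSCP code): compare an octal file mode against a maximum
# as a bit mask rather than as a literal string.

# oct2dec <octal-digits>: decimal value, one digit at a time (portable sh)
oct2dec() {
    v=0; rest=$1
    while [ -n "$rest" ]; do
        digit=${rest%"${rest#?}"}      # first character
        rest=${rest#?}
        v=$((v * 8 + digit))
    done
    printf '%s\n' "$v"
}

# mode_within <mode> <max>: succeed when mode sets no bit outside max
mode_within() {
    have=$(oct2dec "$1"); allow=$(oct2dec "$2")
    [ $((have & ~allow)) -eq 0 ]
}

# log_perms_findings [max]: read "mode:path" lines on stdin and print each
# entry more permissive than max (default 640), as "mode path"
log_perms_findings() {
    limit=${1:-640}
    while IFS=: read -r mode path; do
        if ! mode_within "$mode" "$limit"; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# constructed sample in the shape of: stat -f '%A:%N' <log files>
log_perms_sample() {
    printf '%s\n' \
        '640:/var/log/system.log' \
        '600:/var/log/install.log' \
        '644:/var/log/wifi.log' \
        '664:/var/log/appfirewall.log' \
        '4640:/var/log/odd-setuid.log'
}

# Demonstration: only the last three lines are reported
log_perms_sample | log_perms_findings
```

On a macOS host the sample can be replaced with the rule's own command, for example `/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') | log_perms_findings`, which then lists only files that are genuinely more permissive than 640.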
| CCE-92764-0 |
os_authenticated_root_enable |
Enable Authenticated Root |
Authenticated Root _MUST_ be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. |
Script |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' |
{'integer': 1} |
[source,bash]
----
/usr/bin/csrutil authenticated-root enable
----
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. |
AC-3 CM-5 SC-34 SI-7(6) SI-7 MA-4(1) |
03.01.02 03.04.05 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-005070 |
5.1.4 (level 1) |
3.6 3.11 |
AC.L1-3.1.1 CM.L2-3.4.5 SC.L2-3.13.11 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92765-7 |
os_blank_bluray_disable |
Disable Blank Blu Ray |
Blank Blu Ray media _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["blankbd"]
EOS
 |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92766-5 |
os_blank_cd_disable |
Disable Blank CD |
Blank CD media _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["blankcd"]
EOS
 |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92767-3 |
os_blank_dvd_disable |
Disable Blank DVD |
Blank DVD media _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["blankdvd"]
EOS
 |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92768-1 |
os_bluray_read_only_enforce |
Enforce Blu Ray Read Only |
Blu Ray media _MUST_ be set to read only.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["bd"]
EOS
 |
{'string': 'read-only'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>read-only</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92769-9 |
os_bonjour_disable |
Disable Bonjour Multicast |
Bonjour multicast advertising _MUST_ be disabled to prevent the system from broadcasting its presence and available services over network interfaces. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\
.objectForKey('NoMulticastAdvertisements').js
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mDNSResponder) payload type: [source,xml] ---- <key>NoMulticastAdvertisements</key> <true/> ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002005 |
4.1 (level 2) |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92770-7 |
os_burn_support_disable |
Disable Burn Support |
Burn support _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)' |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.finder) payload type:
[source,xml]
----
<key>ProhibitBurn</key>
<true/>
----
Create a configuration profile containing the following keys in the (com.apple.DiscRecording) payload type:
[source,xml]
----
<key>BurnSupport</key>
<string>off</string>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
low |
NaN |
| CCE-92771-5 |
os_calendar_app_disable |
Disable Calendar.app |
The macOS built-in Calendar.app _MUST_ be disabled as this application can establish a connection to non-approved services. This rule is in place to prevent inadvertent data transfers.
[IMPORTANT]
====
Some organizations allow the use of the built-in Calendar.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Calendar.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/Calendar.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/Calendar.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
medium |
NaN |
| CCE-92772-3 |
os_camera_disable |
Disable Camera |
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. For an external camera, if there is no method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. For a built-in camera, the camera must be protected by a camera cover (e.g., a laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. If the camera is not disconnected, covered, or physically disabled, the following configuration is required. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowCamera').js
EOS
 |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCamera</key> <false/> ---- |
NaN |
NaN |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002017 |
NaN |
NaN |
NaN |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92773-1 |
os_cd_read_only_enforce |
Enforce CD Read Only |
CD media _MUST_ be set to read only.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["cd"]
EOS
 |
{'string': 'read-only'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>read-only</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92774-9 |
os_certificate_authority_trust |
Issue or Obtain Public Key Certificates from an Approved Service Provider |
The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain. |
Manual |
/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' |
{'string': 'a list containing approved root certificates'} |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain. |
SC-17 |
NaN |
SRG-OS-000403-GPOS-00182 |
NaN |
APPL-14-003001 |
NaN |
NaN |
SC.L2-3.13.10 |
NaN |
CCI-002470 CCI-000185 CCI-002450 |
high |
NaN |
| CCE-92776-4 |
os_config_data_install_enforce |
Enforce Installation of XProtect Remediator and Gatekeeper Updates Automatically |
Software Update _MUST_ be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. link:https://support.apple.com/en-us/HT207005[] NOTE: Software Update automatically updates XProtect Remediator and Gatekeeper by default in macOS. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('ConfigDataInstall').js
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>ConfigDataInstall</key> <true/> ---- |
SI-3 SI-2(5) |
03.14.02 |
SRG-OS-000480-GPOS-00227 |
NaN |
APPL-14-005130 |
1.6 (level 1) |
7.3 7.4 7.7 |
SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92777-2 |
os_config_profile_ui_install_disable |
Disable Installation of Configuration Profiles through the User Interface |
Installation of configuration profiles through the user interface _MUST_ be disabled and only be permitted through an authorized MDM server. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowUIConfigurationProfileInstallation').js
EOS
 |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowUIConfigurationProfileInstallation</key> <false/> ---- |
CM-5 |
03.04.05 |
NaN |
NaN |
NaN |
NaN |
NaN |
CM.L2-3.4.5 |
NaN |
NaN |
NaN |
NaN |
| CCE-93017-2 |
os_dictation_disable |
Disable Dictation |
Dictation _MUST_ be disabled on Intel-based Macs, as the On-Device Dictation feature is only available on Apple Silicon devices. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowDictation').js
EOS
 |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowDictation</key> <false/> ---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002230 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92780-6 |
os_directory_services_configured |
Integrate System into a Directory Services Infrastructure |
The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. |
Manual |
/usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? |
{'integer': 0} |
Integrate the system into an existing directory services infrastructure. |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
NaN |
NaN |
6.7 |
NaN |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92781-4 |
os_disk_image_disable |
Disable Disk Images |
Disk images _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["disk-image"]
EOS
 |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92782-2 |
os_dvdram_disable |
Disable DVD-RAM |
DVD-RAM media _MUST_ be disabled.
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["dvdram"]
EOS
 |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type:
[source,xml]
----
<key>mount-controls</key>
<dict>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92785-5 |
os_erase_content_and_settings_disable |
Disable Erase Content and Settings |
Erase Content and Settings _MUST_ be disabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowEraseContentAndSettings').js
EOS
 |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowEraseContentAndSettings</key> <false/> ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000480-GPOS-00227 SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005061 |
NaN |
NaN |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000366 CCI-000381 |
medium |
NaN |
| CCE-92787-1 |
os_ess_installed |
Must Use ESS |
The approved ESS solution _MUST_ be installed and configured to run. The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET. |
Manual |
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system. If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding. |
NaN |
Install the approved ESS solution onto the system. |
NaN |
NaN |
SRG-OS-000191-GPOS-00080 |
NaN |
APPL-14-000015 |
NaN |
NaN |
NaN |
NaN |
CCI-001233 |
medium |
NaN |
| CCE-92788-9 |
os_facetime_app_disable |
Disable FaceTime.app |
The macOS built-in FaceTime.app _MUST_ be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access.
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/FaceTime.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002010 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92790-5 |
os_filevault_authorized_users |
FileVault Authorized Users |
macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup. |
Script |
/usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' |
{'string': 'a list containing authorized users that can unlock FileVault'} |
Remove the user that is not authorized to unlock FileVault using the fdesetup command. [source,bash] ---- /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME ---- |
AC-2(11) |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
medium |
NaN |
| CCE-92791-3 |
os_filevault_autologin_disable |
Disable FileVault Automatic Login |
If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to log the user in automatically once the FileVault credentials have been accepted. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced, as smartcards are available at pre-boot. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('DisableFDEAutoLogin').js
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>DisableFDEAutoLogin</key> <true/> ---- |
AC-3 IA-5(13) AC-2(11) |
03.01.02 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-000033 |
NaN |
3.3 6.7 |
AC.L1-3.1.1 |
NaN |
CCI-000213 CCI-000366 |
medium |
NaN |
| CCE-92792-1 |
os_firewall_default_deny_require |
Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy |
A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. If you are using a third-party firewall solution, this setting does not apply.
[IMPORTANT]
====
Configuring the built-in packet filter firewall to employ the default deny rule has the potential to interfere with applications on the system in an unpredictable manner. Information System Security Officers (ISSOs) may make the risk-based decision not to configure the built-in packet filter firewall to employ the default deny rule to avoid losing functionality, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Manual |
/sbin/pfctl -a '*' -sr 2> /dev/null | /usr/bin/grep -c "block drop in all" |
{'integer': 1} |
NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule. |
AC-4 SC-7(5) |
03.01.03 03.13.06 |
NaN |
NaN |
NaN |
NaN |
NaN |
AC.L2-3.1.3 SC.L2-3.13.6 |
NaN |
NaN |
NaN |
NaN |
| CCE-92793-9 |
os_firewall_log_enable |
Enable Firewall Logging |
Firewall logging _MUST_ be enabled. Firewall logging ensures that malicious network activity will be logged to the system. NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
  .objectForKey('EnableLogging').js
  let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
  .objectForKey('LoggingOption').js
  if ( pref1 == true && pref2 == "detail" ){
    return("true")
  } else {
    return("false")
  }
}
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.firewall) payload type:
[source,xml]
----
<key>EnableLogging</key>
<true/>
<key>LoggingOption</key>
<string>detail</string>
---- |
AU-12 SC-7 |
03.03.03 03.13.01 |
NaN |
NaN |
NaN |
3.6 (level 1) |
4.5 8.2 8.5 |
AU.L2-3.3.6 SC.L1-3.13.1 |
NaN |
NaN |
NaN |
NaN |
| CCE-92794-7 |
os_firmware_password_require |
Enable Firmware Password |
A firmware password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware password use the following command:
[source,bash]
----
/usr/sbin/firmwarepasswd -setpasswd
----
NOTE: If the firmware password is forgotten, the only way to reset it is through the use of a machine-specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.
NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices. |
Manual |
/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" |
{'integer': 1} |
NOTE: See discussion on remediation and how to enable firmware password. |
AC-6 |
03.01.05 |
SRG-OS-000480-GPOS-00227 |
NaN |
APPL-14-003013 |
NaN |
NaN |
AC.L1-3.1.1 AC.L2-3.1.5 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92795-4 |
os_gatekeeper_enable |
Enable Gatekeeper |
Gatekeeper _MUST_ be enabled. Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party. Administrator users will still have the option to override these settings on a case-by-case basis. |
Script |
/usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.control) payload type: [source,xml] ---- <key>EnableAssessment</key> <true/> ---- |
CM-14 CM-5 SI-7(1) SI-7(15) SI-3 |
03.14.02 |
SRG-OS-000366-GPOS-00153 |
NaN |
APPL-14-002064 |
2.6.5 (level 1) |
10.1 10.2 10.5 |
CM.L2-3.4.5 SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 |
NaN |
CCI-001749 |
high |
NaN |
| CCE-92796-2 |
os_gatekeeper_rearm |
Enforce Gatekeeper 30 Day Automatic Rearm |
Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\
.objectForKey('GKAutoRearm').js
EOS
 |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.
Create a configuration profile containing the following keys in the (com.apple.security) payload type:
[source,xml]
----
<key>GKAutoRearm</key>
<true/>
---- |
CM-5 |
03.04.05 |
NaN |
NaN |
NaN |
NaN |
10.5 |
SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 CM.L2-3.4.5 |
NaN |
NaN |
NaN |
NaN |
| CCE-92798-8 |
os_guest_folder_removed |
Remove Guest Folder if Present |
The guest folder _MUST_ be deleted if present. |
Script |
/bin/ls /Users/ | /usr/bin/grep -c "Guest" |
{'integer': 0} |
[source,bash] ---- /bin/rm -Rf /Users/Guest ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
5.9 (level 1) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92799-6 |
os_handoff_disable |
Disable Handoff |
Handoff _MUST_ be disabled. Handoff allows a user to continue working on a document or project when switching from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowActivityContinuation').js
EOS
 |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowActivityContinuation</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) |
03.01.02 03.01.20 03.04.06 |
SRG-OS-000300-GPOS-00118 SRG-OS-000080-GPOS-00048 SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005058 |
NaN |
4.1 4.8 |
AC.L1-3.1.1 AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000213 CCI-000381 CCI-001443 |
medium |
NaN |
| CCE-92801-0 |
os_hibernate_mode_destroyfvkeyonstandby_enable |
Enable DestroyFVKeyOnStandby on Hibernate |
DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('DestroyFVKeyOnStandby').js
EOS
 |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type: [source,xml] ---- <key>DestroyFVKeyOnStandby</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92802-8 |
os_hibernate_mode_intel_enable |
Enable Hibernate Mode (Intel) |
Hibernate mode _MUST_ be enabled. This stores a copy of memory to persistent storage and removes power from memory, which eliminates the potential for a cold-boot attack. |
Script |
error_count=0
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
  hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
  hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}')
  hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}')
  hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}')
  if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateStandbyHighValue" == "" ]] || [[ "$hibernateStandbyHighValue" -gt 900 ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateStandbyThreshValue" == "" ]] || [[ "$hibernateStandbyThreshValue" -lt 90 ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
    ((error_count++))
  fi
fi
echo "$error_count" |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a standbydelaylow 900
/usr/bin/pmset -a standbydelayhigh 900
/usr/bin/pmset -a highstandbythreshold 90
/usr/bin/pmset -a hibernatemode 25
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92803-6 |
os_home_folders_default |
Configure User's Home Folders to Apple's Default |
The system _MUST_ be configured to prevent access to other users' home folders. Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. |
Manual |
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:
/bin/ls -le /Users
This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus (+) sign indicates an associated Access Control List, which must be:
0: group:everyone deny delete
For every authorized user account, also run the following command:
/usr/bin/sudo /bin/ls -le /Users/userid
where userid is an existing user. This command will return the permissions of all the objects under the user's home directory. The permissions for each of the subdirectories must be:
drwx------+
0: group:everyone deny delete
The exception is the "Public" directory, whose permissions must match the following:
drwxr-xr-x+
0: group:everyone deny delete
If the permissions returned by either of these checks differ from what is shown, this is a finding. |
NaN |
Configure the macOS system to set the appropriate permissions for each user on the system with the following command: `/usr/sbin/diskutil resetUserPermissions / DeviceNode UID`, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired. NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected. |
AC-6 |
03.01.05 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
medium |
NaN |
| CCE-92804-4 |
os_home_folders_secure |
Secure User's Home Folders |
The system _MUST_ be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within. |
Script |
/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
IFS=$'\n'
for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do
  /bin/chmod og-rwx "$userDirs"
done
unset IFS
---- |
AC-6 |
03.01.05 |
SRG-OS-000480-GPOS-00230 |
NaN |
APPL-14-002068 |
5.1.1 (level 1) |
3.3 |
AC.L1-3.1.1 AC.L2-3.1.5 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92805-1 |
os_httpd_disable |
Disable the Built-in Web Server |
The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. NOTE: The built-in web server service is disabled at startup by default in macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/org.apache.httpd
---- |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002008 |
4.2 (level 1) |
4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92806-9 |
os_icloud_storage_prompt_disable |
Disable iCloud Storage Setup during Setup Assistant |
The prompt to set up iCloud storage services during Setup Assistant _MUST_ be disabled. The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipiCloudStorageSetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipiCloudStorageSetup</key>
<true/>
---- |
AC-20 CM-7 |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002037 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92811-9 |
os_install_log_retention_configure |
Configure Install.log Retention to 365 |
The install.log _MUST_ be configured to require that records be kept for an organization-defined value before deletion, unless the system uses a central audit record storage facility. |
Script |
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}' |
{'string': 'Yes'} |
[source,bash]
----
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
----
NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. |
AU-11 AU-4 |
03.03.03 |
SRG-OS-000341-GPOS-00132 |
NaN |
APPL-14-004050 |
3.3 (level 1) |
8.1 8.3 |
AU.L2-3.3.1 |
NaN |
CCI-001849 |
medium |
NaN |
| CCE-92812-7 |
os_ir_support_disable |
Disable Infrared (IR) support |
Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. By default, if IR is enabled, the system will accept IR control from any remote device. NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.driver.AppleIRController')\
.objectForKey('DeviceEnabled').js
EOS |
{'string': 'false'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types. Create a configuration profile containing the following keys in the (com.apple.driver.AppleIRController) payload type:
[source,xml]
----
<key>DeviceEnabled</key>
<false/>
---- |
AC-18 CM-7 CM-7(1) |
03.01.16 03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 12.6 |
AC.L2-3.1.16 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
NaN |
NaN |
| CCE-92814-3 |
os_library_validation_enabled |
Enable Library Validation |
Library validation _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.libraryvalidation')\
.objectForKey('DisableLibraryValidation').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.security.libraryvalidation) payload type:
[source,xml]
----
<key>DisableLibraryValidation</key>
<false/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
2.3 2.6 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93018-0 |
os_loginwindow_adminhostinfo_undefined |
Prevent AdminHostInfo from Being Available at LoginWindow |
The system _MUST_ be configured to not display sensitive information at the LoginWindow. When configured, the AdminHostInfo key allows the hostname, IP address, and operating system version and build to be displayed. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectIsForcedForKey('AdminHostInfo')
EOS |
{'string': 'false'} |
This is implemented by a Configuration Profile. |
AC-11(1) |
03.01.10 |
SRG-OS-000031-GPOS-00012 |
NaN |
APPL-14-000009 |
NaN |
NaN |
NaN |
NaN |
CCI-000060 |
medium |
NaN |
| CCE-92820-0 |
os_mail_app_disable |
Disable Mail App |
The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place.
[IMPORTANT]
====
Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/Mail.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/Mail.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
medium |
NaN |
| CCE-92824-2 |
os_mdm_require |
Enforce Enrollment in Mobile Device Management |
You _MUST_ enroll your Mac in a Mobile Device Management (MDM) solution. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:
* Allowed Kernel Extensions
* Allowed Approved System Extensions
* Privacy Preferences Policy Control Payload
* ExtensibleSingleSignOn
* FDEFileVault
In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:
* Activation Lock Bypass
* Access to Bootstrap Tokens
* Scheduling Software Updates
* Query list and delete local users |
Manual |
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)" |
{'integer': 1} |
Ensure that the system is enrolled via UAMDM. |
CM-2 CM-6 |
03.04.01 03.04.02 |
SRG-OS-000480-GPOS-00227 |
NaN |
APPL-14-005110 |
1.8 (level 1) |
4.1 5.1 |
CM.L2-3.4.2 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92825-9 |
os_messages_app_disable |
Disable Messages App |
The macOS built-in Messages.app _MUST_ be disabled. The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place.
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls]; using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Applications/Messages.app" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Applications/Messages.app</string>
</array>
---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
low |
NaN |
| CCE-92828-3 |
os_mobile_file_integrity_enable |
Enable Apple Mobile File Integrity |
Mobile file integrity _MUST_ be enabled. |
Script |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" |
{'integer': 0} |
[source,bash]
----
/usr/sbin/nvram boot-args=""
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
5.1.3 (level 1) |
2.3 2.6 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92829-1 |
os_newsyslog_files_owner_group_configure |
Configure System Log Files Owned by Root and Group to Wheel |
The system log files _MUST_ be owned by root. System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. |
Script |
/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash]
----
/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')
---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 SRG-OS-000205-GPOS-00083 |
NaN |
APPL-14-004030 |
NaN |
NaN |
NaN |
NaN |
CCI-001312 CCI-001314 |
medium |
NaN |
| CCE-92830-9 |
os_newsyslog_files_permissions_configure |
Configure System Log Files to Mode 640 or Less Permissive |
The system logs _MUST_ be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files _MUST_ be configured to mode 640 or less permissive, thereby preventing normal users from reading, modifying or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. |
Script |
/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 0} |
[source,bash]
----
/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/awk -F":" '!/640/{print $2}')
---- |
SI-11 |
NaN |
SRG-OS-000206-GPOS-00084 SRG-OS-000205-GPOS-00083 |
NaN |
APPL-14-004040 |
NaN |
NaN |
NaN |
NaN |
CCI-001312 CCI-001314 |
medium |
NaN |
| CCE-92831-7 |
os_nfsd_disable |
Disable Network File System Service |
Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => disabled' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.nfsd
----
The system may need to be restarted for the update to take effect. |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002003 |
4.3 (level 1) |
4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92841-6 |
os_on_device_dictation_enforce |
Enforce On Device Dictation |
Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration. The information system _MUST_ be configured to provide only essential capabilities. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('forceOnDeviceOnlyDictation').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>forceOnDeviceOnlyDictation</key>
<true/>
---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002220 |
2.18.1 (level 1) |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92842-4 |
os_parental_controls_enable |
Enable Parental Controls |
Parental Controls _MUST_ be enabled. Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline. Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
.objectForKey('familyControlsEnabled').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
---- |
CM-7(2) |
03.04.06 |
NaN |
NaN |
NaN |
NaN |
4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92843-2 |
os_password_autofill_disable |
Disable Password Autofill |
Password Autofill _MUST_ be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordAutoFill').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowPasswordAutoFill</key>
<false/>
---- |
CM-7 |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002190 |
NaN |
NaN |
CM.L2-3.4.6 CM.L2-3.4.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92844-0 |
os_password_hint_remove |
Remove Password Hint From User Accounts |
User accounts _MUST_ not contain password hints. |
Script |
HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')
if [ -z "$HINT" ]; then
  echo "PASS"
else
  echo "FAIL"
fi |
{'string': 'PASS'} |
[source,bash]
----
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  /usr/bin/dscl . -delete /Users/$u hint
done
---- |
IA-6 |
03.05.11 |
SRG-OS-000079-GPOS-00047 |
NaN |
APPL-14-003014 |
2.11.1 (level 1) |
5.2 |
IA.L2-3.5.11 |
NaN |
CCI-000206 |
medium |
NaN |
| CCE-92845-7 |
os_password_proximity_disable |
Disable Proximity Based Password Sharing Requests |
Proximity-based password sharing requests _MUST_ be disabled. The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordProximityRequests').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowPasswordProximityRequests</key>
<false/>
---- |
IA-5 |
03.05.12 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005060 |
NaN |
4.1 4.8 |
IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92846-5 |
os_password_sharing_disable |
Disable Password Sharing |
Password Sharing _MUST_ be disabled. The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowPasswordSharing').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowPasswordSharing</key>
<false/>
---- |
IA-5 |
03.05.12 |
NaN |
NaN |
NaN |
NaN |
4.1 4.8 |
IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92850-7 |
os_policy_banner_loginwindow_enforce |
Display Policy Banner at Login Window |
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. The banner text of the document _MUST_ read:
[source,text]
----
You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning.
---- |
Script |
/bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' |
{'integer': 1} |
[source,bash]
----
bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning."
/bin/mkdir /Library/Security/PolicyBanner.rtfd
/usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtfd/TXT.rtf -stdin <<EOF
$bannerText
EOF
---- |
AC-8 |
03.01.09 |
SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006 |
NaN |
APPL-14-000025 |
5.8 (level 2) |
4.1 |
AC.L2-3.1.9 |
NaN |
CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
medium |
NaN |
| CCE-92851-5 |
os_policy_banner_ssh_configure |
Display Policy Banner at Remote Login |
Remote login service _MUST_ be configured to display a policy banner at login. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
Script |
bannerText="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
test "$(cat /etc/banner)" = "$bannerText" && echo "1" || echo "0" |
{'integer': 1} |
[source,bash]
----
bannerText="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
/bin/echo "${bannerText}" > /etc/banner
---- |
AC-8 |
03.01.09 |
SRG-OS-000024-GPOS-00007 SRG-OS-000023-GPOS-00006 |
NaN |
APPL-14-000023 |
NaN |
NaN |
AC.L2-3.1.9 |
NaN |
CCI-000048 CCI-000050 |
medium |
NaN |
| CCE-92852-3 |
os_policy_banner_ssh_enforce |
Enforce SSH to Display Policy Banner |
SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner" |
{'integer': 1} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'banner /etc/banner' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "banner /etc/banner" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
---- |
AC-8 |
03.01.09 |
SRG-OS-000024-GPOS-00007 SRG-OS-000023-GPOS-00006 |
NaN |
APPL-14-000024 |
NaN |
NaN |
AC.L2-3.1.9 |
NaN |
CCI-000048 CCI-000050 |
medium |
NaN |
| CCE-92853-1 |
os_power_nap_disable |
Disable Power Nap |
Power Nap _MUST_ be disabled. NOTE: Power Nap allows a Mac to perform actions while it is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot, and it must therefore be disabled on all applicable systems. The following Macs support Power Nap:
* MacBook (Early 2015 and later)
* MacBook Air (Late 2010 and later)
* MacBook Pro (all models with Retina display)
* Mac mini (Late 2012 and later)
* iMac (Late 2012 and later)
* Mac Pro (Late 2013 and later) |
Script |
/usr/bin/pmset -g custom | /usr/bin/awk '/powernap/ { sum+=$2 } END {print sum}' |
{'integer': 0} |
[source,bash] ---- /usr/bin/pmset -a powernap 0 ---- |
CM-7 CM-7(1) |
03.04.06 |
NaN |
NaN |
NaN |
2.9.2 (level 1) |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
NaN |
NaN |
| CCE-92854-9 |
os_power_nap_enable |
Enable Power Nap |
Power Nap _MUST_ be enabled. NOTE: Power Nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. The following Macs support Power Nap:
* MacBook (Early 2015 and later)
* MacBook Air (Late 2010 and later)
* MacBook Pro (all models with Retina display)
* Mac mini (Late 2012 and later)
* iMac (Late 2012 and later)
* Mac Pro (Late 2013 and later) |
Script |
/usr/bin/pmset -g custom | /usr/bin/awk '/powernap/ { sum+=$2 } END {print sum}' |
{'integer': 1} |
[source,bash] ---- /usr/bin/pmset -a powernap 1 ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92860-6 |
os_privacy_setup_prompt_disable |
Disable Privacy Setup Services During Setup Assistant |
The prompt for Privacy Setup services during Setup Assistant _MUST_ be disabled. Organizations _MUST_ apply organization-wide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, _MUST_ be disabled to guard against the risk of individuals electing privacy settings with the potential to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipPrivacySetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipPrivacySetup</key>
<true/>
---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002036 |
NaN |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92865-5 |
os_rapid_security_response_allow |
Enforce Rapid Security Response Mechanism |
Rapid security response mechanism _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowRapidSecurityResponseInstallation').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowRapidSecurityResponseInstallation</key>
<true/>
---- |
SI-2 SI-2(5) SI-3 |
03.14.01 03.14.02 |
NaN |
NaN |
NaN |
NaN |
NaN |
SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 |
NaN |
NaN |
NaN |
NaN |
| CCE-92866-3 |
os_rapid_security_response_removal_disable |
Disable User Ability to Undo Rapid Security Responses |
Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowRapidSecurityResponseRemoval').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowRapidSecurityResponseRemoval</key>
<false/>
---- |
SI-2 SI-2(5) SI-3 |
03.14.01 03.14.02 |
NaN |
NaN |
NaN |
NaN |
NaN |
SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 |
NaN |
NaN |
NaN |
NaN |
| CCE-92870-5 |
os_recovery_lock_enable |
Enable Recovery Lock |
A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. |
Manual |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" |
{'integer': 1} |
NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be sent from your MDM. |
AC-6 |
03.01.05 |
SRG-OS-000480-GPOS-00227 |
NaN |
APPL-14-005120 |
NaN |
NaN |
AC.L1-3.1.1 AC.L2-3.1.5 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92872-1 |
os_removable_media_disable |
Disable Removable Storage Devices |
Removable media, such as USB connected external hard drives, thumb drives, and optical media, _MUST_ be disabled for users. Disabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion).
[IMPORTANT]
====
Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
====
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.systemuiserver.yaml#L4-L8[media mount controls], and using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systemuiserver')\
.objectForKey('mount-controls'))["harddisk-external"]
EOS |
{'string': 'deny'} |
Create a configuration profile containing the following keys in the (com.apple.systemuiserver) payload type (the `harddisk-external` key that the check above reads is required for the dictionary to be a valid plist):
[source,xml]
----
<key>mount-controls</key>
<dict>
  <key>harddisk-external</key>
  <array>
    <string>alert</string>
    <string>eject</string>
  </array>
</dict>
---- |
MP-7 |
03.08.07 |
NaN |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
NaN |
medium |
NaN |
| CCE-92875-4 |
os_root_disable |
Disable Root Login |
To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. |
Script |
/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" |
{'integer': 1} |
[source,bash]
----
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
---- |
IA-2 IA-2(5) |
03.05.01 |
SRG-OS-000364-GPOS-00151 SRG-OS-000109-GPOS-00056 SRG-OS-000104-GPOS-00051 |
NaN |
APPL-14-000100 |
5.6 (level 1) |
5.4 |
IA.L1-3.5.1 IA.L1-3.5.2 |
NaN |
CCI-000764 CCI-000770 CCI-001813 |
medium |
NaN |
| CCE-92876-2 |
os_safari_advertising_privacy_protection_enable |
Ensure Advertising Privacy Protection in Safari Is Enabled |
Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>WebKitPreferences.privateClickMeasurementEnabled</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.6 (level 1) |
9.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92877-0 |
os_safari_open_safe_downloads_disable |
Disable Automatic Opening of Safe Files in Safari |
Open "safe" files after downloading _MUST_ be disabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>AutoOpenSafeDownloads</key>
<false/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.1 (level 1) |
9.1 9.6 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93014-9 |
os_safari_popups_disabled |
Ensure Pop-Up Windows are Blocked in Safari |
Safari _MUST_ be configured to block Pop-Up windows. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'safariAllowPopups = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>safariAllowPopups</key>
<false/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92878-8 |
os_safari_prevent_cross-site_tracking_enable |
Ensure Prevent Cross-site Tracking in Safari Is Enabled |
Prevent cross-site tracking _MUST_ be enabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -cE '"WebKitPreferences.storageBlockingPolicy" = 1|"WebKitStorageBlockingPolicy" = 1|"BlockStoragePolicy" =2' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>WebKitPreferences.storageBlockingPolicy</key>
<integer>1</integer>
<key>WebKitStorageBlockingPolicy</key>
<integer>1</integer>
<key>BlockStoragePolicy</key>
<integer>2</integer>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.4 (level 1) |
9.1 9.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92879-6 |
os_safari_show_full_website_address_enable |
Ensure Show Full Website Address in Safari Is Enabled |
Show full website address _MUST_ be enabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowFullURLInSmartSearchField = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>ShowFullURLInSmartSearchField</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.7 (level 1) |
9.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93015-6 |
os_safari_show_status_bar_enabled |
Ensure Show Status Bar in Safari Is Enabled |
Safari _MUST_ be configured to show the status bar. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowOverlayStatusBar = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>ShowOverlayStatusBar</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.10 (level 1) |
9.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92880-4 |
os_safari_warn_fraudulent_website_enable |
Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled |
Warn when visiting a fraudulent website _MUST_ be enabled in Safari. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WarnAboutFraudulentWebsites = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.Safari) payload type:
[source,xml]
----
<key>WarnAboutFraudulentWebsites</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.3.3 (level 1) |
9.1 9.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92881-2 |
os_screensaver_loginwindow_enforce |
Enforce Screen Saver at Login Window |
A default screen saver _MUST_ be configured to display at the login window and _MUST_ not display any sensitive information. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('moduleName').js
EOS |
{'string': 'Sonoma'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:
[source,xml]
----
<key>moduleName</key>
<string>Sonoma</string>
---- |
AC-11(1) |
03.01.10 |
NaN |
NaN |
NaN |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000060 |
medium |
NaN |
| CCE-92882-0 |
os_screensaver_timeout_loginwindow_enforce |
Enforce Screen Saver Timeout at LoginWindow |
The screen saver timeout at LoginWindow _MUST_ be set to 1200 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no more than 1200 seconds of inactivity. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
  .objectForKey('loginWindowIdleTime'))
  if ( timeout <= 1200 ) {
    return("true")
  } else {
    return("false")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type:
[source,xml]
----
<key>loginWindowIdleTime</key>
<integer>1200</integer>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
4.3 |
AC.L2-3.1.10 |
NaN |
CCI-000057 |
medium |
NaN |
| CCE-92883-8 |
os_secure_boot_verify |
Ensure Secure Boot Level Set to Full |
The Secure Boot security setting _MUST_ be set to full. Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on T2 or Apple Silicon Macs. |
Manual |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" |
{'integer': 1} |
NOTE: Boot into Recovery Mode and enable Full Secure Boot. |
SI-7 SI-7(1) SI-7(5) SI-6 |
NaN |
SRG-OS-000447-GPOS-00201 SRG-OS-000445-GPOS-00199 SRG-OS-000446-GPOS-00200 |
NaN |
APPL-14-005100 |
NaN |
NaN |
NaN |
NaN |
CCI-002696 CCI-002699 CCI-002702 |
medium |
NaN |
| CCE-92887-9 |
os_setup_assistant_filevault_enforce |
Enforce FileVault in Setup Assistant |
FileVault _MUST_ be enforced in Setup Assistant. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
Manual |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX.FileVault2')\
.objectForKey('ForceEnableInSetupAssistant')
EOS |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.MCX.FileVault2) payload type:
[source,xml]
----
<key>ForceEnableInSetupAssistant</key>
<true/>
---- |
SC-28 SC-28(1) |
03.13.08 |
NaN |
NaN |
NaN |
NaN |
3.6 3.11 |
SC.L2-3.13.16 |
NaN |
NaN |
high |
NaN |
| CCE-92888-7 |
os_show_filename_extensions_enable |
Enable Show All Filename Extensions |
Show all filename extensions _MUST_ be enabled in the Finder.
[NOTE]
====
The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
[source,bash]
----
CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
----
==== |
Script |
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults read .GlobalPreferences AppleShowAllExtensions 2>/dev/null |
{'boolean': 1} |
[source,bash]
----
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults write /Users/"$CURRENT_USER"/Library/Preferences/.GlobalPreferences AppleShowAllExtensions -bool true
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.1.1 (level 1) |
2.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92889-5 |
os_sip_enable |
Ensure System Integrity Protection is Enabled |
System Integrity Protection (SIP) _MUST_ be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. NOTE: SIP is enabled by default in macOS. |
Script |
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' |
{'integer': 1} |
[source,bash]
----
/usr/bin/csrutil enable
----
NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command. |
AC-3 AU-9 AU-9(3) CM-5 CM-5(6) SC-4 SI-7 |
03.01.02 03.03.08 03.04.05 03.13.04 |
SRG-OS-000256-GPOS-00097 SRG-OS-000057-GPOS-00027 SRG-OS-000062-GPOS-00031 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000278-GPOS-00108 SRG-OS-000080-GPOS-00048 SRG-OS-000059-GPOS-00029 SRG-OS-000138-GPOS-00069 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000259-GPOS-00100 SRG-OS-000122-GPOS-00063 SRG-OS-000058-GPOS-00028 |
NaN |
APPL-14-005001 |
5.1.2 (level 1) |
2.3 2.6 10.5 |
AC.L1-3.1.1 AU.L2-3.3.8 CM.L2-3.4.5 SC.L2-3.13.4 SI.L1-3.14.1 SI.L1-3.14.4 |
NaN |
CCI-000154 CCI-000158 CCI-000169 CCI-001493 CCI-001494 CCI-001495 CCI-001499 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 |
high |
NaN |
| CCE-92890-3 |
os_siri_prompt_disable |
Disable Siri Setup during Setup Assistant |
The prompt for Siri during Setup Assistant _MUST_ be disabled. Organizations _MUST_ apply organization-wide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, _MUST_ be disabled to guard against the risk of individuals electing Siri settings with the potential to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipSiriSetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipSiriSetup</key>
<true/>
---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002039 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-92891-1 |
os_skip_screen_time_prompt_enable |
Disable Screen Time Prompt During Setup Assistant |
The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipScreenTime').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipScreenTime</key>
<true/>
---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005055 |
NaN |
NaN |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
low |
NaN |
| CCE-92892-9 |
os_skip_unlock_with_watch_enable |
Disable Unlock with Apple Watch During Setup Assistant |
The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled. Disabling Apple Watch unlock is a necessary step toward ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipUnlockWithWatch').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipUnlockWithWatch</key>
<true/>
---- |
AC-20 CM-7 |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005056 |
NaN |
4.1 |
AC.L1-3.1.20 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92800-2 |
os_sleep_and_display_sleep_apple_silicon_enable |
Ensure Sleep and Display Sleep Is Enabled on Apple Silicon Devices |
Apple Silicon MacBooks should set the sleep timeout to 15 minutes (900 seconds) or less, and the display sleep timeout should be 10 minutes (600 seconds) or less and shorter than the sleep timeout. |
Script |
error_count=0
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
  sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
  displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
  if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
    ((error_count++))
  fi
  if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
    ((error_count++))
  fi
fi
echo "$error_count" |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a sleep 15
/usr/bin/pmset -a displaysleep 10
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.9.1.2 (level 2) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92893-7 |
os_software_update_deferral |
Ensure Software Update Deferment Is Less Than or Equal to 30 Days |
Software updates _MUST_ be deferred for 30 days or less. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('enforcedSoftwareUpdateDelay')) || 0
  if ( timeout <= 30 ) {
    return("true")
  } else {
    return("false")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>enforcedSoftwareUpdateDelay</key>
<integer>30</integer>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
1.7 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92894-5 |
os_ssh_fips_compliant |
Limit SSH to FIPS Compliant Connections |
SSH _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in macOS, see the manual page apple_ssh_and_fips. |
Script |
fips_ssh_config="Host *
Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256"
/usr/bin/grep -c "$fips_ssh_config" /etc/ssh/ssh_config.d/fips_ssh_config |
{'integer': 8} |
[source,bash]
----
fips_ssh_config="Host *
Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256"
/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
03.13.08 03.13.11 |
SRG-OS-000250-GPOS-00093 SRG-OS-000120-GPOS-00061 SRG-OS-000424-GPOS-00188 SRG-OS-000478-GPOS-00223 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 |
NaN |
APPL-14-000057 |
NaN |
NaN |
AC.L2-3.1.13 MP.L2-3.8.6 SC.L2-3.13.8 SC.L2-3.13.11 |
NaN |
CCI-000068 CCI-000803 CCI-001453 CCI-002421 CCI-002450 |
high |
NaN |
| CCE-92895-2 |
os_ssh_server_alive_count_max_configure |
Set SSH Active Server Alive Maximum to 0 |
SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
ret="pass"
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0")
  if [[ "$sshCheck" == "0" ]]; then
    ret="fail"
    break
  fi
done
/bin/echo $ret |
{'string': 'pass'} |
[source,bash]
----
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
  configarray=( ${(f)config} )
  for c in $configarray; do
    /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c"
  done
done
---- |
SC-10 |
03.13.09 |
SRG-OS-000163-GPOS-00072 |
NaN |
APPL-14-000140 |
NaN |
NaN |
SC.L2-3.13.9 |
NaN |
CCI-001133 |
medium |
NaN |
| CCE-92896-0 |
os_ssh_server_alive_interval_configure |
Configure SSH ServerAliveInterval option set to 900 |
SSH _MUST_ be configured with the ServerAliveInterval option set to 900. Setting ServerAliveInterval to 900 will log users out after a 900 second interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
ret="pass"
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900")
  if [[ "$sshCheck" == "0" ]]; then
    ret="fail"
    break
  fi
done
/bin/echo $ret |
{'string': 'pass'} |
[source,bash]
----
for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
  config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
  configarray=( ${(f)config} )
  for c in $configarray; do
    /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c"
  done
done
---- |
SC-10 AC-12 |
03.01.11 03.13.09 |
SRG-OS-000163-GPOS-00072 |
NaN |
APPL-14-000110 |
NaN |
NaN |
AC.L2-3.1.11 SC.L2-3.13.9 |
NaN |
CCI-001133 |
medium |
NaN |
| CCE-92897-8 |
os_sshd_channel_timeout_configure |
Configure SSHD Channel Timeout to 900 |
If SSHD is enabled it _MUST_ be configured with the session ChannelTimeout set to 900. This sets the timeout after which an inactive session channel is closed. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}' |
{'integer': 900} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'channeltimeout session:*=900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=900" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
---- |
SC-10 AC-12 |
03.01.11 03.13.09 |
SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
NaN |
APPL-14-000120 |
NaN |
NaN |
AC.L2-3.1.11 SC.L2-3.13.9 |
NaN |
CCI-001133 CCI-002361 |
medium |
NaN |
| CCE-92898-6 |
os_sshd_client_alive_count_max_configure |
Configure SSHD ClientAliveCountMax to 0 |
If SSHD is enabled it _MUST_ be configured with the Client Alive Maximum Count set to 0. This will set the number of client alive messages which may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the SSH server will disconnect the client, terminating the session. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}' |
{'integer': 0} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'clientalivecountmax 0' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientalivecountmax 0" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
---- |
SC-10 |
03.13.09 |
SRG-OS-000163-GPOS-00072 |
NaN |
APPL-14-000052 |
NaN |
NaN |
SC.L2-3.13.9 |
NaN |
CCI-001133 |
medium |
NaN |
| CCE-92899-4 |
os_sshd_client_alive_interval_configure |
Configure SSHD ClientAliveInterval to 900 |
If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to 900. This sets a timeout interval in seconds after which, if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. This setting works in conjunction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached. NOTE: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}' |
{'integer': 900} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'clientaliveinterval 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientaliveinterval 900" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
---- |
SC-10 AC-12 |
03.01.11 03.13.09 |
SRG-OS-000163-GPOS-00072 |
NaN |
APPL-14-000051 |
NaN |
NaN |
AC.L2-3.1.11 SC.L2-3.13.9 |
NaN |
CCI-001133 |
medium |
NaN |
| CCE-92902-6 |
os_sshd_fips_compliant |
Limit SSHD to FIPS Compliant Connections |
If SSHD is enabled then it _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in macOS, see the manual page apple_ssh_and_fips. |
Script |
fips_sshd_config=(
  "Ciphers aes128-gcm@openssh.com"
  "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "KexAlgorithms ecdh-sha2-nistp256"
  "MACs hmac-sha2-256"
  "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "CASignatureAlgorithms ecdsa-sha2-nistp256"
)
total=0
# "${fips_sshd_config[@]}" visits every element under both bash and zsh; a bare $fips_sshd_config expands to only the first element under bash
for config in "${fips_sshd_config[@]}"; do
  total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
done
echo $total |
{'integer': 7} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
  # the Include line was just written, so use the directory it points at rather than an empty prefix
  include_dir="/etc/ssh/sshd_config.d/"
fi
fips_sshd_config=(
  "Ciphers aes128-gcm@openssh.com"
  "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "KexAlgorithms ecdh-sha2-nistp256"
  "MACs hmac-sha2-256"
  "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "CASignatureAlgorithms ecdsa-sha2-nistp256"
)
# "${fips_sshd_config[@]}" visits every element under both bash and zsh; a bare $fips_sshd_config expands to only the first element under bash
for config in "${fips_sshd_config[@]}"; do
  /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf"
done
# files that sort before 01-mscp-sshd.conf are renamed so the mSCP settings are read first
for file in $(ls "${include_dir}"); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv "${include_dir}${file}" "${include_dir}20-${file}"
done
---- |
AC-17(2) IA-7 SC-13 SC-8(1) |
03.13.08 03.13.11 |
SRG-OS-000250-GPOS-00093 SRG-OS-000120-GPOS-00061 SRG-OS-000424-GPOS-00188 SRG-OS-000394-GPOS-00174 SRG-OS-000478-GPOS-00223 SRG-OS-000033-GPOS-00014 SRG-OS-000393-GPOS-00173 SRG-OS-000396-GPOS-00176 |
NaN |
APPL-14-000054 |
NaN |
NaN |
AC.L2-3.1.13 MP.L2-3.8.6 SC.L2-3.13.8 SC.L2-3.13.11 |
NaN |
CCI-000068 CCI-000803 CCI-001453 CCI-002421 CCI-002450 CCI-002890 CCI-003123 |
high |
NaN |
| CCE-92904-2 |
os_sshd_login_grace_time_configure |
Set Login Grace Time to 30 |
If SSHD is enabled then it _MUST_ be configured to wait only 30 seconds before timing out logon attempts. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' |
{'integer': 30} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
  # the Include line was just written, so use the directory it points at rather than an empty prefix
  include_dir="/etc/ssh/sshd_config.d/"
fi
/usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf"
# files that sort before 01-mscp-sshd.conf are renamed so the mSCP settings are read first
for file in $(ls "${include_dir}"); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv "${include_dir}${file}" "${include_dir}20-${file}"
done
---- |
SC-10 |
03.13.09 |
SRG-OS-000163-GPOS-00072 |
NaN |
APPL-14-000053 |
NaN |
NaN |
SC.L2-3.13.9 |
NaN |
CCI-001133 |
medium |
NaN |
| CCE-92905-9 |
os_sshd_permit_root_login_configure |
Disable Root Login for SSH |
If SSH is enabled, logging in as root via SSH _MUST_ be disabled to assure individual accountability and prevent unauthorized access. The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}' |
{'string': 'no'} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
  # the Include line was just written, so use the directory it points at rather than an empty prefix
  include_dir="/etc/ssh/sshd_config.d/"
fi
/usr/bin/grep -qxF 'permitrootlogin no' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf"
# files that sort before 01-mscp-sshd.conf are renamed so the mSCP settings are read first
for file in $(ls "${include_dir}"); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv "${include_dir}${file}" "${include_dir}20-${file}"
done
---- |
IA-2(5) |
NaN |
SRG-OS-000364-GPOS-00151 SRG-OS-000109-GPOS-00056 |
NaN |
APPL-14-001100 |
NaN |
NaN |
NaN |
NaN |
CCI-000770 CCI-001813 |
medium |
NaN |
| CCE-92906-7 |
os_sshd_unused_connection_timeout_configure |
Configure SSHD Unused Connection Timeout to 900 |
If SSHD is enabled it _MUST_ be configured with the unused connection timeout set to 900. This sets the timeout, in seconds, after which a connection with no open channels within a session is closed. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
Script |
/usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}' |
{'integer': 900} |
[source,bash]
----
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
  # the Include line was just written, so use the directory it points at rather than an empty prefix
  include_dir="/etc/ssh/sshd_config.d/"
fi
/usr/bin/grep -qxF 'unusedconnectiontimeout 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectiontimeout 900" >> "${include_dir}01-mscp-sshd.conf"
# files that sort before 01-mscp-sshd.conf are renamed so the mSCP settings are read first
for file in $(ls "${include_dir}"); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  /bin/mv "${include_dir}${file}" "${include_dir}20-${file}"
done
---- |
SC-10 AC-12 |
03.01.11 03.13.09 |
SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
NaN |
APPL-14-000130 |
NaN |
NaN |
AC.L2-3.1.11 SC.L2-3.13.9 |
NaN |
CCI-001133 CCI-002361 |
medium |
NaN |
| CCE-92908-3 |
os_sudo_timeout_configure |
Configure Sudo Timeout Period to 0 |
The file /etc/sudoers _MUST_ include a timestamp_timeout of 0. |
Script |
/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes" |
{'integer': 1} |
[source,bash]
----
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
/bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp
---- |
NaN |
NaN |
SRG-OS-000373-GPOS-00156 |
NaN |
APPL-14-004022 |
5.4 (level 1) |
4.3 |
NaN |
NaN |
CCI-002038 |
medium |
NaN |
| CCE-92909-1 |
os_sudoers_timestamp_type_configure |
Configure Sudoers Timestamp Type |
The file /etc/sudoers _MUST_ be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty. This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. |
Script |
/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/awk -F": " '/Type of authentication timestamp record/{print $2}' |
{'string': 'tty'} |
[source,bash]
----
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d; /!tty_tickets/d' '{}' \;
---- |
CM-5(1) IA-11 |
03.05.01 |
SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00156 |
NaN |
APPL-14-004060 |
5.5 (level 1) |
4.3 |
NaN |
NaN |
CCI-002038 |
medium |
NaN |
| CCE-92910-9 |
os_system_read_only |
Ensure System Volume is Read Only |
The System volume _MUST_ be mounted as read-only in order to ensure that configurations critical to the integrity of the macOS have not been compromised. System Integrity Protection (SIP) will prevent the system volume from being mounted as writable. NOTE: The system volume is read only by default in macOS. |
Manual |
/usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' |
{'string': 'No'} |
NOTE: Rebooting the computer will remount the System volume as Read Only. |
SC-34 MA-4(1) SI-7 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92911-7 |
os_system_wide_applications_configure |
Ensure Appropriate Permissions Are Enabled for System Wide Applications |
Applications in the System Applications Directory (/Applications) _MUST_ not be world-writable. |
Script |
/usr/bin/find /Applications -iname "*\.app" -type d -perm -2 -ls | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
IFS=$'\n'
for apps in $( /usr/bin/find /Applications -iname "*\.app" -type d -perm -2 ); do
  /bin/chmod -R o-w "$apps"
done
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
5.1.5 (level 1) |
3.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92912-5 |
os_terminal_secure_keyboard_enable |
Ensure Secure Keyboard Entry Terminal.app is Enabled |
Secure keyboard entry _MUST_ be enabled in Terminal.app. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\
.objectForKey('SecureKeyboardEntry').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.Terminal) payload type:
[source,xml]
----
<key>SecureKeyboardEntry</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
6.4.1 (level 1) |
4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92914-1 |
os_tftpd_disable |
Disable Trivial File Transfer Protocol Service |
If the system does not require Trivial File Transfer Protocol (TFTP) support, it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: The TFTP service is disabled at startup by default on macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.tftpd
----
The system may need to be restarted for the update to take effect. |
AC-3 AC-17 CM-7 IA-5(1) |
03.01.02 03.04.06 03.05.07 |
SRG-OS-000080-GPOS-00048 SRG-OS-000074-GPOS-00042 |
NaN |
APPL-14-002038 |
NaN |
3.3 3.1 5.2 |
AC.L1-3.1.1 IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000197 CCI-000213 |
high |
NaN |
| CCE-92915-8 |
os_time_offset_limit_configure |
Ensure Time Offset Within Limits |
The macOS system time _MUST_ be monitored to not drift more than four minutes and thirty seconds. |
Script |
/usr/bin/sntp $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}') | /usr/bin/awk -F'.' '/\+\/\-/{if (substr($1,2) >= 270) {print "No"} else {print "Yes"}}' |
{'string': 'Yes'} |
[source,bash]
----
/usr/bin/sntp -Ss $(/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/awk '{print $4}')
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92916-6 |
os_time_server_enabled |
Enable Time Synchronization Daemon |
The macOS time synchronization daemon (timed) _MUST_ be enabled for proper time synchronization to an authorized time server. NOTE: The time synchronization daemon is enabled by default on macOS. |
Script |
/bin/launchctl list | /usr/bin/grep -c com.apple.timed |
{'integer': 1} |
[source,bash]
----
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist
----
NOTE: The service `timed` cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled. |
AU-12(1) SC-45(1) |
03.03.07 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
NaN |
APPL-14-000180 |
2.3.2.2 (level 1) |
8.4 |
AU.L2-3.3.7 |
NaN |
CCI-002046 CCI-001891 |
medium |
NaN |
| CCE-92917-4 |
os_touchid_prompt_disable |
Disable TouchID Prompt during Setup Assistant |
The prompt for TouchID during Setup Assistant _MUST_ be disabled. macOS guides new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, _MUST_ be disabled to prevent the risk of individuals electing to enable TouchID to override organization-wide settings. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
.objectForKey('SkipTouchIDSetup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SetupAssistant.managed) payload type:
[source,xml]
----
<key>SkipTouchIDSetup</key>
<true/>
---- |
CM-6 |
03.04.02 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-005054 |
NaN |
4.1 |
CM.L2-3.4.2 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92919-0 |
os_unlock_active_user_session_disable |
Disable Login to Other User's Active and Locked Sessions |
The ability to log in to another user's active or locked session _MUST_ be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock other users' active sessions. Disabling admins' and/or users' ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile. |
Script |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>' |
{'integer': 1} |
[source,bash]
----
/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
---- |
IA-2 IA-2(5) |
03.05.01 |
SRG-OS-000109-GPOS-00056 SRG-OS-000104-GPOS-00051 |
NaN |
APPL-14-000090 |
5.7 (level 1) |
4.3 |
IA.L1-3.5.1 IA.L1-3.5.2 |
NaN |
CCI-000764 CCI-000770 |
medium |
NaN |
| CCE-92920-8 |
os_user_app_installation_prohibit |
Prohibit User Installation of Software into /Users/ |
Users _MUST_ not be allowed to install software into /Users/. Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.
[IMPORTANT]
====
Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls]; using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('familyControlsEnabled'))
  let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
  .objectForKey('pathBlackList').js
  for ( let app in pathlist ) {
    if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){
      return("true")
    }
  }
  return("false")
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess.new) payload type:
[source,xml]
----
<key>familyControlsEnabled</key>
<true/>
<key>pathBlackList</key>
<array>
  <string>/Users/</string>
</array>
---- |
CM-11(2) |
NaN |
SRG-OS-000362-GPOS-00149 |
NaN |
APPL-14-005080 |
NaN |
NaN |
CM.L2-3.4.9 |
NaN |
CCI-001812 |
medium |
NaN |
| CCE-92921-6 |
os_uucp_disable |
Disable Unix-to-Unix Copy Protocol Service |
The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: The UUCP service is disabled at startup by default on macOS. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => disabled' |
{'integer': 1} |
[source,bash]
----
/bin/launchctl disable system/com.apple.uucp
----
The system may need to be restarted for the update to take effect. |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002006 |
NaN |
3.3 4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92923-2 |
os_world_writable_library_folder_configure |
Ensure No World Writable Files Exist in the Library Folder |
Folders in /System/Volumes/Data/Library _MUST_ not be world-writable. NOTE: Some vendors are known to create world-writable folders in the System Library folder. You may need to add more exclusions to this check and fix to match your environment. |
Script |
/usr/bin/find /System/Volumes/Data/Library -type d -perm -2 -ls 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
IFS=$'\n'
for libPermissions in $( /usr/bin/find /System/Volumes/Data/Library -type d -perm -2 2>&1 | /usr/bin/grep -v Caches | /usr/bin/grep -v /Preferences/Audio/Data ); do
  /bin/chmod -R o-w "$libPermissions"
done
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
5.1.7 (level 2) |
3.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92924-0 |
os_world_writable_system_folder_configure |
Ensure No World Writable Files Exist in the System Folder |
Folders in /System/Volumes/Data/System _MUST_ not be world-writable. |
Script |
/usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -vE "downloadDir|locks" | /usr/bin/wc -l | /usr/bin/xargs |
{'integer': 0} |
[source,bash]
----
IFS=$'\n'
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -vE "downloadDir|locks" ); do
  /bin/chmod -R o-w "$sysPermissions"
done
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
5.1.6 (level 1) |
3.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92926-5 |
pwpolicy_account_inactivity_enforce |
Disable Accounts after 35 Days of Inactivity |
The macOS _MUST_ be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. |
Script |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - |
{'integer': 35} |
This setting may be enforced using local policy or by a directory service. To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following <dict> within the "policyCategoryAuthentication":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
  <key>policyIdentifier</key>
  <string>Inactive Account</string>
  <key>policyParameters</key>
  <dict>
    <key>policyAttributeInactiveDays</key>
    <integer>35</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
AC-2(3) |
03.01.01 |
SRG-OS-000118-GPOS-00060 |
NaN |
APPL-14-003080 |
NaN |
5.3 |
IA.L2-3.5.6 |
NaN |
CCI-000795 |
medium |
NaN |
| CCE-92927-3 |
pwpolicy_account_lockout_enforce |
Limit Consecutive Failed Login Attempts to 3 |
The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of 3. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}' | /usr/bin/uniq |
{'string': 'yes'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>maxFailedAttempts</key>
<integer>3</integer>
---- |
AC-7 |
03.01.08 |
SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
NaN |
APPL-14-000022 |
5.2.1 (level 1) |
6.2 |
AC.L2-3.1.8 |
NaN |
CCI-000044 CCI-002238 |
medium |
NaN |
| CCE-92928-1 |
pwpolicy_account_lockout_timeout_enforce |
Set Account Lockout Time to 15 Minutes |
The macOS _MUST_ be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print "yes"} else {print "no"}}' | /usr/bin/uniq |
{'string': 'yes'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>minutesUntilFailedLoginReset</key>
<integer>15</integer>
---- |
AC-7 |
03.01.08 |
SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
NaN |
APPL-14-000060 |
5.2.1 (level 1) |
6.2 |
AC.L2-3.1.8 |
NaN |
CCI-002238 CCI-000044 |
medium |
NaN |
| CCE-92929-9 |
pwpolicy_alpha_numeric_enforce |
Require Passwords Contain a Minimum of One Numeric Character |
The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "requireAlphanumeric" -c |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>requireAlphanumeric</key>
<true/>
---- |
IA-5(1) |
03.05.07 |
SRG-OS-000071-GPOS-00039 |
NaN |
APPL-14-003007 |
5.2.3 (level 2) 5.2.4 (level 2) |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000194 |
medium |
NaN |
| CCE-93011-5 |
pwpolicy_custom_regex_enforce |
Require Passwords to Match the Defined Custom Regular Expression |
The macOS _MUST_ be configured to meet complexity requirements defined in ^(?=.*[A-Z])(?=.*[a-z]).*$. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. NOTE: The configuration profile generated must be installed from an MDM server. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''^(?=.*[A-Z])(?=.*[a-z]).*$'\''")])' - |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>customRegex</key>
<dict>
  <key>passwordContentRegex</key>
  <string>^(?=.*[A-Z])(?=.*[a-z]).*$</string>
  <key>passwordContentDescription</key>
  <dict>
    <key>default</key>
    <string>Password must match custom regex.</string>
  </dict>
</dict>
---- |
IA-5(1) |
03.05.07 |
SRG-OS-000070-GPOS-00038 SRG-OS-000069-GPOS-00037 |
NaN |
APPL-14-003060 |
5.2.6 (level 2) |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000192 CCI-000193 |
medium |
NaN |
| CCE-92932-3 |
pwpolicy_history_enforce |
Prohibit Password Reuse for a Minimum of 5 Generations |
The macOS _MUST_ be configured to enforce a password history of at least 5 previous passwords when a password is created. This rule ensures that users are not allowed to re-use a password that was used in any of the 5 previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= 5 ) {print "yes"} else {print "no"}}' | /usr/bin/uniq |
{'string': 'yes'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>pinHistory</key>
<integer>5</integer>
---- |
IA-5(1) |
03.05.07 |
SRG-OS-000077-GPOS-00045 |
NaN |
APPL-14-003009 |
5.2.8 (level 1) |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000200 |
medium |
NaN |
| CCE-92933-1 |
pwpolicy_lower_case_character_enforce |
Require Passwords Contain a Minimum of One Lowercase Character |
The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. NOTE: macOS 14 supports password policy complexity with a custom regex deployed with a mobileconfig file. To use a mobileconfig file, use *pwpolicy_custom_regex_enforce*. |
Script |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 1 ) {print "yes"} else {print "no"}}' |
{'string': 'yes'} |
This setting may be enforced using local policy or by a directory service. To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
  <key>policyIdentifier</key>
  <string>Must have at least 1 lowercase letter</string>
  <key>policyParameters</key>
  <dict>
    <key>minimumAlphaCharactersLowerCase</key>
    <integer>1</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5(1) |
03.05.07 |
NaN |
NaN |
NaN |
NaN |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92935-6 |
pwpolicy_max_lifetime_enforce |
Restrict Maximum Password Lifetime to 60 Days |
The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management”, federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require use of special characters or regular rotation. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' - |
{'integer': 60} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>maxPINAgeInDays</key>
<integer>60</integer>
---- |
IA-5 |
03.05.12 |
SRG-OS-000076-GPOS-00044 |
NaN |
APPL-14-003008 |
5.2.7 (level 1) |
5.3 |
IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000199 |
medium |
NaN |
| CCE-92936-4 |
pwpolicy_minimum_length_enforce |
Require a Minimum Password Length of 15 Characters |
The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{15,}'\''")])' - |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type:
[source,xml]
----
<key>minLength</key>
<integer>15</integer>
---- |
IA-5(1) |
03.05.07 |
SRG-OS-000078-GPOS-00046 |
NaN |
APPL-14-003010 |
5.2.2 (level 1) |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000205 |
medium |
NaN |
| CCE-92937-2 |
pwpolicy_minimum_lifetime_enforce |
Set Minimum Password Lifetime to 24 Hours |
The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Script |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 24 ) {print "yes"} else {print "no"}}' |
{'string': 'yes'} |
This setting may be enforced using local policy or by a directory service. To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
  <key>policyIdentifier</key>
  <string>Minimum Password Lifetime</string>
  <key>policyParameters</key>
  <dict>
    <key>policyAttributeMinimumLifetimeHours</key>
    <integer>24</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5 |
03.05.12 |
SRG-OS-000075-GPOS-00043 |
NaN |
APPL-14-003070 |
NaN |
4.7 |
IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-000198 |
medium |
NaN |
| CCE-92939-8 |
pwpolicy_simple_sequence_disable |
Prohibit Repeating, Ascending, and Descending Character Sequences |
The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "allowSimple" -c |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>allowSimple</key> <false/> ---- |
IA-5(1) |
03.05.07 |
NaN |
NaN |
NaN |
NaN |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92940-6 |
pwpolicy_special_character_enforce |
Require Passwords Contain a Minimum of One Special Character |
The macOS _MUST_ be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management”, federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require use of special characters or regular rotation. |
Configuration Profile |
/usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/xmllint --xpath "//string[contains(text(), \"policyAttributePassword matches '(.*[^a-zA-Z0-9].*){\")]" - 2>/dev/null | /usr/bin/awk -F"{|}" '{if ($2 >= 1) {print "true"} else {print "false"}}' |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>minComplexChars</key> <integer>1</integer> ---- |
IA-5(1) |
03.05.07 |
SRG-OS-000266-GPOS-00101 |
NaN |
APPL-14-003011 |
5.2.5 (level 2) |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
CCI-001619 |
medium |
NaN |
| CCE-92942-2 |
pwpolicy_temporary_or_emergency_accounts_disable |
Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours |
The macOS can be configured to set an automated termination of 72 hours or less for all temporary or emergency accounts upon account creation. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts _MUST_ be set to 72 hours (or less) when the temporary or emergency account is created. 
If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. |
Manual |
Verify if a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO). If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory service, this is a finding. Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding. |
NaN |
This setting may be enforced using local policy or by a directory service. To set local policy to disable a temporary or emergency user, create a plain text file containing the following:
[source,xml]
----
<dict>
  <key>policyCategoryAuthentication</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string>
      <key>policyIdentifier</key>
      <string>Disable Tmp Accounts</string>
    </dict>
  </array>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file".
[source,bash]
----
/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
---- |
AC-2(2) |
NaN |
SRG-OS-000002-GPOS-00002 SRG-OS-000123-GPOS-00064 |
NaN |
APPL-14-000012 |
NaN |
NaN |
NaN |
NaN |
CCI-001682 CCI-000016 |
medium |
NaN |
| CCE-92943-0 |
pwpolicy_upper_case_character_enforce |
Require Passwords Contain a Minimum of One Uppercase Character |
The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but your organization may define its own password complexity rules. NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file, use *pwpolicy_custom_regex_enforce*. |
Script |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 1 ) {print "yes"} else {print "no"}}' |
{'string': 'yes'} |
This setting may be enforced using local policy or by a directory service. To set local policy to require at least 1 uppercase letter, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
  <key>policyContent</key>
  <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
  <key>policyIdentifier</key>
  <string>Must have at least 1 uppercase letter</string>
  <key>policyParameters</key>
  <dict>
    <key>minimumAlphaCharactersUpperCase</key>
    <integer>1</integer>
  </dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
NOTE: See the password policy supplemental for more information on how to implement password policies on macOS. |
IA-5(1) |
03.05.07 |
NaN |
NaN |
NaN |
NaN |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92944-8 |
system_settings_airplay_receiver_disable |
Disable Airplay Receiver |
AirPlay Receiver allows content from another Apple device to be displayed on this Mac's screen while it is being played on that other device. Support for AirPlay Receiver is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAirPlayIncomingRequests').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAirPlayIncomingRequests</key> <false/> ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000300-GPOS-00118 SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002080 |
2.3.1.2 (level 1) |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001443 |
medium |
NaN |
| CCE-92945-5 |
system_settings_apple_watch_unlock_disable |
Prevent Apple Watch from Terminating a Session Lock |
Apple Watches are not an approved authenticator and their use _MUST_ be disabled. Disabling Apple Watch unlock is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. NOTE: Unlocking the system with an Apple Watch is not an approved authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAutoUnlock').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAutoUnlock</key> <false/> ---- |
IA-5 |
03.05.12 |
SRG-OS-000028-GPOS-00009 |
NaN |
APPL-14-000001 |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000056 |
medium |
NaN |
| CCE-92947-1 |
system_settings_automatic_login_disable |
Disable Unattended or Automatic Logon to the System |
Automatic logon _MUST_ be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>com.apple.login.mcx.DisableAutoLoginClient</key> <true/> ---- |
IA-2 IA-5(13) |
03.05.01 |
SRG-OS-000480-GPOS-00229 SRG-OS-000104-GPOS-00051 |
NaN |
APPL-14-002066 |
2.12.3 (level 1) |
4.7 |
IA.L1-3.5.1 IA.L1-3.5.2 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92948-9 |
system_settings_automatic_logout_enforce |
Enforce Auto Logout After 86400 Seconds of Inactivity |
Auto logout _MUST_ be configured to automatically terminate a user session and log out the user after 86400 seconds of inactivity. NOTE: The maximum that macOS can be configured for auto logoff is 86400 seconds. [IMPORTANT] ==== The automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the automatic logout setting. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
.objectForKey('com.apple.autologout.AutoLogOutDelay').js
EOS |
{'integer': 86400} |
Create a configuration profile containing the following keys in the (.GlobalPreferences) payload type: [source,xml] ---- <key>com.apple.autologout.AutoLogOutDelay</key> <integer>86400</integer> ---- |
AC-12 AC-2(5) |
03.01.01 03.01.11 |
SRG-OS-000279-GPOS-00109 |
NaN |
APPL-14-000160 |
NaN |
NaN |
AC.L2-3.1.10 AC.L2-3.1.11 |
NaN |
CCI-002361 |
medium |
NaN |
| CCE-92949-7 |
system_settings_bluetooth_disable |
Disable Bluetooth When no Approved Device is Connected |
The macOS system _MUST_ be configured to disable Bluetooth unless there is an approved device connected. [IMPORTANT] ==== Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
.objectForKey('DisableBluetooth').js
EOS |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types. Create a configuration profile containing the following keys in the (com.apple.MCXBluetooth) payload type: [source,xml] ---- <key>DisableBluetooth</key> <true/> ---- |
AC-18 SC-8 AC-18(3) |
03.01.16 03.13.08 |
SRG-OS-000423-GPOS-00187 SRG-OS-000481-GPOS-00481 |
NaN |
APPL-14-002062 |
NaN |
4.8 12.6 13.9 |
AC.L2-3.1.16 |
NaN |
CCI-001967 CCI-002418 |
high |
NaN |
| CCE-92950-5 |
system_settings_bluetooth_menu_enable |
Enable Bluetooth Menu |
The Bluetooth menu _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
.objectForKey('Bluetooth').js
EOS |
{'integer': 18} |
Create a configuration profile containing the following keys in the (com.apple.controlcenter) payload type: [source,xml] ---- <key>Bluetooth</key> <integer>18</integer> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.4.2 (level 1) |
4.8 13.9 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93016-4 |
system_settings_bluetooth_settings_disable |
Disable the Bluetooth System Settings Pane |
The Bluetooth System Settings pane _MUST_ be disabled to prevent access to the Bluetooth configuration. |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.BluetoothSettings |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type: [source,xml] ---- <key>DisabledSystemSettings</key> <array> <string>com.apple.BluetoothSettings</string> </array> ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002260 |
NaN |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92952-1 |
system_settings_bluetooth_sharing_disable |
Disable Bluetooth Sharing |
Bluetooth Sharing _MUST_ be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] ---- CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' ) ---- ==== |
Script |
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled |
{'boolean': 0} |
[source,bash] ---- /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false ---- |
AC-3 AC-18(4) CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000080-GPOS-00048 SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002110 |
2.3.3.11 (level 1) |
3.3 4.1 |
AC.L1-3.1.1 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000213 CCI-000381 |
medium |
NaN |
| CCE-92954-7 |
system_settings_content_caching_disable |
Disable Content Caching Service |
Content caching _MUST_ be disabled. Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowContentCaching').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowContentCaching</key> <false/> ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002140 |
2.3.3.9 (level 2) |
4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92955-4 |
system_settings_critical_update_install_enforce |
Enforce Critical Security Updates to be Installed |
Ensure that security updates are installed as soon as they are available from Apple. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('CriticalUpdateInstall').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>CriticalUpdateInstall</key> <true/> ---- |
SI-2 |
03.14.01 |
NaN |
NaN |
NaN |
1.6 (level 1) |
7.3 7.4 7.7 |
SI.L1-3.14.1 SI.L1-3.14.4 |
NaN |
NaN |
NaN |
NaN |
| CCE-92956-2 |
system_settings_diagnostics_reports_disable |
Disable Sending Diagnostic and Usage Data to Apple |
The ability to submit diagnostic data to Apple _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\
  .objectForKey('AutoSubmit').js
  let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowDiagnosticSubmission').js
  if ( pref1 == false && pref2 == false ){
    return("true")
  } else {
    return("false")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SubmitDiagInfo) payload type: [source,xml] ---- <key>AutoSubmit</key> <false/> ---- Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowDiagnosticSubmission</key> <false/> ---- |
SI-11 AC-20 SC-7(10) |
03.01.20 |
SRG-OS-000206-GPOS-00084 SRG-OS-000205-GPOS-00083 |
NaN |
APPL-14-002021 |
2.6.3 (level 2) |
4.1 4.8 |
AC.L1-3.1.20 |
NaN |
CCI-001312 CCI-001314 |
medium |
NaN |
| CCE-92957-0 |
system_settings_filevault_enforce |
Enforce FileVault |
FileVault _MUST_ be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
Manual |
dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
)
fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.")
if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then
  echo "1"
else
  echo "0"
fi |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type: [source,xml] ---- <key>dontAllowFDEDisable</key> <true/> ---- |
SC-28 SC-28(1) |
03.13.08 |
SRG-OS-000185-GPOS-00079 SRG-OS-000405-GPOS-00184 SRG-OS-000404-GPOS-00183 |
NaN |
APPL-14-005020 |
2.6.6 (level 1) |
3.6 3.11 |
SC.L2-3.13.16 |
NaN |
CCI-001199 CCI-002475 CCI-002476 |
high |
NaN |
| CCE-92958-8 |
system_settings_find_my_disable |
Disable Find My Service |
The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowFindMyDevice'))
  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowFindMyFriends'))
  let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\
  .objectForKey('DisableFMMiCloudSetting'))
  if ( pref1 == false && pref2 == false && pref3 == true ) {
    return("true")
  } else {
    return("false")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowFindMyDevice</key> <false/> <key>allowFindMyFriends</key> <false/> ---- Create a configuration profile containing the following keys in the (com.apple.icloud.managed) payload type: [source,xml] ---- <key>DisableFMMiCloudSetting</key> <true/> ---- |
AC-20 CM-7 CM-7(1) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002180 |
NaN |
4.1 4.8 15.3 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92959-6 |
system_settings_firewall_enable |
Enable macOS Application Firewall |
The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. |
Script |
profile="$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableFirewall').js
EOS
)"
plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
  echo "true"
else
  echo "false"
fi |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.firewall) payload type: [source,xml] ---- <key>EnableFirewall</key> <true/> ---- |
AC-4 SC-7(12) CM-7 CM-7(1) SC-7 |
03.01.03 03.04.06 03.13.01 |
SRG-OS-000480-GPOS-00232 |
NaN |
APPL-14-005050 |
2.2.1 (level 1) |
4.1 4.5 13.1 |
AC.L2-3.1.3 CM.L2-3.4.6 CM.L2-3.4.7 SC.L1-3.13.1 |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-92960-4 |
system_settings_firewall_stealth_mode_enable |
Enable Firewall Stealth Mode |
Firewall Stealth Mode _MUST_ be enabled. When stealth mode is enabled, the Mac will not respond to any probing requests, and only requests from authorized applications will still be authorized. [IMPORTANT] ==== Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode. ==== |
Script |
profile="$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableStealthMode').js
EOS
)"
plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
  echo "true"
else
  echo "false"
fi |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.security.firewall) payload type: [source,xml] ---- <key>EnableStealthMode</key> <true/> <key>EnableFirewall</key> <true/> ---- |
CM-7 CM-7(1) SC-7(16) SC-7 |
03.04.06 03.13.01 |
NaN |
NaN |
NaN |
2.2.2 (level 1) |
4.1 4.5 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 SC.L1-3.13.1 |
NaN |
NaN |
medium |
NaN |
| CCE-92961-2 |
system_settings_gatekeeper_identified_developers_allowed |
Apply Gatekeeper Settings to Block Applications from Unidentified Developers |
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party. |
Script |
/usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.control) payload type: [source,xml] ---- <key>AllowIdentifiedDevelopers</key> <true/> <key>EnableAssessment</key> <true/> ---- |
CM-14 SI-7(15) SI-7(1) |
03.14.02 |
SRG-OS-000366-GPOS-00153 |
NaN |
APPL-14-002060 |
NaN |
NaN |
CM.L2-3.4.5 |
NaN |
CCI-001749 |
high |
NaN |
| CCE-92962-0 |
system_settings_gatekeeper_override_disallow |
Configure Gatekeeper to Disallow End User Override |
Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
.objectForKey('DisableOverride').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.systempolicy.managed) payload type: [source,xml] ---- <key>DisableOverride</key> <true/> ---- |
SI-7(15) |
03.14.02 |
NaN |
NaN |
NaN |
NaN |
NaN |
CM.L2-3.4.5 |
NaN |
NaN |
medium |
NaN |
| CCE-92963-8 |
system_settings_guest_access_smb_disable |
Disable Guest Access to Shared SMB Folders |
Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files shared via SMB. |
Script |
/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess |
{'boolean': 0} |
[source,bash] ---- /usr/sbin/sysadminctl -smbGuestAccess off ---- |
NaN |
03.01.01 |
NaN |
NaN |
NaN |
2.12.2 (level 1) |
3.3 |
AC.L1-3.1.2 |
NaN |
NaN |
NaN |
NaN |
| CCE-92964-6 |
system_settings_guest_account_disable |
Disable the Guest Account |
Guest access _MUST_ be disabled. Turning off guest access prevents anonymous users from accessing files. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
  .objectForKey('DisableGuestAccount'))
  let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
  .objectForKey('EnableGuestAccount'))
  if ( pref1 == true && pref2 == false ) {
    return("true")
  } else {
    return("false")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type: [source,xml] ---- <key>DisableGuestAccount</key> <true/> <key>EnableGuestAccount</key> <false/> ---- |
AC-2 AC-2(9) |
03.01.01 |
SRG-OS-000364-GPOS-00151 |
NaN |
APPL-14-002063 |
2.12.1 (level 1) |
5.2 6.2 6.8 |
AC.L1-3.1.2 |
NaN |
CCI-001813 |
medium |
NaN |
| CCE-92965-3 |
system_settings_hot_corners_disable |
Disable Hot Corners |
Hot corners _MUST_ be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. |
Configuration Profile |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0' |
{'integer': 4} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types. Create a configuration profile containing the following keys in the (com.apple.dock) payload type: [source,xml] ---- <key>wvous-bl-corner</key> <integer>0</integer> <key>wvous-br-corner</key> <integer>0</integer> <key>wvous-tr-corner</key> <integer>0</integer> <key>wvous-tl-corner</key> <integer>0</integer> ---- |
AC-11(1) |
03.01.10 |
SRG-OS-000031-GPOS-00012 |
NaN |
APPL-14-000007 |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000060 |
medium |
NaN |
| CCE-92966-1 |
system_settings_hot_corners_secure |
Secure Hot Corners |
Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. |
Script |
bl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null)" tl_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null)" tr_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null)" br_corner="$(/usr/bin/defaults read /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null)" if [[ "$bl_corner" != "6" ]] && [[ "$tl_corner" != "6" ]] && [[ "$tr_corner" != "6" ]] && [[ "$br_corner" != "6" ]]; then echo "0" fi |
{'integer': 0} |
[source,bash] ---- /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-bl-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tl-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-tr-corner 2>/dev/null /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults delete /Users/"$CURRENT_USER"/Library/Preferences/com.apple.dock wvous-br-corner 2>/dev/null ---- |
AC-11(1) |
03.01.10 |
NaN |
NaN |
NaN |
2.7.1 (level 2) |
4.3 |
AC.L2-3.1.10 |
NaN |
NaN |
NaN |
NaN |
| CCE-92967-9 |
system_settings_improve_siri_dictation_disable |
Disable Sending Siri and Dictation Information to Apple |
The ability for Apple to store and review audio of your Siri and Dictation interactions _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\ .objectForKey('Siri Data Sharing Opt-In Status').js EOS |
{'integer': 2} |
Create a configuration profile containing the following keys in the (com.apple.assistant.support) payload type: [source,xml] ---- <key>Siri Data Sharing Opt-In Status</key> <integer>2</integer> ---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002210 |
2.6.3 (level 2) |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92968-7 |
system_settings_install_macos_updates_enforce |
Enforce macOS Updates are Automatically Installed |
Software Update _MUST_ be configured so that automatic installation of macOS updates is enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('AutomaticallyInstallMacOSUpdates').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>AutomaticallyInstallMacOSUpdates</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
1.4 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92969-5 |
system_settings_internet_accounts_disable |
Disable the Internet Accounts System Preference Pane |
The Internet Accounts System Setting _MUST_ be disabled to prevent the addition of unauthorized internet accounts. [IMPORTANT] ==== Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Internet-Accounts-Settings.extension |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type: [source,xml] ---- <key>DisabledSystemSettings</key> <array> <string>com.apple.Internet-Accounts-Settings.extension</string> </array> ---- |
CM-7 CM-7(1) CM-7(5) AC-20 |
03.01.20 03.04.06 03.04.08 |
NaN |
NaN |
NaN |
NaN |
4.8 15.2 |
AC.L1-3.1.20 CM.L2-3.4.8 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92971-1 |
system_settings_internet_sharing_disable |
Disable Internet Sharing |
If the system does not require Internet sharing, support for it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('forceInternetSharingOff').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type: [source,xml] ---- <key>forceInternetSharingOff</key> <true/> ---- |
AC-4 AC-20 |
03.01.03 03.01.20 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002007 |
2.3.3.8 (level 1) |
4.1 4.8 |
AC.L1-3.1.20 AC.L2-3.1.3 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92972-9 |
system_settings_location_services_disable |
Disable Location Services |
Location Services _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. |
Script |
/usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\ .objectForKey('LocationServicesEnabled').js EOS |
{'string': 'false'} |
[source,bash] ---- /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false; pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }') kill -9 $pid ---- |
CM-7 CM-7(1) SC-7(10) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002004 |
NaN |
NaN |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92973-7 |
system_settings_location_services_enable |
Enable Location Services |
Location Services _MUST_ be enabled. |
Script |
/usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\ .objectForKey('LocationServicesEnabled').js EOS |
{'string': 'true'} |
[source,bash] ---- /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }') kill -9 $pid ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.6.1.1 (level 2) |
4.1 4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92974-5 |
system_settings_location_services_menu_enforce |
Ensure Location Services Is In the Menu Bar |
Location Services menu item _MUST_ be enabled. |
Script |
/usr/bin/defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices |
{'boolean': 1} |
[source,bash] ---- /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.6.1.2 (level 2) |
4.1 4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92975-2 |
system_settings_loginwindow_loginwindowtext_enable |
Configure Login Window to Show A Custom Message |
The login window _MUST_ be configured to show a custom access warning message. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS | /usr/bin/base64 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('LoginwindowText').js EOS |
{'base64': 'Center for Internet Security Test Message'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>LoginwindowText</key> <string>Center for Internet Security Test Message</string> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.10.3 (level 1) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92976-0 |
system_settings_loginwindow_prompt_username_password_enforce |
Configure Login Window to Prompt for Username and Password |
The login window _MUST_ be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('SHOWFULLNAME').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>SHOWFULLNAME</key> <true/> ---- |
IA-2 |
03.05.01 |
SRG-OS-000104-GPOS-00051 |
NaN |
APPL-14-005052 |
2.10.4 (level 1) |
4.1 |
IA.L1-3.5.1 IA.L1-3.5.2 |
NaN |
CCI-000764 |
medium |
NaN |
| CCE-92977-8 |
system_settings_media_sharing_disabled |
Disable Media Sharing |
Media sharing _MUST_ be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information, mitigating this risk. NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('homeSharingUIStatus')) let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('legacySharingUIStatus')) let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('mediaSharingUIStatus')) if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) { return("true") } else { return("false") } } EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.preferences.sharing.SharingPrefsExtension) payload type: [source,xml] ---- <key>homeSharingUIStatus</key> <integer>0</integer> <key>legacySharingUIStatus</key> <integer>0</integer> <key>mediaSharingUIStatus</key> <integer>0</integer> ---- |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002100 |
2.3.3.10 (level 2) |
4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92978-6 |
system_settings_password_hints_disable |
Disable Password Hints |
Password hints _MUST_ be disabled. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('RetriesUntilHint').js EOS |
{'integer': 0} |
Create a configuration profile containing the following keys in the (com.apple.loginwindow) payload type: [source,xml] ---- <key>RetriesUntilHint</key> <integer>0</integer> ---- |
IA-6 |
03.05.11 |
SRG-OS-000079-GPOS-00047 |
NaN |
APPL-14-003012 |
2.10.5 (level 1) |
4.1 |
IA.L2-3.5.11 |
NaN |
CCI-000206 |
medium |
NaN |
| CCE-92979-4 |
system_settings_personalized_advertising_disable |
Disable Personalized Advertising |
Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowApplePersonalizedAdvertising').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowApplePersonalizedAdvertising</key> <false/> ---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
03.01.20 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002200 |
2.6.4 (level 1) |
4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92980-2 |
system_settings_printer_sharing_disable |
Disable Printer Sharing |
Printer Sharing _MUST_ be disabled. |
Script |
/usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" |
{'boolean': 1} |
[source,bash] ---- /usr/sbin/cupsctl --no-share-printers /usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false ---- |
CM-7 CM-7(1) |
03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002240 |
2.3.3.4 (level 1) |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92981-0 |
system_settings_rae_disable |
Disable Remote Apple Events |
If the system does not require Remote Apple Events, support for Remote Apple Events is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => disabled' |
{'integer': 1} |
[source,bash] ---- /usr/sbin/systemsetup -setremoteappleevents off /bin/launchctl disable system/com.apple.AEServer ---- NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision. |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 SRG-OS-000096-GPOS-00050 |
NaN |
APPL-14-002022 |
2.3.3.7 (level 1) |
4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 CCI-000382 |
medium |
NaN |
| CCE-92982-8 |
system_settings_remote_management_disable |
Disable Remote Management |
Remote Management _MUST_ be disabled. |
Script |
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" |
{'integer': 1} |
[source,bash] ---- /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop ---- |
AC-3 AC-17 CM-7 CM-7(1) |
03.01.02 03.04.06 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002250 |
2.3.3.6 (level 1) |
4.1 4.8 5.4 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-92983-6 |
system_settings_screen_sharing_disable |
Disable Screen Sharing and Apple Remote Desktop |
Support for both Screen Sharing and Apple Remote Desktop (ARD) is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => disabled' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl disable system/com.apple.screensharing ---- NOTE - This will apply to the whole system |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002050 |
2.3.3.2 (level 1) |
4.1 4.8 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92984-4 |
system_settings_screensaver_ask_for_password_delay_enforce |
Enforce Session Lock After Screen Saver is Started |
A screen saver _MUST_ be enabled and the system _MUST_ be configured to require a password to unlock once the screensaver has been on for a maximum of 5 seconds. An unattended system with an excessive grace period is vulnerable to a malicious user. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS function run() { let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('askForPasswordDelay')) if ( delay <= 5 ) { return("true") } else { return("false") } } EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type: [source,xml] ---- <key>askForPasswordDelay</key> <integer>5</integer> ---- |
AC-11 |
03.01.10 |
SRG-OS-000028-GPOS-00009 |
NaN |
APPL-14-000003 |
2.10.2 (level 1) |
4.7 |
AC.L2-3.1.10 |
NaN |
CCI-000056 |
medium |
NaN |
| CCE-92985-1 |
system_settings_screensaver_password_enforce |
Enforce Screen Saver Password |
Users _MUST_ authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('askForPassword').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type: [source,xml] ---- <key>askForPassword</key> <true/> ---- |
AC-11 IA-11 |
03.01.10 03.05.01 |
SRG-OS-000028-GPOS-00009 |
NaN |
APPL-14-000002 |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000056 |
medium |
NaN |
| CCE-92986-9 |
system_settings_screensaver_timeout_enforce |
Enforce Screen Saver Timeout |
The screen saver timeout _MUST_ be set to 1200 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no more than 1200 seconds of inactivity. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS function run() { let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('idleTime')) if ( timeout <= 1200 ) { return("true") } else { return("false") } } EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.screensaver) payload type: [source,xml] ---- <key>idleTime</key> <integer>1200</integer> ---- |
AC-11 IA-11 |
03.01.10 03.05.01 |
SRG-OS-000029-GPOS-00010 |
NaN |
APPL-14-000070 |
2.10.1 (level 1) |
4.3 |
AC.L2-3.1.10 |
NaN |
CCI-000057 |
medium |
NaN |
| CCE-92987-7 |
system_settings_siri_disable |
Disable Siri |
Support for Siri is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAssistant').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAssistant</key> <false/> ---- |
AC-20 CM-7 CM-7(1) CM-7(5) SC-7(10) |
03.01.20 03.04.06 03.04.08 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002020 |
NaN |
4.1 4.8 |
AC.L1-3.1.20 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 CCI-001774 |
medium |
NaN |
| CCE-93022-2 |
system_settings_siri_listen_disable |
Ensure Siri Listen For is Disabled |
Siri has the ability to listen for "Hey Siri" or "Siri". The Listen for option _MUST_ be disabled. |
Configuration Profile |
/usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Siri')\ .objectForKey('VoiceTriggerUserEnabled').js EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.Siri) payload type: [source,xml] ---- <key>VoiceTriggerUserEnabled</key> <false/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.5.2 (level 1) |
4.1 4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93019-8 |
system_settings_siri_settings_disable |
Disable the System Settings Pane for Siri |
The System Settings pane for Siri _MUST_ be hidden. Hiding the System Settings pane prevents the users from configuring Siri. |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type: [source,xml] ---- <key>DisabledSystemSettings</key> <array> <string>com.apple.Siri-Settings.extension</string> </array> ---- |
CM-7 CM-7(1) CM-7(5) |
03.04.06 03.04.08 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002053 |
NaN |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-93023-0 |
system_settings_sleep_enforce |
Enforce Display Sleep (Apple Silicon) |
Display Sleep _MUST_ be enforced on Apple Silicon MacBooks. |
Script |
error_count=0 if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then ((error_count++)) fi if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then ((error_count++)) fi fi echo "$error_count" |
{'integer': 0} |
[source,bash] ---- /usr/bin/pmset -a sleep 15 /usr/bin/pmset -a displaysleep 10 ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.9.1.2 (level 2) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92989-3 |
system_settings_smbd_disable |
Disable Server Message Block Sharing |
Support for Server Message Block (SMB) file sharing is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => disabled' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl disable system/com.apple.smbd ---- The system may need to be restarted for the update to take effect. |
AC-3 AC-17 CM-7 |
03.01.02 03.04.06 |
SRG-OS-000080-GPOS-00048 |
NaN |
APPL-14-002001 |
2.3.3.3 (level 1) |
4.1 4.8 5.4 |
AC.L1-3.1.1 |
NaN |
CCI-000213 |
medium |
NaN |
| CCE-92990-1 |
system_settings_software_update_app_update_enforce |
Enforce Software Update App Update Updates Automatically |
Software Update _MUST_ be configured so that automatic installation of app updates is enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('AutomaticallyInstallAppUpdates').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>AutomaticallyInstallAppUpdates</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
1.5 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92991-9 |
system_settings_software_update_download_enforce |
Enforce Software Update Downloads Updates Automatically |
Software Update _MUST_ be configured so that automatic downloading of updates is enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('AutomaticDownload').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>AutomaticDownload</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
1.3 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92992-7 |
system_settings_software_update_enforce |
Enforce Software Update Automatically |
Software Update _MUST_ be configured so that automatic checking for updates is enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('AutomaticCheckEnabled').js EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.SoftwareUpdate) payload type: [source,xml] ---- <key>AutomaticCheckEnabled</key> <true/> ---- |
SI-2(5) |
03.14.01 03.14.02 03.13.03 |
NaN |
NaN |
NaN |
1.2 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92993-5 |
system_settings_softwareupdate_current |
Ensure Software Update is Updated and Current |
Make sure Software Update is updated and current. NOTE: Automatic fix can cause unplanned restarts and may lose work. |
Script |
softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s") thirty_days_epoch=$(/bin/date -v -30d "+%s") if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then /bin/echo "0" else /bin/echo "1" fi |
{'integer': 1} |
[source,bash] ---- /usr/sbin/softwareupdate -i -a ---- NOTE - This will apply to the whole system |
NaN |
NaN |
NaN |
NaN |
NaN |
1.1 (level 1) |
7.3 7.4 |
NaN |
NaN |
NaN |
medium |
NaN |
| CCE-92994-3 |
system_settings_ssh_disable |
Disable SSH Server for Remote Access Sessions |
SSH service _MUST_ be disabled for remote access. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled' |
{'integer': 1} |
[source,bash] ---- /usr/sbin/systemsetup -f -setremotelogin off >/dev/null /bin/launchctl disable system/com.openssh.sshd ---- NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision. |
CM-7 CM-7(1) AC-17 |
03.01.02 03.04.06 |
NaN |
NaN |
NaN |
2.3.3.5 (level 1) |
4.1 4.8 |
AC.L1-3.1.1 CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
NaN |
high |
NaN |
| CCE-92995-0 |
system_settings_ssh_enable |
Enable SSH Server for Remote Access Sessions |
Remote access sessions _MUST_ use encrypted methods to prevent unauthorized individuals from gaining access. |
Script |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => enabled' |
{'integer': 1} |
[source,bash] ---- /bin/launchctl enable system/com.openssh.sshd ---- |
IA-2(8) AC-3 CM-7 CM-7(1) AC-17 |
03.01.02 03.05.04 |
SRG-OS-000080-GPOS-00048 SRG-OS-000113-GPOS-00058 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190 |
NaN |
NaN |
NaN |
NaN |
AC.L1-3.1.1 CM.L2-3.4.6 CM.L2-3.4.7 IA.L2-3.5.4 |
NaN |
CCI-000213 CCI-001942 CCI-002420 CCI-002422 |
medium |
NaN |
| CCE-92996-8 |
system_settings_system_wide_preferences_configure |
Require Administrator Password to Modify System-Wide Preferences |
The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Settings. Some Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations. |
Script |
authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine") result="1" for section in ${authDBs[@]}; do if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then result="0" fi if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath '//*[contains(text(), "group")]/following-sibling::*[1]/text()' - ) != "admin" ]]; then result="0" fi if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "authenticate-user")]/following-sibling::*[1])' -) != "true" ]]; then result="0" fi if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "session-owner")]/following-sibling::*[1])' -) != "false" ]]; then result="0" fi done echo $result |
{'integer': 1} |
[source,bash] ---- authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine") for section in ${authDBs[@]}; do /usr/bin/security -q authorizationdb read "$section" > "/tmp/$section.plist" class_key_value=$(/usr/libexec/PlistBuddy -c "Print :class" "/tmp/$section.plist" 2>&1) if [[ "$class_key_value" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :class string user" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :class user" "/tmp/$section.plist" fi key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1) if [[ "$key_value" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :shared bool false" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :shared false" "/tmp/$section.plist" fi auth_user_key=$(/usr/libexec/PlistBuddy -c "Print :authenticate-user" "/tmp/$section.plist" 2>&1) if [[ "$auth_user_key" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :authenticate-user bool true" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :authenticate-user true" "/tmp/$section.plist" fi session_owner_key=$(/usr/libexec/PlistBuddy -c "Print :session-owner" "/tmp/$section.plist" 2>&1) if [[ "$session_owner_key" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :session-owner bool false" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :session-owner false" "/tmp/$section.plist" fi group_key=$(/usr/libexec/PlistBuddy -c "Print :group" "/tmp/$section.plist" 2>&1) if [[ "$group_key" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :group string admin" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :group admin" "/tmp/$section.plist" fi /usr/bin/security -q authorizationdb write "$section" < "/tmp/$section.plist" done ---- |
AC-6 AC-6(2) AC-6(1) |
03.01.07 |
SRG-OS-000324-GPOS-00125 |
NaN |
APPL-14-002069 |
2.6.8 (level 1) |
4.1 |
AC.L1-3.1.1 AC.L2-3.1.5 AC.L2-3.1.6 |
NaN |
CCI-002235 |
high |
NaN |
| CCE-92997-6 |
system_settings_time_machine_auto_backup_enable |
Configure Time Machine for Automatic Backups |
Automatic backups _MUST_ be enabled when using Time Machine. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\
.objectForKey('AutoBackup').js
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.TimeMachine) payload type:
[source,xml]
----
<key>AutoBackup</key>
<true/>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.3.4.1 (level 2) |
11.2 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92998-4 |
system_settings_time_machine_encrypted_configure |
Ensure Time Machine Volumes are Encrypted |
Time Machine volumes _MUST_ be encrypted. |
Manual |
error_count=0
for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do
  tmMounted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/Mounted/{print $2}')
  tmEncrypted=$(/usr/sbin/diskutil info "${tm}" 2>/dev/null | /usr/bin/awk '/FileVault/{print $2}')
  if [[ "$tmMounted" = "Yes" && "$tmEncrypted" = "No" ]]; then
    ((error_count++))
  fi
done
echo "$error_count" |
{'integer': 0} |
. Go to System Settings -> Time Machine
. Click *Select Disk*
. Select existing Backup Disk under *Available Disks*
. Click *Encrypt Backups*
. Click *Use Disk* |
NaN |
NaN |
NaN |
NaN |
NaN |
2.3.4.2 (level 1) |
3.6 3.11 11.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92999-2 |
system_settings_time_server_configure |
Configure macOS to Use an Authorized Time Server |
Approved time server _MUST_ be the only server configured for use. As of macOS 10.13 only one time server is supported. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('timeServer').js
EOS |
{'string': 'time.nist.gov'} |
Create a configuration profile containing the following keys in the (com.apple.MCX) payload type:
[source,xml]
----
<key>timeServer</key>
<string>time.nist.gov</string>
---- |
AU-12(1) SC-45(1) |
03.03.07 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
NaN |
APPL-14-000170 |
2.3.2.1 (level 1) |
8.4 |
AU.L2-3.3.7 |
NaN |
CCI-001891 CCI-002046 |
medium |
NaN |
| CCE-93000-8 |
system_settings_time_server_enforce |
Enforce macOS Time Synchronization |
Time synchronization _MUST_ be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\
.objectForKey('TMAutomaticTimeOnlyEnabled').js
EOS |
{'string': 'true'} |
NOTE: The following settings are in the (com.apple.ManagedClient.preferences) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.
Create a configuration profile containing the following keys in the (com.apple.timed) payload type:
[source,xml]
----
<key>TMAutomaticTimeOnlyEnabled</key>
<true/>
---- |
AU-12(1) SC-45(1) |
03.03.07 |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
NaN |
APPL-14-000014 |
2.3.2.1 (level 1) |
8.4 |
AU.L2-3.3.7 |
NaN |
CCI-001891 CCI-002046 |
medium |
NaN |
| CCE-93001-6 |
system_settings_token_removal_enforce |
Configure User Session Lock When a Smart Token is Removed |
The screen lock _MUST_ be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, it prevents a malicious user from accessing the information system when a user has removed their smart token.
[IMPORTANT]
====
Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('tokenRemovalAction').js
EOS |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.security.smartcard) payload type:
[source,xml]
----
<key>tokenRemovalAction</key>
<integer>1</integer>
---- |
AC-11 |
03.01.10 |
SRG-OS-000030-GPOS-00011 |
NaN |
APPL-14-000005 |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000058 |
medium |
NaN |
| CCE-93020-6 |
system_settings_touch_id_settings_disable |
Disable the Touch ID System Settings Pane |
The System Settings pane for Touch ID _MUST_ be disabled. Disabling the System Settings pane prevents the users from configuring Touch ID. |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.Touch-ID-Settings.extension" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>DisabledSystemSettings</key>
<array>
  <string>com.apple.Touch-ID-Settings.extension</string>
</array>
---- |
CM-7 CM-7(1) CM-7(5) |
03.04.06 03.04.08 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002051 |
NaN |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-93003-2 |
system_settings_touchid_unlock_disable |
Disable TouchID for Unlocking the Device |
TouchID enables the ability to unlock a Mac system with a user's fingerprint. TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID. The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method. NOTE: TouchID is not an approved biometric authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFingerprintForUnlock').js
EOS |
{'string': 'false'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowFingerprintForUnlock</key>
<false/>
---- |
IA-5 |
03.05.12 |
SRG-OS-000028-GPOS-00009 |
NaN |
APPL-14-002090 |
NaN |
NaN |
AC.L2-3.1.10 |
NaN |
CCI-000056 |
medium |
NaN |
| CCE-93004-0 |
system_settings_usb_restricted_mode |
USB Devices Must be Authorized Before Allowing |
USB devices connected to a Mac _MUST_ be authorized.
[IMPORTANT]
====
This feature is removed if a smartcard is paired or smartcard attribute mapping is configured.
==== |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('allowUSBRestrictedMode'))
  if ( pref1 == false ) {
    return("false")
  } else {
    return("true")
  }
}
EOS |
{'string': 'true'} |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type:
[source,xml]
----
<key>allowUSBRestrictedMode</key>
<true/>
---- |
MP-7 SC-41 |
03.08.07 |
SRG-OS-000378-GPOS-00163 |
NaN |
APPL-14-005090 |
NaN |
NaN |
MP.L2-3.8.7 MP.L2-3.8.8 |
NaN |
CCI-001958 |
medium |
NaN |
| CCE-93005-7 |
system_settings_wake_network_access_disable |
Ensure Wake for Network Access Is Disabled |
Wake for network access _MUST_ be disabled. |
Script |
/usr/bin/pmset -g custom | /usr/bin/awk '/womp/ { sum+=$2 } END {print sum}' |
{'integer': 0} |
[source,bash]
----
/usr/bin/pmset -a womp 0
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.9.3 (level 1) |
4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93021-4 |
system_settings_wallet_applepay_settings_disable |
Disable the System Settings Pane for Wallet and Apple Pay |
The System Settings pane for Wallet and Apple Pay _MUST_ be disabled. Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay. |
Configuration Profile |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.WalletSettingsExtension" |
{'integer': 1} |
Create a configuration profile containing the following keys in the (com.apple.systempreferences) payload type:
[source,xml]
----
<key>DisabledSystemSettings</key>
<array>
  <string>com.apple.WalletSettingsExtension</string>
</array>
---- |
CM-7 CM-7(1) CM-7(5) |
03.04.06 03.04.08 |
SRG-OS-000095-GPOS-00049 |
NaN |
APPL-14-002052 |
NaN |
4.1 4.8 |
CM.L2-3.4.6 CM.L2-3.4.7 |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-93008-1 |
system_settings_wifi_disable |
Disable Wi-Fi Interface |
The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. |
Script |
/usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi" |
{'integer': 1} |
To disable Wi-Fi on a macOS system, run the following command.
[source,bash]
----
/usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
---- |
AC-4 AC-18 AC-18(1) AC-18(3) |
03.01.03 03.01.16 |
NaN |
NaN |
NaN |
NaN |
4.2 12.6 |
AC.L2-3.1.3 AC.L2-3.1.16 AC.L2-3.1.17 |
NaN |
NaN |
medium |
NaN |
| CCE-93010-7 |
system_settings_wifi_menu_enable |
Enable Wifi Menu |
The WiFi menu _MUST_ be enabled. |
Configuration Profile |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
.objectForKey('WiFi').js
EOS |
{'integer': 18} |
Create a configuration profile containing the following keys in the (com.apple.controlcenter) payload type:
[source,xml]
----
<key>WiFi</key>
<integer>18</integer>
---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.4.1 (level 1) |
4.8 12.6 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92728-5 |
audit_record_reduction_report_generation |
Audit Record Reduction and Report Generation |
The system _IS_ configured with the ability to provide and implement an audit record reduction and report generation capability. Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AU-7 |
03.03.06 |
SRG-OS-000351-GPOS-00139 SRG-OS-000349-GPOS-00137 SRG-OS-000348-GPOS-00136 SRG-OS-000354-GPOS-00142 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000122-GPOS-00063 |
NaN |
NaN |
NaN |
NaN |
AU.L2-3.3.6 |
NaN |
NaN |
NaN |
NaN |
| CCE-92757-4 |
os_allow_info_passed |
Allow Information Transfer with Other Operating Systems |
The information system _IS_ configured to allow the transfer of information to and from other operating systems and users. The macOS is a UNIX 03-compliant operating system, which allows owners of objects to have discretion over who should be authorized to access information. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00122 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92760-8 |
os_application_sandboxing |
Ensure Separate Execution Domain for Processes |
The inherent configuration of the macOS _IS_ in compliance, as Apple has implemented multiple features: mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-39 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92775-6 |
os_change_security_attributes |
Allow Administrators to Modify Security Settings and System Attributes |
The information system _IS_ configured to allow administrators to modify security settings and system attributes. The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00123 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92779-8 |
os_crypto_audit |
Protect Audit Integrity with Cryptographic Mechanisms |
The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume encryption highly efficient. link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] NOTE: This will only apply to a Mac that includes a T2 security chip. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AU-9(3) |
NaN |
SRG-OS-000278-GPOS-00108 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92784-8 |
os_enforce_access_restrictions |
Enforce Access Restrictions |
The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
CM-5(1) |
NaN |
SRG-OS-000364-GPOS-00151 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92786-3 |
os_error_message |
Generate Error Messages without Exploitable Information |
The information system _IS_ configured to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92789-7 |
os_fail_secure_state |
Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails |
The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. link:https://developer.apple.com/videos/play/wwdc2017/715/[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-24 |
NaN |
SRG-OS-000269-GPOS-00103 SRG-OS-000184-GPOS-00078 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92797-0 |
os_grant_privs |
Allow Administrators to Promote Other Users to Administrator Status |
The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3(4) |
NaN |
SRG-OS-000312-GPOS-00124 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92808-5 |
os_implement_cryptography |
Configure the System to Implement Approved Cryptography to Protect Information |
The information system _IS_ configured to implement approved cryptography to protect information. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] link:https://support.apple.com/en-us/HT201159[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-13 |
03.13.11 |
SRG-OS-000478-GPOS-00223 SRG-OS-000033-GPOS-00014 SRG-OS-000396-GPOS-00176 |
NaN |
NaN |
NaN |
NaN |
MP.L2-3.8.6 SC.L2-3.13.11 |
NaN |
NaN |
NaN |
NaN |
| CCE-92809-3 |
os_implement_memory_protection |
Configure the System to Protect Memory from Unauthorized Code Execution |
The information system _IS_ configured to implement non-executable data to protect memory from code execution. Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-16 |
NaN |
SRG-OS-000433-GPOS-00193 SRG-OS-000433-GPOS-00192 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92813-5 |
os_isolate_security_functions |
Configure the System to Separate User and System Functionality |
The information system _IS_ configured to isolate security functions from non-security functions. link:https://support.apple.com/guide/security/welcome/web[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-3 |
NaN |
SRG-OS-000134-GPOS-00068 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92815-0 |
os_limit_auditable_events |
Only allow authorized users to select auditable events |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92817-6 |
os_limit_gui_sessions |
Limit Concurrent GUI Sessions to 10 for all Accounts |
The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-10 |
NaN |
SRG-OS-000027-GPOS-00008 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92818-4 |
os_logical_access |
Enforce Approved Authorization for Logical Access |
The information system _IS_ configured to enforce an approved authorization process before granting users logical access. The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-3 |
03.01.02 |
SRG-OS-000080-GPOS-00048 |
NaN |
NaN |
NaN |
3.3 6.7 |
AC.L1-3.1.1 |
NaN |
NaN |
NaN |
NaN |
| CCE-92819-2 |
os_logoff_capability_and_message |
Display logoff capability and message to prevent exploitation |
Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to the system. Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-12(1) AC-12(2) |
NaN |
SRG-OS-000280-GPOS-00110 SRG-OS-000281-GPOS-00111 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92821-8 |
os_malicious_code_prevention |
Ensure the System Implements Malicious Code Protection Mechanisms |
The inherent configuration of the macOS _IS_ in compliance, as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention.
1. The first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code:
* The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware.
* XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware.
* In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when:
** an app is first launched,
** an app has been changed (in the file system), and
** XProtect signatures are updated.
* YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly.
* Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running.
* Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner.
2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code:
* XProtect (defined above).
* Gatekeeper (defined above).
* Notarization (defined above).
3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code:
* Apple's XProtect: a technology included on all macOS systems. XProtect will remediate infections upon receiving updated information and when infections are detected.
link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-3 |
03.14.02 |
NaN |
NaN |
NaN |
NaN |
10.1 10.2 10.5 |
SI.L1-3.14.1 SI.L1-3.14.2 SI.L1-3.14.4 |
NaN |
NaN |
NaN |
NaN |
| CCE-92823-4 |
os_map_pki_identity |
Map identity for PKI based authentication |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. |
The control cannot be configured out of compliance. |
For directory bound systems, the technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92826-7 |
os_mfa_network_access |
Enforce multifactor authentication for network access to privileged accounts |
The information system implements multifactor authentication for network access to privileged accounts. |
The control cannot be configured out of compliance. |
For directory bound systems: The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
5.6 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92827-5 |
os_mfa_network_non-priv |
Enforce multifactor authentication for network access to non-privileged accounts |
The information system implements multifactor authentication for network access to non-privileged accounts. |
The control cannot be configured out of compliance. |
For directory bound systems: The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
For directory bound systems, the technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92840-8 |
os_obscure_password |
Obscure Passwords |
The information system _IS_ configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals. The inherent configuration of a macOS uses NSSecureTextField for any text field that receives a password, which automatically obscures text which is entered. link:https://developer.apple.com/documentation/appkit/nssecuretextfield[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-6 IA-5 |
03.05.11 |
SRG-OS-000079-GPOS-00047 |
NaN |
NaN |
NaN |
4.1 |
IA.L2-3.5.8 IA.L2-3.5.9 IA.L2-3.5.11 |
NaN |
NaN |
NaN |
NaN |
| CCE-92847-3 |
os_peripherals_identify |
The macOS system must uniquely identify peripherals before establishing a connection. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92855-6 |
os_predictable_behavior |
Must behave in predictable and documented manner |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-10(3) |
NaN |
SRG-OS-000432-GPOS-00191 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92856-4 |
os_prevent_priv_execution |
Prevent Software From Executing at Higher Privilege Levels than Users Executing The Software |
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. The inherent configuration of macOS does not allow non-privileged users to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-6(8) |
03.01.07 |
SRG-OS-000326-GPOS-00126 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92857-2 |
os_prevent_priv_functions |
Configure the System to Block Non-Privileged Users from Executing Privileged Functions |
The information system _IS_ configured to block standard users from executing privileged functions. Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-6(10) |
03.01.07 |
SRG-OS-000324-GPOS-00125 |
NaN |
NaN |
NaN |
NaN |
AC.L2-3.1.7 |
NaN |
NaN |
NaN |
NaN |
| CCE-92858-0 |
os_prevent_unauthorized_disclosure |
Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources |
The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-4 |
03.13.04 |
SRG-OS-000138-GPOS-00069 |
NaN |
NaN |
NaN |
NaN |
SC.L2-3.13.4 |
NaN |
NaN |
NaN |
NaN |
| CCE-92861-4 |
os_prohibit_remote_activation_collab_devices |
Prohibit Remote Activation of Collaborative Computing Devices |
The inherent configuration of macOS _IS_ in compliance. Apple has implemented a green light physically next to the camera that glows when the camera is activated. An orange dot indicator next to the Control Center menu item shows when the system's microphone is listening or activated. macOS has built into the system the ability to grant or deny access to the camera and microphone, which requires the application to have an entitlement to use the device. link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[] |
The control cannot be configured out of compliance. |
The technology partially supports this requirement and cannot be configured to be in full compliance. |
NaN |
The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance. |
SC-15 |
03.13.12 |
NaN |
NaN |
NaN |
NaN |
NaN |
SC.L2-3.13.12 |
NaN |
NaN |
NaN |
NaN |
| CCE-92864-8 |
os_provide_disconnect_remote_access |
Provide Ability to Disconnect or Disable Remote Access |
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped. Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems. The remote access functionality (e.g., SSH) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-17(9) |
NaN |
SRG-OS-000298-GPOS-00116 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92868-9 |
os_reauth_privilege |
Require users to reauthenticate for privilege escalation |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-11 |
03.05.01 |
SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00156 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92869-7 |
os_reauth_users_change_authenticators |
Require users to reauthenticate when changing authenticators |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change user authenticators, it is critical the user reauthenticate. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-11 |
03.05.01 |
SRG-OS-000373-GPOS-00158 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92871-3 |
os_remote_access_methods |
Control remote access methods |
The information system monitors and controls remote access methods. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92873-9 |
os_remove_software_components_after_updates |
Must remove all software components after updated versions installed |
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SI-2(6) |
NaN |
SRG-OS-000437-GPOS-00194 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92874-7 |
os_required_crypto_module |
Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met |
The inherent configuration of macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. macOS contains many open source projects that may use their own cryptographic libraries, typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS validation of the CoreCrypto and CoreCrypto Kernel modules. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] link:https://support.apple.com/en-us/HT201159[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-7 |
NaN |
SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92884-6 |
os_secure_enclave |
Protected Storage for Cryptographic Keys |
A system _IS_ configured to provide protected storage for cryptographic keys either by a hardware-protected key store or an organizationally defined safeguard. Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the Secure Enclave. link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This check will only return a proper result on T2 or Apple Silicon Macs. |
The control cannot be configured out of compliance. |
/usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? |
{'integer': 0} |
The hardware does not support the requirement. |
SC-28(3) |
NaN |
SRG-OS-000404-GPOS-00183 SRG-OS-000405-GPOS-00184 |
NaN |
NaN |
NaN |
NaN |
SC.L2-3.13.10 |
NaN |
NaN |
NaN |
NaN |
| CCE-92886-1 |
os_separate_functionality |
Configure the System to Separate User and System Functionality |
The information system _IS_ configured to separate user and system functionality. Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
SC-2 MA-4(1) |
03.01.03 03.01.05 03.01.07 |
SRG-OS-000132-GPOS-00067 |
NaN |
NaN |
NaN |
NaN |
SC.L2-3.13.3 |
NaN |
NaN |
NaN |
NaN |
| CCE-92907-5 |
os_store_encrypted_passwords |
Encrypt Stored Passwords |
The information system _IS_ configured to encrypt stored passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. link:https://developer.apple.com/documentation/opendirectory/kodattributetypeauthenticationauthority[] |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-5(1) IA-5(1)(c) |
03.05.07 |
SRG-OS-000073-GPOS-00041 |
NaN |
NaN |
NaN |
3.11 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92913-3 |
os_terminate_session |
Terminate all sessions and network connections when maintenance is completed |
Terminates sessions and network connections when non-local maintenance is completed. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92918-2 |
os_unique_identification |
Uniquely Identify Users and Processes |
The macOS is a UNIX 03-compliant operating system. The system uniquely identifies and authenticates organizational users or processes. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-4 |
03.05.05 |
NaN |
NaN |
NaN |
NaN |
5.1 6.1 |
IA.L2-3.5.5 |
NaN |
NaN |
NaN |
NaN |
| CCE-92922-4 |
os_verify_remote_disconnection |
Verify remote disconnection of sessions |
The information system implements remote disconnect verification at the termination of non-local maintenance and diagnostic sessions. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
MA-4(7) |
NaN |
SRG-OS-000395-GPOS-00175 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92930-7 |
pwpolicy_emergency_accounts_disable |
Automatically Remove or Disable Emergency Accounts within 72 Hours |
The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-2(2) |
NaN |
SRG-OS-000002-GPOS-00002 SRG-OS-000123-GPOS-00064 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92931-5 |
pwpolicy_force_password_change |
Force Password Change at Next Logon |
The macOS is able to be configured to force users to change their password at next logon. Temporary passwords are often used for new users when accounts are created. However, once logged in to the system, users must be immediately prompted to change to a permanent password of their own creation. To require a user to change their password at next logon, run the following command: [source,bash] ---- /usr/bin/pwpolicy -u [USER] -setpolicy "newPasswordRequired=1" ---- NOTE: Replace [USER] with the username that must change the password at next logon. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
IA-5(1) |
03.05.07 |
SRG-OS-000380-GPOS-00165 |
NaN |
NaN |
NaN |
5.2 |
IA.L2-3.5.7 IA.L2-3.5.8 IA.L2-3.5.9 |
NaN |
NaN |
NaN |
NaN |
| CCE-92941-4 |
pwpolicy_temporary_accounts_disable |
Automatically Remove or Disable Temporary User Accounts within 72 Hours |
The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary accounts defined on the system, this is Not Applicable. |
The control cannot be configured out of compliance. |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. |
NaN |
The technology inherently meets this requirement. No fix is required. |
AC-2(2) |
NaN |
SRG-OS-000002-GPOS-00002 SRG-OS-000123-GPOS-00064 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92703-8 |
audit_alert_processing_fail |
Alert Audit Processing Failure |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92710-3 |
audit_enforce_dual_auth |
Enforce Dual Authorization for Movement and Deletion of Audit Information |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed. An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation. To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-9(5) |
NaN |
SRG-OS-000360-GPOS-00147 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92727-7 |
audit_off_load_records |
Off-Load Audit Records |
Audit records should be off-loaded onto a different system or media from the system being audited. Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-4(1) |
NaN |
SRG-OS-000479-GPOS-00224 SRG-OS-000342-GPOS-00133 |
NaN |
NaN |
NaN |
8.9 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92729-3 |
audit_records_processing |
Audit Record Reduction and Report Generation |
The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AU-7(1) |
NaN |
SRG-OS-000350-GPOS-00138 SRG-OS-000054-GPOS-00025 |
NaN |
NaN |
NaN |
NaN |
AU.L2-3.3.6 |
NaN |
NaN |
NaN |
NaN |
| CCE-92763-2 |
os_auth_peripherals |
Must Authenticate Before Establishing a Connection |
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to apply the control only to the limited number (and type) of devices that truly need to support this capability. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does support this requirement; however, third-party solutions are required to implement it at an infrastructure level. |
NaN |
This requirement is a permanent finding and can be fixed by implementing a third-party solution. |
IA-3 |
03.05.02 |
SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
NaN |
NaN |
NaN |
13.9 |
IA.L1-3.5.2 |
NaN |
NaN |
NaN |
NaN |
| CCE-92778-0 |
os_continuous_monitoring |
Configure Automated Flaw Remediation |
The macOS system _MUST_ be configured to determine the state of system components with regard to flaw remediation. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SI-2(2) |
NaN |
SRG-OS-000191-GPOS-00080 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92816-8 |
os_limit_dos_attacks |
Limit Impact of Denial of Service Attacks |
The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity, often resulting in an inability to accomplish its mission. To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. |
The control is not able to be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-5(2) |
NaN |
SRG-OS-000142-GPOS-00071 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92834-1 |
os_notify_account_created |
Configure the System to Notify upon Account Created Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000304-GPOS-00121 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92835-8 |
os_notify_account_disabled |
Configure the System to Notify upon Account Disabled Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are disabled. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92836-6 |
os_notify_account_enable |
Configure the System to Notify upon Account Enabled Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000304-GPOS-00121 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92837-4 |
os_notify_account_modified |
Configure the System to Notify upon Account Modified Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. To enable notifications and audit logging of modified accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92838-2 |
os_notify_account_removal |
Configure the System to Notify upon Account Removed Actions |
The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed. When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000004-GPOS-00004 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92839-0 |
os_notify_unauthorized_baseline_change |
Configure the System to Notify upon Baseline Configuration Changes |
The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and IMOs when baseline configurations are modified. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
CM-3(5) |
NaN |
SRG-OS-000363-GPOS-00150 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92862-2 |
os_protect_dos_attacks |
Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces |
The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity, often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-5 |
NaN |
SRG-OS-000420-GPOS-00186 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92863-0 |
os_provide_automated_account_management |
Employ Automated Mechanisms for Account Management Functions |
The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms guards against human error and provides a faster and more efficient means of relaying time-sensitive account management information. To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-2(1) |
NaN |
SRG-OS-000001-GPOS-00001 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92867-1 |
os_reauth_devices_change_authenticators |
Require Devices to Reauthenticate when Changing Authenticators |
The macOS should be configured to require users to reauthenticate when the device authenticator is changed. Without reauthentication, users may access resources or perform tasks for which they are not authorized. When operating systems provide the capability to change device authenticators, it is critical that the device reauthenticate. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
IA-11 |
03.05.01 |
SRG-OS-000374-GPOS-00159 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92885-3 |
os_secure_name_resolution |
Secure Name Address Resolution Service |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. NOTE: macOS supports encrypted DNS settings through the com.apple.dnsSettings.managed payload; however, the system must also be integrated with a DNS server that supports encrypted DNS. link:https://developer.apple.com/documentation/devicemanagement/dnssettings[] |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
SC-21 |
NaN |
NaN |
NaN |
NaN |
NaN |
4.9 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92925-7 |
pwpolicy_50_percent |
Require a Minimum of Fifty Percent Character Change in New Passwords |
The macOS should be configured to require users to change at least 50% of the characters when setting a new password. If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
03.05.07 |
SRG-OS-000072-GPOS-00040 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92938-0 |
pwpolicy_prevent_dictionary_words |
Prevent the Use of Dictionary Words for Passwords |
The macOS should be configured to prevent users from using dictionary words as passwords. If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
NaN |
NaN |
SRG-OS-000480-GPOS-00225 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93009-9 |
system_settings_wifi_disable_when_connected_to_ethernet |
Disable Wi-Fi When Connected to Ethernet |
The macOS should be configured to automatically disable Wi-Fi when connected to Ethernet. The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. |
The control cannot be configured to meet the requirement. It is recommended to implement a third-party solution to meet the control. |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-4 AC-18(1) AC-18(3) |
03.01.03 03.01.16 |
NaN |
NaN |
NaN |
NaN |
NaN |
AC.L2-3.1.3 AC.L2-3.1.17 |
NaN |
NaN |
NaN |
NaN |
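The rule above records a permanent finding: macOS has no built-in setting that turns Wi-Fi off when a wired link comes up, so the organization must deploy a compensating mitigation. The script below is an added example and is not part of the mSCP rule or its fix text; it does not clear the finding. It parses the output of `networksetup -listallhardwareports` to find the Wi-Fi device and the wired Ethernet devices, checks each wired device's link state with `ifconfig`, and, when any wired link is active, turns Wi-Fi off with `networksetup -setairportpower`. The port listing embedded in the script is a constructed sample used only for offline testing of the parsers; the `WIFI_POLICY_ENFORCE` environment variable that gates live enforcement is an assumption of this example. Live enforcement requires root and would typically be triggered by a launchd job or a periodic check.

```shell
#!/bin/sh
# Added example (not part of the mSCP rule): mitigation that disables Wi-Fi
# while any wired Ethernet port has an active link. Output formats assumed
# are those of macOS `networksetup -listallhardwareports` and `ifconfig`.

# Constructed sample of `networksetup -listallhardwareports` output, used to
# exercise the parsers offline. Real output lists one block per port.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: Thunderbolt Ethernet Slot 0
Device: en5
Ethernet Address: 00:11:22:33:44:66

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 00:11:22:33:44:77'

# Print the BSD device for the named hardware port ("Wi-Fi" -> en0).
# Reads the port listing on stdin.
port_to_device() {
  awk -v port="$1" '
    $0 == ("Hardware Port: " port) { hit = 1; next }
    hit && /^Device: / { print $2; exit }
  '
}

# Print the BSD device of every wired Ethernet port, one per line.
# Port names containing "Ethernet" or "LAN" count as wired; the virtual
# Thunderbolt Bridge is skipped. Reads the port listing on stdin.
list_wired_devices() {
  awk '
    /^Hardware Port: / { port = substr($0, 16); next }
    /^Device: / && port ~ /Ethernet|LAN/ && port !~ /Bridge/ { print $2 }
  '
}

# Succeed when `ifconfig <dev>` output on stdin reports an active link.
link_is_active() {
  grep -q '^[[:space:]]*status: active$'
}

# Pure decision: given the wired devices and the devices that currently have
# an active link (whitespace-separated), print "off" if Wi-Fi should be
# disabled and "on" otherwise. Kept free of system calls so it is testable.
wifi_target_state() {
  local wired="$1" active="$2" dev
  for dev in $wired; do
    case " $active " in
      *" $dev "*) echo off; return 0 ;;
    esac
  done
  echo on
}

# Live enforcement (macOS, root): query the system and apply the decision.
enforce_wifi_policy() {
  local ports wifi wired active="" dev
  ports=$(networksetup -listallhardwareports)
  wifi=$(printf '%s\n' "$ports" | port_to_device "Wi-Fi")
  wired=$(printf '%s\n' "$ports" | list_wired_devices)
  for dev in $wired; do
    if ifconfig "$dev" 2>/dev/null | link_is_active; then
      active="$active $dev"
    fi
  done
  [ -n "$wifi" ] || return 1
  networksetup -setairportpower "$wifi" "$(wifi_target_state "$wired" "$active")"
}

# Only touch the system on macOS and when explicitly asked (assumed gate for
# this example); otherwise the file just defines the functions above.
if [ "$(uname)" = "Darwin" ] && [ "${WIFI_POLICY_ENFORCE:-0}" = "1" ]; then
  enforce_wifi_policy
fi
```

Run it as `sudo WIFI_POLICY_ENFORCE=1 sh wifi_policy.sh` from a launchd job that fires on network changes. The decision is deliberately separated from the system calls so the policy can be unit-tested against captured `networksetup` output before it is allowed to change interface state on a fleet.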
| CCE-92755-8 |
os_access_control_mobile_devices |
Access Control for Mobile Devices |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. |
Manual |
The technology does not support this requirement. This is an applicable-does not meet finding. |
NaN |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed. |
AC-19 |
03.01.18 |
NaN |
NaN |
NaN |
NaN |
6.4 |
AC.L2-3.1.18 |
NaN |
NaN |
NaN |
NaN |
| CCE-92807-7 |
os_identify_non-org_users |
Configure the System to Uniquely Identify and Authenticate Non-Organizational Users |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
IA-8 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92810-1 |
os_information_validation |
Information Input Validation |
Check the validity of the following information inputs: organization-defined information inputs to the systems. Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-10 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92822-6 |
os_managed_access_control_points |
Managed Access Control Points |
Route remote accesses through authorized and managed network access control points. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
AC-17(3) |
03.01.12 |
NaN |
NaN |
NaN |
NaN |
NaN |
AC.L2-3.1.14 |
NaN |
NaN |
NaN |
NaN |
| CCE-92832-5 |
os_non_repudiation |
Non-Repudiation |
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation. Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
AU-10 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92833-3 |
os_nonlocal_maintenance |
Configure the System for Non-local Maintenance |
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
MA-4 |
03.07.05 |
NaN |
NaN |
NaN |
NaN |
NaN |
MA.L2-3.7.5 |
NaN |
NaN |
NaN |
NaN |
| CCE-92848-1 |
os_pii_deidentification |
Remove Elements of Personally Identifiable Information from Datasets |
Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information; and evaluate, at an organization-defined frequency, the effectiveness of the de-identification. De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating the effectiveness of the de-identification over time support the management of this residual risk. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-19 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92849-9 |
os_pii_quality_control |
Personally Identifiable Information Quality Operations |
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle at an organization-defined frequency; and correct or delete inaccurate or outdated personally identifiable information. Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SI-18 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-92859-8 |
os_privacy_principle_minimization |
Implement the Privacy Principle of Minimization |
Implement the privacy principle of minimization using organization-defined processes. The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization. |
Manual |
This requirement is NA for this technology. |
NaN |
The requirement is NA. No fix is required. |
SA-8(33) |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |