From 5acbdbd21e8397cdb0a6fb80e7b1dc5c3397b7c0 Mon Sep 17 00:00:00 2001 
From: Dan Brodjieski
Date: Thu, 14 Sep 2023 14:21:06 -0400
Subject: [PATCH] chore: clean up extraneous trailing whitespace
---
CONTRIBUTING.adoc | 16 +-
LICENSE.md | 22 +-
README.adoc | 6 +-
baselines/all_rules.yaml | 2 +-
includes/enablePF-mscp.sh | 8 +-
includes/mscp-data.yaml | 12 +-
includes/supported_payloads.yaml | 2 +-
rules/audit/audit_auditd_enabled.yaml | 2 +-
.../audit_configure_capacity_notify.yaml | 8 +-
rules/audit/audit_control_acls_configure.yaml | 2 +-
rules/audit/audit_enforce_dual_auth.yaml | 6 +-
rules/audit/audit_failure_halt.yaml | 20 +-
rules/audit/audit_files_group_configure.yaml | 2 +-
rules/audit/audit_files_mode_configure.yaml | 2 +-
rules/audit/audit_files_owner_configure.yaml | 4 +-
rules/audit/audit_flags_aa_configure.yaml | 22 +-
rules/audit/audit_flags_ex_configure.yaml | 10 +-
rules/audit/audit_flags_fm_configure.yaml | 4 +-
.../audit_flags_fm_failed_configure.yaml | 14 +-
rules/audit/audit_folder_group_configure.yaml | 2 +-
rules/audit/audit_folder_owner_configure.yaml | 2 +-
rules/audit/audit_folders_mode_configure.yaml | 4 +-
rules/audit/audit_off_load_records.yaml | 4 +-
...it_record_reduction_report_generation.yaml | 8 +-
rules/audit/audit_records_processing.yaml | 6 +-
rules/auth/auth_smartcard_allow.yaml | 6 +-
...rtcard_certificate_trust_enforce_high.yaml | 8 +-
...rd_certificate_trust_enforce_moderate.yaml | 4 +-
...h_ssh_password_authentication_disable.yaml | 12 +-
rules/icloud/icloud_addressbook_disable.yaml | 2 +-
...cloud_appleid_preference_pane_disable.yaml | 2 +-
rules/icloud/icloud_game_center_disable.yaml | 16 +-
rules/icloud/icloud_notes_disable.yaml | 2 +-
.../icloud/icloud_private_relay_disable.yaml | 16 +-
rules/icloud/icloud_reminders_disable.yaml | 2 +-
rules/icloud/icloud_sync_disable.yaml | 4 +-
rules/os/os_airdrop_disable.yaml | 2 +-
rules/os/os_appleid_prompt_disable.yaml | 2 +-
rules/os/os_application_sandboxing.yaml | 4 +-
rules/os/os_auth_peripherals.yaml | 4 +-
rules/os/os_authenticated_root_enable.yaml | 8 +-
rules/os/os_calendar_app_disable.yaml | 4 +-
rules/os/os_change_security_attributes.yaml | 6 +-
.../os_config_profile_ui_install_disable.yaml | 6 +-
rules/os/os_continuous_monitoring.yaml | 2 +-
rules/os/os_crypto_audit.yaml | 12 +-
.../os/os_directory_services_configured.yaml | 4 +-
rules/os/os_enforce_access_restrictions.yaml | 4 +-
rules/os/os_facetime_app_disable.yaml | 8 +-
rules/os/os_fail_secure_state.yaml | 6 +-
rules/os/os_filevault_autologin_disable.yaml | 2 +-
.../os/os_firewall_default_deny_require.yaml | 4 +-
rules/os/os_firewall_log_enable.yaml | 10 +-
rules/os/os_gatekeeper_rearm.yaml | 4 +-
rules/os/os_grant_privs.yaml | 4 +-
rules/os/os_guest_folder_removed.yaml | 6 +-
...s_hibernate_mode_apple_silicon_enable.yaml | 6 +-
...ate_mode_destroyfvkeyonstandby_enable.yaml | 4 +-
rules/os/os_hibernate_mode_intel_enable.yaml | 4 +-
rules/os/os_home_folders_default.yaml | 16 +-
rules/os/os_home_folders_secure.yaml | 2 +-
rules/os/os_implement_cryptography.yaml | 6 +-
rules/os/os_implement_memory_protection.yaml | 6 +-
rules/os/os_information_validation.yaml | 2 +-
.../os_install_log_retention_configure.yaml | 4 +-
rules/os/os_ir_support_disable.yaml | 12 +-
rules/os/os_isolate_security_functions.yaml | 4 +-
rules/os/os_library_validation_enabled.yaml | 4 +-
rules/os/os_limit_dos_attacks.yaml | 4 +-
rules/os/os_limit_gui_sessions.yaml | 2 +-
rules/os/os_logical_access.yaml | 4 +-
rules/os/os_mail_app_disable.yaml | 10 +-
rules/os/os_malicious_code_prevention.yaml | 22 +-
rules/os/os_mdm_require.yaml | 8 +-
rules/os/os_messages_app_disable.yaml | 6 +-
rules/os/os_mobile_file_integrity_enable.yaml | 4 +-
rules/os/os_nonlocal_maintenance.yaml | 2 +-
rules/os/os_notify_account_created.yaml | 4 +-
rules/os/os_notify_account_disabled.yaml | 2 +-
rules/os/os_notify_account_enable.yaml | 4 +-
rules/os/os_notify_account_modified.yaml | 4 +-
rules/os/os_notify_account_removal.yaml | 4 +-
...s_notify_unauthorized_baseline_change.yaml | 4 +-
rules/os/os_parental_controls_enable.yaml | 8 +-
rules/os/os_password_autofill_disable.yaml | 2 +-
rules/os/os_password_hint_remove.yaml | 4 +-
rules/os/os_password_proximity_disable.yaml | 4 +-
rules/os/os_password_sharing_disable.yaml | 4 +-
rules/os/os_peripherals_identify.yaml | 4 +-
.../os_policy_banner_loginwindow_enforce.yaml | 12 +-
rules/os/os_policy_banner_ssh_configure.yaml | 14 +-
rules/os/os_policy_banner_ssh_enforce.yaml | 16 +-
rules/os/os_power_nap_disable.yaml | 2 +-
rules/os/os_power_nap_enable.yaml | 4 +-
rules/os/os_prevent_priv_execution.yaml | 6 +-
rules/os/os_prevent_priv_functions.yaml | 8 +-
.../os_prevent_unauthorized_disclosure.yaml | 6 +-
...ibit_remote_activation_collab_devices.yaml | 6 +-
rules/os/os_protect_dos_attacks.yaml | 6 +-
..._provide_automated_account_management.yaml | 2 +-
.../os/os_rapid_security_response_allow.yaml | 8 +-
...pid_security_response_removal_disable.yaml | 10 +-
..._reauth_devices_change_authenticators.yaml | 4 +-
rules/os/os_recovery_lock_enable.yaml | 16 +-
rules/os/os_required_crypto_module.yaml | 4 +-
rules/os/os_root_disable.yaml | 4 +-
...advertising_privacy_protection_enable.yaml | 2 +-
...os_safari_open_safe_downloads_disable.yaml | 2 +-
...fari_show_full_website_address_enable.yaml | 2 +-
...safari_warn_fraudulent_website_enable.yaml | 2 +-
.../os_screensaver_loginwindow_enforce.yaml | 10 +-
rules/os/os_secure_boot_verify.yaml | 4 +-
rules/os/os_secure_enclave.yaml | 6 +-
rules/os/os_separate_functionality.yaml | 10 +-
.../os_show_filename_extensions_enable.yaml | 4 +-
rules/os/os_software_update_deferral.yaml | 2 +-
rules/os/os_ssh_fips_compliant.yaml | 8 +-
..._ssh_server_alive_count_max_configure.yaml | 8 +-
...s_ssh_server_alive_interval_configure.yaml | 10 +-
.../os/os_sshd_channel_timeout_configure.yaml | 10 +-
...sshd_client_alive_count_max_configure.yaml | 8 +-
..._sshd_client_alive_interval_configure.yaml | 12 +-
rules/os/os_sshd_fips_compliant.yaml | 10 +-
...d_unused_connection_timeout_configure.yaml | 10 +-
.../os_sudoers_timestamp_type_configure.yaml | 6 +-
rules/os/os_system_read_only.yaml | 4 +-
.../os_terminal_secure_keyboard_enable.yaml | 4 +-
rules/os/os_tftpd_disable.yaml | 2 +-
rules/os/os_time_offset_limit_configure.yaml | 8 +-
...os_unlock_active_user_session_disable.yaml | 4 +-
.../os/os_user_app_installation_prohibit.yaml | 6 +-
rules/os/os_uucp_disable.yaml | 2 +-
rules/pwpolicy/pwpolicy_50_percent.yaml | 8 +-
.../pwpolicy_account_inactivity_enforce.yaml | 12 +-
.../pwpolicy_emergency_accounts_disable.yaml | 6 +-
...pwpolicy_lower_case_character_enforce.yaml | 16 +-
...cy_lower_upper_case_character_enforce.yaml | 10 +-
.../pwpolicy_minimum_length_enforce.yaml | 2 +-
.../pwpolicy_minimum_lifetime_enforce.yaml | 14 +-
.../pwpolicy_prevent_dictionary_words.yaml | 8 +-
.../pwpolicy_special_character_enforce.yaml | 6 +-
.../pwpolicy_temporary_accounts_disable.yaml | 2 +-
...pwpolicy_upper_case_character_enforce.yaml | 18 +-
.../supplemental/supplemental_cis_manual.yaml | 14 +-
rules/supplemental/supplemental_controls.yaml | 32 +-
.../supplemental/supplemental_filevault.yaml | 2 +-
.../supplemental_firewall_pf.yaml | 18 +-
.../supplemental_password_policy.yaml | 12 +-
...tem_settings_airplay_receiver_disable.yaml | 8 +-
...m_settings_apple_watch_unlock_disable.yaml | 10 +-
...tem_settings_automatic_logout_enforce.yaml | 4 +-
...system_settings_bluetooth_menu_enable.yaml | 8 +-
...em_settings_bluetooth_sharing_disable.yaml | 12 +-
...ystem_settings_cd_dvd_sharing_disable.yaml | 10 +-
...stem_settings_content_caching_disable.yaml | 6 +-
...tings_critical_update_install_enforce.yaml | 6 +-
..._settings_diagnostics_reports_disable.yaml | 2 +-
.../system_settings_find_my_disable.yaml | 8 +-
.../system_settings_firewall_enable.yaml | 24 +-
...ekeeper_identified_developers_allowed.yaml | 14 +-
...settings_gatekeeper_override_disallow.yaml | 22 +-
...tem_settings_guest_access_smb_disable.yaml | 12 +-
.../system_settings_hot_corners_disable.yaml | 10 +-
.../system_settings_hot_corners_secure.yaml | 8 +-
...ettings_install_macos_updates_enforce.yaml | 6 +-
...em_settings_location_services_disable.yaml | 14 +-
...tem_settings_location_services_enable.yaml | 14 +-
...ttings_location_services_menu_enforce.yaml | 12 +-
...gs_loginwindow_loginwindowtext_enable.yaml | 12 +-
...ystem_settings_media_sharing_disabled.yaml | 2 +-
...ystem_settings_password_hints_disable.yaml | 2 +-
...ings_personalized_advertising_disable.yaml | 8 +-
...stem_settings_printer_sharing_disable.yaml | 10 +-
...em_settings_remote_management_disable.yaml | 10 +-
...settings_screensaver_password_enforce.yaml | 10 +-
...system_settings_siri_prefpane_disable.yaml | 2 +-
...gs_software_update_app_update_enforce.yaml | 2 +-
...ings_software_update_download_enforce.yaml | 2 +-
...stem_settings_software_update_enforce.yaml | 2 +-
...ystem_settings_softwareupdate_current.yaml | 4 +-
.../system_settings_ssh_enable.yaml | 20 +-
...tings_time_machine_auto_backup_enable.yaml | 12 +-
...ings_time_machine_encrypted_configure.yaml | 12 +-
.../system_settings_time_server_enforce.yaml | 6 +-
...system_settings_token_removal_enforce.yaml | 10 +-
...system_settings_touch_id_pane_disable.yaml | 2 +-
.../system_settings_usb_restricted_mode.yaml | 4 +-
..._settings_wake_network_access_disable.yaml | 2 +-
...ings_wallet_applepay_prefpane_disable.yaml | 2 +-
.../system_settings_wifi_disable.yaml | 6 +-
...fi_disable_when_connected_to_ethernet.yaml | 6 +-
.../system_settings_wifi_menu_enable.yaml | 6 +-
scripts/generate_baseline.py | 62 +-
scripts/generate_guidance.py | 16 +-
scripts/generate_mapping.py | 118 +-
scripts/generate_scap.py | 1132 ++++++++---------
sections/authentication.yaml | 2 +-
sections/passwordpolicy.yaml | 2 +-
templates/adoc_acronyms.adoc | 2 +-
templates/adoc_additional_docs.adoc | 4 +-
templates/adoc_foreword.adoc | 2 +-
templates/mscp-theme.yml | 4 +-
202 files changed, 1359 insertions(+), 1359 deletions(-)
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 36a780806..91d5bc7dc 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time. === Criteria for Contributions and Feedback -This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file. +This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file. -NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: -* states or implies NIST endorsement of any entities, services, or products; -* is inaccurate; -* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content; -* is clearly "off topic"; +NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: +* states or implies NIST endorsement of any entities, services, or products; +* is inaccurate; +* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content; +* is clearly "off topic"; * makes unsupported accusations; -* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or, +* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open 
Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or, * contains .exe or .jar file types. _These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._ @@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito * responding to NIST representatives in a timely manner; * keeping contributions and contributor GitHub username up to date -*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page]. +*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page]. diff --git a/LICENSE.md b/LICENSE.md index 84660b481..5170c6467 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo 5. _Downstream recipients._ **A.** _Offer from the Licensor_ – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. - + **B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. - + 6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). ## b. Other rights. 
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following **i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); **ii.** a copyright notice; - + **iii.** a notice that refers to this Public License; - + **iv.** a notice that refers to the disclaimer of warranties; - + **v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable; - + **B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and - + **C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. - + **2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. **3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your **a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. **b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: - + **1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or - + **2.** upon express reinstatement by the Licensor. - + For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. **c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. diff --git a/README.adoc b/README.adoc index a3e771520..95635302a 100644 --- a/README.adoc +++ b/README.adoc @@ -1,7 +1,7 @@ image::templates/images/mscp_banner_outline.png[] // settings: :idprefix: -:idseparator: - +:idseparator: - ifndef::env-github[:icons: font] ifdef::env-github[] :status: 
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21 Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page. -This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. +This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. To learn more about the project, please see the {uri-repo}/wiki[wiki]. @@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta == Changelog -Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes. +Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes. == NIST Disclaimer diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index 0d136322b..b56752450 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -324,7 +324,7 @@ profile: - pwpolicy_prevent_dictionary_words - system_settings_wifi_disable_when_connected_to_ethernet - section: "not_applicable" - rules: + rules: - os_access_control_mobile_devices - os_identify_non-org_users - os_information_validation diff --git a/includes/enablePF-mscp.sh b/includes/enablePF-mscp.sh index ade198661..f47035c90 100644 --- a/includes/enablePF-mscp.sh +++ b/includes/enablePF-mscp.sh 
@@ -4,9 +4,9 @@ enable_macos_application_firewall () { /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail + /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on - /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on + /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on } @@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () { launchctl enable system/macsec.pfctl launchctl bootstrap system $macsec_pfctl_plist - pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) + pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) } @@ -147,7 +147,7 @@ block log proto tcp to any port 540 ENDCONFIG } -#### +#### enable_macos_application_firewall create_macsec_pf_anchors diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml index 3f636b503..cc0d8ce4e 100644 --- a/includes/mscp-data.yaml +++ b/includes/mscp-data.yaml @@ -1,6 +1,6 @@ --- authors: - all_rules: + all_rules: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration @@ -10,7 +10,7 @@ authors: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - 800-53r5_moderate: + 800-53r5_moderate: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration 
@@ -20,12 +20,12 @@ authors: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - 800-171: + 800-171: names: - Bob Gendler|National Institute of Standards and Technology - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - cis_lvl1: + cis_lvl1: preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®) names: - Edward Byrd|Center for Internet Security @@ -72,10 +72,10 @@ authors: - Ekkehard Koch| - Bob Gendler|National Institute of Standards and Technology stig: - names: + names: - Dan Brodjieski|National Aeronautics and Space Administration - Allen Golbig|Jamf - - Bob Gendler|National Institute of Standards and Technology + - Bob Gendler|National Institute of Standards and Technology titles: all_rules: All Rules 800-53r5_high: NIST SP 800-53 Rev 5 High Impact diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml index 033c86d99..e927999b7 100644 --- a/includes/supported_payloads.yaml +++ b/includes/supported_payloads.yaml @@ -1,4 +1,4 @@ -payloads_types: +payloads_types: - com.apple.ADCertificate.managed - com.apple.AIM.account - com.apple.AssetCache.managed diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml index 5216c8185..fe5a78dc6 100644 --- a/rules/audit/audit_auditd_enabled.yaml +++ b/rules/audit/audit_auditd_enabled.yaml @@ -60,7 +60,7 @@ references: - AU-12(3) - AU-14(1) - MA-4(1) - - CM-5(1) + - CM-5(1) 800-53r4: - AU-3 - AU-3(1) diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml index afff5c5ee..382f02bf4 100644 --- a/rules/audit/audit_configure_capacity_notify.yaml +++ b/rules/audit/audit_configure_capacity_notify.yaml 
@@ -1,7 +1,7 @@ id: audit_configure_capacity_notify title: "Configure Audit Capacity Warning" discussion: | - The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. + The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs. check: | @@ -11,7 +11,7 @@ result: fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s + /usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s ---- references: cce: @@ -20,7 +20,7 @@ references: - CCI-001855 800-53r5: - AU-5(1) - 800-53r4: + 800-53r4: - AU-5(1) srg: - SRG-OS-000343-GPOS-00134 @@ -33,7 +33,7 @@ odv: recommended: 25 stig: 25 tags: - - 800-53r5_high + - 800-53r5_high - 800-53r4_high - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml index 0f0dc1631..5f4ac8bef 100644 --- a/rules/audit/audit_control_acls_configure.yaml +++ b/rules/audit/audit_control_acls_configure.yaml @@ -4,7 +4,7 @@ discussion: | /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs). check: | /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" -result: +result: integer: 0 fix: | [source,bash] diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml index f915fccd7..a9d7742fb 100644 --- a/rules/audit/audit_enforce_dual_auth.yaml +++ b/rules/audit/audit_enforce_dual_auth.yaml 
@@ -2,10 +2,10 @@ id: audit_enforce_dual_auth title: "Enforce Dual Authorization for Movement and Deletion of Audit Information" discussion: | All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed. - + An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation. - - To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + + To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml index 6981bad54..3a83c20bc 100644 --- a/rules/audit/audit_failure_halt.yaml +++ b/rules/audit/audit_failure_halt.yaml 
@@ -1,11 +1,11 @@ id: audit_failure_halt title: "Configure System to Shut Down Upon Audit Failure" discussion: | - The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. + The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events. - Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. + Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. check: | - /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' + /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' result: integer: 1 fix: | @@ -33,13 +33,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml index 722a9fb64..8f53435df 100644 --- a/rules/audit/audit_files_group_configure.yaml +++ b/rules/audit/audit_files_group_configure.yaml 
@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel" discussion: | Audit log files _MUST_ have the group set to wheel. - The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. + The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. check: | diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml index 2c37e9573..548774014 100644 --- a/rules/audit/audit_files_mode_configure.yaml +++ b/rules/audit/audit_files_mode_configure.yaml @@ -1,7 +1,7 @@ id: audit_files_mode_configure title: "Configure Audit Log Files to Mode 440 or Less Permissive" discussion: | - The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. + The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. check: | /bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' result: diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml index abf5fb074..2cc9eeb60 100644 --- a/rules/audit/audit_files_owner_configure.yaml +++ b/rules/audit/audit_files_owner_configure.yaml 
@@ -1,5 +1,5 @@ id: audit_files_owner_configure -title: "Configure Audit Log Files to be Owned by Root" +title: "Configure Audit Log Files to be Owned by Root" discussion: | Audit log files _MUST_ be owned by root. @@ -7,7 +7,7 @@ discussion: | Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. check: | - /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' + /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' result: integer: 0 fix: | diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml index 11090587c..2d4e11c0a 100644 --- a/rules/audit/audit_flags_aa_configure.yaml +++ b/rules/audit/audit_flags_aa_configure.yaml 
@@ -2,9 +2,9 @@ id: audit_flags_aa_configure title: "Configure System to Audit All Authorization and Authentication Events" discussion: | The auditing system _MUST_ be configured to flag authorization and authentication (aa) events. - - Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. - + + Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. + Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' @@ -54,14 +54,14 @@ references: macOS: - "14.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cis_lvl2 - cisv8 - cnssi-1253_moderate diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml index f9942576d..69a96ae74 100644 --- a/rules/audit/audit_flags_ex_configure.yaml +++ b/rules/audit/audit_flags_ex_configure.yaml 
@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System" discussion: | The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. - Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). - - This configuration ensures that audit lists include events in which program execution has failed. + Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). + + This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' @@ -20,7 +20,7 @@ references: cce: - CCE-92717-8 cci: - - N/A + - N/A 800-53r5: - AC-2(12) - AU-12 @@ -47,7 +47,7 @@ references: cmmc: - AU.L2-3.3.3 - AU.L2-3.3.6 - - SI.L2-3.14.3 + - SI.L2-3.14.3 macOS: - "14.0" tags: diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml index 1c61e4ec8..fe72171e1 100644 --- a/rules/audit/audit_flags_fm_configure.yaml +++ b/rules/audit/audit_flags_fm_configure.yaml 
@@ -1,11 +1,11 @@
 id: audit_flags_fm_configure
 title: "Configure System to Audit All Changes of Object Attributes"
 discussion: |
- The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
+ The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
 Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
- This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
+ This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
 Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
 check: |
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index 46d660e8d..dc12ed328 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -1,11 +1,11 @@ id: audit_flags_fm_failed_configure title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). - Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). - - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. + Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -29,13 +29,13 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) - MA-4(1) - srg: + srg: - N/A disa_stig: - N/A diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml index d132b0332..dd88df81f 100644 --- a/rules/audit/audit_folder_group_configure.yaml +++ b/rules/audit/audit_folder_group_configure.yaml 
@@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel"
 discussion: |
 Audit log files _MUST_ have the group set to wheel.
- The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
+ The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
 Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
 check: |
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 42ad8c27b..5a8b6d61f 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -1,5 +1,5 @@
 id: audit_folder_owner_configure
-title: "Configure Audit Log Folders to be Owned by Root"
+title: "Configure Audit Log Folders to be Owned by Root"
 discussion: |
 Audit log folders _MUST_ be owned by root.
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index fe88d7500..727f172c4 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -1,9 +1,9 @@
 id: audit_folders_mode_configure
 title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
 discussion: |
- The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
+ The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
- Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
+ Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
 check: |
 /usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
 result:
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index 0ae127397..9511bb94a 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -3,9 +3,9 @@ title: "Off-Load Audit Records"
 discussion: |
 Audit records should be off-loaded onto a different system or media from the system being audited.
- Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
+ Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
- To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+ To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index b333b9bc4..21ba6043a 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -1,8 +1,8 @@ id: audit_record_reduction_report_generation title: "Audit Record Reduction and Report Generation" discussion: | - The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. - + The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). @@ -13,11 +13,11 @@ fix: | references: cce: - CCE-92728-5 - cci: + cci: - N/A 800-53r5: - AU-7 - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml index 86c177fef..3618de308 100644 --- a/rules/audit/audit_records_processing.yaml +++ b/rules/audit/audit_records_processing.yaml 
@@ -2,7 +2,7 @@ id: audit_records_processing title: "Audit Record Reduction and Report Generation" discussion: | The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. - + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. check: | The technology does not support this requirement. This is an applicable-does not meet finding. @@ -11,11 +11,11 @@ fix: | references: cce: - CCE-92729-3 - cci: + cci: - N/A 800-53r5: - AU-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml index 908624b15..c0153ef36 100644 --- a/rules/auth/auth_smartcard_allow.yaml +++ b/rules/auth/auth_smartcard_allow.yaml @@ -1,10 +1,10 @@ id: auth_smartcard_allow title: "Allow Smartcard Authentication" discussion: | - Smartcard authentication _MUST_ be allowed. + Smartcard authentication _MUST_ be allowed. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. - + When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. check: | /usr/bin/osascript -l JavaScript << EOS @@ -26,7 +26,7 @@ references: - IA-2(1) - IA-2(2) - IA-2(12) - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(11) srg: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index ace343ea4..0aaf5fc7f 100644 
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml @@ -1,8 +1,8 @@ id: auth_smartcard_certificate_trust_enforce_high title: "Set Smartcard Certificate Trust to High" discussion: | - The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). - + The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). + To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed. @@ -20,12 +20,12 @@ fix: | references: cce: - CCE-92736-8 - cci: + cci: - N/A 800-53r5: - IA-5(2) - SC-17 - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(2) srg: diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index 4f5d6587b..f2d86b439 100644 --- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml @@ -45,8 +45,8 @@ references: macOS: - "14.0" tags: - - 800-53r4_moderate - - 800-53r5_moderate + - 800-53r4_moderate + - 800-53r5_moderate - cnssi-1253_moderate - cnssi-1253_low - cmmc_lvl2 diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml index b4b4105e4..c195756bc 100644 
--- a/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -80,12 +80,12 @@ macOS: - "14.0" tags: - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cisv8 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml index ded9d995b..6a4938272 100644 --- a/rules/icloud/icloud_addressbook_disable.yaml +++ b/rules/icloud/icloud_addressbook_disable.yaml @@ -1,7 +1,7 @@ id: icloud_addressbook_disable title: "Disable iCloud Address Book" discussion: | - The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | diff --git a/rules/icloud/icloud_appleid_preference_pane_disable.yaml b/rules/icloud/icloud_appleid_preference_pane_disable.yaml index b6f5e64c9..c9ed5dac6 100644 --- a/rules/icloud/icloud_appleid_preference_pane_disable.yaml +++ b/rules/icloud/icloud_appleid_preference_pane_disable.yaml @@ -1,7 +1,7 @@ id: icloud_appleid_preference_pane_disable title: "Disable the Preference Pane for Apple ID" discussion: | - This is required for compliance with the DISA STIG for macOS. + This is required for compliance with the DISA STIG for macOS. The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. 
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml index 773f43da7..63b018139 100644 --- a/rules/icloud/icloud_game_center_disable.yaml +++ b/rules/icloud/icloud_game_center_disable.yaml @@ -22,7 +22,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -49,14 +49,14 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high - 800-171 - - cisv8 + - cisv8 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml index debcca2c9..52bef441e 100644 --- a/rules/icloud/icloud_notes_disable.yaml +++ b/rules/icloud/icloud_notes_disable.yaml @@ -1,7 +1,7 @@ id: icloud_notes_disable title: "Disable iCloud Notes" discussion: | - The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml index 512e1ce6d..fe05db63d 100644 --- a/rules/icloud/icloud_private_relay_disable.yaml +++ b/rules/icloud/icloud_private_relay_disable.yaml @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) 
@@ -50,13 +50,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml index 6752fdc0b..52e243cbb 100644 --- a/rules/icloud/icloud_reminders_disable.yaml +++ b/rules/icloud/icloud_reminders_disable.yaml @@ -1,7 +1,7 @@ id: icloud_reminders_disable title: "Disable iCloud Reminders" discussion: | - The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml index 7498bc9c6..39b61e25e 100644 --- a/rules/icloud/icloud_sync_disable.yaml +++ b/rules/icloud/icloud_sync_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync" discussion: | The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml index 81776bdad..f4597b121 100644 --- a/rules/os/os_airdrop_disable.yaml +++ b/rules/os/os_airdrop_disable.yaml @@ -3,7 +3,7 @@ title: "Disable AirDrop" discussion: AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. - AirDrop allows users to share and receive files from other nearby Apple devices. + AirDrop allows users to share and receive files from other nearby Apple devices. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml index eb46bf4bb..4f08f0771 100644 --- a/rules/os/os_appleid_prompt_disable.yaml +++ b/rules/os/os_appleid_prompt_disable.yaml 
@@ -2,7 +2,7 @@ id: os_appleid_prompt_disable title: "Disable Apple ID Setup during Setup Assistant" discussion: | The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. - + macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml index 15348d776..adf5f6f34 100644 --- a/rules/os/os_application_sandboxing.yaml +++ b/rules/os/os_application_sandboxing.yaml @@ -1,8 +1,8 @@ id: os_application_sandboxing title: "Ensure Seperate Execution Domain for Processes" discussion: | - The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. - + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml index 8ec44bf61..35bab5edc 100644 --- a/rules/os/os_auth_peripherals.yaml +++ b/rules/os/os_auth_peripherals.yaml 
@@ -5,7 +5,7 @@ discussion: | check: | The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level. fix: | - This requirement is a permanent finding and can be fixed by implementing a third party solution. + This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - CCE-92763-2 @@ -24,7 +24,7 @@ references: - 3.5.2 cis: benchmark: - - N/A + - N/A controls v8: - 13.9 macOS: diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml index e48fd115b..27e96a5c4 100644 --- a/rules/os/os_authenticated_root_enable.yaml +++ b/rules/os/os_authenticated_root_enable.yaml @@ -1,12 +1,12 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" discussion: | - Authenticated Root _MUST_ be enabled. - + Authenticated Root _MUST_ be enabled. + When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. - + WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input. check: | /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' @@ -21,7 +21,7 @@ fix: | references: cce: - CCE-92764-0 - cci: + cci: - N/A 800-53r5: - AC-3 diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml index de9894cfc..91a86f901 100644 --- a/rules/os/os_calendar_app_disable.yaml +++ b/rules/os/os_calendar_app_disable.yaml @@ -34,7 +34,7 @@ fix: | references: cce: - CCE-92771-5 - cci: + cci: - N/A 800-53r5: - AC-20 @@ -72,5 +72,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Calendar.app 
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml index b450f5c5b..966b50bd1 100644 --- a/rules/os/os_change_security_attributes.yaml +++ b/rules/os/os_change_security_attributes.yaml @@ -1,9 +1,9 @@ id: os_change_security_attributes title: "Allow Administrators to Modify Security Settings and System Attributes" discussion: | - The information system _IS_ configured to allow administrators to modify security settings and system attributes. - - The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . + The information system _IS_ configured to allow administrators to modify security settings and system attributes. + + The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: | diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml index db00e8d74..eee79dc3f 100644 --- a/rules/os/os_config_profile_ui_install_disable.yaml +++ b/rules/os/os_config_profile_ui_install_disable.yaml @@ -15,7 +15,7 @@ references: cce: - CCE-92777-2 cci: - - N/A + - N/A 800-53r5: - CM-5 800-171r2: @@ -30,8 +30,8 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml index 9a843dbda..42e158f47 100644 --- a/rules/os/os_continuous_monitoring.yaml +++ b/rules/os/os_continuous_monitoring.yaml 
@@ -26,7 +26,7 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - permanent + - permanent - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml index 575d3b300..65d4abe9d 100644 --- a/rules/os/os_crypto_audit.yaml +++ b/rules/os/os_crypto_audit.yaml @@ -1,13 +1,13 @@ id: os_crypto_audit title: "Protect Audit Integrity with Cryptographic Mechanisms" discussion: | - The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. - - The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. - + The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. + + The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. + link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] - - NOTE: This will only apply to a Mac that includes a T2 security chip. + + NOTE: This will only apply to a Mac that includes a T2 security chip. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml index f035f5620..bd13d64da 100644 --- a/rules/os/os_directory_services_configured.yaml +++ b/rules/os/os_directory_services_configured.yaml 
@@ -1,13 +1,13 @@ id: os_directory_services_configured title: "Integrate System into a Directory Services Infrastructure" discussion: | - The macOS system _MUST_ be integrated into a directory services infrastructure. + The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: - integer: 0 + integer: 0 fix: | Integrate the system into an existing directory services infrastructure. references: diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml index a19c3700d..3ba26a568 100644 --- a/rules/os/os_enforce_access_restrictions.yaml +++ b/rules/os/os_enforce_access_restrictions.yaml @@ -2,8 +2,8 @@ id: os_enforce_access_restrictions title: "Enforce Access Restrictions" discussion: | The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. - - The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. + + The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: | diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml index 5c5f62cce..13addb48b 100644 --- a/rules/os/os_facetime_app_disable.yaml 
+++ b/rules/os/os_facetime_app_disable.yaml @@ -1,7 +1,7 @@ id: os_facetime_app_disable title: "Disable FaceTime.app" discussion: | - The macOS built-in FaceTime.app _MUST_ be disabled. + The macOS built-in FaceTime.app _MUST_ be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. @@ -9,7 +9,7 @@ discussion: | ==== Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== -check: | +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ @@ -31,7 +31,7 @@ fix: | references: cce: - CCE-92788-9 - cci: + cci: - N/A 800-53r5: - AC-20 @@ -69,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/FaceTime.app diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml index 64816a732..81090220c 100644 --- a/rules/os/os_fail_secure_state.yaml +++ b/rules/os/os_fail_secure_state.yaml 
@@ -1,11 +1,11 @@
 id: os_fail_secure_state
 title: "Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails"
 discussion: |
- The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort.
+ The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort.
- Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.
+ Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.
- Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state.
+ Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state.
 link:https://developer.apple.com/videos/play/wwdc2017/715/[]
 check: |
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 1e0ec730f..8ccbf107a 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable FileVault Automatic Login" discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. - The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. check: | diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml index 70279f003..8c7571d19 100644 --- a/rules/os/os_firewall_default_deny_require.yaml +++ b/rules/os/os_firewall_default_deny_require.yaml @@ -1,13 +1,13 @@ id: os_firewall_default_deny_require title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy" discussion: | - A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. + A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. - If you are using a third-party firewall solution, this setting does not apply. + If you are using a third-party firewall solution, this setting does not apply. [IMPORTANT] ==== diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index 84f5ca4b4..0408a07b8 100644 --- a/rules/os/os_firewall_log_enable.yaml 
+++ b/rules/os/os_firewall_log_enable.yaml @@ -1,11 +1,11 @@ id: os_firewall_log_enable title: "Enable Firewall Logging" discussion: | - Firewall logging _MUST_ be enabled. + Firewall logging _MUST_ be enabled. - Firewall logging ensures that malicious network activity will be logged to the system. + Firewall logging ensures that malicious network activity will be logged to the system. - NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. + NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | /usr/bin/osascript -l JavaScript << EOS function run() { @@ -27,12 +27,12 @@ fix: | references: cce: - CCE-92793-9 - cci: + cci: - N/A 800-53r5: - AU-12 - SC-7 - 800-53r4: + 800-53r4: - SC-7 - AU-12 srg: diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml index 0324b93c7..11a6d7a9f 100644 --- a/rules/os/os_gatekeeper_rearm.yaml +++ b/rules/os/os_gatekeeper_rearm.yaml @@ -14,11 +14,11 @@ fix: | references: cce: - CCE-92796-2 - cci: + cci: - N/A 800-53r5: - CM-5 - 800-53r4: + 800-53r4: - CM-5 - SI-3 srg: diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml index 581e84eba..3bc7b9040 100644 --- a/rules/os/os_grant_privs.yaml +++ b/rules/os/os_grant_privs.yaml 
@@ -1,8 +1,8 @@ id: os_grant_privs title: "Allow Administrators to Promote Other Users to Administrator Status" discussion: | - The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. - + The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. + The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[] diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml index 791ff11e1..02c3ac502 100644 --- a/rules/os/os_guest_folder_removed.yaml +++ b/rules/os/os_guest_folder_removed.yaml @@ -1,6 +1,6 @@ id: os_guest_folder_removed title: "Remove Guest Folder if Present" -discussion: | +discussion: | The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest" @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92798-8 - cci: + cci: - N/A 800-53r5: - N/A @@ -29,7 +29,7 @@ references: cis: benchmark: - 5.10 (level 1) - controls v8: + controls v8: - 4.1 macOS: - "14.0" diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml index 9aaa9708e..aeb824c04 100644 --- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml +++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml 
@@ -1,11 +1,11 @@ id: os_hibernate_mode_apple_silicon_enable title: "Enable Hibernate Mode (Apple Silicon)" discussion: | - Hibernate mode _MUST_ be enabled. + Hibernate mode _MUST_ be enabled. This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. - Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. + Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting. This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time. NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops. @@ -15,7 +15,7 @@ check: | hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') - + if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then ((error_count++)) fi diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml index 05914aec7..dc6224099 100644 --- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml +++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml 
@@ -1,7 +1,7 @@ id: os_hibernate_mode_destroyfvkeyonstandby_enable title: "Enable DestroyFVKeyOnStandby on Hibernate" discussion: | - DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ @@ -29,7 +29,7 @@ references: cis: benchmark: - 2.9.1.3 (level 2) - controls v8: + controls v8: - 4.1 macOS: - "14.0" diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml index e0851eff3..cb2414eb1 100644 --- a/rules/os/os_hibernate_mode_intel_enable.yaml +++ b/rules/os/os_hibernate_mode_intel_enable.yaml @@ -1,7 +1,7 @@ id: os_hibernate_mode_intel_enable title: "Enable Hibernate Mode (Intel)" discussion: | - Hibernate mode _MUST_ be enabled. + Hibernate mode _MUST_ be enabled. This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack. @@ -12,7 +12,7 @@ check: | hibernateStandbyLowValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelaylow 2>&1 | /usr/bin/awk '{print $2}') hibernateStandbyHighValue=$(/usr/bin/pmset -g | /usr/bin/grep standbydelayhigh 2>&1 | /usr/bin/awk '{print $2}') hibernateStandbyThreshValue=$(/usr/bin/pmset -g | /usr/bin/grep highstandbythreshold 2>&1 | /usr/bin/awk '{print $2}') - + if [[ "$hibernateStandbyLowValue" == "" ]] || [[ "$hibernateStandbyLowValue" -gt 900 ]]; then ((error_count++)) fi diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml index d87817bbe..705a3b62c 100644 --- a/rules/os/os_home_folders_default.yaml +++ b/rules/os/os_home_folders_default.yaml 
@@ -2,27 +2,27 @@ id: os_home_folders_default title: "Configure User's Home Folders to Apple's Default" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - + Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. check: |- Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands: /bin/ls -le /Users - + This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be: 0: group:everyone deny delete - + For every authorized user account, also run the following command: - /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. - + /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. + This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be: - drwx------+ + drwx------+ 0: group:everyone deny delete The exception is the \"Public\" directory, whose permissions must match the following: - drwxr-xr-x+ + drwxr-xr-x+ 0: group:everyone deny delete - + If the permissions returned by either of these checks differ from what is shown, this is a finding. result: "" fix: |- diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml index a4c410551..a0f5fbdf1 100644 --- a/rules/os/os_home_folders_secure.yaml +++ b/rules/os/os_home_folders_secure.yaml 
@@ -2,7 +2,7 @@ id: os_home_folders_secure
 title: "Secure User's Home Folders"
 discussion: |
 The system _MUST_ be configured to prevent access to other user's home folders.
-
+
 The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within.
 check: |
 /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 03a0a7a4b..9d3c135c9 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -1,14 +1,14 @@ id: os_implement_cryptography title: "Configure the System to Implement Approved Cryptography to Protect Information" discussion: | - The information system _IS_ configured to implement approved cryptography to protect information. + The information system _IS_ configured to implement approved cryptography to protect information. - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml index 97d11229c..99a1207ef 100644 --- a/rules/os/os_implement_memory_protection.yaml +++ b/rules/os/os_implement_memory_protection.yaml 
@@ -3,16 +3,16 @@ title: "Configure the System to Protect Memory from Unauthorized Code Execution" discussion: | The information system _IS_ configured to implement non-executable data to protect memory from code execution. - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] - + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] - + check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml index a985a5666..38eab6c6d 100644 --- a/rules/os/os_information_validation.yaml +++ b/rules/os/os_information_validation.yaml 
@@ -2,7 +2,7 @@ id: os_information_validation
 title: "Information Input Validation"
 discussion: |
 Check the validity of the following information inputs: organization-defined information inputs to the systems.
-
+
 Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.
 check: |
 This requirement is NA for this technology.
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index a32b025a1..8946b8040 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml @@ -1,7 +1,7 @@ id: os_install_log_retention_configure title: "Configure Install.log Retention to $ODV" discussion: | - The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. + The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility. check: | /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' result: @@ -10,7 +10,7 @@ fix: | [source,bash] ---- /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=$ODV/g" /etc/asl/com.apple.install - ---- + ---- NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml index 75db6dfc4..1bec9ec00 100644 --- a/rules/os/os_ir_support_disable.yaml +++ b/rules/os/os_ir_support_disable.yaml 
@@ -1,10 +1,10 @@
 id: os_ir_support_disable
 title: "Disable Infrared (IR) support"
 discussion: |
- Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
-
- By default, if IR is enabled, the system will accept IR control from any remote device.
-
+ Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices.
+
+ By default, if IR is enabled, the system will accept IR control from any remote device.
+
 NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
@@ -18,13 +18,13 @@ fix: |
 references:
 cce:
 - CCE-92812-7
- cci:
+ cci:
 - N/A
 800-53r5:
 - AC-18
 - CM-7
 - CM-7(1)
- 800-53r4:
+ 800-53r4:
 - CM-7
 - CM-7(1)
 - AC-18
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 2885a32c3..804837eb3 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -1,8 +1,8 @@
 id: os_isolate_security_functions
 title: "Configure the System to Separate User and System Functionality"
 discussion: |
- The information system _IS_ configured to isolate security functions from non-security functions.
-
+ The information system _IS_ configured to isolate security functions from non-security functions.
+
 link:https://support.apple.com/guide/security/welcome/web[]
 check: |
 The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 63a423b96..cefbf83d9 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -1,6 +1,6 @@ id: os_library_validation_enabled title: "Enable Library Validation" -discussion: +discussion: Library validation _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92814-3 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml index 4249e4986..b8b107995 100644 --- a/rules/os/os_limit_dos_attacks.yaml +++ b/rules/os/os_limit_dos_attacks.yaml @@ -1,9 +1,9 @@ id: os_limit_dos_attacks title: "Limit Impact of Denial of Service Attacks" discussion: | - The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. + The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml index b7bce84ff..7e83e52e3 100644 --- a/rules/os/os_limit_gui_sessions.yaml 
+++ b/rules/os/os_limit_gui_sessions.yaml @@ -1,7 +1,7 @@ id: os_limit_gui_sessions title: "Limit Concurrent GUI Sessions to 10 for all Accounts" discussion: | - The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. + The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. check: | diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml index 0302dffc8..c1d491e09 100644 --- a/rules/os/os_logical_access.yaml +++ b/rules/os/os_logical_access.yaml 
@@ -1,9 +1,9 @@ id: os_logical_access title: "Enforce Approved Authorization for Logical Access" discussion: | - The information system _IS_ configured to enforce an approved authorization process before granting users logical access. + The information system _IS_ configured to enforce an approved authorization process before granting users logical access. - The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. + The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml index 3ae406daf..c95c15e31 100644 --- a/rules/os/os_mail_app_disable.yaml +++ b/rules/os/os_mail_app_disable.yaml 
@@ -1,10 +1,10 @@ id: os_mail_app_disable title: "Disable Mail App" discussion: | - The macOS built-in Mail.app _MUST_ be disabled. + The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place. - + [IMPORTANT] ==== Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. @@ -14,7 +14,7 @@ discussion: | ==== Apple has deprecated the use of link:https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70[application restriction controls], using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ==== -check: | +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ @@ -36,7 +36,7 @@ fix: | references: cce: - CCE-92820-0 - cci: + cci: - N/A 800-53r5: - AC-20 @@ -74,5 +74,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Mail.app diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml index 494660462..e54584b0a 100644 --- a/rules/os/os_malicious_code_prevention.yaml +++ b/rules/os/os_malicious_code_prevention.yaml 
@@ -2,31 +2,31 @@ id: os_malicious_code_prevention title: "Ensure the System Implements Malicious Code Protection Mechanisms" discussion: | The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention. - - 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. - The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: - * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. - * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware. + + 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. + The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: + * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. + * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. 
XProtect automatically detects and blocks the execution of known malware. * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when: * an app is first launched, * an app has been changed (in the file system), and * XProtect signatures are updated. * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running. - * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. + * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. - 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. - The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: + 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. + The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: * XProtect (defined above). * Gatekeeper (defined above). * Notarization (defined above). - 3. 
The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. - The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: + 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. + The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: * Apple's XProtect: a technology included on all macOS systems. XProtect will remediate infections upon receiving updated information delivered and when infections are detected link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] - + link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml index ffa9e09c9..f64e8e858 100644 --- a/rules/os/os_mdm_require.yaml +++ b/rules/os/os_mdm_require.yaml @@ -2,9 +2,9 @@ id: os_mdm_require title: "Enforce Enrollment in Mobile Device Management" discussion: | You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software. - + User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include: - + * Allowed Kernel Extensions * Allowed Approved System Extensions * Privacy Preferences Policy Control Payload @@ -12,7 +12,7 @@ discussion: | * FDEFileVault In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM: - + * Activation Lock Bypass * Access to Bootstrap Tokens * Scheduling Software Updates 
@@ -38,7 +38,7 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - 3.4.1 - 3.4.2 diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml index ba134c110..ea360c73c 100644 --- a/rules/os/os_messages_app_disable.yaml +++ b/rules/os/os_messages_app_disable.yaml @@ -1,7 +1,7 @@ id: os_messages_app_disable title: "Disable Messages App" discussion: | - The macOS built-in Messages.app _MUST_ be disabled. + The macOS built-in Messages.app _MUST_ be disabled. The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. @@ -31,7 +31,7 @@ fix: | references: cce: - CCE-92825-9 - cci: + cci: - N/A 800-53r5: - AC-20 @@ -69,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Messages.app diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml index a27fbb0cf..b0f8a483e 100644 --- a/rules/os/os_mobile_file_integrity_enable.yaml +++ b/rules/os/os_mobile_file_integrity_enable.yaml @@ -1,6 +1,6 @@ id: os_mobile_file_integrity_enable title: "Enable Apple Mobile File Integrity" -discussion: +discussion: Mobile file integrity _MUST_ be ebabled. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92828-3 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml index 089ed2393..388952a1d 100644 --- a/rules/os/os_nonlocal_maintenance.yaml +++ b/rules/os/os_nonlocal_maintenance.yaml 
@@ -1,7 +1,7 @@ id: os_nonlocal_maintenance title: "Configure the System for Nonlocal Maintenance" discussion: | - Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. + Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. check: | This requirement is NA for this technology. fix: | diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml index ee54e7ec3..edb08d655 100644 --- a/rules/os/os_notify_account_created.yaml +++ b/rules/os/os_notify_account_created.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Created Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | 
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml index 5614756b7..e7a881c3e 100644 --- a/rules/os/os_notify_account_disabled.yaml +++ b/rules/os/os_notify_account_disabled.yaml @@ -5,7 +5,7 @@ discussion: | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml index 99f0ce25f..72e74a257 100644 --- a/rules/os/os_notify_account_enable.yaml +++ b/rules/os/os_notify_account_enable.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Enabled Actions " discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. 
This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml index 63cd63a4b..593898c27 100644 --- a/rules/os/os_notify_account_modified.yaml +++ b/rules/os/os_notify_account_modified.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Modified Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | 
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml index 68a1bf8ce..f765a10b6 100644 --- a/rules/os/os_notify_account_removal.yaml +++ b/rules/os/os_notify_account_removal.yaml @@ -4,8 +4,8 @@ discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - - To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + + To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml index 759816d26..d8656c7bd 100644 --- a/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/rules/os/os_notify_unauthorized_baseline_change.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Baseline Configuration Changes" discussion: | The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified. - Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. - To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml index d893b305a..76be9ffd3 100644 --- a/rules/os/os_parental_controls_enable.yaml +++ b/rules/os/os_parental_controls_enable.yaml 
@@ -1,8 +1,8 @@ id: os_parental_controls_enable title: "Enable Parental Controls" discussion: | - Parental Controls _MUST_ be enabled. - + Parental Controls _MUST_ be enabled. + Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline. Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. @@ -18,11 +18,11 @@ fix: | references: cce: - CCE-92842-4 - cci: + cci: - N/A 800-53r5: - CM-7(2) - 800-53r4: + 800-53r4: - CM-7(2) srg: - N/A diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml index b928ab749..0d63b799a 100644 --- a/rules/os/os_password_autofill_disable.yaml +++ b/rules/os/os_password_autofill_disable.yaml @@ -1,7 +1,7 @@ id: os_password_autofill_disable title: "Disable Password Autofill" discussion: | - Password Autofill _MUST_ be disabled. + Password Autofill _MUST_ be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml index 1854c973f..a86c59944 100644 --- a/rules/os/os_password_hint_remove.yaml +++ b/rules/os/os_password_hint_remove.yaml @@ -9,7 +9,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do /usr/bin/dscl . -delete /Users/$u hint done ---- @@ -17,7 +17,7 @@ references: cce: - CCE-92844-0 cci: - - N/A + - N/A 800-53r5: - IA-6 800-53r4: 
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml index 2a7920a2d..03afbab35 100644 --- a/rules/os/os_password_proximity_disable.yaml +++ b/rules/os/os_password_proximity_disable.yaml @@ -1,8 +1,8 @@ id: os_password_proximity_disable title: "Disable Proximity Based Password Sharing Requests" discussion: | - Proximity based password sharing requests _MUST_ be disabled. - + Proximity based password sharing requests _MUST_ be disabled. + The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml index c9d91c96f..0466e921e 100644 --- a/rules/os/os_password_sharing_disable.yaml +++ b/rules/os/os_password_sharing_disable.yaml @@ -1,8 +1,8 @@ id: os_password_sharing_disable title: "Disable Password Sharing" discussion: | - Password Sharing _MUST_ be disabled. - + Password Sharing _MUST_ be disabled. + The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml index 35148f321..1fac6a635 100644 --- a/rules/os/os_peripherals_identify.yaml +++ b/rules/os/os_peripherals_identify.yaml 
@@ -2,7 +2,7 @@ id: os_peripherals_identify title: The macOS system must uniquely identify peripherals before establishing a connection. discussion: | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - + Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. @@ -22,7 +22,7 @@ references: disa_stig: - N/A 800-171r2: - - N/A + - N/A macOS: - "14.0" tags: diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 6d33ed99a..2988465d2 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml @@ -6,7 +6,7 @@ discussion: | System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. - + The banner text of the document _MUST_ read: [source,text] 
@@ -65,15 +65,15 @@ odv: cis_lvl1: "Center for Internet Security Test Message" cis_lvl2: "Center for Internet Security Test Message" stig: |- - You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - -At any time, the USG may inspect and seize data stored on this IS. + -At any time, the USG may inspect and seize data stored on this IS. - -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. - -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml index 235005a9c..8ef024a78 100644 --- a/rules/os/os_policy_banner_ssh_configure.yaml +++ b/rules/os/os_policy_banner_ssh_configure.yaml @@ -60,13 +60,13 @@ odv: -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml index 6ad0fafe9..330d7d3e5 100644 --- a/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/rules/os/os_policy_banner_ssh_enforce.yaml 
@@ -1,7 +1,7 @@ id: os_policy_banner_ssh_enforce title: "Enforce SSH to Display Policy Banner" discussion: | - SSH _MUST_ be configured to display a policy banner. + SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. @@ -55,13 +55,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml index b5b28508e..a78d4fb7c 100644 --- a/rules/os/os_power_nap_disable.yaml +++ b/rules/os/os_power_nap_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Power Nap" discussion: | Power Nap _MUST_ be disabled. - NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. + NOTE: Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot and must therefore be disabled on all applicable systems. The following Macs support Power Nap: diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml index 92bd1017c..a6e39a714 100644 --- a/rules/os/os_power_nap_enable.yaml +++ b/rules/os/os_power_nap_enable.yaml 
@@ -3,7 +3,7 @@ title: "Enable Power Nap" discussion: | Power Nap _MUST_ be enabled. - NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. + NOTE: Power nap can interfere with USB power and may cause devices such as smartcards to stop functioning until a reboot. The following Macs support Power Nap: @@ -34,7 +34,7 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - N/A cis: diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml index b66eb6c0b..78ebe659f 100644 --- a/rules/os/os_prevent_priv_execution.yaml +++ b/rules/os/os_prevent_priv_execution.yaml @@ -3,8 +3,8 @@ title: "Prevent Software From Executing at Higher Privilege Levels than Users Ex discussion: | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. - + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. 
@@ -24,7 +24,7 @@ references: srg: - N/A 800-171r2: - - 3.1.7 + - 3.1.7 macOS: - "14.0" tags: diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml index 123cf112b..8d6f38581 100644 --- a/rules/os/os_prevent_priv_functions.yaml +++ b/rules/os/os_prevent_priv_functions.yaml @@ -1,11 +1,11 @@ id: os_prevent_priv_functions title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions" discussion: | - The information system _IS_ configured to block standard users from executing privileged functions. + The information system _IS_ configured to block standard users from executing privileged functions. - Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. - - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] check: | diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml index f95574b1c..5d3d1a09a 100644 --- a/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/rules/os/os_prevent_unauthorized_disclosure.yaml 
@@ -1,9 +1,9 @@ id: os_prevent_unauthorized_disclosure title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources" discussion: | - The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. - - The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. + The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. + + The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml index ab85c2026..041d9466a 100644 --- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
@@ -2,13 +2,13 @@ id: os_prohibit_remote_activation_collab_devices title: "Prohibit Remote Activation of Collaborative Computing Devices" discussion: | The inherent configuration of the macOS _IS_ in compliance. - + Apple has implemented a green light physically next to your camera that will glow when the camera is activated. There is an orange dot indicator by the Control Center pull down menu item to indicate when the system's microphone is listening or activated. The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. - + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] - + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[] diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml index f1f0754f0..8e201d7e0 100644 --- a/rules/os/os_protect_dos_attacks.yaml +++ b/rules/os/os_protect_dos_attacks.yaml 
@@ -1,9 +1,9 @@ id: os_protect_dos_attacks title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces" discussion: | - The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. - - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. + + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml index a268f43f3..766bcf999 100644 --- a/rules/os/os_provide_automated_account_management.yaml +++ b/rules/os/os_provide_automated_account_management.yaml 
@@ -4,7 +4,7 @@ discussion: | The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management. - + To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml index c681bf799..6f49469f9 100644 --- a/rules/os/os_rapid_security_response_allow.yaml +++ b/rules/os/os_rapid_security_response_allow.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92865-5 - cci: + cci: - N/A 800-53r5: - SI-2 @@ -40,9 +40,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml index 65b87f397..c8f8f4daf 100644 --- a/rules/os/os_rapid_security_response_removal_disable.yaml +++ b/rules/os/os_rapid_security_response_removal_disable.yaml @@ -1,7 +1,7 @@ id: os_rapid_security_response_removal_disable title: "Disable User Ability from Being Able to Undo Rapid Security Responses" discussion: | - Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. + Rapid security response (RSR) mechanism _MUST_ be enabled and the ability for the user to disable RSR _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ 
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92866-3 - cci: + cci: - N/A 800-53r5: - SI-2 @@ -40,9 +40,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml index c78c035f0..c989af684 100644 --- a/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/rules/os/os_reauth_devices_change_authenticators.yaml @@ -1,8 +1,8 @@ id: os_reauth_devices_change_authenticators title: "Require Devices to Reauthenticate when Changing Authenticators" discussion: | - The macOS should be configured to require users to reauthenticate when the device authenticator is changed. - + The macOS should be configured to require users to reauthenticate when the device authenticator is changed. + Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml index e0dfccb64..fc0973e7a 100644 --- a/rules/os/os_recovery_lock_enable.yaml +++ b/rules/os/os_recovery_lock_enable.yaml 
@@ -1,17 +1,17 @@ id: os_recovery_lock_enable title: "Enable Recovery Lock" discussion: | - A recovery lock password _MUST_ be enabled and set. + A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" -result: +result: integer: 1 fix: | - NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. + NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM. references: cce: - CCE-92870-5 @@ -33,11 +33,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - arm64 - manual - cnssi-1253_moderate diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 7537277db..a37d57f6b 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
@@ -2,13 +2,13 @@ id: os_required_crypto_module title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met" discussion: | The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication - + macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Ventura will be submitted for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index afbf3f4b3..1e44c3d9a 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable Root Login" discussion: | To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. - The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. + The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. check: | /usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" result: @@ -17,7 +17,7 @@ references: cce: - CCE-92875-4 cci: - - N/A + - N/A 800-53r5: - IA-2 - IA-2(5) diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml index 147d02ef0..15b42a4a5 100644 --- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml +++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_advertising_privacy_protection_enable title: "Ensure Advertising Privacy Protection in Safari Is Enabled" discussion: | - Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. + Allow privacy-preserving measurement of ad effectiveness _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"WebKitPreferences.privateClickMeasurementEnabled" = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml index f25c24e35..73a1ae35d 100644 --- a/rules/os/os_safari_open_safe_downloads_disable.yaml +++ b/rules/os/os_safari_open_safe_downloads_disable.yaml 
@@ -1,7 +1,7 @@ id: os_safari_open_safe_downloads_disable title: "Disable Automatic Opening of Safe Files in Safari" discussion: | - Open "safe" files after downloading _MUST_ be disabled in Safari. + Open "safe" files after downloading _MUST_ be disabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml index 246db6e5e..595569598 100644 --- a/rules/os/os_safari_show_full_website_address_enable.yaml +++ b/rules/os/os_safari_show_full_website_address_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_show_full_website_address_enable title: "Ensure Show Full Website Address in Safari Is Enabled" discussion: | - Show full website address _MUST_ be enabled in Safari. + Show full website address _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'ShowFullURLInSmartSearchField = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml index 13b425232..ddd18de38 100644 --- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml +++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml @@ -1,7 +1,7 @@ id: os_safari_warn_fraudulent_website_enable title: "Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled" discussion: | - Warn when visiting a fraudulent website _MUST_ be enabled in Safari. + Warn when visiting a fraudulent website _MUST_ be enabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WarnAboutFraudulentWebsites = 1' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: 
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml index b994709d2..9b31bfd41 100644 --- a/rules/os/os_screensaver_loginwindow_enforce.yaml +++ b/rules/os/os_screensaver_loginwindow_enforce.yaml @@ -29,11 +29,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index 4872192cb..fe520f34a 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -3,12 +3,12 @@ title: "Ensure Secure Boot Level Set to Full" discussion: | The Secure Boot security setting _MUST_ be set to full. - Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. + Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" -result: +result: integer: 1 fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 1d5a70e2a..98055d112 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml 
@@ -2,9 +2,9 @@ id: os_secure_enclave title: "Protected Storage for Cryptographic Keys" discussion: | A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. - + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. - + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. @@ -13,7 +13,7 @@ check: | result: integer: 0 fix: | - The hardware does not support the requirement. + The hardware does not support the requirement. references: cce: - CCE-92884-6 diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml index d139bf275..83df7fb2f 100644 --- a/rules/os/os_separate_functionality.yaml +++ b/rules/os/os_separate_functionality.yaml 
@@ -1,11 +1,11 @@ id: os_separate_functionality title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to separate user and system functionality. - - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. - - The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. + The information system _IS_ configured to separate user and system functionality. + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. + + The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] check: | diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml index 70e48b9cc..7a7ff2b83 100644 --- a/rules/os/os_show_filename_extensions_enable.yaml +++ b/rules/os/os_show_filename_extensions_enable.yaml 
@@ -2,8 +2,8 @@ id: os_show_filename_extensions_enable title: "Enable Show All Filename Extensions" discussion: | Show all filename extensions _MUST_ be enabled in the Finder. - - [NOTE] + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml index 775e8b455..c6f577661 100644 --- a/rules/os/os_software_update_deferral.yaml +++ b/rules/os/os_software_update_deferral.yaml @@ -41,7 +41,7 @@ references: - 7.4 macOS: - "14.0" -odv: +odv: hint: "Number of days." recommended: 30 cis_lvl1: 30 diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml index 60f0cff16..e5af04bf0 100644 --- a/rules/os/os_ssh_fips_compliant.yaml +++ b/rules/os/os_ssh_fips_compliant.yaml @@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. check: | @@ -32,18 +32,18 @@ fix: | PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256" /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config - ---- + ---- references: cce: - CCE-92894-5 - cci: + cci: - N/A 800-53r5: - AC-17(2) - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) 
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index 49fbcfd59..f89602e44 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -19,7 +19,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do @@ -30,11 +30,11 @@ fix: | references: cce: - CCE-92895-2 - cci: + cci: - N/A 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -48,7 +48,7 @@ macOS: - "14.0" odv: hint: "Number of seconds." - recommended: 0 + recommended: 0 tags: - 800-53r5_moderate - 800-53r5_high diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index da6dccdba..8362b65b4 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -1,8 +1,8 @@ id: os_ssh_server_alive_interval_configure title: "Configure SSH ServerAliveInterval option set to $ODV" discussion: | - SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV. - + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to $ODV. + Setting the Active Server Alive Maximum Count to $ODV will log users out after a $ODV seconds interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. 
@@ -21,7 +21,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do @@ -32,12 +32,12 @@ fix: | references: cce: - CCE-92896-0 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml index 1ce819c57..0e66b31a5 100644 --- a/rules/os/os_sshd_channel_timeout_configure.yaml +++ b/rules/os/os_sshd_channel_timeout_configure.yaml @@ -2,7 +2,7 @@ id: os_sshd_channel_timeout_configure title: "Configure SSHD Channel Timeout to $ODV" discussion: | If SSHD is enabled it _MUST_ be configured with session ChannelTime out set to $ODV. - + This will set the time out when the session is inactive. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. @@ -34,12 +34,12 @@ fix: | references: cce: - CCE-92897-8 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -54,9 +54,9 @@ odv: hint: "Number of seconds." recommended: 900 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml index 1f3b6978f..52a93014b 100644 --- a/rules/os/os_sshd_client_alive_count_max_configure.yaml +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml 
@@ -36,11 +36,11 @@ fix: | references: cce: - CCE-92898-6 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 @@ -57,9 +57,9 @@ odv: recommended: 0 stig: 1 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml index 3fbc67fd8..c81cf4ad1 100644 --- a/rules/os/os_sshd_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml @@ -1,8 +1,8 @@ id: os_sshd_client_alive_interval_configure title: "Configure SSHD ClientAliveInterval to $ODV" discussion: | - If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. - + If SSHD is enabled then it _MUST_ be configured with the Client Alive Interval set to $ODV. + Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. This setting works in conjuction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached. @@ -38,12 +38,12 @@ fix: | references: cce: - CCE-92899-4 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072 @@ -63,8 +63,8 @@ odv: tags: - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high + - 800-53r4_moderate + - 800-53r4_high - 800-171 - cnssi-1253_moderate - cnssi-1253_low diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml index d9b5a8342..719c56b3a 100644 --- a/rules/os/os_sshd_fips_compliant.yaml +++ b/rules/os/os_sshd_fips_compliant.yaml 
@@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. check: | @@ -28,7 +28,7 @@ fix: | fi fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256") - + for config in $fips_sshd_config; do /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf" done @@ -42,18 +42,18 @@ fix: | fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done - ---- + ---- references: cce: - CCE-92902-6 - cci: + cci: - N/A 800-53r5: - AC-17(2) - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml index 852c20de3..2826b3b73 100644 --- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml +++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml 
@@ -2,7 +2,7 @@ id: os_sshd_unused_connection_timeout_configure title: "Configure SSHD Unused Connection Timeout to $ODV" discussion: | If SSHD is enabled it _MUST_ be configured with unused connectione timeout set to $ODV. - + This will set the time out when there are no open channels within an session. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. @@ -34,12 +34,12 @@ fix: | references: cce: - CCE-92906-7 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A @@ -54,9 +54,9 @@ odv: hint: "Number of seconds." recommended: 900 tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253_moderate diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml index ab132078e..e7d5ffa6b 100644 --- a/rules/os/os_sudoers_timestamp_type_configure.yaml +++ b/rules/os/os_sudoers_timestamp_type_configure.yaml @@ -35,9 +35,9 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cis_lvl1 - cis_lvl2 - cisv8 diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml index 99b06b7a6..3ccc1a351 100644 --- a/rules/os/os_system_read_only.yaml +++ b/rules/os/os_system_read_only.yaml @@ -6,10 +6,10 @@ discussion: | NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' -result: +result: string: "No" fix: | - NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. + NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - CCE-92910-9 
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml index 64159c3f9..1038d88fe 100644 --- a/rules/os/os_terminal_secure_keyboard_enable.yaml +++ b/rules/os/os_terminal_secure_keyboard_enable.yaml @@ -1,7 +1,7 @@ id: os_terminal_secure_keyboard_enable title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" discussion: | - Secure keyboard entry _MUST_ be enabled in Terminal.app. + Secure keyboard entry _MUST_ be enabled in Terminal.app. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\ @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92912-5 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml index bae5abd6c..f5c4f4330 100644 --- a/rules/os/os_tftpd_disable.yaml +++ b/rules/os/os_tftpd_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Trivial File Transfer Protocol Service" discussion: | If the system does not require Trivial File Transfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: TFTP service is disabled at startup by default macOS. check: | diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml index 49285c42d..ce5bd7638 100644 --- a/rules/os/os_time_offset_limit_configure.yaml +++ b/rules/os/os_time_offset_limit_configure.yaml 
@@ -14,15 +14,15 @@ fix: | references: cce: - CCE-92915-8 - cci: - - N/A + cci: + - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml index 1d3abfe94..26268bc72 100644 --- a/rules/os/os_unlock_active_user_session_disable.yaml +++ b/rules/os/os_unlock_active_user_session_disable.yaml @@ -1,8 +1,8 @@ id: os_unlock_active_user_session_disable title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user's active or locked session _MUST_ be disabled. - + The ability to log in to another user's active or locked session _MUST_ be disabled. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui' diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml index 160e05107..0e4bc80b1 100644 --- a/rules/os/os_user_app_installation_prohibit.yaml +++ b/rules/os/os_user_app_installation_prohibit.yaml 
@@ -1,8 +1,8 @@ id: os_user_app_installation_prohibit title: "Prohibit User Installation of Software into /Users/" discussion: | - Users _MUST_ not be allowed to install software into /Users/. - + Users _MUST_ not be allowed to install software into /Users/. + Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. [IMPORTANT] @@ -55,5 +55,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - "/Users/" diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml index b1c7d3720..c1618048b 100644 --- a/rules/os/os_uucp_disable.yaml +++ b/rules/os/os_uucp_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Unix-to-Unix Copy Protocol Service" discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. - UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: UUCP service is disabled at startup by default macOS. check: | diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml index e3cf3b229..0247cb6b9 100644 --- a/rules/pwpolicy/pwpolicy_50_percent.yaml +++ b/rules/pwpolicy/pwpolicy_50_percent.yaml 
@@ -1,11 +1,11 @@ id: pwpolicy_50_percent title: "Require a Minimum of Fifty Percent Character Change in New Passwords" discussion: | - The macOS should be configured to require users to change at least 50% of the characters when setting a new password. - + The macOS should be configured to require users to change at least 50% of the characters when setting a new password. + If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. - - To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. + + To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml index 2b84368b0..71203b155 100644 --- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml 
@@ -3,16 +3,16 @@ title: "Disable Accounts after $ODV Days of Inactivity" discussion: | The macOS _MUST_ be configured to disable accounts after $ODV days of inactivity. - This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. -check: | + This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - result: integer: $ODV fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to disable an inactive user after $ODV days, edit the current password policy to contain the following within the "policyCategoryAuthentication": - + [source,xml] ---- @@ -28,7 +28,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -37,7 +37,7 @@ fix: | references: cce: - CCE-92926-5 - cci: + cci: - N/A 800-53r5: - AC-2(3) diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml index 914955871..5bee2b8b7 100644 --- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml 
@@ -1,11 +1,11 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. + Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). 
Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. @@ -21,7 +21,7 @@ references: - N/A 800-53r5: - AC-2(2) - 800-53r4: + 800-53r4: - AC-2(2) srg: - N/A diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 0cf558406..c2dd37a85 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml 
@@ -2,19 +2,19 @@ id: pwpolicy_lower_case_character_enforce title: "Require Passwords Contain a Minimum of One Lowercase Character" discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersLowerCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file 
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92933-1 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml index 59cf49dc2..46c281ef7 100644 --- a/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_upper_case_character_enforce.yaml @@ -2,14 +2,14 @@ id: pwpolicy_lower_upper_case_character_enforce title: "Require Passwords Contain a Minimum of $ODV Lowercase Character and $ODV Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least $ODV lower-case character and $ODV upper-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. NOTE: The configuration profile generated must be installed from an MDM server. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{$ODV,}[a-z]{$ODV,}.*'\''")])' - result: string: "true" fix: | 
@@ -17,11 +17,11 @@ fix: | references: cce: - CCE-92934-9 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 3ca84d3f9..a87b4254e 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -7,7 +7,7 @@ discussion: | NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{$ODV,}'\''")])' - result: string: "true" fix: | diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 4073694ef..cdd60d460 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml 
@@ -6,15 +6,15 @@ discussion: | This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92937-2 - cci: + cci: - N/A - 800-53r5: + 800-53r5: - IA-5 - 800-53r4: + 800-53r4: - IA-5(1) disa_stig: - N/A diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml index 88f9d61ae..0e847f441 100644 --- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml +++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml 
@@ -1,10 +1,10 @@ id: pwpolicy_prevent_dictionary_words title: "Prevent the Use of Dictionary Words for Passwords" discussion: | - The macOS should be configured to forbid users to use dictionary words for passwords. - - If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. - + The macOS should be configured to forbid users to use dictionary words for passwords. + + If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. + To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 54e1e4b85..86249892d 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml 
@@ -4,12 +4,12 @@ discussion: | The macOS _MUST_ be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' - result: string: "true" fix: | diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml index 07d8be9cc..d7fb3a2ea 100644 --- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml +++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml 
@@ -1,7 +1,7 @@ id: pwpolicy_temporary_accounts_disable title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours" discussion: | - The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created. diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index 3bac2a39e..07ee45b50 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml 
@@ -3,18 +3,18 @@ title: "Require Passwords Contain a Minimum of One Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | - /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' + /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}' result: string: "yes" fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least $ODV lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- @@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file 
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-92943-0 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: @@ -72,7 +72,7 @@ odv: hint: "Number of special characters." recommended: 1 cis_lvl1: 1 - cis_lvl2: 1 + cis_lvl2: 1 tags: - 800-171 - 800-53r4_low diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml index d4e7a1eff..177c7c494 100644 --- a/rules/supplemental/supplemental_cis_manual.yaml +++ b/rules/supplemental/supplemental_cis_manual.yaml @@ -2,7 +2,7 @@ id: supplemental_cis_manual title: "CIS Manual Recommendations" discussion: | List of CIS recommendations that are manual check in the CIS macOS Benchmark. - + [cols="15%h, 85%a"] |=== |Section @@ -10,7 +10,7 @@ discussion: | |Recommendations |2.1.1.1 Audit iCloud Keychain + - 2.1.1.2 Audit iCloud Drive + + 2.1.1.2 Audit iCloud Drive + 2.1.1.4 Audit Security Keys Used With AppleIDs + 2.1.2 Audit App Store Password Settings + 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information + @@ -18,10 +18,10 @@ discussion: | 2.6.1.3 Audit Location Services Access + 2.6.6 Audit Lockdown Mode + 2.8.1 Audit Universal Control Settings + - 2.11.2 Audit Touch ID + + 2.11.2 Audit Touch ID + 2.13.1 Audit Passwords System Preference Setting + 2.14.1 Audit Game Center Settings + - 2.15.1 Audit Notification & Focus Settings + + 2.15.1 Audit Notification & Focus Settings + 2.16.1 Audit Wallet & Apple Pay Settings + |=== @@ -62,9 +62,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml index 31c2854c5..d443bdf2e 100644 --- a/rules/supplemental/supplemental_controls.yaml +++ b/rules/supplemental/supplemental_controls.yaml 
@@ -1,20 +1,20 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. 
These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - [cols="15%h, 85%a"] |=== |Family |Access Control (AC) - |Controls + |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -34,7 +34,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -44,7 +44,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -54,7 +54,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -64,7 +64,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -74,7 +74,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -84,7 +84,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -114,7 +114,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -135,7 +135,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -181,9 +181,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml index ba6c40fd7..74bb455ac 100644 --- a/rules/supplemental/supplemental_filevault.yaml +++ b/rules/supplemental/supplemental_filevault.yaml @@ -58,7 +58,7 @@ references: cci: - N/A 800-53r5: - - N/A + - N/A 800-53r4: - N/A srg: diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml index 8a84ecc61..3bb5376b6 100644 --- a/rules/supplemental/supplemental_firewall_pf.yaml +++ b/rules/supplemental/supplemental_firewall_pf.yaml 
@@ -2,17 +2,17 @@ id: supplemental_firewall_pf title: "Packet Filter (pf) Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - + * os_firewall_default_deny_require macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. - + * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. - ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 - - * The PF firewall can manipulate virtually any packet data and is highly configurable. + ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 + + * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. @@ -106,9 +106,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml index d0d30e6a3..f744cabe7 100644 
--- a/rules/supplemental/supplemental_password_policy.yaml +++ b/rules/supplemental/supplemental_password_policy.yaml @@ -9,21 +9,21 @@ discussion: | * pwpolicy_minimum_lifetime_enforce Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: - + * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character * Disabling an account after 35 days of inactivity * Password minimum lifetime To set the local policy to meet these requirements, save the following XML password policy to a file. - + [source,xml] ---- include::../../includes/pwpolicy.xml[] ---- Run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,9 +38,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml index 169eaafe5..a64575391 100644 --- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml +++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml @@ -1,8 +1,8 @@ id: system_settings_airplay_receiver_disable title: "Disable Airplay Receiver" discussion: | - Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. - + Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device. + Support for Airplay Receiver is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. 
@@ -18,12 +18,12 @@ fix: | references: cce: - CCE-92944-8 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml index 97b1e5662..609cf4e02 100644 --- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml +++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml @@ -33,11 +33,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml index 2d8a69b91..6321951cf 100644 --- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml +++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_automatic_logout_enforce title: "Enforce Auto Logout After $ODV Seconds of Inactivity" discussion: | - Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. + Auto logout _MUST_ be configured to automatically terminate a user session and log out the after $ODV seconds of inactivity. NOTE:The maximum that macOS can be configured for autologoff is $ODV seconds. @@ -56,5 +56,5 @@ mobileconfig: true mobileconfig_info: .GlobalPreferences: com.apple.autologout.AutoLogOutDelay: $ODV - + diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml index 9bc2524b2..d2766fa0a 100644 --- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml 
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml @@ -14,15 +14,15 @@ fix: | references: cce: - CCE-92950-5 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -31,7 +31,7 @@ references: - 2.4.2 (level 1) controls v8: - 4.8 - - 13.9 + - 13.9 macOS: - "14.0" tags: diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml index 99053b810..4b393f53c 100644 --- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml +++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml @@ -1,11 +1,11 @@ id: system_settings_bluetooth_sharing_disable title: "Disable Bluetooth Sharing" discussion: | - Bluetooth Sharing _MUST_ be disabled. + Bluetooth Sharing _MUST_ be disabled. - Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. - - [NOTE] + Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash] @@ -25,14 +25,14 @@ fix: | references: cce: - CCE-92952-1 - cci: + cci: - N/A 800-53r5: - AC-3 - AC-18(4) - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - AC-3 - AC-18(4) - CM-7 
diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml index e34200790..9c85376ec 100644 --- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml +++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_cd_dvd_sharing_disable title: "Disable CD/DVD Sharing" discussion: | - CD/DVD Sharing _MUST_ be disabled. + CD/DVD Sharing _MUST_ be disabled. check: | /usr/bin/pgrep -q ODSAgent; /bin/echo $? result: @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-92953-9 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.1 (level 1) controls v8: - 4.1 diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml index c3a5e5d3d..4b0c670dd 100644 --- a/rules/system_settings/system_settings_content_caching_disable.yaml +++ b/rules/system_settings/system_settings_content_caching_disable.yaml @@ -1,9 +1,9 @@ id: system_settings_content_caching_disable title: "Disable Content Caching Service" discussion: | - Content caching _MUST_ be disabled. + Content caching _MUST_ be disabled. - Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. + Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -16,7 +16,7 @@ fix: | references: cce: - CCE-92954-7 - cci: + cci: - N/A 800-53r5: - CM-7 
diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml index f622e6c8f..31cc1d0d9 100644 --- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml +++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml @@ -1,7 +1,7 @@ id: system_settings_critical_update_install_enforce title: "Enforce Critical Security Updates to be Installed" discussion: | - Ensure that security updates are installed as soon as they are available from Apple. + Ensure that security updates are installed as soon as they are available from Apple. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ @@ -14,11 +14,11 @@ fix: | references: cce: - CCE-92955-4 - cci: + cci: - N/A 800-53r5: - SI-2 - 800-53r4: + 800-53r4: - N/A srg: - N/A diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml index 59097f2eb..326f5e0b2 100644 --- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml +++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml @@ -2,7 +2,7 @@ id: system_settings_diagnostics_reports_disable title: "Disable Sending Diagnostic and Usage Data to Apple" discussion: | The ability to submit diagnostic data to Apple _MUST_ be disabled. - + The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml index 3827370f1..ec4606e96 100644 --- a/rules/system_settings/system_settings_find_my_disable.yaml 
+++ b/rules/system_settings/system_settings_find_my_disable.yaml @@ -4,7 +4,7 @@ discussion: | The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. - + Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe. check: | /usr/bin/osascript -l JavaScript << EOS @@ -29,13 +29,13 @@ fix: | references: cce: - CCE-92958-8 - cci: + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-20 @@ -80,4 +80,4 @@ mobileconfig_info: allowFindMyFriends: false com.apple.icloud.managed: DisableFMMiCloudSetting: true - + diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 06f80b5b1..5258da076 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_firewall_enable title: "Enable macOS Application Firewall" discussion: | - The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. + The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | @@ -28,7 +28,7 @@ fix: | references: cce: - CCE-92959-6 - cci: + cci: - CCI-000366 800-53r5: - AC-4 @@ -36,7 +36,7 @@ references: - CM-7 - CM-7(1) - SC-7 - 800-53r4: + 800-53r4: - AC-4 - AC-6(1) - AC-19 @@ -57,9 +57,9 @@ references: - 3.13.2 - 3.13.5 cis: - benchmark: + benchmark: - 2.2.1 (level 1) - controls v8: + controls v8: - 4.1 - 4.5 - 13.1 
@@ -71,13 +71,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_low + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cis_lvl1 - cis_lvl2 - cisv8 diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml index 68e4554de..92e4916a0 100644 --- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml +++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml @@ -2,7 +2,7 @@ id: system_settings_gatekeeper_identified_developers_allowed title: "Apply Gatekeeper Settings to Block Applications from Unidentified Developers" discussion: | The information system implements cryptographic mechanisms to authenticate software prior to installation. - + Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party. check: | /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" @@ -38,12 +38,12 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high 
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml index 9bb8dd7ec..bd4285c81 100644 --- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml +++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml @@ -1,9 +1,9 @@ id: system_settings_gatekeeper_override_disallow title: "Configure Gatekeeper to Disallow End User Override" discussion: | - Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. + Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings. - If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. + If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\ @@ -16,12 +16,12 @@ fix: | references: cce: - CCE-92962-0 - cci: + cci: - N/A 800-53r5: - CM-5 - SI-7(15) - 800-53r4: + 800-53r4: - CM-5 - SI-7(15) srg: @@ -35,12 +35,12 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high @@ -50,4 +50,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempolicy.managed: DisableOverride: true - + diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml index 9bb6c0c81..8b636677d 100644 --- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml 
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml @@ -1,8 +1,8 @@ id: system_settings_guest_access_smb_disable title: "Disable Guest Access to Shared SMB Folders" discussion: | - Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. - + Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled. + Turning off guest access prevents anonymous users from accessing files shared via SMB. check: | /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess @@ -16,8 +16,8 @@ fix: | references: cce: - CCE-92963-8 - cci: - - N/A + cci: + - N/A 800-171r2: - 3.5.1 - 3.5.2 @@ -32,9 +32,9 @@ references: srg: - N/A cis: - benchmark: + benchmark: - 2.12.2 (level 1) - controls v8: + controls v8: - 3.3 cmmc: - AC.L1-3.1.2 diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml index 85071eafb..d7a63b1a8 100644 --- a/rules/system_settings/system_settings_hot_corners_disable.yaml +++ b/rules/system_settings/system_settings_hot_corners_disable.yaml @@ -28,11 +28,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml index 011cd9891..857c3a5de 100644 --- a/rules/system_settings/system_settings_hot_corners_secure.yaml +++ b/rules/system_settings/system_settings_hot_corners_secure.yaml 
@@ -1,7 +1,7 @@ id: system_settings_hot_corners_secure title: "Secure Hot Corners" discussion: | - Hot corners _MUST_ be secured. + Hot corners _MUST_ be secured. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer. check: | @@ -26,15 +26,15 @@ fix: | references: cce: - CCE-92966-1 - cci: + cci: - N/A 800-53r5: - AC-11(1) - 800-53r4: + 800-53r4: - AC-11(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml index fc8cd1153..d7d000b34 100644 --- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml +++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92968-7 - cci: + cci: - N/A 800-53r5: - N/A @@ -27,9 +27,9 @@ references: 800-171r2: - N/A cis: - benchmark: + benchmark: - 1.4 (level 1) - controls v8: + controls v8: - 7.3 - 7.4 macOS: diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml index 8c98f26fa..595497966 100644 --- a/rules/system_settings/system_settings_location_services_disable.yaml +++ b/rules/system_settings/system_settings_location_services_disable.yaml 
@@ -40,13 +40,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml index eb316007a..55b78f082 100644 --- a/rules/system_settings/system_settings_location_services_enable.yaml +++ b/rules/system_settings/system_settings_location_services_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_location_services_enable title: "Enable Location Services" discussion: | - Location Services _MUST_ be enabled. + Location Services _MUST_ be enabled. check: | /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\ @@ -17,22 +17,22 @@ fix: | references: cce: - CCE-92973-7 - cci: + cci: - N/A 800-53r5: - - N/A - 800-53r4: + - N/A + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.6.1.1 (level 2) - controls v8: + controls v8: - 4.1 - 4.8 macOS: diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml index 373bf9155..76bfdebeb 100644 --- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml +++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-92974-5 - cci: + cci: - N/A 800-53r5: - - N/A - 800-53r4: + - N/A + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.6.1.2 (level 2) - controls v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml index 84d200482..719dd595f 100644 --- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml +++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_loginwindow_loginwindowtext_enable title: "Configure Login Window to Show A Custom Message" discussion: | - The login window _MUST_ be configured to show a custom access warning message. + The login window _MUST_ be configured to show a custom access warning message. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ @@ -14,26 +14,26 @@ fix: | references: cce: - CCE-92975-2 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.10.3 (level 1) controls v8: - 4.1 macOS: - "14.0" -odv: +odv: hint: "Organization's approved message." recommended: Center for Internet Security Test Message cis_lvl1: Center for Internet Security Test Message diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml index eac26f16d..9f82faf0f 100644 --- a/rules/system_settings/system_settings_media_sharing_disabled.yaml +++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml 
@@ -3,7 +3,7 @@ title: "Disable Media Sharing" discussion: | Media sharing _MUST_ be disabled. - When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. + When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml index 9111a3a78..85ec502a1 100644 --- a/rules/system_settings/system_settings_password_hints_disable.yaml +++ b/rules/system_settings/system_settings_password_hints_disable.yaml @@ -2,7 +2,7 @@ id: system_settings_password_hints_disable title: "Disable Password Hints" discussion: | Password hints _MUST_ be disabled. - + Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. check: | /usr/bin/osascript -l JavaScript << EOS diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml index 1f9a7c4a5..f5498016e 100644 --- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml +++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable Personalized Advertising" discussion: | Ad tracking and targeted ads _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. + The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -16,14 +16,14 @@ fix: | references: cce: - CCE-92979-4 - cci: + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - - SC-7(10) - 800-53r4: + - SC-7(10) + 800-53r4: - AC-20 - CM-7 - CM-7(1) diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml index a2bc6be0d..9cac53b08 100644 --- a/rules/system_settings/system_settings_printer_sharing_disable.yaml +++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_printer_sharing_disable title: "Disable Printer Sharing" discussion: | - Printer Sharing _MUST_ be disabled. + Printer Sharing _MUST_ be disabled. check: | /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" result: @@ -15,22 +15,22 @@ fix: | references: cce: - CCE-92980-2 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.4 (level 1) controls v8: - 4.1 diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml index 76925341a..f40ac4639 100644 
--- a/rules/system_settings/system_settings_remote_management_disable.yaml +++ b/rules/system_settings/system_settings_remote_management_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_remote_management_disable title: "Disable Remote Management" discussion: | - Remote Management _MUST_ be disabled. + Remote Management _MUST_ be disabled. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" result: @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-92982-8 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.3.6 (level 1) controls v8: - 4.1 diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml index 1fec3cc0f..608c2e289 100644 --- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml +++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml @@ -33,11 +33,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_siri_prefpane_disable.yaml b/rules/system_settings/system_settings_siri_prefpane_disable.yaml index d4b422ee2..eced38cdf 100644 --- a/rules/system_settings/system_settings_siri_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_siri_prefpane_disable.yaml 
@@ -1,7 +1,7 @@ id: system_settings_siri_prefpane_disable title: "Disable the System Preference Pane for Siri" discussion: | - This is required for compliance with the DISA STIG for macOS. + This is required for compliance with the DISA STIG for macOS. The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml index a18183032..f969fba64 100644 --- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92990-1 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml index a55de19ce..cba551beb 100644 --- a/rules/system_settings/system_settings_software_update_download_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92991-9 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml index 635069c5f..191930068 100644 --- a/rules/system_settings/system_settings_software_update_enforce.yaml +++ b/rules/system_settings/system_settings_software_update_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92992-7 - cci: + cci: - N/A 800-53r5: - SI-2(5) diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml index 77eb1404d..d445c87fb 100644 
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml +++ b/rules/system_settings/system_settings_softwareupdate_current.yaml @@ -23,7 +23,7 @@ fix: | references: cce: - CCE-92993-5 - cci: + cci: - N/A 800-53r5: - N/A @@ -31,7 +31,7 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml index 5f58aa0e7..acacec1ba 100644 --- a/rules/system_settings/system_settings_ssh_enable.yaml +++ b/rules/system_settings/system_settings_ssh_enable.yaml @@ -1,7 +1,7 @@ id: system_settings_ssh_enable title: "Enable SSH Server for Remote Access Sessions" discussion: | - Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. + Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => enabled' result: @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-92995-0 - cci: + cci: - N/A 800-53r5: - IA-2(8) @@ -23,7 +23,7 @@ references: - CM-7(1) - AC-17 800-53r4: - - AC-3 + - AC-3 - CM-7 - CM-7(1) - IA-2(8) @@ -45,13 +45,13 @@ references: macOS: - "14.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml index f21085b7a..2865158e5 100644 --- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml +++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml 
@@ -1,33 +1,33 @@ id: system_settings_time_machine_auto_backup_enable title: "Configure Time Machine for Automatic Backups" discussion: | - Automatic backups _MUST_ be enabled when using Time Machine. + Automatic backups _MUST_ be enabled when using Time Machine. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\ .objectForKey('AutoBackup').js EOS -result: +result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-92997-6 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.4.1 (level 2) controls v8: - 11.2 diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml index 274b212a9..121780f04 100644 --- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml +++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml @@ -1,7 +1,7 @@ id: system_settings_time_machine_encrypted_configure title: "Ensure Time Machine Volumes are Encrypted" discussion: | - Time Machine volumes _MUST_ be encrypted. + Time Machine volumes _MUST_ be encrypted. check: | error_count=0 for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do @@ -12,7 +12,7 @@ check: | fi done echo "$error_count" -result: +result: integer: 0 fix: | . Go to System Settings -> Time Machine @@ -23,20 +23,20 @@ fix: | references: cce: - CCE-92998-4 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.3.4.2 (level 1) controls v8: - 3.6 
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml index f388980ee..4c2db4b6b 100644 --- a/rules/system_settings/system_settings_time_server_enforce.yaml +++ b/rules/system_settings/system_settings_time_server_enforce.yaml @@ -16,17 +16,17 @@ fix: | references: cce: - CCE-93000-8 - cci: + cci: - CCI-001891 - CCI-002046 800-53r5: - AU-12(1) - SC-45(1) - 800-53r4: + 800-53r4: - AU-8(1) srg: - SRG-OS-000355-GPOS-00143 - - SRG-OS-000356-GPOS-00144 + - SRG-OS-000356-GPOS-00144 disa_stig: - N/A 800-171r2: diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml index 2523e0b12..07bab8c4e 100644 --- a/rules/system_settings/system_settings_token_removal_enforce.yaml +++ b/rules/system_settings/system_settings_token_removal_enforce.yaml @@ -38,11 +38,11 @@ references: macOS: - "14.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253_moderate - cnssi-1253_low - cnssi-1253_high diff --git a/rules/system_settings/system_settings_touch_id_pane_disable.yaml b/rules/system_settings/system_settings_touch_id_pane_disable.yaml index 99ccc4f75..32ba99e90 100644 --- a/rules/system_settings/system_settings_touch_id_pane_disable.yaml +++ b/rules/system_settings/system_settings_touch_id_pane_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_touch_id_pane_disable title: "Disable the Touch ID and Password Preference Pane" discussion: | - This is required for compliance with the DISA STIG for macOS. + This is required for compliance with the DISA STIG for macOS. The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. 
diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml index a9eb335c5..125aebdca 100644 --- a/rules/system_settings/system_settings_usb_restricted_mode.yaml +++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml @@ -27,10 +27,10 @@ references: cce: - CCE-93004-0 cci: - - N/A + - N/A 800-53r5: - MP-7 - - SC-41 + - SC-41 800-171r2: - N/A cis: diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml index 828c885db..648e795e5 100644 --- a/rules/system_settings/system_settings_wake_network_access_disable.yaml +++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml @@ -23,7 +23,7 @@ references: disa_stig: - N/A srg: - - N/A + - N/A 800-171r2: - N/A cis: diff --git a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml index 8f4b13d8b..262aa5226 100644 --- a/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml +++ b/rules/system_settings/system_settings_wallet_applepay_prefpane_disable.yaml @@ -1,7 +1,7 @@ id: system_settings_wallet_applepay_prefpane_disable title: "Disable the System Preference Pane for Wallet and Apple Pay" discussion: | - This is required for compliance with the DISA STIG for macOS. + This is required for compliance with the DISA STIG for macOS. The domain *com.apple.systempreferences* has been deprecated by Apple in macOS 13. The recommended way to disable System Setting Panes is to use the *DisabledSystemSettings* key. diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml index fb87d55be..cf149de1c 100644 --- a/rules/system_settings/system_settings_wifi_disable.yaml +++ b/rules/system_settings/system_settings_wifi_disable.yaml 
@@ -1,14 +1,14 @@ id: system_settings_wifi_disable title: "Disable Wi-Fi Interface" discussion: | - The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. + The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | /usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi" -result: +result: integer: 1 fix: | To disable Wi-Fi on a macOS system, run the following command. @@ -26,7 +26,7 @@ references: - AC-18 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml index 3016e9f07..350b281aa 100644 --- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml +++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml 
@@ -1,9 +1,9 @@ id: system_settings_wifi_disable_when_connected_to_ethernet title: "Disable Wi-Fi When Connected to Ethernet" discussion: | - The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. + The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. - The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. + The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | @@ -19,7 +19,7 @@ references: - AC-4 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml index cb74f6757..3cc6026cc 100644 --- a/rules/system_settings/system_settings_wifi_menu_enable.yaml +++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml @@ -14,15 +14,15 @@ fix: | references: cce: - CCE-93010-7 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index cf2f1bcdf..d1d9db9ff 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py 
@@ -65,13 +65,13 @@ def get_rule_yaml(rule_file, custom=False): else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + try: og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] except IndexError: #assume this is a completely new rule og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] - + # get original/default rule yaml for comparison with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) @@ -165,7 +165,7 @@ def create_args(): help="List the available keyword tags to search for.", action="store_true") parser.add_argument("-t", "--tailor", default=None, help="Customize the baseline to your organizations values.", action="store_true") - + return parser.parse_args() def section_title(section_name, platform): @@ -181,7 +181,7 @@ def section_title(section_name, platform): "sys_prefs": "systempreferences", "srg": "srg" } - + if section_name in titles: return titles[section_name] else: @@ -193,9 +193,9 @@ def get_controls(all_rules): for control in rule.rule_80053r4: if control not in all_controls: all_controls.append(control) - + all_controls.sort() - + return all_controls def append_authors(authors, name, org): @@ -212,7 +212,7 @@ def parse_authors(authors_from_yaml): if "preamble" in authors_from_yaml.keys(): preamble = authors_from_yaml['preamble'] author_block += f'{preamble}\n ' - + author_block += "|===\n " for name in authors_from_yaml['names']: author_block += f'|{name}\n ' 
@@ -269,16 +269,16 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors else: output_text = f'title: "{version["platform"]} {version["os"]}: Security Configuration -{full_title}"\n' output_text += f'description: |\n This guide describes the actions to take when securing a {version["platform"]} {version["os"]} system against the{full_title} security baseline.\n' - + if benchmark == "recommended": output_text += "\n Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.\n" - + # # process authors output_text += f'authors: |\n {authors}' output_text += f'parent_values: "{benchmark}"\n' output_text += 'profile:\n' - + # sort the rules other_rules.sort() inherent_rules.sort() @@ -293,7 +293,7 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors for rule in other_rules: if rule.startswith(section): output_text += (" - {}\n".format(rule)) - + if len(inherent_rules) > 0: output_text += (' - section: "Inherent"\n') output_text += (" rules:\n") @@ -317,12 +317,12 @@ def output_baseline(rules, version, baseline_tailored_string, benchmark, authors output_text += (" rules:\n") for rule in supplemental_rules: output_text += (" - {}\n".format(rule)) - + return output_text def write_odv_custom_rule(rule, odv): print(f"Writing custom rule for {rule.rule_id} to include value {odv}") - + if not os.path.exists("../custom/rules"): os.makedirs("../custom/rules") if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"): 
@@ -331,11 +331,11 @@ def write_odv_custom_rule(rule, odv): else: rule_yaml = {} - # add odv to rule_yaml + # add odv to rule_yaml rule_yaml['odv'] = {"custom" : odv} with open(f"../custom/rules/{rule.rule_id}.yaml", 'w') as f: - yaml.dump(rule_yaml, f, explicit_start=True) - + yaml.dump(rule_yaml, f, explicit_start=True) + return def remove_odv_custom_rule(rule): @@ -353,7 +353,7 @@ def remove_odv_custom_rule(rule): else: if os.path.exists(f"../custom/rules/{rule.rule_id}.yaml"): os.remove(f"../custom/rules/{rule.rule_id}.yaml") - + def sanitised_input(prompt, type_=None, range_=None, default_=None): while True: ui = input(prompt) or default_ @@ -387,18 +387,18 @@ def sanitised_input(prompt, type_=None, range_=None, default_=None): def odv_query(rules, benchmark): print("The inclusion of any given rule is a risk-based-decision (RBD). While each rule is mapped to an 800-53 control, deploying it in your organization should be part of the decision-making process. \nYou will be prompted to include each rule, and for those with specific organizational defined values (ODV), you will be prompted for those as well.\n") - + if not benchmark == "recommended": print(f"WARNING: You are attempting to tailor an already established benchmark. Excluding rules or modifying ODVs may not meet the compliance of the established benchmark.\n") - + included_rules = [] queried_rule_ids = [] - + include_all = False for rule in rules: get_odv = False - + _always_include = ['inherent'] if any(tag in rule.rule_tags for tag in _always_include): #print(f"Including rule {rule.rule_id} by default") @@ -461,7 +461,7 @@ def main(): # switch to the scripts directory os.chdir(file_dir) - + all_rules = collect_rules() if args.list_tags: 
@@ -475,14 +475,14 @@ def main(): with open(baselines_file) as r: baselines = yaml.load(r, Loader=yaml.SafeLoader) - + included_controls = get_controls(all_rules) needed_controls = [] - + for control in baselines['low']: if control not in needed_controls: needed_controls.append(control) - + for n_control in needed_controls: if n_control not in included_controls: print(f'{n_control} missing from any rule, needs a rule, or included in supplemental') @@ -507,7 +507,7 @@ def main(): version_file = os.path.join(parent_dir, "VERSION.yaml") with open(version_file) as r: - version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) found_rules = [] for rule in all_rules: @@ -517,7 +517,7 @@ def main(): if "supplemental" in rule.rule_tags: if rule not in found_rules: found_rules.append(rule) - + if args.keyword == None: print("No rules found for the keyword provided, please verify from the following list:") available_tags(all_rules) @@ -527,19 +527,19 @@ def main(): benchmark = args.keyword else: benchmark = "recommended" - + if args.keyword in mscp_data_yaml['authors']: authors = parse_authors(mscp_data_yaml['authors'][args.keyword]) else: authors = "|===\n |Name|Organization\n |===\n" - + if args.keyword in mscp_data_yaml['titles'] and not args.tailor: full_title = f" {mscp_data_yaml['titles'][args.keyword]}" elif args.tailor: full_title = "" else: full_title = f" {args.keyword}" - + baseline_tailored_string = "" if args.tailor: # prompt for name of benchmark to be used for filename @@ -558,7 +558,7 @@ def main(): else: baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') baseline_output_file.write(output_baseline(found_rules, version_yaml, baseline_tailored_string, benchmark, authors, full_title)) - + # finally revert back to the prior directory os.chdir(original_working_directory) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 66d55e935..b4d9f6a33 100755 
--- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -359,7 +359,7 @@ def concatenate_payload_settings(settings): def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''): """Generate the configuration profiles for the rules in the provided baseline YAML file """ - + # import profile_manifests.plist manifests_file = os.path.join( parent_dir, 'includes', 'supported_payloads.yaml') @@ -486,7 +486,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign created = date.today() description = "Created: {}\nConfiguration settings for the {} preference domain.".format(created, payload) - + organization = "macOS Security Compliance Project" displayname = f"[{baseline_name}] {payload} settings" @@ -852,7 +852,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): nist_80053r5 = 'N/A' else: nist_80053r5 = rule_yaml['references']['800-53r5'] - + cis_ref = ['cis', 'cis_lvl1', 'cis_lvl2', 'cisv8'] if reference == "default": @@ -1155,7 +1155,7 @@ def get_rule_yaml(rule_file, baseline_yaml, custom=False,): resulting_yaml = {} names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] file_name = os.path.basename(rule_file) - + # get parent values try: parent_values = baseline_yaml['parent_values'] @@ -1370,7 +1370,7 @@ def generate_xls(baseline_name, build_path, baseline_yaml): cis = cis.replace(", ", "\n") sheet1.write(counter, 13, cis, topWrap) sheet1.col(13).width = 500 * 15 - + cmmc_refs = (str(rule.rule_cmmc)).strip('[]\'') cmmc_refs = cmmc_refs.replace(", ", "\n").replace("\'", "") @@ -1621,7 +1621,7 @@ def main(): # convert logo to base64 for inline processing b64logo = base64.b64encode(open(pdf_logo_path, "rb").read()) - + build_path = os.path.join(parent_dir, 'build', f'{baseline_name}') if not (os.path.isdir(build_path)): 
@@ -1769,8 +1769,8 @@ def main(): else: adoc_html_subtitle=baseline_yaml['title'].split(':')[1] adoc_document_subtitle2 = ':document-subtitle2:' - - # Create header + + # Create header header_adoc = adoc_header_template.substitute( description=baseline_yaml['description'], html_header_title=baseline_yaml['title'], diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index cfd798f3c..a0ed910d8 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -106,8 +106,8 @@ def sort_nicely( l ): def main(): file_dir = os.path.dirname(os.path.abspath(__file__)) - - os.chdir(file_dir) + + os.chdir(file_dir) nist_header = "" other_header = "" @@ -123,7 +123,7 @@ def dir_path(string): parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store") - + try: results = parser.parse_args() print("Mapping CSV: " + results.CSV.name) @@ -131,9 +131,9 @@ def dir_path(string): except IOError as msg: - + parser.error(str(msg)) - + version_file = "../VERSION.yaml" with open(version_file) as r: @@ -142,14 +142,14 @@ def dir_path(string): for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): sub_directory = rule.split(".yaml")[0].split("/")[2] - + if "supplemental" in rule or "srg" in rule: continue - + # with open(rule) as r: # rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) rule_yaml = get_rule_yaml(rule, custom=False) - + control_array = [] # print("----------------------") # print(rule_yaml) 
@@ -159,21 +159,21 @@ def dir_path(string): modded_reader = csv_reader dict_from_csv = dict(list(modded_reader)[0]) - + list_of_column_names = list(dict_from_csv.keys()) nist_header = list_of_column_names[1] other_header = list_of_column_names[0] - - - + + + with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: reader = csv.DictReader(csvfile,dialect='excel') - + for row in reader: - + if results.framework != nist_header: sys.exit(str(results.framework) + " not found in CSV") @@ -185,33 +185,33 @@ def dir_path(string): duplicate = "" csv_duplicate = "" for control in controls: - + try: - + rule_yaml['references'] - + if "/" in str(results.framework): - + framework_main = results.framework.split("/")[0] framework_sub = results.framework.split("/")[1] - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][framework_main][framework_sub] else: references = rule_yaml['references']['custom'][framework_main][framework_sub] - + for yaml_control in references: if duplicate == str(yaml_control).split("(")[0]: continue if csv_duplicate == str(row[other_header]): - + continue if control.replace(" ",'') == str(yaml_control): - + duplicate = str(yaml_control).split("(")[0] csv_duplicate = str(row[other_header]) - + row_array = str(row[other_header]).split(",") for item in row_array: control_array.append(item) @@ -219,7 +219,7 @@ def dir_path(string): else: - + references = [] if "custom" not in rule_yaml['references']: references = rule_yaml['references'][results.framework] 
@@ -239,33 +239,33 @@ def dir_path(string): for item in row_array: control_array.append(item) print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) - + except: continue - + if len(control_array) == 0: continue - + custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in control_array: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + if os.path.isdir("../build/" + other_header) == False: os.mkdir("../build/" + other_header) if os.path.isdir("../build/" + other_header + "/rules/") == False: os.mkdir("../build/" + other_header + "/rules/") if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: os.mkdir("../build/" + other_header + "/rules/" + sub_directory) - - try: + + try: with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: custom_yaml = r.read() @@ -276,23 +276,23 @@ def dir_path(string): with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: fw.write(custom_rule) - + for rule in glob.glob("../build/" + other_header + "/rules/*/*"): if "supplemental" in rule or "srg" in rule: continue - + with open(rule) as r: custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) othercontrols = [] - + if other_header in custom_rule_yaml['references']['custom']: - + for control in custom_rule_yaml['references']['custom'][other_header]: - + if str(control) in othercontrols: continue else: - + othercontrols.append(str(control)) sort_nicely(othercontrols) 
@@ -302,18 +302,18 @@ def dir_path(string): custom_rule = '''references: custom: {}:'''.format(other_header) - + for control in othercontrols: custom_rule = custom_rule + ''' - {}'''.format(control) - + custom_rule = custom_rule + ''' tags: - {}'''.format(other_header) - + with open(rule, 'w') as rite: - rite.write(custom_rule) - + rite.write(custom_rule) + audit = [] auth = [] @@ -333,8 +333,8 @@ def dir_path(string): with open(rule) as r: custom_rule = yaml.load(r, Loader=yaml.SafeLoader) rule_id = rule.split(".yaml")[0].split("/")[5] - - + + if other_header in custom_rule['tags']: if "inherent" in rule_yaml['tags']: inherent.append(rule_id) @@ -345,10 +345,10 @@ def dir_path(string): if "n_a" in custom_rule['tags']: na.append(rule_id) continue - + if "/audit/" in rule: audit.append(rule_id) - + continue if "/auth/" in rule: auth.append(rule_id) @@ -368,8 +368,8 @@ def dir_path(string): if "/sysprefs/" in rule: sysprefs.append(rule_id) continue - - + + full_baseline = '''title: "{4} {2} ({3}): Security Configuration - {0}" description: | This guide describes the actions to take when securing a {4} {2} system against the {1}. @@ -377,11 +377,11 @@ def dir_path(string): |=== |Name|Organization |=== -parent_values: recommended +parent_values: recommended profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['version'].split(" ")[0],version_yaml['platform']) - + if len(audit) != 0: - + full_baseline = full_baseline + ''' - section: "Auditing" rules:''' @@ -395,7 +395,7 @@ def dir_path(string): - section: "Authentication" rules:''' auth.sort() - + for rule in auth: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -405,7 +405,7 @@ def dir_path(string): - section: "SystemPreferences" rules:''' sysprefs.sort() - + for rule in sysprefs: full_baseline = full_baseline + ''' - {}'''.format(rule) 
@@ -415,7 +415,7 @@ def dir_path(string): - section: "SystemSettings" rules:''' system_settings.sort() - + for rule in system_settings: full_baseline = full_baseline + ''' - {}'''.format(rule) @@ -437,7 +437,7 @@ def dir_path(string): for rule in os_section: full_baseline = full_baseline + ''' - {}'''.format(rule) - + if len(os_section) != 0 and version_yaml['platform'] == "macOS": full_baseline = full_baseline + ''' - section: "macOS" @@ -446,7 +446,7 @@ def dir_path(string): for rule in os_section: full_baseline = full_baseline + ''' - {}'''.format(rule) - + if len(pwpolicy) != 0: full_baseline = full_baseline + ''' - section: "PasswordPolicy" @@ -493,7 +493,7 @@ def dir_path(string): {} '''.format(listofsupplementals) - + try: if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: @@ -502,7 +502,7 @@ def dir_path(string): with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw: fw.write(full_baseline) print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/") - + print("Move all of the folders in rules into the custom folder.") except: print("No controls mapped were found in rule files.") diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py index bd2a3c080..a6b6f4f4e 100755 --- a/scripts/generate_scap.py +++ b/scripts/generate_scap.py @@ -16,7 +16,7 @@ import argparse from xml.sax.saxutils import escape -warnings.filterwarnings("ignore", category=DeprecationWarning) +warnings.filterwarnings("ignore", category=DeprecationWarning) def format_mobileconfig_fix(mobileconfig): """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide. 
@@ -73,7 +73,7 @@ def replace_ocil(xccdf, x): def create_args(): - + parser = argparse.ArgumentParser( description="Easily generate xccdf, oval, or scap datastream. If no option is defined, it will generate an scap datastream file.") parser.add_argument("-x", "--xccdf", default=None, @@ -88,16 +88,16 @@ def create_args(): return parser.parse_args() def generate_scap(all_rules, all_baselines, args): - + export_as = "" version_file = "../VERSION.yaml" with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + if args.xccdf: export_as = "xccdf" - + if args.oval: export_as = "oval" if "ios" in version_yaml['cpe']: @@ -118,10 +118,10 @@ def generate_scap(all_rules, all_baselines, args): output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) if "ios" in version_yaml['cpe']: output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion) - + if export_as == "xccdf": output = output + "_xccdf.xml" - + if export_as == "oval": output = output + "_oval.xml" @@ -159,8 +159,8 @@ def generate_scap(all_rules, all_baselines, args): {4} {1}: Security Configuration - - + + Security Content Automation Protocol National Institute of Standards and Technology @@ -207,8 +207,8 @@ def generate_scap(all_rules, all_baselines, args): macOS {1}: Security Configuration - - + + Security Content Automation Protocol National Institute of Standards and Technology 
@@ -228,32 +228,32 @@ def generate_scap(all_rules, all_baselines, args): '''.format(date_time_string, version_yaml['os'], version_yaml['cpe'], version_yaml['version'],date_time_string.split("T")[0] + "Z") generated_baselines = {} - + for rule in all_rules: - + if glob.glob('../custom/rules/**/{}.yaml'.format(rule),recursive=True): rule_file = glob.glob('../custom/rules/**/{}.yaml'.format(rule),recursive=True)[0] custom=True - + elif glob.glob('../rules/*/{}.yaml'.format(rule)): rule_file = glob.glob('../rules/*/{}.yaml'.format(rule))[0] custom=False odv_label = str() og_rule_yaml = get_rule_yaml(rule_file, custom) - + loop = 1 if "odv" in og_rule_yaml: loop = len(og_rule_yaml['odv']) - + if args.baseline != "None": loop = 1 for a in range(0, loop): - + rule_yaml = get_rule_yaml(rule_file, custom) - try: - + try: + # # odv_label = list(rule_yaml['odv'].keys())[a] # # odv_label.remove('hint') if args.baseline != "None": @@ -265,27 +265,27 @@ def generate_scap(all_rules, all_baselines, args): else: odv_label = list(rule_yaml['odv'].keys())[a] - - + + # if odv_label == "hint": # continue - - + + odv_value = str(rule_yaml['odv'][odv_label]) rule_yaml['title'] = rule_yaml['title'].replace("$ODV",str(odv_value)) rule_yaml['discussion'] = rule_yaml['discussion'].replace("$ODV",odv_value) rule_yaml['check'] = rule_yaml['check'].replace("$ODV",odv_value) - + rule_yaml['fix'] = rule_yaml['fix'].replace("$ODV",odv_value) - - + + for result_value in rule_yaml['result']: if "$ODV" == rule_yaml['result'][result_value]: rule_yaml['result'][result_value] = rule_yaml['result'][result_value].replace("$ODV",odv_value) - - + + if rule_yaml['mobileconfig_info']: for mobileconfig_type in rule_yaml['mobileconfig_info']: if isinstance(rule_yaml['mobileconfig_info'][mobileconfig_type], dict): 
@@ -295,30 +295,30 @@ def generate_scap(all_rules, all_baselines, args): except: odv_label = "recommended" - + for baseline in all_baselines: found_rules = [] for tag in rule_yaml['tags']: if tag == baseline: if odv_label != "recommended" and odv_label == tag or odv_label == "custom": - + if baseline in generated_baselines: generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] continue elif odv_label == "recommended" or odv_label == "custom": - + if "odv" in rule_yaml: if baseline not in rule_yaml['odv']: if baseline in generated_baselines: - + generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] else: if baseline in generated_baselines: - + generated_baselines[baseline].append(rule_yaml['id'] + "_" + odv_label) else: generated_baselines[baseline] = [rule_yaml['id'] + "_" + odv_label] @@ -347,7 +347,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x) references = str() - + if "800-53r5" in rule_yaml['references'] and rule_yaml['references']['800-53r5'][0] != "N/A": references = references + "NIST SP 800-53r5: " for nist80053 in rule_yaml['references']['800-53r5']: @@ -379,13 +379,13 @@ def generate_scap(all_rules, all_baselines, args): for v8controls in rule_yaml['references']['cis']['controls v8']: references = references + str(v8controls) + ", " references = references[:-2] + "" - + for k,v in rule_yaml['references'].items(): if k == "cci" or k == "srg": continue if k == "custom": - - + + for i,u in rule_yaml['references']['custom'].items(): references = references + '{0}: '.format(i) for refs in rule_yaml['references']['custom'][i]: @@ -407,9 +407,9 @@ def generate_scap(all_rules, all_baselines, args): {2} {3} - + {4} - + {5}{9} {6} {7} 
@@ -426,19 +426,19 @@ def generate_scap(all_rules, all_baselines, args): {2} {3} - + {4} - + {5}{8} {6} {7} - + '''.format(rule_yaml['id'] + "_" + odv_label, severity, rule_yaml['title'], rule_yaml['discussion'].replace("<","<").replace(">",">").replace("&","&").rstrip(), rule_yaml['check'].replace("<","<").replace(">",">").replace("&","&").rstrip(), result, cce,rule_yaml['fix'].replace("<","<").replace(">",">").replace("&","&") + "\n" + mobileconfig_info, references) continue - - + + if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 @@ -495,13 +495,13 @@ def generate_scap(all_rules, all_baselines, args): continue if "os_home_folders_secure" in rule_yaml['id']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -517,7 +517,7 @@ def generate_scap(all_rules, all_baselines, args): - + @@ -551,24 +551,24 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+999) x = x + 1 continue - + if rule_yaml['mobileconfig']: if "spctl" in rule_yaml['check']: - + if "verbose" in rule_yaml['check']: xccdf_rules = replace_ocil(xccdf_rules,x) x = x + 1 continue else: - + oval_definition = oval_definition + ''' - - + + {} - {} - + {} + 
@@ -590,28 +590,28 @@ def generate_scap(all_rules, all_baselines, args): true '''.format(rule_yaml['id'] + "_" + odv_label,x) - + x += 1 continue - + for payload_type, info in rule_yaml['mobileconfig_info'].items(): if payload_type == "com.apple.systempolicy.control": continue if payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): oval_definition = oval_definition + ''' - - + + {} - {} + {} '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip()) if len(settings) > 1: oval_definition = oval_definition + '''''' else: oval_definition = oval_definition + '''''' - + for key, value in settings.items(): state_kind = "" if type(value) == bool: @@ -620,7 +620,7 @@ def generate_scap(all_rules, all_baselines, args): state_kind = "int" elif type(value) == str: state_kind = "string" - + dz = d + 5000 oval_definition = oval_definition + ''''''.format(rule_yaml['id'] + '_' + odv_label + "_" + str(d), dz) @@ -629,11 +629,11 @@ def generate_scap(all_rules, all_baselines, args): - - + + '''.format(rule_yaml['id'] + "_" + odv_label + "_" + str(d),dz,dz,dz) if payload_domain == "com.apple.dock": - + oval_object = oval_object + ''' /Library/Preferences/com.apple.loginwindow.plist @@ -661,8 +661,8 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,dz,payload_domain,key) - - + + oval_state = oval_state + ''' {} @@ -677,19 +677,19 @@ def generate_scap(all_rules, all_baselines, args): if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: - + xpath_search = info['pathBlackList'] oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) 
@@ -706,28 +706,28 @@ def generate_scap(all_rules, all_baselines, args): boolean(plist/dict/array/string/text() = "{}") '''.format(rule_yaml['id'] + "_" + odv_label,x,str(xpath_search).replace('[',"").replace(']',"").replace("'","")) - + oval_state = oval_state + ''' true '''.format(rule_yaml['id'] + "_" + odv_label,x) - + x = x + 1 continue else: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -741,7 +741,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -769,16 +769,16 @@ def generate_scap(all_rules, all_baselines, args): continue if payload_type == "com.apple.finder": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -797,7 +797,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -822,7 +822,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ 
@@ -832,19 +832,19 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 continue - + if payload_type == "com.apple.DiscRecording": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -863,7 +863,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -888,7 +888,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ @@ -897,19 +897,19 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 - continue + continue if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -928,7 +928,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + state_kind = "" if type(value) == bool: oval_object = oval_object + ''' @@ -953,7 +953,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,state_kind,value) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ 
@@ -962,20 +962,20 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999) x += 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "DisabledSystemSettings": - + continue + if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "DisabledSystemSettings": + oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) @@ -994,19 +994,19 @@ def generate_scap(all_rules, all_baselines, args): /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - + '''.format(x+1999,rule_yaml['id'] + "_" + odv_label,x,x,key,str(value).strip('[]').strip("'")) - - + + oval_state = oval_state + ''' - + {} - + '''.format(rule_yaml['id'] + "_" + odv_label,x,str(value).strip('[]').strip("'")) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Managed Preferences/ @@ -1026,20 +1026,20 @@ def generate_scap(all_rules, all_baselines, args): elif type(value) == str: state_kind = "string" else: - + continue - + oval_definition = oval_definition + ''' - - + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) 
@@ -1050,11 +1050,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'] + "_" + odv_label,x,payload_type) - + if state_kind == "boolean": oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) @@ -1063,7 +1063,7 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - + oval_state = oval_state + ''' {} @@ -1080,14 +1080,14 @@ def generate_scap(all_rules, all_baselines, args): continue if "SPStorageDataType" in rule_yaml['check']: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 continue try: if "fdesetup" in command[3]: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 @@ -1098,18 +1098,18 @@ def generate_scap(all_rules, all_baselines, args): if "profiles" in command[3]: if "/usr/bin/profiles status -type enrollment" in rule_yaml['check']: oval_definition = oval_definition + ''' - - + + {} - {} - + {} + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],x,x+899,x+799) oval_test = oval_test + ''' @@ -1140,19 +1140,19 @@ def generate_scap(all_rules, all_baselines, args): try: if "csrutil" in command[3]: if "authenticated-root" in command[3]: - + print(rule_yaml['id'] + " - No relevant oval test") xccdf_rules = replace_ocil(xccdf_rules,x) x += 1 continue oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -1216,21 +1216,21 @@ def generate_scap(all_rules, all_baselines, args): try: if "pmset" in command[3] and "standby" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) - - + + oval_test = oval_test + ''' @@ -1242,14 +1242,14 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) - + oval_test = oval_test + ''' '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) - + standbydelayhigh = str() standbydelaylow = str() highstandbythreshold = str() @@ -1263,7 +1263,7 @@ def generate_scap(all_rules, all_baselines, args): standbydelaylow = line.split(" ")[-1].rstrip() if "highstandbythreshold" in line: highstandbythreshold = line.split(" ")[-1].rstrip() - + oval_object = oval_object + ''' SPHardwareDataType @@ -1271,7 +1271,7 @@ def generate_scap(all_rules, all_baselines, args): //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() '''.format("hardware UUID",x+999) - oval_variable = oval_variable + ''' + oval_variable = oval_variable + ''' /Library/Preferences/com.apple.PowerManagement. @@ -1283,16 +1283,16 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("High Standby Delay",standbydelayhigh) - + oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("Standby Delay",standbydelaylow) 
@@ -1300,11 +1300,11 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) - + oval_object = oval_object + ''' boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") '''.format("Standby Battery Threshold",highstandbythreshold) - + oval_state = oval_state + ''' true @@ -1325,29 +1325,29 @@ def generate_scap(all_rules, all_baselines, args): except: pass if "sudo -V" in rule_yaml['check']: - - + + if "grep" in rule_yaml['check'].split("|")[1]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x, rule_yaml['id'] + "_" + odv_label,x+5051) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1355,7 +1355,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, x+5051) check_string = rule_yaml['fix'].split("echo")[1].split('"')[1] - + oval_object = oval_object + ''' @@ -1373,21 +1373,21 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5051, rule_yaml['id'] + "_" + odv_label, check_string) - - + + x = x + 1 continue if "awk" in rule_yaml['check'].split("|")[1]: if "timestamp_type" in rule_yaml['fix'] and rule_yaml['result']['string'] == "tty": oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -1395,13 +1395,13 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1420,7 +1420,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+8002, rule_yaml['id'] + "_" + odv_label, x+8002) - + oval_object = oval_object + ''' @@ -1459,27 +1459,27 @@ def generate_scap(all_rules, all_baselines, args): continue else: check_string = "Defaults.*.timestamp_type={}".format(rule_yaml['result']['string']) - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+8000, rule_yaml['id'] + "_" + odv_label,x+8001, rule_yaml['id'] + "_" + odv_label,x+8002,rule_yaml['id'] + "_" + odv_label,x+8003) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1494,7 +1494,7 @@ def generate_scap(all_rules, all_baselines, args): 1 '''.format(x, rule_yaml['id'] + "_" + odv_label, check_string) - + oval_object = oval_object + ''' 
@@ -1508,28 +1508,28 @@ def generate_scap(all_rules, all_baselines, args): continue if "ssh_config" in rule_yaml['discussion'] and "dscl" in rule_yaml['check']: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' @@ -1545,9 +1545,9 @@ def generate_scap(all_rules, all_baselines, args): matchy_match = "" for matchNum, match in enumerate(matches, start=1): matchy_match = match.group() - + ssh_config_pattern = matchy_match.split('"')[1] - + oval_object = oval_object + ''' @@ -1566,21 +1566,21 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, ssh_config_pattern) - + oval_object = oval_object + ''' {} 1 - + - + .* oval:mscp:ste:{} '''.format(x+5001,rule_yaml['id'] + "_" + odv_label,x,ssh_config_pattern,x+999,x+999) - + oval_state = oval_state + ''' ^[^_\s].* 
@@ -1600,34 +1600,34 @@ def generate_scap(all_rules, all_baselines, args): continue if "sshd -T" in rule_yaml['check'] and "fips" in rule_yaml['check'] or "sshd -G" in rule_yaml['check'] and "fips" in rule_yaml['check']: fipslist = rule_yaml['check'].split("\n")[0].split("(")[1].replace(")","").replace('" "',"\n").replace('"',"") - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, x+5000) - + oval_object = oval_object + ''' @@ -1645,38 +1645,38 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, fipslist) - + x = x + 1 - + continue if "sshd -T" in rule_yaml['check'] or "sshd -G" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label, x+5000, rule_yaml['id'] + "_" + odv_label,x+5001) - + oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + oval_test = oval_test + ''' '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, x+5000) sshd_config_pattern = "" - if "grep" in rule_yaml['check']: + if "grep" in rule_yaml['check']: regex = r"(?<=grep).*$" matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) matchy_match = "" 
@@ -1687,12 +1687,12 @@ def generate_scap(all_rules, all_baselines, args): sshd_config_pattern = matchy_match.split('"')[1] elif "'" in matchy_match: sshd_config_pattern = matchy_match.split("'")[1] - + if "awk" in rule_yaml['check']: matchy_match = rule_yaml['check'].split("'")[1].split("/")[1] for item in rule_yaml['result']: sshd_config_pattern = matchy_match + " " + str(rule_yaml['result'][item]) - + oval_object = oval_object + ''' @@ -1710,32 +1710,32 @@ def generate_scap(all_rules, all_baselines, args): {} 1 '''.format(x+5000, rule_yaml['id'] + "_" + odv_label, sshd_config_pattern) - - + + x = x + 1 continue try: if "pmset" in command[3]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'] + "_" + odv_label,x) @@ -1759,13 +1759,13 @@ def generate_scap(all_rules, all_baselines, args): pass if "socketfilterfw" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1802,13 +1802,13 @@ def generate_scap(all_rules, all_baselines, args): if "systemsetup" in command[3]: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1826,9 +1826,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x) state_test = "" if "-getnetworktimeserver" in rule_yaml['check']: - + timeservers = rule_yaml['result']['string'] - + state_test = ''' {} '''.format(timeservers) 
@@ -1843,7 +1843,7 @@ def generate_scap(all_rules, all_baselines, args): abc = 0 if "defaults" in rule_yaml['check'] and "grep" in rule_yaml['check'] and "CURRENT_USER" in rule_yaml['check']: - + regex = r"(?<=\()(.*?)(?=\))" test_str = rule_yaml['check'].split("grep")[1] @@ -1852,25 +1852,25 @@ def generate_scap(all_rules, all_baselines, args): matchy_match = "" for matchNum, match in enumerate(matches, start=1): matchy_match = match.group() - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + for multi_grep in matchy_match.split("|"): - + oval_definition = oval_definition + ''' '''.format(rule_yaml['id']+"_"+str(abc),x) - + oval_test = oval_test + ''' @@ -1880,7 +1880,7 @@ def generate_scap(all_rules, all_baselines, args): key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") if "$CURRENT_USER" in rule_yaml['check']: - + oval_object = oval_object + ''' @@ -1898,18 +1898,18 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x+1999) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + oval_variable = oval_variable + ''' - /Library/Preferences/{}. + /Library/Preferences/{}. plist '''.format(x,x+1999,plist) - + oval_object = oval_object + ''' '''.format(rule_yaml['id']+"_"+str(abc),x,x) @@ -1917,8 +1917,8 @@ def generate_scap(all_rules, all_baselines, args): oval_datatype = "" try: int(value) - - oval_datatype = "int" + + oval_datatype = "int" oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) 
@@ -1937,28 +1937,28 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) - + abc =+ 1 x = x+1 oval_definition = oval_definition + ''' ''' oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - + x = x+1 break - + if "defaults" in rule_yaml['check']: - + if rule_yaml['id'] == "system_settings_hot_corners_secure" or rule_yaml['id'] == "sysprefs_hot_corners_secure": oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -1966,7 +1966,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+5000,rule_yaml['id'] + "_" + odv_label,x+5001,rule_yaml['id'] + "_" + odv_label,x+5002) - + oval_test = oval_test + ''' 
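Review bot: `abc =+ 1` in the `@@ -1937` hunk parses as `abc = +1`, not `abc += 1`, so after the first pass through the `for multi_grep in matchy_match.split("|")` loop `abc` is pinned at 1 and never advances. Because `key`/`value` are read from `matchy_match.split("|")[abc]` and the object/state ids are built from `rule_yaml['id']+"_"+str(abc)`, any rule with three or more grep patterns produces an OVAL check that re-tests the second pattern and emits duplicate ids, silently mis-checking the later keys. The one-line fix is `abc += 1`. The loop and the `key`/`value` lines sit in the preceding hunks (`@@ -1852`, `@@ -1880`), and `generate_scap` itself starts and ends outside this hunk.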
@@ -1994,44 +1994,44 @@ def generate_scap(all_rules, all_baselines, args): plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + '''.format(key) key = rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5000,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5001,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - + oval_object = oval_object + ''' - + '''.format(rule_yaml['id'] + "_" + odv_label,x+5002,x) oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) @@ -2043,8 +2043,8 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - - + + after_user = plist.split('"')[2] oval_variable = oval_variable + ''' @@ -2056,10 +2056,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,after_user,x+999) try: check_if = rule_yaml['check'].split("\n")[5] - + modifier = 0 for n in check_if.split(): - + if n.replace('"',"").isdigit(): if modifier >= 4999: modifier = modifier + 1 
@@ -2070,25 +2070,25 @@ def generate_scap(all_rules, all_baselines, args): modifier = 4999 x = x + 1 continue - except: - x = x + 1 + except: + x = x + 1 continue - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' @@ -2096,9 +2096,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - + oval_object = oval_object + ''' SPHardwareDataType @@ -2107,28 +2107,28 @@ def generate_scap(all_rules, all_baselines, args): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].split()[check_length-1] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: + + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) except: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -2138,7 +2138,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -2149,10 +2149,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) - + else: - + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] 
@@ -2170,8 +2170,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - - oval_variable = oval_variable + ''' + + oval_variable = oval_variable + ''' {}. @@ -2179,30 +2179,30 @@ def generate_scap(all_rules, all_baselines, args): .plist '''.format(x,plist,x+999) - + elif "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - - try: + + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) except: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -2212,7 +2212,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -2223,15 +2223,15 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) else: - + if plist[-6:] != ".plist": plist = plist + ".plist" - + plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() oval_object = oval_object + ''' {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' @@ -2241,8 +2241,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(plist_key) - - + + datatype = "" plist_key = rule_yaml['check'].split(" ")[3].rstrip() for key in rule_yaml['result']: 
@@ -2259,20 +2259,20 @@ def generate_scap(all_rules, all_baselines, args): value = "true" else: value = rule_yaml['result'][datatype] - + oval_state = oval_state + ''' {} '''.format(rule_yaml['id'] + "_" + odv_label,x,oval_datatype,value) oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) x = x+1 - + continue try: if "security" in command[3]: if rule_yaml['check'].split()[1] == "authorizationdb": check = rule_yaml['check'].split("|") - + authdb = rule_yaml['check'].split()[3] if len(check) > 2: @@ -2280,18 +2280,18 @@ def generate_scap(all_rules, all_baselines, args): key = str(matches).replace("[","").replace("]","").replace("'","") length = len(check[2].split()) - + last_string = check[2].split()[length-1].replace('"',"").replace("<","").replace(">","").replace("/","") - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2303,7 +2303,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) - + oval_object = oval_object + ''' {} @@ -2312,20 +2312,20 @@ def generate_scap(all_rules, all_baselines, args): oval_state = oval_state + ''' - + true '''.format(rule_yaml['id'] + "_" + odv_label,x) else: key = (check[1].split()[2].replace("'","")) oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2347,7 +2347,7 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,key) - + else: if "authorizationdb" in rule_yaml['check']: regex = r"=\(.*.\)" 
@@ -2355,19 +2355,19 @@ def generate_scap(all_rules, all_baselines, args): matches = re.finditer(regex, rule_yaml['check'], re.MULTILINE) for matchNum, match in enumerate(matches, start=1): matchy_match = match.group().replace('=(',"").replace(")","").replace('"','').split() - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion']) for match in matchy_match: - + oval_definition = oval_definition + ''' '''.format(rule_yaml['id'] + "+" + match, x) @@ -2378,7 +2378,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(match,x,x,x) key="shared" value="" - if "false" in rule_yaml["check"]: + if "false" in rule_yaml["check"]: value="false" else: value="true" @@ -2391,11 +2391,11 @@ def generate_scap(all_rules, all_baselines, args): oval_state = oval_state + ''' - + true '''.format(match,x) x += 1 - + oval_definition = oval_definition + "" x += 1 continue @@ -2403,17 +2403,17 @@ def generate_scap(all_rules, all_baselines, args): pass if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - - + + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' @@ -2421,11 +2421,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x) path = rule_yaml['fix'].split("----")[1].split(" ")[-1] - + oval_object = oval_object + ''' {} - + '''.format(x,rule_yaml['id'] + "_" + odv_label,path.rstrip()) x += 1 continue 
@@ -2433,20 +2433,20 @@ def generate_scap(all_rules, all_baselines, args): try: if "ls" in command[2] or "stat" in command[3].split()[0]: if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x,rule_yaml['id'] + "_" + odv_label,x+2999) oval_test = oval_test + ''' @@ -2460,33 +2460,33 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' /Library/Security/PolicyBanner.rtf - + /Library/Security/PolicyBanner.rtfd - + '''.format(x,rule_yaml['id'] + "_" + odv_label,x+2999,rule_yaml['id']) x = x + 1 continue - + s = rule_yaml['check'] config_file = str() oval_variable_need = bool() if "grep" in s.split()[2]: - - + + oval_variable_need = True grep_search = re.search('\((.*?)\)', s).group(1) - + substring = grep_search.split("|")[0] regex = re.search('\'(.*?)\'', substring).group(1) - + try: regex = re.search('/(.*?)/', regex).group(1) except: regex = regex - config_file = substring = grep_search.split("|")[0].split()[-1] + config_file = substring = grep_search.split("|")[0].split()[-1] oval_object = oval_object + ''' @@ -2500,7 +2500,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x+999) - + else: oval_variable_need = False config_file = s.split()[2] @@ -2508,20 +2508,20 @@ def generate_scap(all_rules, all_baselines, args): s = rule_yaml['fix'] fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] - + oval_definition = oval_definition + ''' - - - - {} + + + + {} - {} - - + {} + + - - + + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' 
@@ -2529,7 +2529,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x,x) - + if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": behavior = '' if "audit" in rule_yaml['id']: @@ -2550,30 +2550,30 @@ def generate_scap(all_rules, all_baselines, args): {} {} - + '''.format(rule_yaml['id'] + "_" + odv_label,x,behavior,config_file) state_test = "" if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: state_test = ''' false ''' - + elif "chgrp" in fix_command: state_test = ''' {} '''.format(rule_yaml['result']['integer']) elif "chown" in fix_command: - + state_test = ''' {} '''.format(rule_yaml['result']['integer']) - + elif "chmod" in fix_command: - + perms = fix_command.split()[1] - + if perms[0] == "0": state_test = ''' false @@ -2595,7 +2595,7 @@ def generate_scap(all_rules, all_baselines, args): true true''' elif perms[0] == "4": - + state_test = ''' true false @@ -2615,7 +2615,7 @@ def generate_scap(all_rules, all_baselines, args): true true true''' - + if perms[1] == "0": state_test = state_test + ''' false @@ -2637,7 +2637,7 @@ def generate_scap(all_rules, all_baselines, args): true true''' elif perms[1] == "4": - + state_test = state_test + ''' true false @@ -2659,11 +2659,11 @@ def generate_scap(all_rules, all_baselines, args): true''' if perms[2] == "0": - + state_test = state_test + ''' false false - false''' + false''' if perms[2] == "1": state_test = state_test + ''' false @@ -2709,7 +2709,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x) + state_test + ''' ''' - + x += 1 continue except: 
@@ -2719,19 +2719,19 @@ def generate_scap(all_rules, all_baselines, args): if "UserShell" in rule_yaml['check']: shell = rule_yaml['check'].split()[9].replace('"','') oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' @@ -2744,7 +2744,7 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,command[5].split()[0]) - + oval_state = oval_state + ''' {} @@ -2759,51 +2759,51 @@ def generate_scap(all_rules, all_baselines, args): awk_file = "" awk_search = "" field_sep = "" - + if "grep -qE" in rule_yaml['fix']: awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - + elif "grep" in rule_yaml['check']: awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") - + else: awk_file = rule_yaml['check'].split("'")[2].strip(" ") awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - - try: + + try: field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") except: field_sep = " " - try: - + try: + awk_result = rule_yaml['result']['string'] - except: - + except: + awk_result = str(rule_yaml['result']['integer']) - + if awk_search[0] != "^": awk_search = "^" + awk_search + field_sep + awk_result else: awk_search = awk_search + field_sep + awk_result - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' 
@@ -2823,33 +2823,33 @@ def generate_scap(all_rules, all_baselines, args): pass try: if "grep" in command[3] and not "pgrep" in command[3]: - + if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: - + text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] matches = text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} + {} - + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label, x) - + file_path = rule_yaml["check"].split(" ")[-1].rstrip() - + oval_object = oval_object + ''' {} @@ -2860,32 +2860,32 @@ def generate_scap(all_rules, all_baselines, args): x += 1 continue else: - + s = rule_yaml['check'] - - try: - + + try: + grep_search = re.search('"(.*?)"', s).group(1) - - except: - + + except: + grep_search = re.search('\'(.*?)\'', s).group(1) - - + + grep_file = rule_yaml['check'].split(grep_search,1)[1].split(" ")[1] - - + + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' @@ -2907,13 +2907,13 @@ def generate_scap(all_rules, all_baselines, args): if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + 
@@ -2927,17 +2927,17 @@ def generate_scap(all_rules, all_baselines, args): - + '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x,x+999,rule_yaml['id'] + "_" + odv_label,x+999) - + domain = str() if "launchctl" not in rule_yaml['check']: domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - + oval_object = oval_object + ''' /var/db/com.apple.xpc.launchd/disabled.plist @@ -2946,7 +2946,7 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,domain,x+999,rule_yaml['id'] + "_" + odv_label,domain) - + status = "" if "enable" in rule_yaml["fix"]: status = "false" @@ -2956,16 +2956,16 @@ def generate_scap(all_rules, all_baselines, args): {} '''.format(rule_yaml['id'] + "_" + odv_label,x,status) - + elif "launchctl unload" in rule_yaml['fix']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + @@ -2975,38 +2975,38 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - + domain = str() - + if "launchctl" not in rule_yaml['check']: domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - + oval_object = oval_object + ''' '''.format(x, rule_yaml['id'] + "_" + odv_label,domain) - + elif "defaults write" in rule_yaml['fix']: oval_definition = oval_definition + ''' - - - {} + + + {} - {} - + {} + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'],rule_yaml['id'] + "_" + odv_label,x) - + oval_test = oval_test + ''' 
@@ -3014,9 +3014,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x,x) plist = rule_yaml['fix'].split(" ")[2].replace(".plist","") # plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - + if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - + oval_object = oval_object + ''' SPHardwareDataType @@ -3025,28 +3025,28 @@ def generate_scap(all_rules, all_baselines, args): '''.format("hardware UUID",x+999) if "$CURRENT_USER" in rule_yaml['check']: - - - + + + key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": rule_yaml['result']['boolean'] oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -3056,7 +3056,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -3067,11 +3067,11 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) - + else: - - + + key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] oval_object = oval_object + ''' @@ -3079,9 +3079,9 @@ def generate_scap(all_rules, all_baselines, args): '''.format(rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - + oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) 
@@ -3089,8 +3089,8 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) - - oval_variable = oval_variable + ''' + + oval_variable = oval_variable + ''' {}. @@ -3098,30 +3098,30 @@ def generate_scap(all_rules, all_baselines, args): .plist '''.format(x,plist,x+999) - + elif "$CURRENT_USER" in rule_yaml['check']: - - + + check_length = len(rule_yaml['check'].split()) key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' .* oval:mscp:ste:{} - + - + '''.format(x+1999,x+1999,rule_yaml['id'] + "_" + odv_label,x,x) - + if rule_yaml['fix'].split("defaults")[1].split(" ")[4] == "-bool": - + oval_object = oval_object + ''' name(//*[contains(text(), "{}")]/following-sibling::*[1]) '''.format(key) else: - + oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(key) oval_state = oval_state + ''' @@ -3131,7 +3131,7 @@ def generate_scap(all_rules, all_baselines, args): 0 /usr/bin/false '''.format(x+1999) - + oval_variable = oval_variable + ''' @@ -3142,15 +3142,15 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,x+1999,plist,x+999) else: - + if plist[-6:] != ".plist": plist = plist + ".plist" plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_object = oval_object + ''' {}'''.format(rule_yaml['id'] + "_" + odv_label,x,plist) - + try: rule_yaml['result']['boolean'] oval_object = oval_object + ''' 
@@ -3160,21 +3160,21 @@ def generate_scap(all_rules, all_baselines, args): oval_object = oval_object + ''' //*[contains(text(), "{}")]/following-sibling::*[1]/text() '''.format(plist_key) - - + + datatype = "" plist_key = rule_yaml['fix'].split("defaults")[1].split(" ")[3] - + oval_datatype = rule_yaml['fix'].split("defaults")[1].split(" ")[4].replace("-","") if oval_datatype == "integer": oval_datatype = "int" - + if oval_datatype == "bool": oval_datatype = "boolean" value = rule_yaml['fix'].split("defaults")[1].split(" ")[5].replace(";","") - + oval_state = oval_state + ''' {} @@ -3183,30 +3183,30 @@ def generate_scap(all_rules, all_baselines, args): x = x+1 - + continue else: - + oval_definition = oval_definition + ''' - - - {} + + + {} - {} - - + {} + + - + '''.format(x,rule_yaml['title'],cce,rule_yaml['id'] + "_" + odv_label,rule_yaml['discussion'].rstrip(),rule_yaml['id'] + "_" + odv_label,x) oval_test = oval_test + ''' '''.format(x,rule_yaml['id'] + "_" + odv_label,x) - + domain = command[5].split()[2] domain = domain.replace('"','').replace("'",'') @@ -3215,10 +3215,10 @@ def generate_scap(all_rules, all_baselines, args): '''.format(x,rule_yaml['id'] + "_" + odv_label,domain) x += 1 - continue + continue except: pass - + for k in generated_baselines.keys(): xccdf_profiles = xccdf_profiles + ''' @@ -3229,7 +3229,7 @@ def generate_scap(all_rules, all_baselines, args):