Merge branch 'ventura'

CHANGELOG.adoc

@@ -2,6 +2,43 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
+== [Ventura, Revision 1.1] - 2022-12-08
+
+* Rules
+** Added Rules
+*** icloud_game_center_disable
+*** os_safari_advertising_privacy_protection_enable
+*** os_safari_prevent_cross-site_tracking_enable
+*** os_safari_show_full_website_address_enable
+*** os_safari_warn_fraudulent_website_enable
+** Modified Rules
+*** os_dvdram_disable
+*** os_hibernate_mode_enable
+*** os_rapid_security_response_removal_disable
+*** os_tftpd_disable
+*** system_settings_automatic_logout_enforce
+*** system_settings_internet_accounts_disable
+*** system_settings_ssh_enable
+*** system_settings_system_wide_preferences_configure
+*** system_settings_time_server_configure
+*** system_settings_time_server_enforce
+*** supplemental_cis_manual
+** Bug fixes
+
+* Baselines
+** Updated all baselines
+
+* Scripts
+** generate_guidance
+*** Added custom references to compliance check script
+*** Added debug option
+*** Bug Fixes
+** generate_baseline
+*** Added author function
+*** Bug Fixes
+** generate_mapping
+*** Bug Fixes
+
 == [Ventura, Revision 1] - 2022-10-20
 
 * Rules

Gemfile

@@ -2,4 +2,4 @@ source 'https://rubygems.org'
 
 gem 'asciidoctor'
 gem 'asciidoctor-pdf'
-gem 'rouge'
+gem 'rouge', '3.30.0'

VERSION.yaml

@@ -1,4 +1,4 @@
 os: "13.0"
-version: "Ventura Guidance, Revision 1"
+version: "Ventura Guidance, Revision 1.1"
 cpe: o:apple:macos:13.0
-date: "2022-10-20"
+date: "2022-12-07"

baselines/800-171.yaml

@@ -45,6 +45,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable

baselines/800-53r5_high.yaml

@@ -50,6 +50,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable

baselines/800-53r5_low.yaml

@@ -48,6 +48,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable

baselines/800-53r5_moderate.yaml

@@ -49,6 +49,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable

baselines/all_rules.yaml

@@ -56,6 +56,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable
@@ -130,7 +131,11 @@ profile:
       - os_recovery_lock_enable
       - os_removable_media_disable
       - os_root_disable
+      - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
+      - os_safari_prevent_cross-site_tracking_enable
+      - os_safari_show_full_website_address_enable
+      - os_safari_warn_fraudulent_website_enable
       - os_screensaver_loginwindow_enforce
       - os_secure_boot_verify
       - os_show_filename_extensions_enable
@@ -188,7 +193,6 @@ profile:
       - system_settings_bluetooth_disable
       - system_settings_bluetooth_menu_enable
       - system_settings_bluetooth_sharing_disable
-      - system_settings_bluetooth_unpaired_disable
       - system_settings_cd_dvd_sharing_disable
       - system_settings_content_caching_disable
       - system_settings_critical_update_install_enforce

baselines/cis_lvl1.yaml

@@ -35,8 +35,6 @@ profile:
       - os_firewall_log_enable
       - os_gatekeeper_enable
       - os_guest_folder_removed
-      - os_hibernate_mode_destroyfvkeyonstandby_enable
-      - os_hibernate_mode_enable
       - os_home_folders_secure
       - os_httpd_disable
       - os_install_log_retention_configure
@@ -45,7 +43,11 @@ profile:
       - os_password_hint_remove
       - os_power_nap_disable
       - os_root_disable
+      - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
+      - os_safari_prevent_cross-site_tracking_enable
+      - os_safari_show_full_website_address_enable
+      - os_safari_warn_fraudulent_website_enable
       - os_show_filename_extensions_enable
       - os_sip_enable
       - os_software_update_deferral
@@ -60,6 +62,7 @@ profile:
     rules:
       - pwpolicy_account_lockout_enforce
       - pwpolicy_history_enforce
+      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
   - section: "systemsettings"
     rules:

baselines/cis_lvl2.yaml

@@ -57,7 +57,11 @@ profile:
       - os_policy_banner_loginwindow_enforce
       - os_power_nap_disable
       - os_root_disable
+      - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
+      - os_safari_prevent_cross-site_tracking_enable
+      - os_safari_show_full_website_address_enable
+      - os_safari_warn_fraudulent_website_enable
       - os_show_filename_extensions_enable
       - os_sip_enable
       - os_software_update_deferral
@@ -75,6 +79,7 @@ profile:
       - pwpolicy_alpha_numeric_enforce
       - pwpolicy_history_enforce
       - pwpolicy_lower_case_character_enforce
+      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
       - pwpolicy_special_character_enforce
       - pwpolicy_upper_case_character_enforce

baselines/cisv8.yaml

@@ -51,6 +51,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable
@@ -74,6 +75,8 @@ profile:
       - os_gatekeeper_enable
       - os_gatekeeper_rearm
       - os_handoff_disable
+      - os_hibernate_mode_destroyfvkeyonstandby_enable
+      - os_hibernate_mode_enable
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_install_log_retention_configure
@@ -92,7 +95,11 @@ profile:
       - os_power_nap_disable
       - os_privacy_setup_prompt_disable
       - os_root_disable
+      - os_safari_advertising_privacy_protection_enable
       - os_safari_open_safe_downloads_disable
+      - os_safari_prevent_cross-site_tracking_enable
+      - os_safari_show_full_website_address_enable
+      - os_safari_warn_fraudulent_website_enable
       - os_show_filename_extensions_enable
       - os_sip_enable
       - os_siri_prompt_disable

baselines/cnssi-1253.yaml

@@ -1,4 +1,4 @@
-title: "macOS 12: Security Configuration - CNSSI-1253"
+title: "macOS 13: Security Configuration - CNSSI-1253"
 description: |
   This guide describes the actions to take when securing a macOS 13 system against the CNSSI-1253 baseline.
 
@@ -47,6 +47,7 @@ profile:
       - icloud_bookmarks_disable
       - icloud_calendar_disable
       - icloud_drive_disable
+      - icloud_game_center_disable
       - icloud_keychain_disable
       - icloud_mail_disable
       - icloud_notes_disable

includes/mscp-data.yaml

@@ -0,0 +1,61 @@
+---
+authors:
+  all_rules: 
+    names:
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  800-53r5_high:
+    names:
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  800-53r5_moderate: 
+    names:
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  800-53r5_low:
+    names:
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  800-171: 
+    names:
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  cis_lvl1: 
+    preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
+    names:
+      - Edward Byrd|Center for Internet Security
+      - Ron Colvin|Center for Internet Security
+      - Allen Golbig|Jamf
+  cis_lvl2:
+    preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
+    names:
+      - Edward Byrd|Center for Internet Security
+      - Ron Colvin|Center for Internet Security
+      - Allen Golbig|Jamf
+  cisv8:
+    preamble: CIS Critical Security Controls® (CIS Controls®) are referenced with the permission and support of the Center for Internet Security® (CIS®)
+    names:
+      - Edward Byrd|Center for Internet Security
+      - Bob Gendler|National Institute of Standards and Technology
+      - Dan Brodjieski|National Aeronautics and Space Administration
+      - Allen Golbig|Jamf
+  cnssi-1253:
+    names:
+      - Rob Lamb|Los Alamos National Laboratory
+      - Ekkehard Koch|
+      - Bob Gendler|National Institute of Standards and Technology
+titles:
+  all_rules: All Rules
+  800-53r5_high: NIST SP 800-53 Rev 5 High Impact
+  800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
+  800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
+  800-171: NIST 800-171 Rev 2
+  cis_lvl1: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 13.0 Ventura v1.0.0 Benchmark (Level 2)
+  cisv8: CIS Controls Version 8
+  cnssi-1253: Committee on National Security Systems Instruction No. 1253

rules/audit/audit_retention_configure.yaml

@@ -32,8 +32,8 @@ references:
     benchmark:
       - 3.4 (level 1)
     controls v8:
-      - 8.3
       - 8.1
+      - 8.3
 macOS:
   - "13.0"
 odv:

rules/icloud/icloud_appleid_system_settings_disable.yaml

@@ -5,7 +5,7 @@ discussion: |
 
   Disabling the system setting prevents login to Apple ID and iCloud. 
 check: |
-  /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath 'string(//*[contains(text(), "DisabledSystemSettings")]/following-sibling::*[1])' - | /usr/bin/grep -c com.apple.systempreferences.AppleIDSettings
+  /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.systempreferences.AppleIDSettings
 result:
   integer: 1
 fix: |

rules/icloud/icloud_game_center_disable.yaml

@@ -0,0 +1,61 @@
+id: icloud_game_center_disable
+title: "Disable iCloud Game Center"
+discussion: |
+  This works only with supervised devices (MDM) and allows to disable Apple Game Center. The rationale is Game Center is using Apple ID and will shared data on AppleID based services, therefore, Game Center _MUST_ be disabled.
+  This setting also prohibits functionality of adding friends to Game Center.
+check: |
+  /usr/bin/osascript -l JavaScript << EOS
+  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+  .objectForKey('allowGameCenter').js
+  EOS
+result:
+  string: "false"
+fix: |
+  This is implemented by a Configuration Profile.
+references:
+  cce:
+    - CCE-92001-7
+  cci:
+    - N/A
+  800-53r5:
+    - AC-20
+    - AC-20(1)
+    - CM-7
+    - CM-7(1)
+    - SC-7(10)    
+  800-53r4:
+    - CM-7
+    - CM-7(1)
+    - AC-20
+    - AC-20(1)
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r2:
+    - 3.1.20
+    - 3.4.6
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - 4.1
+      - 4.8
+      - 15.3    
+macOS:
+  - "13.0"
+tags:
+  - 800-53r5_low 
+  - 800-53r5_moderate 
+  - 800-53r5_high 
+  - 800-53r4_low 
+  - 800-53r4_moderate 
+  - 800-53r4_high 
+  - 800-171
+  - cisv8 
+  - cnssi-1253
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+  com.apple.applicationaccess:
+    allowGameCenter: false

rules/os/os_authenticated_root_enable.yaml

@@ -46,7 +46,8 @@ references:
     benchmark:
       - 5.1.4 (level 1)
     controls v8:
-      - 3.3
+      - 3.6
+      - 3.11
 macOS:
   - "13.0"
 tags:

rules/os/os_burn_support_disable.yaml

@@ -1,6 +1,6 @@
 id: os_burn_support_disable
 title: "Disable Burn Support"
-discussion:   
+discussion: |
   Burn support _MUST_ be disabled.
 
   [IMPORTANT]

rules/os/os_config_data_install_enforce.yaml

@@ -39,9 +39,9 @@ references:
     benchmark:
       - 1.6 (level 1)
     controls v8:
-      - 10.1
-      - 10.2
-      - 10.4
+      - 7.3
+      - 7.4
+      - 7.7
 macOS:
   - "13.0"
 tags:

rules/os/os_dvdram_disable.yaml

@@ -1,7 +1,7 @@
 id: os_dvdram_disable
-title: "Disable Blank CD"
+title: "Disable DVD-RAM"
 discussion: |
-  Blank CD media _MUST_ be disabled.
+  DVD-RAM media _MUST_ be disabled.
   
   [IMPORTANT]
   ====