Merge branch 'dev_sequoia' into fix_base64_result

usnistgov · Sep 11, 2024 · b740afb · b740afb
2 parents 461ddc2 + cf4bcf5
commit b740afb
Show file tree

Hide file tree

Showing 351 changed files with 3,259 additions and 2,567 deletions.
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -2,113 +2,61 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
-== [Sonoma, Revision 2.0] - 2024-04-24
+== [Sequoia, Revision 1.0] - 2024-XX-XX
 
 * Rules
 ** Added Rules
-*** os_dictation_disable
+*** os_genmoji_disable
+*** os_image_generation_disable
+*** os_iphone_mirroring_disable
+*** os_sudo_log_enforce
+*** os_writing_tools_disable
 ** Modified Rules
-*** os_anti_virus_installed (https://github.com/usnistgov/macos_security/issues/345[#345])
-*** os_camera_disable (https://github.com/usnistgov/macos_security/issues/388[#388])
-*** os_install_log_retention_configure (https://github.com/usnistgov/macos_security/issues/292[#292])
-*** os_on_device_dictation_enforce
-*** os_password_hint_remove (https://github.com/usnistgov/macos_security/issues/343[#343])
-*** os_recovery_lock_enable
-*** os_setup_assistant_filevault_enforce (https://github.com/usnistgov/macos_security/issues/362[#362])
-*** os_time_server_enabled (https://github.com/usnistgov/macos_security/issues/345[#345])
-*** os_unlock_active_user_session_disable (https://github.com/usnistgov/macos_security/pull/365[#365])
-*** os_world_writable_system_folder_configure (https://github.com/usnistgov/macos_security/issues/355[#355])
-*** pwpolicy_custom_regex_enforce (https://github.com/usnistgov/macos_security/pull/363[#363])
-*** system_settings_apple_watch_unlock_disable.yaml (https://github.com/usnistgov/macos_security/issues/326[#326])
-*** system_settings_location_services_disable (https://github.com/usnistgov/macos_security/issues/372[#372])
-*** system_settings_location_services_enable (https://github.com/usnistgov/macos_security/issues/372[#372])
-*** system_settings_loginwindow_loginwindowtext_enable
-*** system_settings_system_wide_preferences_configure
-*** system_settings_time_server_configure.yaml (https://github.com/usnistgov/macos_security/pull/336[#336])
-*** system_settings_touchid_unlock_disable.yaml (https://github.com/usnistgov/macos_security/issues/326[#326])
-*** supplemental_cis_manual
+*** os_anti_virus_installed
+*** os_gatekeeper_enable
+*** os_ssh_fips_compliant
+*** system_settings_firewall_enable
+*** system_settings_firewall_stealth_mode_enable
+*** system_settings_gatekeeper_identified_developers_allowed
+*** system_settings_media_sharing_disabled
+*** DDM Support
+**** auth_pam_login_smartcard_enforce
+**** auth_pam_su_smartcard_enforce
+**** auth_pam_sudo_smartcard_enforce
+**** auth_ssh_password_authentication_disable
+**** os_external_storage_restriction
+**** os_network_storage_restriction
+**** os_policy_banner_ssh_enforce
+**** os_sshd_channel_timeout_configure
+**** os_sshd_client_alive_count_max_configure
+**** os_sshd_client_alive_interval_configure
+**** os_sshd_fips_compliant
+**** os_sshd_login_grace_time_configure
+**** os_sshd_permit_root_login_configure
+**** os_sshd_unused_connection_timeout_configure
+**** os_sudo_timeout_configure
+**** pwpolicy_account_lockout_enforce
+**** pwpolicy_account_lockout_timeout_enforce
+**** pwpolicy_alpha_numeric_enforce
+**** pwpolicy_custom_regex_enforce
+**** pwpolicy_history_enforce
+**** pwpolicy_max_lifetime_enforce
+**** pwpolicy_minimum_length_enforce
+**** pwpolicy_simple_sequence_disable
+**** pwpolicy_special_character_enforce
 ** Deleted Rules
-*** os_safari_javascript_enabled.yaml
-** Other
-*** Added tags to all supplemental rule files
-*** Removed duplicate entries in `pwpolicy.xml` (https://github.com/usnistgov/macos_security/issues/373[#373])
-
-* Baselines
-** Added Baselines
-*** macOS 14 STIG
-
-* Scripts
-** generate_guidance
-*** Added `--quiet` (https://github.com/usnistgov/macos_security/issues/301[#301])
-*** Modified Configuration Profile Payload (https://github.com/usnistgov/macos_security/issues/315[#315])
-*** Added `--audit` to compliance script (https://github.com/usnistgov/macos_security/pull/333/files[#333])
-*** Added `--no-rcs`to zsh sheband (https://github.com/usnistgov/macos_security/issues/377[#377])
-*** Bug Fixes
-**** https://github.com/usnistgov/macos_security/issues/319[#319]
-**** https://github.com/usnistgov/macos_security/issues/332[#332]
-** generate_baseline
-*** Add tags to baselines (https://github.com/usnistgov/macos_security/issues/324[#324])
-*** Bug Fixes
-** generate_mappings
-*** Bug Fixes
-** generate_scap
-*** Bug Fixes
-** Other
-*** Added `util` folder
-**** Added `generate_checklist.py`
-**** Added `mscp_local_report.py`
-*** Updated `enablePF-mscp.sh`
-
-== [Sonoma, Revision 1.0] - 2023-09-21
-
-* Rules
-** Added Rules
-*** icloud_freeform_disable
-*** os_account_modification_disable
-*** os_on_device_dictation_enforce
-*** os_setup_assistant_filevault_enforce
-*** os_sshd_channel_timeout_configure
-*** os_sshd_unused_connection_timeout_configure
-** Modified Rules
-*** auth_ssh_password_authentication_disable
-*** os_policy_banner_ssh_enforce
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_compliant
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** system_settings_location_services_menu_enforce
-*** system_settings_siri_disable
-** Deleted Rules
-*** icloud_appleid_preference_pane_disable.yaml
-*** os_efi_integrity_validated
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** system_settings_bluetooth_prefpane_disable
-*** system_settings_internet_accounts_preference_pane_disable
-*** system_settings_siri_prefpane_disable
-*** system_settings_touch_id_pane_disable
-*** system_settings_wallet_applepay_prefpane_disable
-*** system_settings_wallet_applepay_prefpane_hide
+*** os_firewall_log_enable
+*** os_gatekeeper_rearm
+*** os_safari_popups_disabled
 ** Bug Fixes
-
 * Baselines
 ** Modified existing baselines
-
+** Updated 800-171 to Revision 3
 * Scripts
 ** generate_guidance
-*** Added iOS support
-*** Added support for pwpolicy regex
-*** Modified ssh_key_check
-*** Bug Fixes
+*** Support for Declarative Device Management (DDM)
+*** Added support for severity
 ** generate_baseline
-*** Added iOS support
-*** Bug Fixes
 ** generate_mappings
-*** Added iOS support
-*** Bug Fixes
 ** generate_scap
-*** Added iOS support
-*** Added support for pwpolicy regex
-*** Bug Fixes
+*** Added support for severity
diff --git a/Gemfile b/Gemfile
@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'asciidoctor'
+gem 'rexml', '3.2.6'
+gem 'asciidoctor', '2.0.22'
 gem 'asciidoctor-pdf'
 gem 'rouge', '3.30.0'
diff --git a/VERSION.yaml b/VERSION.yaml
@@ -1,5 +1,5 @@
-os: "14.0"
+os: "15.0"
 platform: macOS
-version: "Sonoma Guidance, Revision 2.0"
-cpe: o:apple:macos:14.0
-date: "2024-04-24"
+version: "Sequoia Guidance, Revision 1.0"
+cpe: o:apple:macos:15.0
+date: "2024-XX-XX"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST 800-171 Rev 2"
+title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 2"
 description: |
-  This guide describes the actions to take when securing a macOS 14.0 system against the NIST 800-171 Rev 2 security baseline.
+  This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 2 security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -32,12 +32,14 @@ profile:
       - audit_folder_group_configure
       - audit_folder_owner_configure
       - audit_folders_mode_configure
+      - audit_retention_configure
       - audit_settings_failure_notify
   - section: "authentication"
     rules:
       - auth_pam_login_smartcard_enforce
       - auth_pam_su_smartcard_enforce
       - auth_pam_sudo_smartcard_enforce
+      - auth_smartcard_allow
       - auth_smartcard_enforce
       - auth_ssh_password_authentication_disable
   - section: "icloud"
@@ -63,18 +65,20 @@ profile:
       - os_appleid_prompt_disable
       - os_authenticated_root_enable
       - os_bonjour_disable
+      - os_burn_support_disable
       - os_config_profile_ui_install_disable
       - os_dictation_disable
+      - os_erase_content_and_settings_disable
       - os_filevault_autologin_disable
       - os_firewall_default_deny_require
-      - os_firewall_log_enable
       - os_firmware_password_require
       - os_gatekeeper_enable
-      - os_gatekeeper_rearm
+      - os_genmoji_disable
       - os_handoff_disable
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
+      - os_image_generation_disable
       - os_ir_support_disable
       - os_loginwindow_adminhostinfo_undefined
       - os_mdm_require
@@ -86,13 +90,15 @@ profile:
       - os_policy_banner_loginwindow_enforce
       - os_policy_banner_ssh_configure
       - os_policy_banner_ssh_enforce
+      - os_privacy_setup_prompt_disable
       - os_rapid_security_response_allow
       - os_rapid_security_response_removal_disable
       - os_recovery_lock_enable
       - os_root_disable
       - os_screensaver_loginwindow_enforce
       - os_sip_enable
       - os_siri_prompt_disable
+      - os_skip_screen_time_prompt_enable
       - os_skip_unlock_with_watch_enable
       - os_ssh_fips_compliant
       - os_ssh_server_alive_count_max_configure
@@ -102,11 +108,14 @@ profile:
       - os_sshd_client_alive_interval_configure
       - os_sshd_fips_compliant
       - os_sshd_unused_connection_timeout_configure
+      - os_sudo_log_enforce
+      - os_sudoers_timestamp_type_configure
       - os_tftpd_disable
       - os_time_server_enabled
       - os_touchid_prompt_disable
       - os_unlock_active_user_session_disable
       - os_uucp_disable
+      - os_writing_tools_disable
   - section: "passwordpolicy"
     rules:
       - pwpolicy_account_inactivity_enforce
@@ -138,6 +147,8 @@ profile:
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
       - system_settings_hot_corners_disable
+      - system_settings_improve_assistive_voice_disable
+      - system_settings_improve_search_disable
       - system_settings_improve_siri_dictation_disable
       - system_settings_internet_accounts_disable
       - system_settings_internet_sharing_disable
@@ -163,18 +174,25 @@ profile:
     rules:
       - os_implement_cryptography
       - os_logical_access
+      - os_malicious_code_prevention
       - os_obscure_password
       - os_prevent_priv_functions
       - os_prevent_unauthorized_disclosure
+      - os_prohibit_remote_activation_collab_devices
+      - os_reauth_privilege
+      - os_reauth_users_change_authenticators
       - os_separate_functionality
       - os_store_encrypted_passwords
+      - os_unique_identification
       - pwpolicy_force_password_change
   - section: "Permanent"
     rules:
+      - os_reauth_devices_change_authenticators
       - pwpolicy_50_percent
       - system_settings_wifi_disable_when_connected_to_ethernet
   - section: "not_applicable"
     rules: 
+      - os_access_control_mobile_devices
       - os_nonlocal_maintenance
   - section: "Supplemental"
     rules:

diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
+title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
 description: |
-  This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
+  This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -74,17 +74,18 @@ profile:
       - os_config_data_install_enforce
       - os_config_profile_ui_install_disable
       - os_dictation_disable
+      - os_external_storage_access_defined
       - os_filevault_authorized_users
       - os_filevault_autologin_disable
       - os_firewall_default_deny_require
-      - os_firewall_log_enable
       - os_firmware_password_require
       - os_gatekeeper_enable
-      - os_gatekeeper_rearm
+      - os_genmoji_disable
       - os_handoff_disable
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
+      - os_image_generation_disable
       - os_ir_support_disable
       - os_loginwindow_adminhostinfo_undefined
       - os_mdm_require
@@ -117,6 +118,7 @@ profile:
       - os_sshd_fips_compliant
       - os_sshd_permit_root_login_configure
       - os_sshd_unused_connection_timeout_configure
+      - os_sudo_log_enforce
       - os_sudo_timeout_configure
       - os_sudoers_timestamp_type_configure
       - os_system_read_only
@@ -125,6 +127,7 @@ profile:
       - os_touchid_prompt_disable
       - os_unlock_active_user_session_disable
       - os_uucp_disable
+      - os_writing_tools_disable
   - section: "passwordpolicy"
     rules:
       - pwpolicy_account_inactivity_enforce
@@ -161,6 +164,8 @@ profile:
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
       - system_settings_hot_corners_disable
+      - system_settings_improve_assistive_voice_disable
+      - system_settings_improve_search_disable
       - system_settings_improve_siri_dictation_disable
       - system_settings_internet_accounts_disable
       - system_settings_internet_sharing_disable

diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
+title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
 description: |
-  This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
+  This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -69,13 +69,14 @@ profile:
       - os_config_data_install_enforce
       - os_config_profile_ui_install_disable
       - os_dictation_disable
+      - os_external_storage_access_defined
       - os_filevault_autologin_disable
-      - os_firewall_log_enable
       - os_gatekeeper_enable
-      - os_gatekeeper_rearm
+      - os_genmoji_disable
       - os_handoff_disable
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
+      - os_image_generation_disable
       - os_ir_support_disable
       - os_mdm_require
       - os_nfsd_disable
@@ -101,6 +102,7 @@ profile:
       - os_touchid_prompt_disable
       - os_unlock_active_user_session_disable
       - os_uucp_disable
+      - os_writing_tools_disable
   - section: "passwordpolicy"
     rules:
       - pwpolicy_account_lockout_enforce
@@ -131,6 +133,8 @@ profile:
       - system_settings_gatekeeper_override_disallow
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
+      - system_settings_improve_assistive_voice_disable
+      - system_settings_improve_search_disable
       - system_settings_improve_siri_dictation_disable
       - system_settings_internet_accounts_disable
       - system_settings_internet_sharing_disable