diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 6352ade67..1b2370026 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -2,113 +2,61 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
-== [Sonoma, Revision 2.0] - 2024-04-24
+== [Sequoia, Revision 1.0] - 2024-XX-XX
* Rules
** Added Rules
-*** os_dictation_disable
+*** os_genmoji_disable
+*** os_image_generation_disable
+*** os_iphone_mirroring_disable
+*** os_sudo_log_enforce
+*** os_writing_tools_disable
** Modified Rules
-*** os_anti_virus_installed (https://github.com/usnistgov/macos_security/issues/345[#345])
-*** os_camera_disable (https://github.com/usnistgov/macos_security/issues/388[#388])
-*** os_install_log_retention_configure (https://github.com/usnistgov/macos_security/issues/292[#292])
-*** os_on_device_dictation_enforce
-*** os_password_hint_remove (https://github.com/usnistgov/macos_security/issues/343[#343])
-*** os_recovery_lock_enable
-*** os_setup_assistant_filevault_enforce (https://github.com/usnistgov/macos_security/issues/362[#362])
-*** os_time_server_enabled (https://github.com/usnistgov/macos_security/issues/345[#345])
-*** os_unlock_active_user_session_disable (https://github.com/usnistgov/macos_security/pull/365[#365])
-*** os_world_writable_system_folder_configure (https://github.com/usnistgov/macos_security/issues/355[#355])
-*** pwpolicy_custom_regex_enforce (https://github.com/usnistgov/macos_security/pull/363[#363])
-*** system_settings_apple_watch_unlock_disable.yaml (https://github.com/usnistgov/macos_security/issues/326[#326])
-*** system_settings_location_services_disable (https://github.com/usnistgov/macos_security/issues/372[#372])
-*** system_settings_location_services_enable (https://github.com/usnistgov/macos_security/issues/372[#372])
-*** system_settings_loginwindow_loginwindowtext_enable
-*** system_settings_system_wide_preferences_configure
-*** system_settings_time_server_configure.yaml (https://github.com/usnistgov/macos_security/pull/336[#336])
-*** system_settings_touchid_unlock_disable.yaml (https://github.com/usnistgov/macos_security/issues/326[#326])
-*** supplemental_cis_manual
+*** os_anti_virus_installed
+*** os_gatekeeper_enable
+*** os_ssh_fips_compliant
+*** system_settings_firewall_enable
+*** system_settings_firewall_stealth_mode_enable
+*** system_settings_gatekeeper_identified_developers_allowed
+*** system_settings_media_sharing_disabled
+*** DDM Support
+**** auth_pam_login_smartcard_enforce
+**** auth_pam_su_smartcard_enforce
+**** auth_pam_sudo_smartcard_enforce
+**** auth_ssh_password_authentication_disable
+**** os_external_storage_restriction
+**** os_network_storage_restriction
+**** os_policy_banner_ssh_enforce
+**** os_sshd_channel_timeout_configure
+**** os_sshd_client_alive_count_max_configure
+**** os_sshd_client_alive_interval_configure
+**** os_sshd_fips_compliant
+**** os_sshd_login_grace_time_configure
+**** os_sshd_permit_root_login_configure
+**** os_sshd_unused_connection_timeout_configure
+**** os_sudo_timeout_configure
+**** pwpolicy_account_lockout_enforce
+**** pwpolicy_account_lockout_timeout_enforce
+**** pwpolicy_alpha_numeric_enforce
+**** pwpolicy_custom_regex_enforce
+**** pwpolicy_history_enforce
+**** pwpolicy_max_lifetime_enforce
+**** pwpolicy_minimum_length_enforce
+**** pwpolicy_simple_sequence_disable
+**** pwpolicy_special_character_enforce
** Deleted Rules
-*** os_safari_javascript_enabled.yaml
-** Other
-*** Added tags to all supplemental rule files
-*** Removed duplicate entries in `pwpolicy.xml` (https://github.com/usnistgov/macos_security/issues/373[#373])
-
-* Baselines
-** Added Baselines
-*** macOS 14 STIG
-
-* Scripts
-** generate_guidance
-*** Added `--quiet` (https://github.com/usnistgov/macos_security/issues/301[#301])
-*** Modified Configuration Profile Payload (https://github.com/usnistgov/macos_security/issues/315[#315])
-*** Added `--audit` to compliance script (https://github.com/usnistgov/macos_security/pull/333/files[#333])
-*** Added `--no-rcs`to zsh sheband (https://github.com/usnistgov/macos_security/issues/377[#377])
-*** Bug Fixes
-**** https://github.com/usnistgov/macos_security/issues/319[#319]
-**** https://github.com/usnistgov/macos_security/issues/332[#332]
-** generate_baseline
-*** Add tags to baselines (https://github.com/usnistgov/macos_security/issues/324[#324])
-*** Bug Fixes
-** generate_mappings
-*** Bug Fixes
-** generate_scap
-*** Bug Fixes
-** Other
-*** Added `util` folder
-**** Added `generate_checklist.py`
-**** Added `mscp_local_report.py`
-*** Updated `enablePF-mscp.sh`
-
-== [Sonoma, Revision 1.0] - 2023-09-21
-
-* Rules
-** Added Rules
-*** icloud_freeform_disable
-*** os_account_modification_disable
-*** os_on_device_dictation_enforce
-*** os_setup_assistant_filevault_enforce
-*** os_sshd_channel_timeout_configure
-*** os_sshd_unused_connection_timeout_configure
-** Modified Rules
-*** auth_ssh_password_authentication_disable
-*** os_policy_banner_ssh_enforce
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_compliant
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** system_settings_location_services_menu_enforce
-*** system_settings_siri_disable
-** Deleted Rules
-*** icloud_appleid_preference_pane_disable.yaml
-*** os_efi_integrity_validated
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** system_settings_bluetooth_prefpane_disable
-*** system_settings_internet_accounts_preference_pane_disable
-*** system_settings_siri_prefpane_disable
-*** system_settings_touch_id_pane_disable
-*** system_settings_wallet_applepay_prefpane_disable
-*** system_settings_wallet_applepay_prefpane_hide
+*** os_firewall_log_enable
+*** os_gatekeeper_rearm
+*** os_safari_popups_disabled
** Bug Fixes
-
* Baselines
** Modified existing baselines
-
+** Updated 800-171 to Revision 3
* Scripts
** generate_guidance
-*** Added iOS support
-*** Added support for pwpolicy regex
-*** Modified ssh_key_check
-*** Bug Fixes
+*** Support for Declarative Device Management (DDM)
+*** Added support for severity
** generate_baseline
-*** Added iOS support
-*** Bug Fixes
** generate_mappings
-*** Added iOS support
-*** Bug Fixes
** generate_scap
-*** Added iOS support
-*** Added support for pwpolicy regex
-*** Bug Fixes
+*** Added support for severity
\ No newline at end of file
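Review bot: The Sonoma Revision 2.0 and Revision 1.0 sections are deleted outright rather than the Sequoia entry being added above them, so this hunk erases the release history the file is meant to carry; keep the prior sections and prepend `== [Sequoia, Revision 1.0]`. Also the release date is still the placeholder `2024-XX-XX`, the `** Bug Fixes` entry under Rules and the `** generate_baseline` / `** generate_mappings` entries under Scripts are left with no items, and no "Deleted Baselines" entry records the removal of the macOS 14 STIG baseline that this change set drops.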
diff --git a/Gemfile b/Gemfile
index e622c7fa7..a374440ab 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,6 @@
source 'https://rubygems.org'
-gem 'asciidoctor'
+gem 'rexml', '3.2.6'
+gem 'asciidoctor', '2.0.22'
gem 'asciidoctor-pdf'
gem 'rouge', '3.30.0'
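Review bot: The new exact pins (`gem 'rexml', '3.2.6'`, `gem 'asciidoctor', '2.0.22'`) carry no comment explaining why these specific versions are required, while `asciidoctor-pdf` stays unpinned; an exact pin on an XML parser and the document toolchain means later security fixes in those gems are not picked up until someone bumps the pin by hand, so either document the reason for the pin or use a pessimistic constraint such as `'~> 3.2.6'` and keep a `Gemfile.lock` for reproducibility.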
diff --git a/VERSION.yaml b/VERSION.yaml
index dfbc5e9d2..482bf525f 100644
--- a/VERSION.yaml
+++ b/VERSION.yaml
@@ -1,5 +1,5 @@
-os: "14.0"
+os: "15.0"
platform: macOS
-version: "Sonoma Guidance, Revision 2.0"
-cpe: o:apple:macos:14.0
-date: "2024-04-24"
\ No newline at end of file
+version: "Sequoia Guidance, Revision 1.0"
+cpe: o:apple:macos:15.0
+date: "2024-XX-XX"
\ No newline at end of file
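Review bot: `date: "2024-XX-XX"` is not a parseable date, so anything that reads VERSION.yaml to stamp generated guidance will either fail or emit the placeholder verbatim; fill in the real release date before merging, and keep it in sync with the same placeholder in CHANGELOG.adoc. The file also still lacks a trailing newline.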
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
index 64283415f..c24d5804b 100644
--- a/baselines/800-171.yaml
+++ b/baselines/800-171.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST 800-171 Rev 2"
+title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 2"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the NIST 800-171 Rev 2 security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 2 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
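Review bot: The title and description are bumped to macOS 15.0 but still cite "NIST 800-171 Rev 2", while CHANGELOG.adoc in this same change set states "Updated 800-171 to Revision 3"; one of the two is wrong, and if the baseline really was remapped to Rev 3 the `title:` and `description:` lines here need to say so.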
@@ -32,12 +32,14 @@ profile:
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_folders_mode_configure
+ - audit_retention_configure
- audit_settings_failure_notify
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
+ - auth_smartcard_allow
- auth_smartcard_enforce
- auth_ssh_password_authentication_disable
- section: "icloud"
@@ -63,18 +65,20 @@ profile:
- os_appleid_prompt_disable
- os_authenticated_root_enable
- os_bonjour_disable
+ - os_burn_support_disable
- os_config_profile_ui_install_disable
- os_dictation_disable
+ - os_erase_content_and_settings_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mdm_require
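Review bot: `os_firewall_log_enable` is removed from this baseline with no replacement rule visible in the hunk, which drops a logging control from a compliance baseline; if the rule was deleted because firewall logging is now covered by another rule or is no longer configurable, state that in the CHANGELOG "Deleted Rules" entry so auditors can trace the coverage. The same applies to the removal of `os_gatekeeper_rearm`.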
@@ -86,6 +90,7 @@ profile:
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
+ - os_privacy_setup_prompt_disable
- os_rapid_security_response_allow
- os_rapid_security_response_removal_disable
- os_recovery_lock_enable
@@ -93,6 +98,7 @@ profile:
- os_screensaver_loginwindow_enforce
- os_sip_enable
- os_siri_prompt_disable
+ - os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
@@ -102,11 +108,14 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
+ - os_sudoers_timestamp_type_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -138,6 +147,8 @@ profile:
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
@@ -163,18 +174,25 @@ profile:
rules:
- os_implement_cryptography
- os_logical_access
+ - os_malicious_code_prevention
- os_obscure_password
- os_prevent_priv_functions
- os_prevent_unauthorized_disclosure
+ - os_prohibit_remote_activation_collab_devices
+ - os_reauth_privilege
+ - os_reauth_users_change_authenticators
- os_separate_functionality
- os_store_encrypted_passwords
+ - os_unique_identification
- pwpolicy_force_password_change
- section: "Permanent"
rules:
+ - os_reauth_devices_change_authenticators
- pwpolicy_50_percent
- system_settings_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
+ - os_access_control_mobile_devices
- os_nonlocal_maintenance
- section: "Supplemental"
rules:
diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
index fc03f005b..ab96b52d0 100644
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
+title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -74,17 +74,18 @@ profile:
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
- os_dictation_disable
+ - os_external_storage_access_defined
- os_filevault_authorized_users
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mdm_require
@@ -117,6 +118,7 @@ profile:
- os_sshd_fips_compliant
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -125,6 +127,7 @@ profile:
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -161,6 +164,8 @@ profile:
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
index 54fc8d8ce..69e674d4f 100644
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
+title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -69,13 +69,14 @@ profile:
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
- os_dictation_disable
+ - os_external_storage_access_defined
- os_filevault_autologin_disable
- - os_firewall_log_enable
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_ir_support_disable
- os_mdm_require
- os_nfsd_disable
@@ -101,6 +102,7 @@ profile:
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
@@ -131,6 +133,8 @@ profile:
- system_settings_gatekeeper_override_disallow
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
index 364e736eb..340d0622c 100644
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
+title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -73,16 +73,17 @@ profile:
- os_config_data_install_enforce
- os_config_profile_ui_install_disable
- os_dictation_disable
+ - os_external_storage_access_defined
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mdm_require
@@ -114,6 +115,7 @@ profile:
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -122,6 +124,7 @@ profile:
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -158,6 +161,8 @@ profile:
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/DISA-STIG.yaml b/baselines/DISA-STIG.yaml
deleted file mode 100644
index 54623bd82..000000000
--- a/baselines/DISA-STIG.yaml
+++ /dev/null
@@ -1,192 +0,0 @@
-title: "macOS 14.0: Security Configuration - Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1"
-description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1 security baseline.
-authors: |
- *macOS Security Compliance Project*
-
- |===
- |Dan Brodjieski|National Aeronautics and Space Administration
- |Allen Golbig|Jamf
- |Bob Gendler|National Institute of Standards and Technology
- |Aaron Kegerreis|Defense Information Systems Agency
- |===
-parent_values: "stig"
-profile:
- - section: "auditing"
- rules:
- - audit_acls_files_configure
- - audit_acls_folders_configure
- - audit_auditd_enabled
- - audit_configure_capacity_notify
- - audit_control_acls_configure
- - audit_control_group_configure
- - audit_control_mode_configure
- - audit_control_owner_configure
- - audit_failure_halt
- - audit_files_group_configure
- - audit_files_mode_configure
- - audit_files_owner_configure
- - audit_flags_aa_configure
- - audit_flags_ad_configure
- - audit_flags_ex_configure
- - audit_flags_fd_configure
- - audit_flags_fm_configure
- - audit_flags_fr_configure
- - audit_flags_fw_configure
- - audit_flags_lo_configure
- - audit_folder_group_configure
- - audit_folder_owner_configure
- - audit_folders_mode_configure
- - audit_retention_configure
- - audit_settings_failure_notify
- - section: "authentication"
- rules:
- - auth_pam_login_smartcard_enforce
- - auth_pam_su_smartcard_enforce
- - auth_pam_sudo_smartcard_enforce
- - auth_smartcard_allow
- - auth_smartcard_certificate_trust_enforce_moderate
- - auth_smartcard_enforce
- - auth_ssh_password_authentication_disable
- - section: "icloud"
- rules:
- - icloud_addressbook_disable
- - icloud_bookmarks_disable
- - icloud_calendar_disable
- - icloud_drive_disable
- - icloud_freeform_disable
- - icloud_game_center_disable
- - icloud_keychain_disable
- - icloud_mail_disable
- - icloud_notes_disable
- - icloud_photos_disable
- - icloud_private_relay_disable
- - icloud_reminders_disable
- - icloud_sync_disable
- - section: "macos"
- rules:
- - os_account_modification_disable
- - os_airdrop_disable
- - os_appleid_prompt_disable
- - os_asl_log_files_owner_group_configure
- - os_asl_log_files_permissions_configure
- - os_authenticated_root_enable
- - os_bonjour_disable
- - os_camera_disable
- - os_certificate_authority_trust
- - os_config_data_install_enforce
- - os_dictation_disable
- - os_directory_services_configured
- - os_erase_content_and_settings_disable
- - os_ess_installed
- - os_facetime_app_disable
- - os_filevault_autologin_disable
- - os_firmware_password_require
- - os_gatekeeper_enable
- - os_handoff_disable
- - os_home_folders_secure
- - os_httpd_disable
- - os_icloud_storage_prompt_disable
- - os_install_log_retention_configure
- - os_loginwindow_adminhostinfo_undefined
- - os_mdm_require
- - os_newsyslog_files_owner_group_configure
- - os_newsyslog_files_permissions_configure
- - os_nfsd_disable
- - os_on_device_dictation_enforce
- - os_password_autofill_disable
- - os_password_hint_remove
- - os_password_proximity_disable
- - os_policy_banner_loginwindow_enforce
- - os_policy_banner_ssh_configure
- - os_policy_banner_ssh_enforce
- - os_privacy_setup_prompt_disable
- - os_recovery_lock_enable
- - os_root_disable
- - os_secure_boot_verify
- - os_sip_enable
- - os_siri_prompt_disable
- - os_skip_screen_time_prompt_enable
- - os_skip_unlock_with_watch_enable
- - os_ssh_fips_compliant
- - os_ssh_server_alive_count_max_configure
- - os_ssh_server_alive_interval_configure
- - os_sshd_channel_timeout_configure
- - os_sshd_client_alive_count_max_configure
- - os_sshd_client_alive_interval_configure
- - os_sshd_fips_compliant
- - os_sshd_login_grace_time_configure
- - os_sshd_permit_root_login_configure
- - os_sshd_unused_connection_timeout_configure
- - os_sudo_timeout_configure
- - os_sudoers_timestamp_type_configure
- - os_tftpd_disable
- - os_time_server_enabled
- - os_touchid_prompt_disable
- - os_unlock_active_user_session_disable
- - os_user_app_installation_prohibit
- - os_uucp_disable
- - section: "passwordpolicy"
- rules:
- - pwpolicy_account_inactivity_enforce
- - pwpolicy_account_lockout_enforce
- - pwpolicy_account_lockout_timeout_enforce
- - pwpolicy_alpha_numeric_enforce
- - pwpolicy_custom_regex_enforce
- - pwpolicy_history_enforce
- - pwpolicy_max_lifetime_enforce
- - pwpolicy_minimum_length_enforce
- - pwpolicy_minimum_lifetime_enforce
- - pwpolicy_special_character_enforce
- - pwpolicy_temporary_or_emergency_accounts_disable
- - section: "systemsettings"
- rules:
- - system_settings_airplay_receiver_disable
- - system_settings_apple_watch_unlock_disable
- - system_settings_automatic_login_disable
- - system_settings_automatic_logout_enforce
- - system_settings_bluetooth_disable
- - system_settings_bluetooth_settings_disable
- - system_settings_bluetooth_sharing_disable
- - system_settings_cd_dvd_sharing_disable
- - system_settings_content_caching_disable
- - system_settings_diagnostics_reports_disable
- - system_settings_filevault_enforce
- - system_settings_find_my_disable
- - system_settings_firewall_enable
- - system_settings_gatekeeper_identified_developers_allowed
- - system_settings_guest_account_disable
- - system_settings_hot_corners_disable
- - system_settings_improve_siri_dictation_disable
- - system_settings_internet_sharing_disable
- - system_settings_location_services_disable
- - system_settings_loginwindow_prompt_username_password_enforce
- - system_settings_media_sharing_disabled
- - system_settings_password_hints_disable
- - system_settings_personalized_advertising_disable
- - system_settings_printer_sharing_disable
- - system_settings_rae_disable
- - system_settings_remote_management_disable
- - system_settings_screen_sharing_disable
- - system_settings_screensaver_ask_for_password_delay_enforce
- - system_settings_screensaver_password_enforce
- - system_settings_screensaver_timeout_enforce
- - system_settings_siri_disable
- - system_settings_siri_settings_disable
- - system_settings_smbd_disable
- - system_settings_ssh_enable
- - system_settings_system_wide_preferences_configure
- - system_settings_time_server_configure
- - system_settings_time_server_enforce
- - system_settings_token_removal_enforce
- - system_settings_touch_id_settings_disable
- - system_settings_touchid_unlock_disable
- - system_settings_usb_restricted_mode
- - system_settings_wallet_applepay_settings_disable
- - section: "Supplemental"
- rules:
- - supplemental_controls
- - supplemental_filevault
- - supplemental_firewall_pf
- - supplemental_password_policy
- - supplemental_smartcard
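Review bot: Deleting baselines/DISA-STIG.yaml in full removes the macOS 14 STIG baseline without any CHANGELOG entry recording it (CHANGELOG.adoc only lists "Modified existing baselines"); add a "Deleted Baselines" entry, and confirm that consumers who generate STIG guidance from this repository are expected to lose that baseline until a Sequoia STIG is published rather than keeping the file until then.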
diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml
index ff0de1df6..6dc9d169f 100644
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - All Rules"
+title: "macOS 15.0: Security Configuration - All Rules"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the All Rules security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the All Rules security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -94,14 +94,14 @@ profile:
- os_dvdram_disable
- os_erase_content_and_settings_disable
- os_ess_installed
+ - os_external_storage_access_defined
- os_facetime_app_disable
- os_filevault_authorized_users
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_guest_folder_removed
- os_handoff_disable
- os_hibernate_mode_apple_silicon_enable
@@ -111,7 +111,9 @@ profile:
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_install_log_retention_configure
+ - os_iphone_mirroring_disable
- os_ir_support_disable
- os_library_validation_enabled
- os_loginwindow_adminhostinfo_undefined
@@ -119,6 +121,7 @@ profile:
- os_mdm_require
- os_messages_app_disable
- os_mobile_file_integrity_enable
+ - os_network_storage_restriction
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
@@ -141,7 +144,6 @@ profile:
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_open_safe_downloads_disable
- - os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
@@ -166,6 +168,7 @@ profile:
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_read_only
@@ -180,6 +183,7 @@ profile:
- os_uucp_disable
- os_world_writable_library_folder_configure
- os_world_writable_system_folder_configure
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -220,6 +224,8 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_accounts_disable
@@ -240,6 +246,7 @@ profile:
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
+ - system_settings_siri_listen_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index f4d15d621..0e05b9605 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)"
+title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 1)"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1) security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 1) security baseline.
authors: |
*macOS Security Compliance Project*
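Review bot: The `description:` now says "v1.0.0 DRAFT Benchmark (Level 1)" but the `title:` on the line above still says "v1.0.0 Benchmark (Level 1)" with no DRAFT marker; the two should agree, and the DRAFT wording should be removed from both once the CIS benchmark is finalized.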
@@ -34,7 +34,6 @@ profile:
- os_anti_virus_installed
- os_authenticated_root_enable
- os_config_data_install_enforce
- - os_firewall_log_enable
- os_gatekeeper_enable
- os_guest_folder_removed
- os_home_folders_secure
@@ -49,7 +48,6 @@ profile:
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_open_safe_downloads_disable
- - os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
@@ -57,6 +55,7 @@ profile:
- os_show_filename_extensions_enable
- os_sip_enable
- os_software_update_deferral
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_wide_applications_configure
@@ -79,11 +78,15 @@ profile:
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_critical_update_install_enforce
+ - system_settings_diagnostics_reports_disable
- system_settings_filevault_enforce
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
+ - system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_sharing_disable
- system_settings_loginwindow_loginwindowtext_enable
@@ -96,6 +99,7 @@ profile:
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
+ - system_settings_siri_listen_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index c5c3dd20e..d000afe96 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)"
+title: "macOS 15.0: Security Configuration - CIS Apple macOS 15.0 Sequoia v1.0.0 Benchmark (Level 2)"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2) security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 2) security baseline.
authors: |
*macOS Security Compliance Project*
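Review bot: Same inconsistency as in cis_lvl1.yaml: `description:` reads "v1.0.0 DRAFT Benchmark (Level 2)" while `title:` omits DRAFT; align the two lines.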
@@ -45,7 +45,6 @@ profile:
- os_authenticated_root_enable
- os_bonjour_disable
- os_config_data_install_enforce
- - os_firewall_log_enable
- os_gatekeeper_enable
- os_guest_folder_removed
- os_hibernate_mode_apple_silicon_enable
@@ -64,7 +63,6 @@ profile:
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_open_safe_downloads_disable
- - os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
@@ -72,6 +70,7 @@ profile:
- os_show_filename_extensions_enable
- os_sip_enable
- os_software_update_deferral
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_wide_applications_configure
@@ -99,7 +98,6 @@ profile:
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- - system_settings_diagnostics_reports_disable
- system_settings_filevault_enforce
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
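Review bot: this hunk removes system_settings_diagnostics_reports_disable from the Level 2 profile, and cis_lvl2.yaml is the only baseline in the change that drops it. Confirm that is intentional for the Sequoia benchmark rather than an accidental deletion while re-syncing the rule list; if it is intentional, the reason belongs in the commit message.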
@@ -121,6 +119,7 @@ profile:
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
+ - system_settings_siri_listen_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
- system_settings_software_update_download_enforce
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
index d8430d593..be010d671 100644
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - CIS Controls Version 8"
+title: "macOS 15.0: Security Configuration - CIS Controls Version 8"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the CIS Controls Version 8 security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the CIS Controls Version 8 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -74,9 +74,7 @@ profile:
- os_directory_services_configured
- os_ess_installed
- os_filevault_autologin_disable
- - os_firewall_log_enable
- os_gatekeeper_enable
- - os_gatekeeper_rearm
- os_handoff_disable
- os_hibernate_mode_apple_silicon_enable
- os_hibernate_mode_destroyfvkeyonstandby_enable
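Review bot: os_gatekeeper_rearm is removed here and from the CMMC and CNSSI baselines below without a visible replacement. Since os_gatekeeper_enable stays in the profile, state whether the rearm behaviour is now handled by the platform on macOS 15 or by another rule; otherwise the Controls v8 mapping loses an item with no explanation.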
@@ -100,7 +98,6 @@ profile:
- os_root_disable
- os_safari_advertising_privacy_protection_enable
- os_safari_open_safe_downloads_disable
- - os_safari_popups_disabled
- os_safari_prevent_cross-site_tracking_enable
- os_safari_show_full_website_address_enable
- os_safari_show_status_bar_enabled
@@ -110,6 +107,7 @@ profile:
- os_sip_enable
- os_siri_prompt_disable
- os_skip_unlock_with_watch_enable
+ - os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_system_wide_applications_configure
@@ -154,6 +152,8 @@ profile:
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_install_macos_updates_enforce
- system_settings_internet_accounts_disable
@@ -171,6 +171,7 @@ profile:
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
+ - system_settings_siri_listen_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_software_update_app_update_enforce
diff --git a/baselines/cmmc_lvl1.yaml b/baselines/cmmc_lvl1.yaml
index e279ce01a..6bbcb4fea 100644
--- a/baselines/cmmc_lvl1.yaml
+++ b/baselines/cmmc_lvl1.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 1"
+title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 1"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 1 security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 1 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -44,14 +44,14 @@ profile:
- os_config_data_install_enforce
- os_dictation_disable
- os_filevault_autologin_disable
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_rapid_security_response_allow
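Review bot: the hunk adds os_genmoji_disable and os_image_generation_disable (and os_writing_tools_disable in the next hunk) to the CMMC 2.0 Level 1 profile. Level 1 is the smallest baseline in this set, so make sure the new rule files carry a cmmc reference naming the practice they satisfy; without it the mapping is not traceable and a reviewer cannot tell whether these belong at Level 1 or only at Level 2.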
@@ -64,6 +64,7 @@ profile:
- os_tftpd_disable
- os_unlock_active_user_session_disable
- os_uucp_disable
+ - os_writing_tools_disable
- section: "systemsettings"
rules:
- system_settings_automatic_login_disable
@@ -75,6 +76,8 @@ profile:
- system_settings_firewall_stealth_mode_enable
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/cmmc_lvl2.yaml b/baselines/cmmc_lvl2.yaml
index 744c59640..44494c306 100644
--- a/baselines/cmmc_lvl2.yaml
+++ b/baselines/cmmc_lvl2.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - US CMMC 2.0 Level 2"
+title: "macOS 15.0: Security Configuration - US CMMC 2.0 Level 2"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the US CMMC 2.0 Level 2 security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the US CMMC 2.0 Level 2 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -86,16 +86,17 @@ profile:
- os_disk_image_disable
- os_dvdram_disable
- os_erase_content_and_settings_disable
+ - os_external_storage_access_defined
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
+ - os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
+ - os_image_generation_disable
- os_install_log_retention_configure
- os_ir_support_disable
- os_mdm_require
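Review bot: os_external_storage_access_defined is added to the cmmc_lvl2 profile on the fourth line of the hunk but to no other baseline in this change, and it is the only added rule here that is not one of the new Sequoia feature rules. Confirm the rule file exists under rules/ and that the Level 2-only placement is intended.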
@@ -130,12 +131,14 @@ profile:
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_unused_connection_timeout_configure
+ - os_sudo_log_enforce
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_user_app_installation_prohibit
- os_uucp_disable
+ - os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -172,6 +175,8 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/cnssi-1253_high.yaml b/baselines/cnssi-1253_high.yaml
index 880499de6..6a04ee79e 100644
--- a/baselines/cnssi-1253_high.yaml
+++ b/baselines/cnssi-1253_high.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
+title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (High)"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (High) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -92,10 +92,8 @@ profile:
- os_filevault_authorized_users
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
@@ -185,6 +183,8 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/cnssi-1253_low.yaml b/baselines/cnssi-1253_low.yaml
index 8965561b9..85c06a5c7 100644
--- a/baselines/cnssi-1253_low.yaml
+++ b/baselines/cnssi-1253_low.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
+title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Low)"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Low) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -92,10 +92,8 @@ profile:
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
@@ -182,6 +180,8 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/baselines/cnssi-1253_moderate.yaml b/baselines/cnssi-1253_moderate.yaml
index 2625cec9e..77490d4b9 100644
--- a/baselines/cnssi-1253_moderate.yaml
+++ b/baselines/cnssi-1253_moderate.yaml
@@ -1,6 +1,6 @@
-title: "macOS 14.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
+title: "macOS 15.0: Security Configuration - Committee on National Security Systems Instruction No. 1253 (Moderate)"
description: |
- This guide describes the actions to take when securing a macOS 14.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
+ This guide describes the actions to take when securing a macOS 15.0 system against the Committee on National Security Systems Instruction No. 1253 (Moderate) security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
@@ -92,10 +92,8 @@ profile:
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- - os_firewall_log_enable
- os_firmware_password_require
- os_gatekeeper_enable
- - os_gatekeeper_rearm
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
@@ -186,6 +184,8 @@ profile:
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_hot_corners_secure
+ - system_settings_improve_assistive_voice_disable
+ - system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_accounts_disable
- system_settings_internet_sharing_disable
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 39d6d1bdf..c9aa370b5 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -83,8 +83,8 @@ titles:
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 2
- cis_lvl1: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 1)
- cis_lvl2: CIS Apple macOS 14.0 Sonoma v1.0.0 Benchmark (Level 2)
+ cis_lvl1: CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 1)
+ cis_lvl2: CIS Apple macOS 15.0 Sequoia v1.0.0 DRAFT Benchmark (Level 2)
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
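Review bot: the unchanged context line "800-171: NIST 800-171 Rev 2" is now out of step with the rule files in this change, which delete their 800-171r2 references and add 800-171r3 ones. Either retitle the baseline for Rev 3 (and rename the key to match the new reference name) or keep the r2 references in the rules beside the r3 ones; otherwise the generated 800-171 guide carries a Rev 2 title with Rev 3 control numbers. The DRAFT wording added to the cis_lvl1 and cis_lvl2 titles also needs a follow-up to remove it once the CIS benchmark is published.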
@@ -92,3 +92,14 @@ titles:
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
stig: Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1
+ddm:
+ supported_types:
+ - com.apple.configuration.services.configuration-files
+ - com.apple.configuration.passcode.settings
+ - com.apple.configuration.diskmanagement.settings
+ services:
+ com.apple.bash: /etc/
+ com.apple.pam: /etc/pam.d/
+ com.apple.sshd: /etc/ssh/
+ com.apple.sudo: /etc/
+ com.apple.zsh: /etc/
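Review bot: the stig title on the unchanged context line still reads "Apple macOS 14 (Sonoma) STIG - Ver 1, Rel 1" while the rest of the file moves to macOS 15 and the rule files in this change set disa_stig to N/A; update the title when a Sequoia STIG is available or mark it as pending so the stig baseline is not generated under a Sonoma heading. In the new ddm block, com.apple.bash, com.apple.sudo and com.apple.zsh all map to the bare /etc/ while com.apple.pam and com.apple.sshd point at their drop-in directories; if these paths decide where service configuration files are written, document the file name used under /etc/ for each of those three services so a generated sudo or shell file cannot collide with the existing system file.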
diff --git a/includes/supported_payloads.yaml b/includes/supported_payloads.yaml
index e927999b7..aa30cb20e 100644
--- a/includes/supported_payloads.yaml
+++ b/includes/supported_payloads.yaml
@@ -115,4 +115,5 @@ payloads_types:
- com.apple.AdLib
- .GlobalPreferences
- com.apple.preferences.sharing.SharingPrefsExtension
- - com.apple.controlcenter
\ No newline at end of file
+ - com.apple.controlcenter
+ - com.apple.Accessibility
\ No newline at end of file
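Review bot: the file still ends without a trailing newline ("\ No newline at end of file" appears on both sides of the hunk). Since the last line is being touched anyway, add the newline; it keeps future appends from showing the previous last line as modified, as happened here with com.apple.controlcenter.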
diff --git a/rules/audit/audit_acls_files_configure.yaml b/rules/audit/audit_acls_files_configure.yaml
index b73f79aa7..521f93586 100644
--- a/rules/audit/audit_acls_files_configure.yaml
+++ b/rules/audit/audit_acls_files_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92701-2
+ - CCE-94101-3
cci:
- CCI-000162
- CCI-000163
@@ -36,9 +36,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-000030
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
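Review bot: replacing APPL-14-000030 with N/A under disa_stig drops the STIG mapping entirely rather than marking it as awaiting a Sequoia STIG, and the 800-171r2 key is removed rather than kept beside the new 800-171r3 key. The same pattern repeats in every rule file in this change, so decide it once: if the 800-171 (Rev 2) baseline is still generated, rules need to keep their r2 references; if the STIG mapping is only temporarily unavailable, a comment or a distinct placeholder value would make that recoverable later instead of indistinguishable from rules that genuinely have no STIG ID.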
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/audit/audit_acls_folders_configure.yaml b/rules/audit/audit_acls_folders_configure.yaml
index 15a4a7ede..3aeffc046 100644
--- a/rules/audit/audit_acls_folders_configure.yaml
+++ b/rules/audit/audit_acls_folders_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92702-0
+ - CCE-94102-1
cci:
- CCI-000162
- CCI-000162
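Review bot: the cci list on the unchanged context lines repeats "- CCI-000162" twice; the sibling rule audit_acls_files_configure lists CCI-000162 followed by CCI-000163, so the second entry here is most likely meant to be CCI-000163. Worth fixing while the references block is being edited.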
@@ -36,9 +36,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-000031
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -47,7 +47,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_alert_processing_fail.yaml b/rules/audit/audit_alert_processing_fail.yaml
index ed0442437..e3b855929 100644
--- a/rules/audit/audit_alert_processing_fail.yaml
+++ b/rules/audit/audit_alert_processing_fail.yaml
@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92703-8
+ - CCE-94103-9
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
mobileconfig: false
diff --git a/rules/audit/audit_auditd_enabled.yaml b/rules/audit/audit_auditd_enabled.yaml
index 07914fbae..73308e728 100644
--- a/rules/audit/audit_auditd_enabled.yaml
+++ b/rules/audit/audit_auditd_enabled.yaml
@@ -9,7 +9,7 @@ discussion: |
The information system initiates session audits at system start-up.
- NOTE: Security auditing is NOT enabled by default on macOS Sonoma.
+ NOTE: Security auditing is NOT enabled by default on macOS Sequoia.
check: |
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-92704-6
+ - CCE-94104-7
cci:
- CCI-000130
- CCI-000131
@@ -101,11 +101,11 @@ references:
- SRG-OS-000462-GPOS-00206
- SRG-OS-000055-GPOS-00026
disa_stig:
- - APPL-14-001003
- 800-171r2:
- - 3.3.1
- - 3.3.2
- - 3.3.7
+ - N/A
+ 800-171r3:
+ - 03.03.02
+ - 03.03.03
+ - 03.03.07
cis:
benchmark:
- 3.1 (level 1)
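Review bot: the 800-171r3 list in this hunk ("03.03.02", "03.03.03", "03.03.07") does not follow the mapping used for the same r2 controls elsewhere in the change, where 3.3.1 becomes 03.03.01 and 3.3.2 becomes 03.03.03 (see audit_flags_aa_configure and audit_flags_ex_configure). Here 3.3.1 and 3.3.2 produce 03.03.02 and 03.03.03 with no 03.03.01; confirm whether 03.03.01 was dropped by mistake or the other rules should also carry 03.03.02.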
@@ -116,7 +116,7 @@ references:
- AU.L2-3.3.2
- AU.L2-3.3.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_configure_capacity_notify.yaml b/rules/audit/audit_configure_capacity_notify.yaml
index 52cefeda8..6598765bc 100644
--- a/rules/audit/audit_configure_capacity_notify.yaml
+++ b/rules/audit/audit_configure_capacity_notify.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92705-3
+ - CCE-94105-4
cci:
- CCI-000139
- CCI-001855
@@ -27,9 +27,9 @@ references:
- SRG-OS-000046-GPOS-00022
- SRG-OS-000343-GPOS-00134
disa_stig:
- - APPL-14-001030
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Percentage of free space.
recommended: 25
diff --git a/rules/audit/audit_control_acls_configure.yaml b/rules/audit/audit_control_acls_configure.yaml
index 1e61b237b..22ee4af04 100644
--- a/rules/audit/audit_control_acls_configure.yaml
+++ b/rules/audit/audit_control_acls_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92706-1
+ - CCE-94106-2
cci:
- CCI-000162
- CCI-000163
@@ -35,9 +35,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001140
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_group_configure.yaml b/rules/audit/audit_control_group_configure.yaml
index 0a1c8fe84..c69d26219 100644
--- a/rules/audit/audit_control_group_configure.yaml
+++ b/rules/audit/audit_control_group_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92707-9
+ - CCE-94107-0
cci:
- CCI-000162
- CCI-000163
@@ -35,9 +35,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001110
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_mode_configure.yaml b/rules/audit/audit_control_mode_configure.yaml
index c0e4f5756..f1888919c 100644
--- a/rules/audit/audit_control_mode_configure.yaml
+++ b/rules/audit/audit_control_mode_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92708-7
+ - CCE-94108-8
cci:
- CCI-000162
- CCI-000163
@@ -35,9 +35,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001130
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_control_owner_configure.yaml b/rules/audit/audit_control_owner_configure.yaml
index 227279673..8bc3492b2 100644
--- a/rules/audit/audit_control_owner_configure.yaml
+++ b/rules/audit/audit_control_owner_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92709-5
+ - CCE-94109-6
cci:
- CCI-000162
- CCI-000163
@@ -35,9 +35,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001120
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/audit/audit_enforce_dual_auth.yaml b/rules/audit/audit_enforce_dual_auth.yaml
index 26e7f2f20..4d6f73356 100644
--- a/rules/audit/audit_enforce_dual_auth.yaml
+++ b/rules/audit/audit_enforce_dual_auth.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92710-3
+ - CCE-94110-4
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000360-GPOS-00147
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
- cnssi-1253_high
diff --git a/rules/audit/audit_failure_halt.yaml b/rules/audit/audit_failure_halt.yaml
index 8288e95f6..dc0bd4e37 100644
--- a/rules/audit/audit_failure_halt.yaml
+++ b/rules/audit/audit_failure_halt.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92711-1
+ - CCE-94111-2
cci:
- CCI-000140
800-53r5:
@@ -25,13 +25,13 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- - APPL-14-001010
- 800-171r2:
- - 3.3.4
+ - N/A
+ 800-171r3:
+ - 03.03.04
cmmc:
- AU.L2-3.3.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_group_configure.yaml b/rules/audit/audit_files_group_configure.yaml
index adf3d63f0..0e79c942b 100644
--- a/rules/audit/audit_files_group_configure.yaml
+++ b/rules/audit/audit_files_group_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92712-9
+ - CCE-94112-0
cci:
- CCI-000162
- CCI-000163
@@ -37,9 +37,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001014
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_mode_configure.yaml b/rules/audit/audit_files_mode_configure.yaml
index f53ec5668..3d957818a 100644
--- a/rules/audit/audit_files_mode_configure.yaml
+++ b/rules/audit/audit_files_mode_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92713-7
+ - CCE-94113-8
cci:
- CCI-000162
- CCI-000163
@@ -33,9 +33,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001016
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -44,7 +44,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_files_owner_configure.yaml b/rules/audit/audit_files_owner_configure.yaml
index a3b5600af..c7e8cf975 100644
--- a/rules/audit/audit_files_owner_configure.yaml
+++ b/rules/audit/audit_files_owner_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92714-5
+ - CCE-94114-6
cci:
- CCI-000162
- CCI-000163
@@ -37,9 +37,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001012
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_flags_aa_configure.yaml b/rules/audit/audit_flags_aa_configure.yaml
index 3b18ee783..97dcd3a95 100644
--- a/rules/audit/audit_flags_aa_configure.yaml
+++ b/rules/audit/audit_flags_aa_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92715-2
+ - CCE-94115-3
cci:
- CCI-000172
- CCI-001814
@@ -46,10 +46,10 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000468-GPOS-00212
disa_stig:
- - APPL-14-001044
- 800-171r2:
- - 3.3.1
- - 3.3.2
+ - N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
cis:
benchmark:
- 3.2 (level 2)
@@ -62,7 +62,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_ad_configure.yaml b/rules/audit/audit_flags_ad_configure.yaml
index cb7c2ce8e..42bcbbb74 100644
--- a/rules/audit/audit_flags_ad_configure.yaml
+++ b/rules/audit/audit_flags_ad_configure.yaml
@@ -21,7 +21,7 @@ fix: |
----
references:
cce:
- - CCE-92716-0
+ - CCE-94116-1
cci:
- CCI-000018
- CCI-000172
@@ -61,11 +61,11 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000303-GPOS-00120
disa_stig:
- - APPL-14-001001
- 800-171r2:
- - 3.1.7
- - 3.3.1
- - 3.3.2
+ - N/A
+ 800-171r3:
+ - 03.01.07
+ - 03.03.01
+ - 03.03.03
cis:
benchmark:
- 3.2 (level 2)
@@ -78,7 +78,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_ex_configure.yaml b/rules/audit/audit_flags_ex_configure.yaml
index 16dc7d207..3f1775718 100644
--- a/rules/audit/audit_flags_ex_configure.yaml
+++ b/rules/audit/audit_flags_ex_configure.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-92717-8
+ - CCE-94117-9
cci:
- CCI-000172
- CCI-001814
@@ -37,10 +37,10 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000463-GPOS-00207
disa_stig:
- - APPL-14-001024
- 800-171r2:
- - 3.3.1
- - 3.3.2
+ - N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
cis:
benchmark:
- 3.2 (level 2)
@@ -53,7 +53,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_fd_configure.yaml b/rules/audit/audit_flags_fd_configure.yaml
index 3038550ce..832c52ec9 100644
--- a/rules/audit/audit_flags_fd_configure.yaml
+++ b/rules/audit/audit_flags_fd_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92718-6
+ - CCE-94118-7
cci:
- CCI-000162
- CCI-000163
@@ -60,16 +60,18 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001020
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
+ - 03.03.08
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/rules/audit/audit_flags_fm_configure.yaml b/rules/audit/audit_flags_fm_configure.yaml
index 7bb3d6944..923854f2c 100644
--- a/rules/audit/audit_flags_fm_configure.yaml
+++ b/rules/audit/audit_flags_fm_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92719-4
+ - CCE-94119-5
cci:
- CCI-000162
- CCI-000163
@@ -61,16 +61,18 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001021
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
+ - 03.03.08
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/audit/audit_flags_fm_failed_configure.yaml b/rules/audit/audit_flags_fm_failed_configure.yaml
index 5d8f18037..03f1f54ce 100644
--- a/rules/audit/audit_flags_fm_failed_configure.yaml
+++ b/rules/audit/audit_flags_fm_failed_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92720-2
+ - CCE-94120-3
cci:
- N/A
800-53r5:
@@ -39,10 +39,10 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.3.1
- - 3.3.2
- - 3.3.8
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
+ - 03.03.08
cis:
benchmark:
- 3.2 (level 2)
@@ -56,7 +56,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/rules/audit/audit_flags_fr_configure.yaml b/rules/audit/audit_flags_fr_configure.yaml
index 956a6698a..4a40208b1 100644
--- a/rules/audit/audit_flags_fr_configure.yaml
+++ b/rules/audit/audit_flags_fr_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92721-0
+ - CCE-94121-1
cci:
- CCI-000172
- CCI-001814
@@ -52,11 +52,11 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001022
- 800-171r2:
- - 3.3.1
- - 3.3.2
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
+ - 03.03.08
cis:
benchmark:
- 3.2 (level 2)
@@ -70,7 +70,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_fw_configure.yaml b/rules/audit/audit_flags_fw_configure.yaml
index da182f583..6d0049d91 100644
--- a/rules/audit/audit_flags_fw_configure.yaml
+++ b/rules/audit/audit_flags_fw_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92722-8
+ - CCE-94122-9
cci:
- CCI-000172
- CCI-001814
@@ -53,11 +53,11 @@ references:
- SRG-OS-000458-GPOS-00203
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001023
- 800-171r2:
- - 3.3.1
- - 3.3.2
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
+ - 03.03.08
cis:
benchmark:
- 3.2 (level 2)
@@ -71,7 +71,7 @@ references:
- AU.L2-3.3.8
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_flags_lo_configure.yaml b/rules/audit/audit_flags_lo_configure.yaml
index f5e6a37fc..62b18b1ff 100644
--- a/rules/audit/audit_flags_lo_configure.yaml
+++ b/rules/audit/audit_flags_lo_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92723-6
+ - CCE-94123-7
cci:
- CCI-000067
- CCI-000172
@@ -44,11 +44,10 @@ references:
- SRG-OS-000471-GPOS-00215
- SRG-OS-000458-GPOS-00203
disa_stig:
- - APPL-14-001002
- 800-171r2:
- - 3.1.12
- - 3.3.1
- - 3.3.2
+ - N/A
+ 800-171r3:
+ - 03.03.01
+ - 03.03.03
cis:
benchmark:
- 3.2 (level 2)
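Review bot: the removed 800-171r2 list included 3.1.12 but the new 800-171r3 list has no entry from the 03.01 family, so this rule loses its access-control mapping; compare audit_flags_ad_configure in this same change, which carries 3.1.7 over as 03.01.07. Add the Rev 3 counterpart of 3.1.12 or state why the login/logout audit flags no longer map to that control.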
@@ -62,7 +61,7 @@ references:
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/rules/audit/audit_folder_group_configure.yaml b/rules/audit/audit_folder_group_configure.yaml
index bea01858b..96e4e3cff 100644
--- a/rules/audit/audit_folder_group_configure.yaml
+++ b/rules/audit/audit_folder_group_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92724-4
+ - CCE-94124-5
cci:
- CCI-000162
- CCI-000163
@@ -37,9 +37,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001015
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_folder_owner_configure.yaml b/rules/audit/audit_folder_owner_configure.yaml
index 24e01ac89..a8cff947f 100644
--- a/rules/audit/audit_folder_owner_configure.yaml
+++ b/rules/audit/audit_folder_owner_configure.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92725-1
+ - CCE-94125-2
cci:
- CCI-000162
- CCI-000163
@@ -37,9 +37,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001013
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -48,7 +48,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_folders_mode_configure.yaml b/rules/audit/audit_folders_mode_configure.yaml
index f82372b77..4d79d4e43 100644
--- a/rules/audit/audit_folders_mode_configure.yaml
+++ b/rules/audit/audit_folders_mode_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92726-9
+ - CCE-94126-0
cci:
- CCI-000162
- CCI-000163
@@ -35,9 +35,9 @@ references:
- SRG-OS-000258-GPOS-00099
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-001017
- 800-171r2:
- - 3.3.8
+ - N/A
+ 800-171r3:
+ - 03.03.08
cis:
benchmark:
- 3.5 (level 1)
@@ -46,7 +46,7 @@ references:
cmmc:
- AU.L2-3.3.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/audit/audit_off_load_records.yaml b/rules/audit/audit_off_load_records.yaml
index 137ab2797..3acb23f1c 100644
--- a/rules/audit/audit_off_load_records.yaml
+++ b/rules/audit/audit_off_load_records.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92727-7
+ - CCE-94127-8
cci:
- N/A
800-53r5:
@@ -30,7 +30,7 @@ references:
controls v8:
- 8.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
- cisv8
diff --git a/rules/audit/audit_record_reduction_report_generation.yaml b/rules/audit/audit_record_reduction_report_generation.yaml
index 5ee55ad1b..77bec6716 100644
--- a/rules/audit/audit_record_reduction_report_generation.yaml
+++ b/rules/audit/audit_record_reduction_report_generation.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92728-5
+ - CCE-94128-6
cci:
- N/A
800-53r5:
@@ -29,12 +29,12 @@ references:
- SRG-OS-000122-GPOS-00063
disa_stig:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.03.06
cmmc:
- AU.L2-3.3.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
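Review bot: the 800-171r3 mapping goes from N/A to a real control (03.03.06) here, but no `- 800-171` tag is added in the tags list shown in context, whereas audit_retention_configure and auth_smartcard_allow elsewhere in this patch add `- 800-171` when they gain an r3 control. If that tag drives baseline inclusion, add it here too (or confirm it already exists further down in the file).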
diff --git a/rules/audit/audit_records_processing.yaml b/rules/audit/audit_records_processing.yaml
index 93b8db572..760fdd765 100644
--- a/rules/audit/audit_records_processing.yaml
+++ b/rules/audit/audit_records_processing.yaml
@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92729-3
+ - CCE-94129-4
cci:
- N/A
800-53r5:
@@ -22,12 +22,12 @@ references:
- SRG-OS-000054-GPOS-00025
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cmmc:
- AU.L2-3.3.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
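Review bot: 800-171r3 stays N/A here while audit_record_reduction_report_generation, which carries the same cmmc mapping AU.L2-3.3.6, is given 03.03.06. Either both rules should map to 03.03.06 or the difference should be explained in the commit message.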
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index ed9137d43..a741e2e2a 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92730-1
+ - CCE-94130-2
cci:
- CCI-001849
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- - APPL-14-001029
+ - N/A
cis:
benchmark:
- 3.4 (level 1)
@@ -36,8 +36,10 @@ references:
- 8.3
cmmc:
- AU.L2-3.3.1
+ 800-171r3:
+ - 03.03.03
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: See man audit_control for possible values.
recommended: 7d
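Review bot: the new `800-171r3:` key is inserted after `cmmc:` here (and likewise in auth_smartcard_allow, os_access_control_mobile_devices and os_burn_support_disable), whereas every file that converts an existing 800-171r2 block keeps it directly under `disa_stig:`. Placing the key in the same position in all rule files keeps the reference blocks consistent and easier to grep.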
@@ -45,6 +47,7 @@ odv:
cis_lvl2: 60d OR 5G
stig: 7d
tags:
+ - 800-171
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
diff --git a/rules/audit/audit_settings_failure_notify.yaml b/rules/audit/audit_settings_failure_notify.yaml
index 10b7c3071..3898b9550 100644
--- a/rules/audit/audit_settings_failure_notify.yaml
+++ b/rules/audit/audit_settings_failure_notify.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92731-9
+ - CCE-94131-0
cci:
- CCI-000140
- CCI-001858
@@ -29,13 +29,13 @@ references:
- SRG-OS-000047-GPOS-00023
- SRG-OS-000344-GPOS-00135
disa_stig:
- - APPL-14-001031
- 800-171r2:
- - 3.3.4
+ - N/A
+ 800-171r3:
+ - 03.03.04
cmmc:
- AU.L2-3.3.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_pam_login_smartcard_enforce.yaml b/rules/auth/auth_pam_login_smartcard_enforce.yaml
index efe3f4cf6..504aa1036 100644
--- a/rules/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_login_smartcard_enforce.yaml
@@ -37,7 +37,7 @@ fix: |
----
references:
cce:
- - CCE-92732-7
+ - CCE-94132-8
cci:
- CCI-000765
- CCI-000766
@@ -59,9 +59,10 @@ references:
- SRG-OS-000106-GPOS-00053
- SRG-OS-000105-GPOS-00052
disa_stig:
- - APPL-14-003050
- 800-171r2:
- - 3.5.3
+ - N/A
+ 800-171r3:
+ - 03.05.03
+ - 03.05.04
cis:
benchmark:
- N/A
@@ -73,7 +74,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -91,3 +92,21 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.pam
+ config_file: login
+ configuration_key: file
+ configuration_value: |
+ auth sufficient pam_smartcard.so
+ auth optional pam_krb5.so use_kcminit
+ auth optional pam_ntlm.so try_first_pass
+ auth optional pam_mount.so try_first_pass
+ auth required pam_opendirectory.so try_first_pass
+ auth required pam_deny.so
+ account required pam_nologin.so
+ account required pam_opendirectory.so
+ password required pam_opendirectory.so
+ session required pam_launchd.so
+ session required pam_uwtmp.so
+ session optional pam_mount.so
\ No newline at end of file
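Review bot: the file is left without a trailing newline (`\ No newline at end of file`), and the same happens in the su, sudo and sshd declarations added below; add the newline. Since this declaration replaces the whole login PAM stack, the `configuration_value` block must match exactly what the rule's `fix` block writes, otherwise a device remediated by the script and one remediated by DDM end up with different stacks; a comment pointing at the fix block would help keep the two in sync.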
diff --git a/rules/auth/auth_pam_su_smartcard_enforce.yaml b/rules/auth/auth_pam_su_smartcard_enforce.yaml
index 93a0770d4..d9c291bdb 100644
--- a/rules/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_su_smartcard_enforce.yaml
@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- - CCE-92733-5
+ - CCE-94133-6
cci:
- CCI-000765
- CCI-000766
@@ -54,9 +54,10 @@ references:
- SRG-OS-000106-GPOS-00053
- SRG-OS-000105-GPOS-00052
disa_stig:
- - APPL-14-003051
- 800-171r2:
- - 3.5.3
+ - N/A
+ 800-171r3:
+ - 03.05.03
+ - 03.05.04
cis:
benchmark:
- N/A
@@ -68,7 +69,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -86,3 +87,16 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.pam
+ config_file: su
+ configuration_key: file
+ configuration_value: |
+ auth sufficient pam_smartcard.so
+ auth required pam_rootok.so
+ auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
+ account required pam_permit.so
+ account required pam_opendirectory.so no_check_shell
+ password required pam_opendirectory.so
+ session required pam_launchd.so
\ No newline at end of file
diff --git a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
index cfac92abc..f2f202629 100644
--- a/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/rules/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- - CCE-92734-3
+ - CCE-94134-4
cci:
- CCI-000765
- CCI-000766
@@ -53,9 +53,10 @@ references:
- SRG-OS-000106-GPOS-00053
- SRG-OS-000105-GPOS-00052
disa_stig:
- - APPL-14-003052
- 800-171r2:
- - 3.5.3
+ - N/A
+ 800-171r3:
+ - 03.05.03
+ - 03.05.04
cis:
benchmark:
- N/A
@@ -67,7 +68,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -85,3 +86,15 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.pam
+ config_file: sudo
+ configuration_key: file
+ configuration_value: |
+ auth sufficient pam_smartcard.so
+ auth required pam_opendirectory.so
+ auth required pam_deny.so
+ account required pam_permit.so
+ password required pam_deny.so
+ session required pam_permit.so
\ No newline at end of file
diff --git a/rules/auth/auth_smartcard_allow.yaml b/rules/auth/auth_smartcard_allow.yaml
index f918db32b..8d37d5c61 100644
--- a/rules/auth/auth_smartcard_allow.yaml
+++ b/rules/auth/auth_smartcard_allow.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92735-0
+ - CCE-94135-1
cci:
- CCI-000187
- CCI-000765
@@ -42,7 +42,7 @@ references:
- SRG-OS-000105-GPOS-00052
- SRG-OS-000068-GPOS-00036
disa_stig:
- - APPL-14-003030
+ - N/A
cis:
benchmark:
- N/A
@@ -54,9 +54,12 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
- IA.L2-3.5.3
+ 800-171r3:
+ - 03.05.03
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 166f3ea95..352c46d4f 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92736-8
+ - CCE-94136-9
cci:
- N/A
800-53r5:
@@ -35,7 +35,7 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_high
- 800-53r5_high
diff --git a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 58bf72699..3bf7a1329 100644
--- a/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92737-6
+ - CCE-94137-7
cci:
- CCI-000186
- CCI-001953
@@ -38,11 +38,11 @@ references:
- SRG-OS-000377-GPOS-00162
- SRG-OS-000066-GPOS-00034
disa_stig:
- - APPL-14-001060
+ - N/A
cmmc:
- SC.L2-3.13.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r5_moderate
diff --git a/rules/auth/auth_smartcard_enforce.yaml b/rules/auth/auth_smartcard_enforce.yaml
index 747441911..13e3c6f48 100644
--- a/rules/auth/auth_smartcard_enforce.yaml
+++ b/rules/auth/auth_smartcard_enforce.yaml
@@ -21,7 +21,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92738-4
+ - CCE-94138-5
cci:
- CCI-000186
- CCI-000765
@@ -59,11 +59,11 @@ references:
- SRG-OS-000376-GPOS-00161
- SRG-OS-000105-GPOS-00052
disa_stig:
- - APPL-14-003020
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.3
+ - N/A
+ 800-171r3:
+ - 03.05.01
+ - 03.05.03
+ - 03.05.04
cis:
benchmark:
- N/A
@@ -77,7 +77,7 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/auth/auth_ssh_password_authentication_disable.yaml b/rules/auth/auth_ssh_password_authentication_disable.yaml
index 9057f6c4d..c5706cdda 100644
--- a/rules/auth/auth_ssh_password_authentication_disable.yaml
+++ b/rules/auth/auth_ssh_password_authentication_disable.yaml
@@ -32,7 +32,7 @@ fix: |
----
references:
cce:
- - CCE-92739-2
+ - CCE-94139-3
cci:
- CCI-000186
- CCI-000765
@@ -71,12 +71,12 @@ references:
- SRG-OS-000375-GPOS-00160
- SRG-OS-000105-GPOS-00052
disa_stig:
- - APPL-14-001150
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.3
- - 3.7.5
+ - N/A
+ 800-171r3:
+ - 03.05.01
+ - 03.05.03
+ - 03.05.04
+ - 03.07.05
cis:
benchmark:
- N/A
@@ -91,7 +91,7 @@ references:
- IA.L2-3.5.4
- MA.L2-3.7.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -110,3 +110,9 @@ tags:
severity: high
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: KbdInteractiveAuthentication
+ configuration_value: no
\ No newline at end of file
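Review bot: `configuration_value: no` is an unquoted YAML scalar; YAML 1.1 loaders such as PyYAML read it as boolean false, so the generated declaration may carry `False` instead of the literal `no` that sshd expects. Quote it, as the macOS values are (`configuration_value: 'no'`). Also, the rule is named for password authentication but the declaration only sets `KbdInteractiveAuthentication`; confirm the rule's check is satisfied by that key alone or add `PasswordAuthentication` as well.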
diff --git a/rules/icloud/icloud_addressbook_disable.yaml b/rules/icloud/icloud_addressbook_disable.yaml
index 5b7596db8..9ec79185a 100644
--- a/rules/icloud/icloud_addressbook_disable.yaml
+++ b/rules/icloud/icloud_addressbook_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92740-0
+ - CCE-94140-1
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002014
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_appleid_system_settings_disable.yaml b/rules/icloud/icloud_appleid_system_settings_disable.yaml
index 47f1591a5..90d0d396a 100644
--- a/rules/icloud/icloud_appleid_system_settings_disable.yaml
+++ b/rules/icloud/icloud_appleid_system_settings_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92742-6
+ - CCE-94141-9
cci:
- N/A
800-53r5:
@@ -29,9 +29,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_bookmarks_disable.yaml b/rules/icloud/icloud_bookmarks_disable.yaml
index 4aba2d5d0..dc37b17ce 100644
--- a/rules/icloud/icloud_bookmarks_disable.yaml
+++ b/rules/icloud/icloud_bookmarks_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92743-4
+ - CCE-94142-7
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002042
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_calendar_disable.yaml b/rules/icloud/icloud_calendar_disable.yaml
index 284ffc43d..ba15ad129 100644
--- a/rules/icloud/icloud_calendar_disable.yaml
+++ b/rules/icloud/icloud_calendar_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92744-2
+ - CCE-94143-5
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002012
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_drive_disable.yaml b/rules/icloud/icloud_drive_disable.yaml
index cbe4ca5fc..26cc67040 100644
--- a/rules/icloud/icloud_drive_disable.yaml
+++ b/rules/icloud/icloud_drive_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92745-9
+ - CCE-94144-3
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002041
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_freeform_disable.yaml b/rules/icloud/icloud_freeform_disable.yaml
index f214b5a4a..630fe37e6 100644
--- a/rules/icloud/icloud_freeform_disable.yaml
+++ b/rules/icloud/icloud_freeform_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92746-7
+ - CCE-94145-0
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002270
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_game_center_disable.yaml b/rules/icloud/icloud_game_center_disable.yaml
index d3c5db942..f2b7f4286 100644
--- a/rules/icloud/icloud_game_center_disable.yaml
+++ b/rules/icloud/icloud_game_center_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92747-5
+ - CCE-94146-8
cci:
- CCI-000381
800-53r5:
@@ -31,10 +31,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002160
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -47,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
index 5910e982e..545211eaa 100644
--- a/rules/icloud/icloud_keychain_disable.yaml
+++ b/rules/icloud/icloud_keychain_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92748-3
+ - CCE-94147-6
cci:
- CCI-001774
- CCI-000381
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002040
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_mail_disable.yaml b/rules/icloud/icloud_mail_disable.yaml
index 31bd8537f..4a48a5569 100644
--- a/rules/icloud/icloud_mail_disable.yaml
+++ b/rules/icloud/icloud_mail_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92749-1
+ - CCE-94148-4
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002015
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_notes_disable.yaml b/rules/icloud/icloud_notes_disable.yaml
index b58a4263d..7ecc600ce 100644
--- a/rules/icloud/icloud_notes_disable.yaml
+++ b/rules/icloud/icloud_notes_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92750-9
+ - CCE-94149-2
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002016
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_photos_disable.yaml b/rules/icloud/icloud_photos_disable.yaml
index 9e4e24d8d..dbcf22af3 100644
--- a/rules/icloud/icloud_photos_disable.yaml
+++ b/rules/icloud/icloud_photos_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92751-7
+ - CCE-94150-0
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002043
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
index 87274727c..019833992 100644
--- a/rules/icloud/icloud_private_relay_disable.yaml
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92752-5
+ - CCE-94151-8
cci:
- CCI-000381
800-53r5:
@@ -32,10 +32,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002170
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -48,7 +48,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_reminders_disable.yaml b/rules/icloud/icloud_reminders_disable.yaml
index 9c5cd83f5..2c51517ff 100644
--- a/rules/icloud/icloud_reminders_disable.yaml
+++ b/rules/icloud/icloud_reminders_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92753-3
+ - CCE-94152-6
cci:
- CCI-000381
- CCI-001774
@@ -33,10 +33,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002013
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/icloud/icloud_sync_disable.yaml b/rules/icloud/icloud_sync_disable.yaml
index 1b4514597..b4dffd47f 100644
--- a/rules/icloud/icloud_sync_disable.yaml
+++ b/rules/icloud/icloud_sync_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92754-1
+ - CCE-94153-4
cci:
- CCI-000381
800-53r5:
@@ -32,10 +32,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002150
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- 2.1.1.3 (level 2)
@@ -48,7 +48,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_access_control_mobile_devices.yaml b/rules/os/os_access_control_mobile_devices.yaml
index 6c8b32526..5edaaaa02 100644
--- a/rules/os/os_access_control_mobile_devices.yaml
+++ b/rules/os/os_access_control_mobile_devices.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92755-8
+ - CCE-94154-2
cci:
- N/A
800-53r5:
@@ -30,9 +30,12 @@ references:
- 6.4
cmmc:
- AC.L2-3.1.18
+ 800-171r3:
+ - 03.01.18
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_account_modification_disable.yaml b/rules/os/os_account_modification_disable.yaml
index 30fbf8f50..80203ba9d 100644
--- a/rules/os/os_account_modification_disable.yaml
+++ b/rules/os/os_account_modification_disable.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93012-3
+ - CCE-94155-9
cci:
- CCI-000381
800-53r5:
@@ -39,10 +39,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002120
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -54,7 +54,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_airdrop_disable.yaml b/rules/os/os_airdrop_disable.yaml
index 561774099..ccd655e3d 100644
--- a/rules/os/os_airdrop_disable.yaml
+++ b/rules/os/os_airdrop_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92756-6
+ - CCE-94156-7
cci:
- CCI-000213
- CCI-000381
@@ -34,13 +34,11 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002009
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.1.16
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- 2.3.1.1 (level 1)
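Review bot: the r2 to r3 conversion drops two of the five mappings (3.1.1 and 3.1.16, which r3 carries as 03.01.01 and 03.01.16) without a note, while 3.1.2, 3.1.20 and 3.4.6 are carried across. 3.1.16 (wireless access) is the control most directly tied to AirDrop, so if the drop is deliberate it should be stated in the commit message or the rule discussion.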
@@ -54,7 +52,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_allow_info_passed.yaml b/rules/os/os_allow_info_passed.yaml
index db57a4229..887309821 100644
--- a/rules/os/os_allow_info_passed.yaml
+++ b/rules/os/os_allow_info_passed.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92757-4
+ - CCE-94157-5
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000312-GPOS-00122
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_anti_virus_installed.yaml b/rules/os/os_anti_virus_installed.yaml
index 3b147fdd1..891213a3d 100644
--- a/rules/os/os_anti_virus_installed.yaml
+++ b/rules/os/os_anti_virus_installed.yaml
@@ -5,7 +5,7 @@ discussion: |
Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.'
check: |
- /bin/launchctl list | /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)"
+ /usr/bin/xprotect status | /usr/bin/grep -cE "(launch scans: enabled|background scans: enabled)"
result:
integer: 2
fix: |
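Review bot: the check now keys on `xprotect status` output, but the NOTE in the fix block (context line in the next hunk) still says "These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled", which refers to the launchd services the old `launchctl list` check enumerated; update the fix text to match the new check. Because `grep -cE` counts matching lines, the expected `integer: 2` assumes the two scan states are printed on separate lines, which deserves a comment. The discussion line in context also ends with a stray `'` after "operating system."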
@@ -18,7 +18,7 @@ fix: |
NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.
references:
cce:
- - CCE-92758-2
+ - CCE-94158-3
cci:
- CCI-000366
800-53r5:
@@ -37,7 +37,7 @@ references:
- 10.1
- 10.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_appleid_prompt_disable.yaml b/rules/os/os_appleid_prompt_disable.yaml
index c75e89827..2f907331f 100644
--- a/rules/os/os_appleid_prompt_disable.yaml
+++ b/rules/os/os_appleid_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92759-0
+ - CCE-94159-1
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002035
- 800-171r2:
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.01.20
cis:
benchmark:
- N/A
@@ -37,7 +37,7 @@ references:
cmmc:
- AC.L1-3.1.20
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_application_sandboxing.yaml b/rules/os/os_application_sandboxing.yaml
index 4f438de74..aab02186e 100644
--- a/rules/os/os_application_sandboxing.yaml
+++ b/rules/os/os_application_sandboxing.yaml
@@ -1,5 +1,5 @@
id: os_application_sandboxing
-title: Ensure Seperate Execution Domain for Processes
+title: Ensure Separate Execution Domain for Processes
discussion: |
The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing.
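Review bot: while fixing the title typo, the discussion line in context also needs punctuation after "multiple features" (for example "multiple features: Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing."), otherwise the sentence reads as a run-on.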
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92760-8
+ - CCE-94160-9
800-53r5:
- SC-39
800-53r4:
@@ -24,7 +24,7 @@ references:
cci:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- 800-53r5_low
diff --git a/rules/os/os_asl_log_files_owner_group_configure.yaml b/rules/os/os_asl_log_files_owner_group_configure.yaml
index 88b266a70..c88909c48 100644
--- a/rules/os/os_asl_log_files_owner_group_configure.yaml
+++ b/rules/os/os_asl_log_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92761-6
+ - CCE-94161-7
cci:
- CCI-001312
- CCI-001314
@@ -27,11 +27,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- - APPL-14-004001
- 800-171r2:
+ - N/A
+ 800-171r3:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_asl_log_files_permissions_configure.yaml b/rules/os/os_asl_log_files_permissions_configure.yaml
index 91c79b739..929ec20e0 100644
--- a/rules/os/os_asl_log_files_permissions_configure.yaml
+++ b/rules/os/os_asl_log_files_permissions_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92762-4
+ - CCE-94162-5
cci:
- CCI-001312
- CCI-001314
@@ -25,11 +25,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- - APPL-14-004002
- 800-171r2:
+ - N/A
+ 800-171r3:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_auth_peripherals.yaml b/rules/os/os_auth_peripherals.yaml
index 85674f13d..97734334b 100644
--- a/rules/os/os_auth_peripherals.yaml
+++ b/rules/os/os_auth_peripherals.yaml
@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and can be fixed by implementing a third party solution.
references:
cce:
- - CCE-92763-2
+ - CCE-94163-3
cci:
- N/A
800-53r5:
@@ -20,9 +20,8 @@ references:
srg:
- SRG-OS-000114-GPOS-00059
- SRG-OS-000378-GPOS-00163
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ 800-171r3:
+ - 03.05.02
cis:
benchmark:
- N/A
@@ -31,7 +30,7 @@ references:
cmmc:
- IA.L1-3.5.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_authenticated_root_enable.yaml b/rules/os/os_authenticated_root_enable.yaml
index 98c5190af..a809c8b07 100644
--- a/rules/os/os_authenticated_root_enable.yaml
+++ b/rules/os/os_authenticated_root_enable.yaml
@@ -20,7 +20,7 @@ fix: |
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- - CCE-92764-0
+ - CCE-94164-1
cci:
- CCI-000213
800-53r5:
@@ -39,11 +39,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-005070
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.4.5
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.05
cis:
benchmark:
- 5.1.4 (level 1)
@@ -55,7 +54,7 @@ references:
- CM.L2-3.4.5
- SC.L2-3.13.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index e8f1ac268..2ecde48fa 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92765-7
+ - CCE-94165-8
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 5a6d32d88..ff4aa0987 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92766-5
+ - CCE-94166-6
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index 270a6ac31..d7dac1c74 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92767-3
+ - CCE-94167-4
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_bluray_read_only_enforce.yaml b/rules/os/os_bluray_read_only_enforce.yaml
index b9ba4bb4e..34e725f28 100644
--- a/rules/os/os_bluray_read_only_enforce.yaml
+++ b/rules/os/os_bluray_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92768-1
+ - CCE-94168-2
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_bonjour_disable.yaml b/rules/os/os_bonjour_disable.yaml
index 1ab89e23c..8aa722a40 100644
--- a/rules/os/os_bonjour_disable.yaml
+++ b/rules/os/os_bonjour_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92769-9
+ - CCE-94169-0
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002005
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 4.1 (level 2)
@@ -38,7 +38,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index c6dfa60aa..4abe731fc 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92770-7
+ - CCE-94170-8
cci:
- N/A
800-53r5:
@@ -29,9 +29,12 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
+ 800-171r3:
+ - 03.08.07
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/os/os_calendar_app_disable.yaml b/rules/os/os_calendar_app_disable.yaml
index 9a94ea549..e5bd75a54 100644
--- a/rules/os/os_calendar_app_disable.yaml
+++ b/rules/os/os_calendar_app_disable.yaml
@@ -33,7 +33,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92771-5
+ - CCE-94171-6
cci:
- N/A
800-53r5:
@@ -48,9 +48,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -62,7 +62,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_camera_disable.yaml b/rules/os/os_camera_disable.yaml
index 145ecd0c1..e6e46c36e 100644
--- a/rules/os/os_camera_disable.yaml
+++ b/rules/os/os_camera_disable.yaml
@@ -25,7 +25,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92772-3
+ - CCE-94172-4
cci:
- CCI-000381
- CCI-001774
@@ -36,9 +36,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002017
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- stig
severity: medium
diff --git a/rules/os/os_cd_read_only_enforce.yaml b/rules/os/os_cd_read_only_enforce.yaml
index 142821711..d06e82259 100644
--- a/rules/os/os_cd_read_only_enforce.yaml
+++ b/rules/os/os_cd_read_only_enforce.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92773-1
+ - CCE-94173-2
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_certificate_authority_trust.yaml b/rules/os/os_certificate_authority_trust.yaml
index cb209f58b..effa6d771 100644
--- a/rules/os/os_certificate_authority_trust.yaml
+++ b/rules/os/os_certificate_authority_trust.yaml
@@ -10,7 +10,7 @@ fix: |
Obtain the approved certificates from the appropriate authority and install them to the System Keychain.
references:
cce:
- - CCE-92774-9
+ - CCE-94174-0
cci:
- CCI-002470
- CCI-000185
@@ -22,11 +22,11 @@ references:
srg:
- SRG-OS-000403-GPOS-00182
disa_stig:
- - APPL-14-003001
+ - N/A
cmmc:
- SC.L2-3.13.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_change_security_attributes.yaml b/rules/os/os_change_security_attributes.yaml
index 1aacf1635..5054c6783 100644
--- a/rules/os/os_change_security_attributes.yaml
+++ b/rules/os/os_change_security_attributes.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92775-6
+ - CCE-94175-7
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000312-GPOS-00123
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_config_data_install_enforce.yaml b/rules/os/os_config_data_install_enforce.yaml
index 4ae73b03c..e243cbd67 100644
--- a/rules/os/os_config_data_install_enforce.yaml
+++ b/rules/os/os_config_data_install_enforce.yaml
@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92776-4
+ - CCE-94176-5
cci:
- CCI-000366
800-53r5:
@@ -30,11 +30,9 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-14-005130
- 800-171r2:
- - 3.14.1
- - 3.14.2
- - 3.13.3
+ - N/A
+ 800-171r3:
+ - 03.14.02
cis:
benchmark:
- 1.6 (level 1)
@@ -47,7 +45,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_config_profile_ui_install_disable.yaml b/rules/os/os_config_profile_ui_install_disable.yaml
index 0f5f62758..f70bac32e 100644
--- a/rules/os/os_config_profile_ui_install_disable.yaml
+++ b/rules/os/os_config_profile_ui_install_disable.yaml
@@ -13,13 +13,13 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92777-2
+ - CCE-94177-3
cci:
- N/A
800-53r5:
- CM-5
- 800-171r2:
- - 3.4.5
+ 800-171r3:
+ - 03.04.05
cis:
benchmark:
- N/A
@@ -32,7 +32,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_continuous_monitoring.yaml b/rules/os/os_continuous_monitoring.yaml
index 1363ae081..4bcabb2de 100644
--- a/rules/os/os_continuous_monitoring.yaml
+++ b/rules/os/os_continuous_monitoring.yaml
@@ -8,7 +8,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92778-0
+ - CCE-94178-1
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_crypto_audit.yaml b/rules/os/os_crypto_audit.yaml
index 48d5fdd52..538d7c272 100644
--- a/rules/os/os_crypto_audit.yaml
+++ b/rules/os/os_crypto_audit.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92779-8
+ - CCE-94179-9
cci:
- N/A
800-53r5:
@@ -26,7 +26,7 @@ references:
srg:
- SRG-OS-000278-GPOS-00108
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/os/os_dictation_disable.yaml b/rules/os/os_dictation_disable.yaml
index 215829a59..45826e1aa 100644
--- a/rules/os/os_dictation_disable.yaml
+++ b/rules/os/os_dictation_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93017-2
+ - CCE-94180-7
cci:
- CCI-000381
800-53r5:
@@ -28,10 +28,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002230
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- i386
- 800-53r5_low
diff --git a/rules/os/os_directory_services_configured.yaml b/rules/os/os_directory_services_configured.yaml
index b39e53e30..d8ba14526 100644
--- a/rules/os/os_directory_services_configured.yaml
+++ b/rules/os/os_directory_services_configured.yaml
@@ -12,7 +12,7 @@ fix: |
Integrate the system into an existing directory services infrastructure.
references:
cce:
- - CCE-92780-6
+ - CCE-94181-5
cci:
- CCI-000366
800-53r5:
@@ -22,14 +22,14 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-14-000016
+ - N/A
cis:
benchmark:
- N/A
controls v8:
- 6.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cisv8
- stig
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 0393fd1b2..a35b9f2ec 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92781-4
+ - CCE-94182-3
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index 06c512485..8e9a8af64 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -23,7 +23,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92782-2
+ - CCE-94183-1
cci:
- N/A
800-53r5:
@@ -34,13 +34,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_enforce_access_restrictions.yaml b/rules/os/os_enforce_access_restrictions.yaml
index 30dc469b1..11dbc04d6 100644
--- a/rules/os/os_enforce_access_restrictions.yaml
+++ b/rules/os/os_enforce_access_restrictions.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92784-8
+ - CCE-94184-9
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000364-GPOS-00151
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml
index b4afbeb70..40741d6db 100644
--- a/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/rules/os/os_erase_content_and_settings_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92785-5
+ - CCE-94185-6
cci:
- CCI-000366
- CCI-000381
@@ -27,13 +27,16 @@ references:
- SRG-OS-000480-GPOS-00227
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005061
+ - N/A
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
+ 800-171r3:
+ - 03.04.06
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/os/os_error_message.yaml b/rules/os/os_error_message.yaml
index 1e079628d..2d1d25cc1 100644
--- a/rules/os/os_error_message.yaml
+++ b/rules/os/os_error_message.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92786-3
+ - CCE-94186-4
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_ess_installed.yaml b/rules/os/os_ess_installed.yaml
index 314588866..dcd4bad29 100644
--- a/rules/os/os_ess_installed.yaml
+++ b/rules/os/os_ess_installed.yaml
@@ -11,7 +11,7 @@ fix: |
Install the approved ESS solution onto the system.
references:
cce:
- - CCE-92787-1
+ - CCE-94187-2
cci:
- CCI-001233
800-53r5:
@@ -21,9 +21,9 @@ references:
srg:
- SRG-OS-000191-GPOS-00080
disa_stig:
- - APPL-14-000015
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- manual
- cisv8
diff --git a/rules/os/os_external_storage_access_defined.yaml b/rules/os/os_external_storage_access_defined.yaml
new file mode 100644
index 000000000..c1007cb4c
--- /dev/null
+++ b/rules/os/os_external_storage_access_defined.yaml
@@ -0,0 +1,44 @@
+id: os_external_storage_access_defined
+title: Access to External Storage Must Be Defined
+discussion: |-
+ Access to external storage _MUST_ be managed.
+
+ NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
+check: |
+ /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
+result:
+ string: $ODV
+fix: |
+ This is implemented by a Declarative Device Management.
+references:
+ cce:
+ - CCE-94188-0
+ cci:
+ - N/A
+ 800-53r5:
+ - MP-7
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r3:
+ - 03.08.07
+ cmmc:
+ - MP.L2-3.8.7
+ - MP.L2-3.8.8
+macOS:
+ - '15.0'
+tags:
+ - cmmc_lvl2
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+odv:
+ hint: Allowed, ReadOnly, or Disallowed
+ recommended: Allowed
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.diskmanagement.settings
+ ddm_key: ExternalStorage
+ ddm_value: $ODV
\ No newline at end of file
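Review bot: the check pipes the plist through `jq '.Restrictions | .ExternalStorage'` without `-r`, so it prints the JSON-quoted value (`"Allowed"`) while `result: string: $ODV` expects the bare `Allowed`; use `jq -r` or the comparison will never match. The discussion NOTE also carries three typos ("built in", "declative", "manament") and the fix line reads "implemented by a Declarative Device Management"; suggest "Apple's built-in method using declarative device management only allows you to set external storage management to Allowed, ReadOnly, and Disallowed." and "This is implemented by Declarative Device Management." Minor: the file has no trailing newline, and `mobileconfig_info:` is left as an empty key under `mobileconfig: false`; drop it unless the generator needs the key present.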
diff --git a/rules/os/os_facetime_app_disable.yaml b/rules/os/os_facetime_app_disable.yaml
index 267768d8f..fe84e89df 100644
--- a/rules/os/os_facetime_app_disable.yaml
+++ b/rules/os/os_facetime_app_disable.yaml
@@ -30,7 +30,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92788-9
+ - CCE-94189-8
cci:
- CCI-000381
800-53r5:
@@ -44,10 +44,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002010
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -59,7 +59,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_fail_secure_state.yaml b/rules/os/os_fail_secure_state.yaml
index 7f18d07a5..090032a21 100644
--- a/rules/os/os_fail_secure_state.yaml
+++ b/rules/os/os_fail_secure_state.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92789-7
+ - CCE-94190-6
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
- SRG-OS-000269-GPOS-00103
- SRG-OS-000184-GPOS-00078
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index 49dd9530a..a4ad1525d 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92790-5
+ - CCE-94191-4
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- manual
diff --git a/rules/os/os_filevault_autologin_disable.yaml b/rules/os/os_filevault_autologin_disable.yaml
index 48eff66dc..22e8bed77 100644
--- a/rules/os/os_filevault_autologin_disable.yaml
+++ b/rules/os/os_filevault_autologin_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92791-3
+ - CCE-94192-2
cci:
- CCI-000213
- CCI-000366
@@ -32,10 +32,9 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-000033
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
cis:
benchmark:
- N/A
@@ -45,7 +44,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_firewall_default_deny_require.yaml b/rules/os/os_firewall_default_deny_require.yaml
index d4e8cb435..00db0aae9 100644
--- a/rules/os/os_firewall_default_deny_require.yaml
+++ b/rules/os/os_firewall_default_deny_require.yaml
@@ -21,7 +21,7 @@ fix: |
NOTE: See the firewall supplemental which includes a script that has an example policy to implement this rule.
references:
cce:
- - CCE-92792-1
+ - CCE-94193-0
cci:
- N/A
800-53r5:
@@ -34,14 +34,14 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.3
- - 3.13.6
+ 800-171r3:
+ - 03.01.03
+ - 03.13.06
cmmc:
- AC.L2-3.1.3
- SC.L2-3.13.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml
deleted file mode 100644
index a3ec75d95..000000000
--- a/rules/os/os_firewall_log_enable.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-id: os_firewall_log_enable
-title: Enable Firewall Logging
-discussion: |
- Firewall logging _MUST_ be enabled.
-
- Firewall logging ensures that malicious network activity will be logged to the system.
-
- NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder.
-check: |
- /usr/bin/osascript -l JavaScript << EOS
- function run() {
- let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
- .objectForKey('EnableLogging').js
- let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
- .objectForKey('LoggingOption').js
- if ( pref1 == true && pref2 == "detail" ){
- return("true")
- } else {
- return("false")
- }
- }
- EOS
-result:
- string: 'true'
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-92793-9
- cci:
- - N/A
- 800-53r5:
- - AU-12
- - SC-7
- 800-53r4:
- - SC-7
- - AU-12
- srg:
- - N/A
- disa_stig:
- - N/A
- 800-171r2:
- - 3.3.1
- - 3.3.2
- - 3.13.1
- - 3.13.2
- - 3.13.5
- cis:
- benchmark:
- - 3.6 (level 1)
- controls v8:
- - 4.5
- - 8.2
- - 8.5
- cmmc:
- - AU.L2-3.3.6
- - SC.L1-3.13.1
-macOS:
- - '14.0'
-tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
- - cis_lvl1
- - cis_lvl2
- - cisv8
- - cnssi-1253_moderate
- - cnssi-1253_low
- - cnssi-1253_high
- - cmmc_lvl2
- - cmmc_lvl1
-mobileconfig: true
-mobileconfig_info:
- com.apple.security.firewall:
- EnableLogging: true
- LoggingOption: detail
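Review bot: this removes os_firewall_log_enable outright, a rule mapped to AU-12 and SC-7 and tagged into the cis_lvl1/cis_lvl2, 800-171, cnssi-1253 and cmmc baselines, with no replacement anywhere in the patch. If firewall logging is now covered by another rule, name it in the commit or CHANGELOG so baseline consumers can see where the AU-12 coverage moved; if the `com.apple.security.firewall` check simply stopped working on 15.0, a rewritten check is preferable to dropping the control.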
diff --git a/rules/os/os_firmware_password_require.yaml b/rules/os/os_firmware_password_require.yaml
index 0458297d8..1512c6ba1 100644
--- a/rules/os/os_firmware_password_require.yaml
+++ b/rules/os/os_firmware_password_require.yaml
@@ -23,7 +23,7 @@ fix: |
NOTE: See discussion on remediation and how to enable firmware password.
references:
cce:
- - CCE-92794-7
+ - CCE-94194-8
cci:
- CCI-000366
800-53r5:
@@ -33,14 +33,14 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-14-003013
- 800-171r2:
- - 3.1.5
+ - N/A
+ 800-171r3:
+ - 03.01.05
cmmc:
- AC.L1-3.1.1
- AC.L2-3.1.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_gatekeeper_enable.yaml b/rules/os/os_gatekeeper_enable.yaml
index 46c03d22c..ad6001090 100644
--- a/rules/os/os_gatekeeper_enable.yaml
+++ b/rules/os/os_gatekeeper_enable.yaml
@@ -7,17 +7,17 @@ discussion: |
Administrator users will still have the option to override these settings on a case-by-case basis.
check: |
- /usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled"
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+ .objectForKey('EnableAssessment').js
+ EOS
result:
- integer: 1
+ string: 'true'
fix: |
- [source,bash]
- ----
- /usr/sbin/spctl --global-enable
- ----
+ This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92795-4
+ - CCE-94195-5
cci:
- CCI-001749
800-53r5:
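Review bot: the new check for os_gatekeeper_enable reads the managed preference `EnableAssessment` from `com.apple.systempolicy.control` instead of querying `spctl --status`, so it now reports whether the profile is installed rather than whether assessment is actually in effect: on a machine with Gatekeeper on but no profile, `.objectForKey(...).js` returns undefined and the rule fails, and a machine with the profile present passes regardless of effective state. If `spctl --status` still reports the effective state on 15.0, keep it as the check and only move the fix to the profile; otherwise say in the discussion that the rule now verifies enforcement by profile.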
@@ -34,9 +34,9 @@ references:
srg:
- SRG-OS-000366-GPOS-00153
disa_stig:
- - APPL-14-002064
- 800-171r2:
- - 3.4.5
+ - N/A
+ 800-171r3:
+ - 03.14.02
cis:
benchmark:
- 2.6.5 (level 1)
@@ -50,7 +50,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
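Review bot: the 800-171 mapping here changes substance, not just numbering: r2 3.4.5 (access restrictions for change) becomes r3 03.14.02 (malicious code protection), which is a different control family from every other r2-to-r3 move in this patch. That matches the SI.L1-3.14.2/3.14.4 cmmc entries visible in the context, so it is probably deliberate, but it deserves a line in the CHANGELOG since it moves the rule between control families for 800-171 consumers.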
diff --git a/rules/os/os_gatekeeper_rearm.yaml b/rules/os/os_gatekeeper_rearm.yaml
deleted file mode 100644
index cf1fdc4ab..000000000
--- a/rules/os/os_gatekeeper_rearm.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-id: os_gatekeeper_rearm
-title: Enforce Gatekeeper 30 Day Automatic Rearm
-discussion: |
- Gatekeeper _MUST_ be configured to automatically rearm after 30 days if disabled.
-check: |
- /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security')\
- .objectForKey('GKAutoRearm').js
- EOS
-result:
- string: 'true'
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-92796-2
- cci:
- - N/A
- 800-53r5:
- - CM-5
- 800-53r4:
- - CM-5
- - SI-3
- srg:
- - N/A
- disa_stig:
- - N/A
- 800-171r2:
- - 3.4.5
- cis:
- benchmark:
- - N/A
- controls v8:
- - 10.5
- cmmc:
- - SI.L1-3.14.1
- - SI.L1-3.14.2
- - SI.L1-3.14.4
- - CM.L2-3.4.5
-macOS:
- - '14.0'
-tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
- - cisv8
- - cnssi-1253_moderate
- - cnssi-1253_low
- - cnssi-1253_high
- - cmmc_lvl2
- - cmmc_lvl1
-mobileconfig: true
-mobileconfig_info:
- com.apple.ManagedClient.preferences:
- com.apple.security:
- GKAutoRearm: true
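Review bot: os_gatekeeper_rearm is deleted without a note; with os_gatekeeper_enable now enforced by profile the 30-day auto-rearm may be redundant, but the rule was tagged into the cis, cnssi-1253, 800-171 and cmmc baselines, so confirm no baseline YAML still lists it (generation will fail on a dangling rule id) and record the removal alongside the other rule changes.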
diff --git a/rules/os/os_genmoji_disable.yaml b/rules/os/os_genmoji_disable.yaml
new file mode 100644
index 000000000..d7b26ab48
--- /dev/null
+++ b/rules/os/os_genmoji_disable.yaml
@@ -0,0 +1,44 @@
+id: os_genmoji_disable
+title: Disable Genmoji AI Creation
+discussion: |-
+ Apple Intelligence features that use off device AI _MUST_ be disabled.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowGenmoji').js
+ EOS
+result:
+ string: 'false'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94196-3
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-171
+ - cmmc_lvl2
+ - cmmc_lvl1
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowGenmoji: false
diff --git a/rules/os/os_grant_privs.yaml b/rules/os/os_grant_privs.yaml
index 4b00e55d8..9091ada29 100644
--- a/rules/os/os_grant_privs.yaml
+++ b/rules/os/os_grant_privs.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92797-0
+ - CCE-94197-1
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000312-GPOS-00124
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_guest_folder_removed.yaml b/rules/os/os_guest_folder_removed.yaml
index 3a1eb6b34..a75924c62 100644
--- a/rules/os/os_guest_folder_removed.yaml
+++ b/rules/os/os_guest_folder_removed.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92798-8
+ - CCE-94198-9
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_handoff_disable.yaml b/rules/os/os_handoff_disable.yaml
index 408a7a62f..6f28b74ed 100644
--- a/rules/os/os_handoff_disable.yaml
+++ b/rules/os/os_handoff_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92799-6
+ - CCE-94199-7
cci:
- CCI-000213
- CCI-000381
@@ -35,12 +35,11 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005058
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -53,7 +52,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
index 78cdf08c0..dc15f4e3d 100644
--- a/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
+++ b/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -38,7 +38,7 @@ fix: |
----
references:
cce:
- - CCE-92800-2
+ - CCE-94200-3
cci:
- N/A
800-53r5:
@@ -49,7 +49,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -57,7 +57,7 @@ references:
controls v8:
- 4.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index 9ddb49bbd..3ec19ea3e 100644
--- a/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92801-0
+ - CCE-94201-1
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/os/os_hibernate_mode_intel_enable.yaml b/rules/os/os_hibernate_mode_intel_enable.yaml
index 3fb4a7b9f..18c2449d4 100644
--- a/rules/os/os_hibernate_mode_intel_enable.yaml
+++ b/rules/os/os_hibernate_mode_intel_enable.yaml
@@ -38,7 +38,7 @@ fix: |
----
references:
cce:
- - CCE-92802-8
+ - CCE-94202-9
cci:
- N/A
800-53r5:
@@ -49,7 +49,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -57,7 +57,7 @@ references:
controls v8:
- 4.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
index 9107b8fa8..20ee7a509 100644
--- a/rules/os/os_home_folders_default.yaml
+++ b/rules/os/os_home_folders_default.yaml
@@ -33,7 +33,7 @@ fix: |-
NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected.
references:
cce:
- - CCE-92803-6
+ - CCE-94203-7
cci:
- N/A
800-53r5:
@@ -44,15 +44,15 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.01.05
cis:
benchmark:
- N/A
controls v8:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- manual
severity: medium
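Review bot: os_home_folders_default gains an 800-171r3 mapping (03.01.05, replacing N/A) but `tags:` still lists only `manual`; elsewhere in this patch a newly added 800-171r3 mapping comes with an added `- 800-171` tag (os_burn_support_disable, os_erase_content_and_settings_disable). Add the tag here if the rule should land in the 800-171 baseline, or leave the mapping at N/A if it should not.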
diff --git a/rules/os/os_home_folders_secure.yaml b/rules/os/os_home_folders_secure.yaml
index f3efc37f1..0ac44f4ac 100644
--- a/rules/os/os_home_folders_secure.yaml
+++ b/rules/os/os_home_folders_secure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92804-4
+ - CCE-94204-5
cci:
- CCI-000366
800-53r5:
@@ -29,9 +29,9 @@ references:
srg:
- SRG-OS-000480-GPOS-00230
disa_stig:
- - APPL-14-002068
- 800-171r2:
- - 3.1.5
+ - N/A
+ 800-171r3:
+ - 03.01.05
cis:
benchmark:
- 5.1.1 (level 1)
@@ -41,7 +41,7 @@ references:
- AC.L1-3.1.1
- AC.L2-3.1.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 88890d50d..116e6b16b 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92805-1
+ - CCE-94205-2
cci:
- CCI-000213
800-53r5:
@@ -26,10 +26,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002008
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 4.2 (level 1)
@@ -39,7 +39,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_icloud_storage_prompt_disable.yaml b/rules/os/os_icloud_storage_prompt_disable.yaml
index fa65f2662..dd9e2dd0f 100644
--- a/rules/os/os_icloud_storage_prompt_disable.yaml
+++ b/rules/os/os_icloud_storage_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92806-9
+ - CCE-94206-0
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002037
- 800-171r2:
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -37,7 +38,7 @@ references:
cmmc:
- AC.L1-3.1.20
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_identify_non-org_users.yaml b/rules/os/os_identify_non-org_users.yaml
index 2839dfc3b..2db470ac7 100644
--- a/rules/os/os_identify_non-org_users.yaml
+++ b/rules/os/os_identify_non-org_users.yaml
@@ -8,7 +8,7 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92807-7
+ - CCE-94207-8
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_image_generation_disable.yaml b/rules/os/os_image_generation_disable.yaml
new file mode 100644
index 000000000..672d58da0
--- /dev/null
+++ b/rules/os/os_image_generation_disable.yaml
@@ -0,0 +1,44 @@
+id: os_image_generation_disable
+title: Disable AI Image Generation
+discussion: |-
+ Apple Intelligence features that use off device AI _MUST_ be disabled.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowImagePlayground').js
+ EOS
+result:
+ string: 'false'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94208-6
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-171
+ - cmmc_lvl2
+ - cmmc_lvl1
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowImagePlayground: false
\ No newline at end of file
diff --git a/rules/os/os_implement_cryptography.yaml b/rules/os/os_implement_cryptography.yaml
index 527a602da..b3fedaa11 100644
--- a/rules/os/os_implement_cryptography.yaml
+++ b/rules/os/os_implement_cryptography.yaml
@@ -5,7 +5,7 @@ discussion: |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
- Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation.
+ Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sequoia will be submitted for FIPS validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
@@ -16,7 +16,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92808-5
+ - CCE-94209-4
cci:
- N/A
800-53r5:
@@ -29,13 +29,13 @@ references:
- SRG-OS-000478-GPOS-00223
- SRG-OS-000033-GPOS-00014
- SRG-OS-000396-GPOS-00176
- 800-171r2:
- - 3.13.11
+ 800-171r3:
+ - 03.13.11
cmmc:
- MP.L2-3.8.6
- SC.L2-3.13.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_implement_memory_protection.yaml b/rules/os/os_implement_memory_protection.yaml
index b34a9c247..948a00b18 100644
--- a/rules/os/os_implement_memory_protection.yaml
+++ b/rules/os/os_implement_memory_protection.yaml
@@ -18,7 +18,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92809-3
+ - CCE-94210-2
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- SRG-OS-000433-GPOS-00193
- SRG-OS-000433-GPOS-00192
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_information_validation.yaml b/rules/os/os_information_validation.yaml
index 4f26d675d..d5d8f2c68 100644
--- a/rules/os/os_information_validation.yaml
+++ b/rules/os/os_information_validation.yaml
@@ -10,21 +10,21 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92810-1
+ - CCE-94211-0
cci:
- N/A
800-53r5:
- SI-10
800-53r4:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_install_log_retention_configure.yaml b/rules/os/os_install_log_retention_configure.yaml
index f631a7520..e495d6b39 100644
--- a/rules/os/os_install_log_retention_configure.yaml
+++ b/rules/os/os_install_log_retention_configure.yaml
@@ -15,7 +15,7 @@ fix: |
NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.
references:
cce:
- - CCE-92811-9
+ - CCE-94212-8
cci:
- CCI-001849
800-53r5:
@@ -27,9 +27,9 @@ references:
srg:
- SRG-OS-000341-GPOS-00132
disa_stig:
- - APPL-14-004050
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.03.03
cis:
benchmark:
- 3.3 (level 1)
@@ -39,7 +39,7 @@ references:
cmmc:
- AU.L2-3.3.1
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of days.
recommended: 365
diff --git a/rules/os/os_iphone_mirroring_disable.yaml b/rules/os/os_iphone_mirroring_disable.yaml
new file mode 100644
index 000000000..196fb1d61
--- /dev/null
+++ b/rules/os/os_iphone_mirroring_disable.yaml
@@ -0,0 +1,28 @@
+id: os_iphone_mirroring_disable
+title: Disable iPhone Mirroring
+discussion: |-
+ iPhone mirroring _MUST_ be disabled.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowiPhoneMirroring').js
+ EOS
+result:
+ string: 'false'
+fix: |
+ This is implemented by a Configuration Profile.references:
+references:
+ cce:
+ - CCE-94213-6
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+macOS:
+ - '15.0'
+tags:
+ - none
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowiPhoneMirroring: false
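Review bot: the `fix` block literal has `references:` fused onto the end of its text (`This is implemented by a Configuration Profile.references:`) and the real `references:` key follows on the next line, so the stray word will be rendered into the generated guidance text; drop it from the fix line. Also, the references block here carries only `cce`, `cci` and `800-53r5`, whereas the other new rule in this change (os_network_storage_restriction.yaml) also lists `srg`, `disa_stig`, `800-171r3` and `cmmc`; add those keys (with `N/A` where nothing maps) so the two new rules follow the same schema.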
diff --git a/rules/os/os_ir_support_disable.yaml b/rules/os/os_ir_support_disable.yaml
index cbb57e224..32b2a9fd1 100644
--- a/rules/os/os_ir_support_disable.yaml
+++ b/rules/os/os_ir_support_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92812-7
+ - CCE-94214-4
cci:
- N/A
800-53r5:
@@ -32,9 +32,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.16
- - 3.4.6
+ 800-171r3:
+ - 03.01.16
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -47,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_isolate_security_functions.yaml b/rules/os/os_isolate_security_functions.yaml
index 1810520eb..9661be9f0 100644
--- a/rules/os/os_isolate_security_functions.yaml
+++ b/rules/os/os_isolate_security_functions.yaml
@@ -10,7 +10,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92813-5
+ - CCE-94215-1
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
cmmc:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/os/os_library_validation_enabled.yaml b/rules/os/os_library_validation_enabled.yaml
index 7be943f30..8f126f03a 100644
--- a/rules/os/os_library_validation_enabled.yaml
+++ b/rules/os/os_library_validation_enabled.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92814-3
+ - CCE-94216-9
cci:
- N/A
800-53r5:
@@ -23,7 +23,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
- 2.3
- 2.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- cisv8
mobileconfig: true
diff --git a/rules/os/os_limit_auditable_events.yaml b/rules/os/os_limit_auditable_events.yaml
index 317f630f1..0db9e04f3 100644
--- a/rules/os/os_limit_auditable_events.yaml
+++ b/rules/os/os_limit_auditable_events.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92815-0
+ - CCE-94217-7
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_limit_dos_attacks.yaml b/rules/os/os_limit_dos_attacks.yaml
index 3d2deab03..9e1e5d4ee 100644
--- a/rules/os/os_limit_dos_attacks.yaml
+++ b/rules/os/os_limit_dos_attacks.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92816-8
+ - CCE-94218-5
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000142-GPOS-00071
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
- cnssi-1253_moderate
diff --git a/rules/os/os_limit_gui_sessions.yaml b/rules/os/os_limit_gui_sessions.yaml
index 0185cdd44..1801d9bde 100644
--- a/rules/os/os_limit_gui_sessions.yaml
+++ b/rules/os/os_limit_gui_sessions.yaml
@@ -10,7 +10,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92817-6
+ - CCE-94219-3
cci:
- N/A
800-53r5:
@@ -22,7 +22,7 @@ references:
srg:
- SRG-OS-000027-GPOS-00008
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/rules/os/os_logical_access.yaml b/rules/os/os_logical_access.yaml
index e15b24f27..46cd98993 100644
--- a/rules/os/os_logical_access.yaml
+++ b/rules/os/os_logical_access.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92818-4
+ - CCE-94220-1
cci:
- N/A
800-53r5:
@@ -23,9 +23,8 @@ references:
- N/A
srg:
- SRG-OS-000080-GPOS-00048
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ 800-171r3:
+ - 03.01.02
cis:
benchmark:
- N/A
@@ -35,7 +34,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml b/rules/os/os_loginwindow_adminhostinfo_undefined.yaml
index 20a85a6d7..13ffa4d6e 100644
--- a/rules/os/os_loginwindow_adminhostinfo_undefined.yaml
+++ b/rules/os/os_loginwindow_adminhostinfo_undefined.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93018-0
+ - CCE-94221-9
cci:
- CCI-000060
800-53r5:
@@ -23,11 +23,11 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - APPL-14-000009
- 800-171r2:
- - 3.1.10
-macOS:
- - '14.0'
+ - N/A
+ 800-171r3:
+ - 03.01.10
+ macOS:
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
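Review bot: the indentation of `macOS:` changes in this hunk: the removed line `-macOS:` was a top-level key, but the replacement `+ macOS:` carries a leading space, which nests `macOS` under `references:` and hides the supported-version list from anything that reads the top-level key. Restore it to column 0 as it is in every other rule touched by this change, keeping only the `'14.0'` to `'15.0'` bump.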
diff --git a/rules/os/os_logoff_capability_and_message.yaml b/rules/os/os_logoff_capability_and_message.yaml
index f4c05c29a..69d63ed6e 100644
--- a/rules/os/os_logoff_capability_and_message.yaml
+++ b/rules/os/os_logoff_capability_and_message.yaml
@@ -10,7 +10,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92819-2
+ - CCE-94222-7
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- SRG-OS-000280-GPOS-00110
- SRG-OS-000281-GPOS-00111
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_mail_app_disable.yaml b/rules/os/os_mail_app_disable.yaml
index 81abca4ec..5f97e7257 100644
--- a/rules/os/os_mail_app_disable.yaml
+++ b/rules/os/os_mail_app_disable.yaml
@@ -35,7 +35,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92820-0
+ - CCE-94223-5
cci:
- N/A
800-53r5:
@@ -50,9 +50,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -64,7 +64,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_malicious_code_prevention.yaml b/rules/os/os_malicious_code_prevention.yaml
index 5f5b947b0..d88a70d03 100644
--- a/rules/os/os_malicious_code_prevention.yaml
+++ b/rules/os/os_malicious_code_prevention.yaml
@@ -34,7 +34,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92821-8
+ - CCE-94224-3
cci:
- N/A
800-53r5:
@@ -56,9 +56,12 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
+ 800-171r3:
+ - 03.14.02
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- inherent
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_managed_access_control_points.yaml b/rules/os/os_managed_access_control_points.yaml
index af7f82cb0..d22bfac45 100644
--- a/rules/os/os_managed_access_control_points.yaml
+++ b/rules/os/os_managed_access_control_points.yaml
@@ -10,15 +10,15 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92822-6
+ - CCE-94225-0
cci:
- N/A
800-53r5:
- AC-17(3)
800-53r4:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.01.12
disa_stig:
- N/A
srg:
@@ -26,7 +26,7 @@ references:
cmmc:
- AC.L2-3.1.14
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_map_pki_identity.yaml b/rules/os/os_map_pki_identity.yaml
index 6256f074e..cc92c2ea2 100644
--- a/rules/os/os_map_pki_identity.yaml
+++ b/rules/os/os_map_pki_identity.yaml
@@ -8,7 +8,7 @@ fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92823-4
+ - CCE-94226-8
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_mdm_require.yaml b/rules/os/os_mdm_require.yaml
index d69e91866..4f363fbde 100644
--- a/rules/os/os_mdm_require.yaml
+++ b/rules/os/os_mdm_require.yaml
@@ -25,7 +25,7 @@ fix: |
Ensure that system is enrolled via UAMDM.
references:
cce:
- - CCE-92824-2
+ - CCE-94227-6
cci:
- CCI-000366
800-53r5:
@@ -35,12 +35,12 @@ references:
- CM-2
- CM-6
disa_stig:
- - APPL-14-005110
+ - N/A
srg:
- SRG-OS-000480-GPOS-00227
- 800-171r2:
- - 3.4.1
- - 3.4.2
+ 800-171r3:
+ - 03.04.01
+ - 03.04.02
cis:
benchmark:
- 1.8 (level 1)
@@ -50,7 +50,7 @@ references:
cmmc:
- CM.L2-3.4.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_messages_app_disable.yaml b/rules/os/os_messages_app_disable.yaml
index b5a0750fb..5214f97d1 100644
--- a/rules/os/os_messages_app_disable.yaml
+++ b/rules/os/os_messages_app_disable.yaml
@@ -30,7 +30,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92825-9
+ - CCE-94228-4
cci:
- N/A
800-53r5:
@@ -45,9 +45,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -59,7 +59,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_mfa_network_access.yaml b/rules/os/os_mfa_network_access.yaml
index 6eab746d0..4da334565 100644
--- a/rules/os/os_mfa_network_access.yaml
+++ b/rules/os/os_mfa_network_access.yaml
@@ -9,7 +9,7 @@ fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92826-7
+ - CCE-94229-2
cci:
- N/A
800-53r5:
@@ -26,7 +26,7 @@ references:
controls v8:
- 5.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cisv8
diff --git a/rules/os/os_mfa_network_non-priv.yaml b/rules/os/os_mfa_network_non-priv.yaml
index aaca33e02..ede16ce35 100644
--- a/rules/os/os_mfa_network_non-priv.yaml
+++ b/rules/os/os_mfa_network_non-priv.yaml
@@ -9,7 +9,7 @@ fix: |
For directory bound systems, the technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92827-5
+ - CCE-94230-0
cci:
- N/A
800-53r5:
@@ -21,7 +21,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_mobile_file_integrity_enable.yaml b/rules/os/os_mobile_file_integrity_enable.yaml
index 7b39fc89e..4f7957789 100644
--- a/rules/os/os_mobile_file_integrity_enable.yaml
+++ b/rules/os/os_mobile_file_integrity_enable.yaml
@@ -1,6 +1,6 @@
id: os_mobile_file_integrity_enable
title: Enable Apple Mobile File Integrity
-discussion: Mobile file integrity _MUST_ be ebabled.
+discussion: Mobile file integrity _MUST_ be enabled.
check: |
/usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1"
result:
@@ -12,7 +12,7 @@ fix: |
----
references:
cce:
- - CCE-92828-3
+ - CCE-94231-8
cci:
- N/A
800-53r5:
@@ -23,7 +23,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
- 2.3
- 2.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_network_storage_restriction.yaml b/rules/os/os_network_storage_restriction.yaml
new file mode 100644
index 000000000..864b54652
--- /dev/null
+++ b/rules/os/os_network_storage_restriction.yaml
@@ -0,0 +1,40 @@
+id: os_network_storage_restriction
+title: Network Storage Must Be Restricted
+discussion: |-
+ Network Storage _MUST_ be restricted.
+
+ NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
+check: |
+ /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
+result:
+ string: $ODV
+fix: |
+ This is implemented by a Declarative Device Management.
+references:
+ cce:
+ - CCE-94232-6
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20(4)
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r3:
+ - N/A
+ cmmc:
+ - N/A
+macOS:
+ - '15.0'
+tags:
+ - none
+odv:
+ hint: Allowed, ReadOnly, or Disallowed
+ recommended: Allowed
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.diskmanagement.settings
+ ddm_key: NetworkStorage
+ ddm_value: $ODV
\ No newline at end of file
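Review bot: the check and the declaration manage different keys: the `check` reads `.Restrictions | .ExternalStorage` from DiskManagement_Settings.plist, while `ddm_key` is `NetworkStorage` and the rule is about network storage, so the check would pass or fail on the external-storage setting rather than the one this rule configures; point the jq filter at the NetworkStorage key. `recommended: Allowed` also makes the default ODV the least restrictive value, leaving a rule titled "Network Storage Must Be Restricted" unenforced unless an author overrides it; consider `ReadOnly` or `Disallowed`, or say in the discussion why `Allowed` is the default. Smaller points: jq without `-r` prints the value as a quoted JSON string (`"Allowed"`), so verify the comparison against `string: $ODV` accounts for the quotes; the discussion has typos ("built in" should be "built-in", "declative" should be "declarative", "manament" should be "management"); the fix reads "implemented by a Declarative Device Management" (drop "a"); `mobileconfig_info:` is an empty key; and the file lacks a trailing newline.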
diff --git a/rules/os/os_newsyslog_files_owner_group_configure.yaml b/rules/os/os_newsyslog_files_owner_group_configure.yaml
index 9ec716687..3fd5a4724 100644
--- a/rules/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/rules/os/os_newsyslog_files_owner_group_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92829-1
+ - CCE-94233-4
cci:
- CCI-001312
- CCI-001314
@@ -27,11 +27,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- - APPL-14-004030
- 800-171r2:
+ - N/A
+ 800-171r3:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_newsyslog_files_permissions_configure.yaml b/rules/os/os_newsyslog_files_permissions_configure.yaml
index be12797d0..e26af6048 100644
--- a/rules/os/os_newsyslog_files_permissions_configure.yaml
+++ b/rules/os/os_newsyslog_files_permissions_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92830-9
+ - CCE-94234-2
cci:
- CCI-001312
- CCI-001314
@@ -25,11 +25,11 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- - APPL-14-004040
- 800-171r2:
+ - N/A
+ 800-171r3:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index 58bdca63d..802bcca23 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -14,7 +14,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-92831-7
+ - CCE-94235-9
cci:
- CCI-000213
800-53r5:
@@ -25,10 +25,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002003
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 4.3 (level 1)
@@ -38,7 +38,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_non_repudiation.yaml b/rules/os/os_non_repudiation.yaml
index 32275f791..5c5aae8b8 100644
--- a/rules/os/os_non_repudiation.yaml
+++ b/rules/os/os_non_repudiation.yaml
@@ -10,21 +10,21 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92832-5
+ - CCE-94236-7
cci:
- N/A
800-53r5:
- AU-10
800-53r4:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- n_a
diff --git a/rules/os/os_nonlocal_maintenance.yaml b/rules/os/os_nonlocal_maintenance.yaml
index 31f0ef4cf..6ea1e36d4 100644
--- a/rules/os/os_nonlocal_maintenance.yaml
+++ b/rules/os/os_nonlocal_maintenance.yaml
@@ -8,15 +8,15 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92833-3
+ - CCE-94237-5
cci:
- N/A
800-53r5:
- MA-4
800-53r4:
- MA-4
- 800-171r2:
- - 3.7.5
+ 800-171r3:
+ - 03.07.05
disa_stig:
- N/A
srg:
@@ -24,7 +24,7 @@ references:
cmmc:
- MA.L2-3.7.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_notify_account_created.yaml b/rules/os/os_notify_account_created.yaml
index f318d0e6a..6ce579039 100644
--- a/rules/os/os_notify_account_created.yaml
+++ b/rules/os/os_notify_account_created.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92834-1
+ - CCE-94238-3
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
- SRG-OS-000277-GPOS-00107
- SRG-OS-000303-GPOS-00120
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/rules/os/os_notify_account_disabled.yaml b/rules/os/os_notify_account_disabled.yaml
index 93d06af67..9423d13e4 100644
--- a/rules/os/os_notify_account_disabled.yaml
+++ b/rules/os/os_notify_account_disabled.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92835-8
+ - CCE-94239-1
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/rules/os/os_notify_account_enable.yaml b/rules/os/os_notify_account_enable.yaml
index 4ab33b35a..c2857275c 100644
--- a/rules/os/os_notify_account_enable.yaml
+++ b/rules/os/os_notify_account_enable.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92836-6
+ - CCE-94240-9
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
- SRG-OS-000277-GPOS-00107
- SRG-OS-000303-GPOS-00120
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/rules/os/os_notify_account_modified.yaml b/rules/os/os_notify_account_modified.yaml
index 56eb4c61a..d7e2121ca 100644
--- a/rules/os/os_notify_account_modified.yaml
+++ b/rules/os/os_notify_account_modified.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92837-4
+ - CCE-94241-7
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/rules/os/os_notify_account_removal.yaml b/rules/os/os_notify_account_removal.yaml
index 86d51066b..7eef21368 100644
--- a/rules/os/os_notify_account_removal.yaml
+++ b/rules/os/os_notify_account_removal.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92838-2
+ - CCE-94242-5
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/rules/os/os_notify_unauthorized_baseline_change.yaml b/rules/os/os_notify_unauthorized_baseline_change.yaml
index fed3f467c..e577251f8 100644
--- a/rules/os/os_notify_unauthorized_baseline_change.yaml
+++ b/rules/os/os_notify_unauthorized_baseline_change.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92839-0
+ - CCE-94243-3
cci:
- N/A
800-53r5:
@@ -26,7 +26,7 @@ references:
cmmc:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
- cnssi-1253_high
diff --git a/rules/os/os_obscure_password.yaml b/rules/os/os_obscure_password.yaml
index 58525ff6a..456012596 100644
--- a/rules/os/os_obscure_password.yaml
+++ b/rules/os/os_obscure_password.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92840-8
+ - CCE-94244-1
cci:
- N/A
800-53r5:
@@ -25,10 +25,8 @@ references:
- N/A
srg:
- SRG-OS-000079-GPOS-00047
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.11
+ 800-171r3:
+ - 03.05.11
cis:
benchmark:
- N/A
@@ -39,7 +37,7 @@ references:
- IA.L2-3.5.9
- IA.L2-3.5.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_on_device_dictation_enforce.yaml b/rules/os/os_on_device_dictation_enforce.yaml
index 9822c9c06..03808cd8e 100644
--- a/rules/os/os_on_device_dictation_enforce.yaml
+++ b/rules/os/os_on_device_dictation_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92841-6
+ - CCE-94245-8
cci:
- CCI-000381
800-53r5:
@@ -30,10 +30,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002220
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- 2.18.1 (level 1)
@@ -45,7 +45,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- arm64
- 800-53r5_low
diff --git a/rules/os/os_parental_controls_enable.yaml b/rules/os/os_parental_controls_enable.yaml
index df2f600b1..a792be56e 100644
--- a/rules/os/os_parental_controls_enable.yaml
+++ b/rules/os/os_parental_controls_enable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92842-4
+ - CCE-94246-6
cci:
- N/A
800-53r5:
@@ -28,7 +28,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- 3.4.7
cis:
benchmark:
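Review bot: `800-171r2:` is renamed to `800-171r3:` but the retained value `- 3.4.7` keeps the r2 numbering; every other file in this change uses the zero-padded r3 form (for example `03.04.06` in os_power_nap_disable.yaml), so change the value to `03.04.07` or confirm the r3 mapping for this rule.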
@@ -36,7 +36,7 @@ references:
controls v8:
- 4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_password_autofill_disable.yaml b/rules/os/os_password_autofill_disable.yaml
index 158da2831..6b13b503f 100644
--- a/rules/os/os_password_autofill_disable.yaml
+++ b/rules/os/os_password_autofill_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92843-2
+ - CCE-94247-4
cci:
- CCI-000381
800-53r5:
@@ -31,13 +31,11 @@ references:
- CM-7
- CM-7(1)
disa_stig:
- - APPL-14-002190
+ - N/A
srg:
- SRG-OS-000095-GPOS-00049
- 800-171r2:
- - 3.4.6
- - 3.5.1
- - 3.5.2
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -50,7 +48,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_password_hint_remove.yaml b/rules/os/os_password_hint_remove.yaml
index 543ae90bb..5a392c555 100644
--- a/rules/os/os_password_hint_remove.yaml
+++ b/rules/os/os_password_hint_remove.yaml
@@ -21,15 +21,15 @@ fix: |
----
references:
cce:
- - CCE-92844-0
+ - CCE-94248-2
cci:
- CCI-000206
800-53r5:
- IA-6
800-53r4:
- IA-6
- 800-171r2:
- - 3.5.11
+ 800-171r3:
+ - 03.05.11
cis:
benchmark:
- 2.11.1 (level 1)
@@ -40,9 +40,9 @@ references:
srg:
- SRG-OS-000079-GPOS-00047
disa_stig:
- - APPL-14-003014
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_password_proximity_disable.yaml b/rules/os/os_password_proximity_disable.yaml
index c4e3a00c5..b6db354bc 100644
--- a/rules/os/os_password_proximity_disable.yaml
+++ b/rules/os/os_password_proximity_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92845-7
+ - CCE-94249-0
cci:
- CCI-000381
800-53r5:
@@ -25,10 +25,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005060
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ - N/A
+ 800-171r3:
+ - 03.05.12
cis:
benchmark:
- N/A
@@ -39,7 +38,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_password_sharing_disable.yaml b/rules/os/os_password_sharing_disable.yaml
index 64cd34051..2fbe08143 100644
--- a/rules/os/os_password_sharing_disable.yaml
+++ b/rules/os/os_password_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92846-5
+ - CCE-94250-8
800-53r5:
- IA-5
800-53r4:
@@ -24,9 +24,8 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ 800-171r3:
+ - 03.05.12
cis:
benchmark:
- N/A
@@ -39,7 +38,7 @@ references:
cci:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_peripherals_identify.yaml b/rules/os/os_peripherals_identify.yaml
index 1b062f671..4da79c3c1 100644
--- a/rules/os/os_peripherals_identify.yaml
+++ b/rules/os/os_peripherals_identify.yaml
@@ -10,7 +10,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92847-3
+ - CCE-94251-6
cci:
- N/A
800-53r5:
@@ -21,10 +21,10 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_pii_deidentification.yaml b/rules/os/os_pii_deidentification.yaml
index 963fdb266..a78b13179 100644
--- a/rules/os/os_pii_deidentification.yaml
+++ b/rules/os/os_pii_deidentification.yaml
@@ -10,21 +10,21 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92848-1
+ - CCE-94252-4
cci:
- N/A
800-53r5:
- SI-19
800-53r4:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- n_a
diff --git a/rules/os/os_pii_quality_control.yaml b/rules/os/os_pii_quality_control.yaml
index 83443d565..f92ec9d17 100644
--- a/rules/os/os_pii_quality_control.yaml
+++ b/rules/os/os_pii_quality_control.yaml
@@ -10,21 +10,21 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92849-9
+ - CCE-94253-2
cci:
- N/A
800-53r5:
- SI-18
800-53r4:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- n_a
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index deeb193b9..295269697 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -28,7 +28,7 @@ fix: |
----
references:
cce:
- - CCE-92850-7
+ - CCE-94254-0
cci:
- CCI-000048
- CCI-000050
@@ -46,9 +46,9 @@ references:
- SRG-OS-000228-GPOS-00088
- SRG-OS-000023-GPOS-00006
disa_stig:
- - APPL-14-000025
- 800-171r2:
- - 3.1.9
+ - N/A
+ 800-171r3:
+ - 03.01.09
cis:
benchmark:
- 5.8 (level 2)
@@ -57,7 +57,7 @@ references:
cmmc:
- AC.L2-3.1.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Organization's Policy Text
recommended: 'You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning.'
diff --git a/rules/os/os_policy_banner_ssh_configure.yaml b/rules/os/os_policy_banner_ssh_configure.yaml
index ef7446021..fb799229d 100644
--- a/rules/os/os_policy_banner_ssh_configure.yaml
+++ b/rules/os/os_policy_banner_ssh_configure.yaml
@@ -19,7 +19,7 @@ fix: |
----
references:
cce:
- - CCE-92851-5
+ - CCE-94255-7
cci:
- CCI-000048
- CCI-000050
@@ -31,13 +31,13 @@ references:
- SRG-OS-000024-GPOS-00007
- SRG-OS-000023-GPOS-00006
disa_stig:
- - APPL-14-000023
- 800-171r2:
- - 3.1.9
+ - N/A
+ 800-171r3:
+ - 03.01.09
cmmc:
- AC.L2-3.1.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Organization's Policy Text
recommended: |-
diff --git a/rules/os/os_policy_banner_ssh_enforce.yaml b/rules/os/os_policy_banner_ssh_enforce.yaml
index bf4db6bc1..356db703a 100644
--- a/rules/os/os_policy_banner_ssh_enforce.yaml
+++ b/rules/os/os_policy_banner_ssh_enforce.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-92852-3
+ - CCE-94256-5
cci:
- CCI-000048
- CCI-000050
@@ -47,13 +47,13 @@ references:
- SRG-OS-000024-GPOS-00007
- SRG-OS-000023-GPOS-00006
disa_stig:
- - APPL-14-000024
- 800-171r2:
- - 3.1.9
+ - N/A
+ 800-171r3:
+ - 03.01.09
cmmc:
- AC.L2-3.1.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -70,3 +70,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: Banner
+ configuration_value: /etc/banner
\ No newline at end of file
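Review bot: the new `ddm_info` block leaves the file without a trailing newline and follows an empty `mobileconfig_info:` key; add the newline and either populate or drop the empty key. The declaration sets sshd's `Banner` to `/etc/banner`, which only takes effect if that file exists on the host; confirm the banner content is delivered alongside this declaration, since the hunk does not show anything creating it.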
diff --git a/rules/os/os_power_nap_disable.yaml b/rules/os/os_power_nap_disable.yaml
index 4c1527dbe..b7fff6be8 100644
--- a/rules/os/os_power_nap_disable.yaml
+++ b/rules/os/os_power_nap_disable.yaml
@@ -24,7 +24,7 @@ fix: |
----
references:
cce:
- - CCE-92853-1
+ - CCE-94257-3
cci:
- N/A
800-53r5:
@@ -37,8 +37,8 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.9.2 (level 1)
@@ -49,7 +49,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_power_nap_enable.yaml b/rules/os/os_power_nap_enable.yaml
index c7290fe8d..972d9076c 100644
--- a/rules/os/os_power_nap_enable.yaml
+++ b/rules/os/os_power_nap_enable.yaml
@@ -24,7 +24,7 @@ fix: |
----
references:
cce:
- - CCE-92854-9
+ - CCE-94258-1
cci:
- N/A
800-53r5:
@@ -35,7 +35,7 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -43,7 +43,7 @@ references:
controls v8:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- none
mobileconfig: false
diff --git a/rules/os/os_predictable_behavior.yaml b/rules/os/os_predictable_behavior.yaml
index 59994760b..833ea858b 100644
--- a/rules/os/os_predictable_behavior.yaml
+++ b/rules/os/os_predictable_behavior.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92855-6
+ - CCE-94259-9
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000432-GPOS-00191
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_prevent_priv_execution.yaml b/rules/os/os_prevent_priv_execution.yaml
index 4d6459e08..2b29ec982 100644
--- a/rules/os/os_prevent_priv_execution.yaml
+++ b/rules/os/os_prevent_priv_execution.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92856-4
+ - CCE-94260-7
cci:
- N/A
800-53r5:
@@ -23,10 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000326-GPOS-00126
- 800-171r2:
- - 3.1.7
-macOS:
- - '14.0'
+ 800-171r3:
+ - 03.01.07
+ macOS:
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
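Review bot: as in os_loginwindow_adminhostinfo_undefined.yaml, `-macOS:` was a top-level key but the replacement `+ macOS:` is indented, which nests `macOS` under `references:` and hides the supported-version list from the generators. Keep `macOS:` at column 0 and change only the version value.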
diff --git a/rules/os/os_prevent_priv_functions.yaml b/rules/os/os_prevent_priv_functions.yaml
index 6848fe17b..8a19df039 100644
--- a/rules/os/os_prevent_priv_functions.yaml
+++ b/rules/os/os_prevent_priv_functions.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92857-2
+ - CCE-94261-5
cci:
- N/A
800-53r5:
@@ -25,12 +25,12 @@ references:
- N/A
srg:
- SRG-OS-000324-GPOS-00125
- 800-171r2:
- - 3.1.7
+ 800-171r3:
+ - 03.01.07
cmmc:
- AC.L2-3.1.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_prevent_unauthorized_disclosure.yaml b/rules/os/os_prevent_unauthorized_disclosure.yaml
index e13fe0b99..f98497523 100644
--- a/rules/os/os_prevent_unauthorized_disclosure.yaml
+++ b/rules/os/os_prevent_unauthorized_disclosure.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92858-0
+ - CCE-94262-3
cci:
- N/A
800-53r5:
@@ -23,12 +23,12 @@ references:
- N/A
srg:
- SRG-OS-000138-GPOS-00069
- 800-171r2:
- - 3.13.4
+ 800-171r3:
+ - 03.13.04
cmmc:
- SC.L2-3.13.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_privacy_principle_minimization.yaml b/rules/os/os_privacy_principle_minimization.yaml
index 68c8492c1..26f36c1cf 100644
--- a/rules/os/os_privacy_principle_minimization.yaml
+++ b/rules/os/os_privacy_principle_minimization.yaml
@@ -10,21 +10,21 @@ fix: |
The requirement is NA. No fix is required.
references:
cce:
- - CCE-92859-8
+ - CCE-94263-1
cci:
- N/A
800-53r5:
- SA-8(33)
800-53r4:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_privacy
- n_a
diff --git a/rules/os/os_privacy_setup_prompt_disable.yaml b/rules/os/os_privacy_setup_prompt_disable.yaml
index efbe2f010..25ce18627 100644
--- a/rules/os/os_privacy_setup_prompt_disable.yaml
+++ b/rules/os/os_privacy_setup_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92860-6
+ - CCE-94264-9
cci:
- CCI-000381
800-53r5:
@@ -27,7 +27,7 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002036
+ - N/A
cis:
benchmark:
- N/A
@@ -37,9 +37,12 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
+ 800-171r3:
+ - 03.04.06
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
index e941ae84d..a5138f2c7 100644
--- a/rules/os/os_prohibit_remote_activation_collab_devices.yaml
+++ b/rules/os/os_prohibit_remote_activation_collab_devices.yaml
@@ -18,7 +18,7 @@ fix: |
The technology partially meets this requirement. An appropriate mitigation for the system must be implemented for full compliance.
references:
cce:
- - CCE-92861-4
+ - CCE-94265-6
800-53r5:
- SC-15
800-53r4:
@@ -31,9 +31,12 @@ references:
- SC.L2-3.13.12
cci:
- N/A
+ 800-171r3:
+ - 03.13.12
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- inherent
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_protect_dos_attacks.yaml b/rules/os/os_protect_dos_attacks.yaml
index 44f366ceb..9bf080c80 100644
--- a/rules/os/os_protect_dos_attacks.yaml
+++ b/rules/os/os_protect_dos_attacks.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92862-2
+ - CCE-94266-4
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000420-GPOS-00186
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_provide_automated_account_management.yaml b/rules/os/os_provide_automated_account_management.yaml
index 52729ef81..9432a106b 100644
--- a/rules/os/os_provide_automated_account_management.yaml
+++ b/rules/os/os_provide_automated_account_management.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92863-0
+ - CCE-94267-2
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000001-GPOS-00001
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_provide_disconnect_remote_access.yaml b/rules/os/os_provide_disconnect_remote_access.yaml
index 7dfa14a8d..5c6158826 100644
--- a/rules/os/os_provide_disconnect_remote_access.yaml
+++ b/rules/os/os_provide_disconnect_remote_access.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92864-8
+ - CCE-94268-0
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000298-GPOS-00116
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_rapid_security_response_allow.yaml b/rules/os/os_rapid_security_response_allow.yaml
index 9eee254c3..92d7f6269 100644
--- a/rules/os/os_rapid_security_response_allow.yaml
+++ b/rules/os/os_rapid_security_response_allow.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92865-5
+ - CCE-94269-8
cci:
- N/A
800-53r5:
@@ -24,10 +24,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.14.1
- - 3.14.2
- - 3.13.3
+ 800-171r3:
+ - 03.14.01
+ - 03.14.02
cis:
benchmark:
- N/A
@@ -38,7 +37,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_rapid_security_response_removal_disable.yaml b/rules/os/os_rapid_security_response_removal_disable.yaml
index c94a4d050..02846fa91 100644
--- a/rules/os/os_rapid_security_response_removal_disable.yaml
+++ b/rules/os/os_rapid_security_response_removal_disable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92866-3
+ - CCE-94270-6
cci:
- N/A
800-53r5:
@@ -24,10 +24,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.14.1
- - 3.14.2
- - 3.13.3
+ 800-171r3:
+ - 03.14.01
+ - 03.14.02
cis:
benchmark:
- N/A
@@ -38,7 +37,7 @@ references:
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_reauth_devices_change_authenticators.yaml b/rules/os/os_reauth_devices_change_authenticators.yaml
index 21128bd0a..7c5b5d16e 100644
--- a/rules/os/os_reauth_devices_change_authenticators.yaml
+++ b/rules/os/os_reauth_devices_change_authenticators.yaml
@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92867-1
+ - CCE-94271-4
cci:
- N/A
800-53r5:
@@ -21,9 +21,12 @@ references:
- N/A
srg:
- SRG-OS-000374-GPOS-00159
+ 800-171r3:
+ - 03.05.01
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_reauth_privilege.yaml b/rules/os/os_reauth_privilege.yaml
index 1fa9f356c..9a6b46b21 100644
--- a/rules/os/os_reauth_privilege.yaml
+++ b/rules/os/os_reauth_privilege.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92868-9
+ - CCE-94272-2
cci:
- N/A
800-53r5:
@@ -20,9 +20,12 @@ references:
srg:
- SRG-OS-000373-GPOS-00157
- SRG-OS-000373-GPOS-00156
+ 800-171r3:
+ - 03.05.01
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- inherent
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_reauth_users_change_authenticators.yaml b/rules/os/os_reauth_users_change_authenticators.yaml
index af27a1f04..d7d751385 100644
--- a/rules/os/os_reauth_users_change_authenticators.yaml
+++ b/rules/os/os_reauth_users_change_authenticators.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92869-7
+ - CCE-94273-0
cci:
- N/A
800-53r5:
@@ -19,9 +19,12 @@ references:
- N/A
srg:
- SRG-OS-000373-GPOS-00158
+ 800-171r3:
+ - 03.05.01
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- inherent
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml
index 0b61ccfcc..7dfaf818e 100644
--- a/rules/os/os_recovery_lock_enable.yaml
+++ b/rules/os/os_recovery_lock_enable.yaml
@@ -14,7 +14,7 @@ fix: |
NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password and must be from your MDM.
references:
cce:
- - CCE-92870-5
+ - CCE-94274-8
cci:
- CCI-000366
800-53r5:
@@ -24,14 +24,14 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- - APPL-14-005120
- 800-171r2:
- - 3.1.5
+ - N/A
+ 800-171r3:
+ - 03.01.05
cmmc:
- AC.L1-3.1.1
- AC.L2-3.1.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_remote_access_methods.yaml b/rules/os/os_remote_access_methods.yaml
index 94375fbf1..719dc8958 100644
--- a/rules/os/os_remote_access_methods.yaml
+++ b/rules/os/os_remote_access_methods.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92871-3
+ - CCE-94275-5
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index 3ae29cbd3..00769ad0b 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -25,7 +25,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92872-1
+ - CCE-94276-3
cci:
- N/A
800-53r5:
@@ -36,13 +36,13 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.8.8
+ 800-171r3:
+ - 03.08.07
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_remove_software_components_after_updates.yaml b/rules/os/os_remove_software_components_after_updates.yaml
index 0fa58e188..2942a251c 100644
--- a/rules/os/os_remove_software_components_after_updates.yaml
+++ b/rules/os/os_remove_software_components_after_updates.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92873-9
+ - CCE-94277-1
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000437-GPOS-00194
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml
index 8e85df866..0d09eb862 100644
--- a/rules/os/os_required_crypto_module.yaml
+++ b/rules/os/os_required_crypto_module.yaml
@@ -5,7 +5,7 @@ discussion: |
macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules.
- Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sonoma will be submitted for FIPS validation.
+ Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Sequoia will be submitted for FIPS validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]
@@ -16,7 +16,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92874-7
+ - CCE-94278-9
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
- SRG-OS-000033-GPOS-00014
- SRG-OS-000120-GPOS-00061
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml
index 8c840e65e..72ff96388 100644
--- a/rules/os/os_root_disable.yaml
+++ b/rules/os/os_root_disable.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92875-4
+ - CCE-94279-7
cci:
- CCI-000764
- CCI-000770
@@ -26,9 +26,8 @@ references:
800-53r4:
- IA-2
- IA-2(5)
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ 800-171r3:
+ - 03.05.01
cis:
benchmark:
- 5.6 (level 1)
@@ -42,9 +41,9 @@ references:
- SRG-OS-000109-GPOS-00056
- SRG-OS-000104-GPOS-00051
disa_stig:
- - APPL-14-000100
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_safari_advertising_privacy_protection_enable.yaml b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
index 177bcc752..7c1012d39 100644
--- a/rules/os/os_safari_advertising_privacy_protection_enable.yaml
+++ b/rules/os/os_safari_advertising_privacy_protection_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92876-2
+ - CCE-94280-5
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
controls v8:
- 9.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_safari_open_safe_downloads_disable.yaml b/rules/os/os_safari_open_safe_downloads_disable.yaml
index 0690a8e21..bf9391c50 100644
--- a/rules/os/os_safari_open_safe_downloads_disable.yaml
+++ b/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92877-0
+ - CCE-94281-3
cci:
- N/A
800-53r5:
@@ -28,7 +28,7 @@ references:
- 9.1
- 9.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_safari_popups_disabled.yaml b/rules/os/os_safari_popups_disabled.yaml
deleted file mode 100644
index a9bab257c..000000000
--- a/rules/os/os_safari_popups_disabled.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-id: os_safari_popups_disabled
-title: "Ensure Pop-Up Windows are Blocked in Safari"
-discussion: |
- Safari _MUST_ be configured to block Pop-Up windows.
-check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'safariAllowPopups = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
-result:
- integer: 1
-fix: |
- This is implemented by a Configuration Profile.
-references:
- cce:
- - CCE-93014-9
- cci:
- - N/A
- 800-53r5:
- - N/A
- 800-53r4:
- - N/A
- disa_stig:
- - N/A
- srg:
- - N/A
- cis:
- benchmark:
- - 6.3.9 (level 1)
- controls v8:
- - 9.1
-macOS:
- - "14.0"
-tags:
- - cis_lvl1
- - cis_lvl2
- - cisv8
-mobileconfig: true
-mobileconfig_info:
- com.apple.Safari:
- safariAllowPopups: false
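Review bot: removing this rule drops a CIS benchmark item (6.3.9, level 1) that carried the cis_lvl1, cis_lvl2 and cisv8 tags, so any baseline that included os_safari_popups_disabled and the CHANGELOG's list of removed rules need a matching update; if the Safari popup control is now covered by a different rule for Sequoia, naming it in the commit message would make the removal traceable.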
diff --git a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
index 362c06b16..64944e8a4 100644
--- a/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
+++ b/rules/os/os_safari_prevent_cross-site_tracking_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92878-8
+ - CCE-94282-1
cci:
- N/A
800-53r5:
@@ -28,7 +28,7 @@ references:
- 9.1
- 9.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_safari_show_full_website_address_enable.yaml b/rules/os/os_safari_show_full_website_address_enable.yaml
index 9aa69dcda..7a97e7b24 100644
--- a/rules/os/os_safari_show_full_website_address_enable.yaml
+++ b/rules/os/os_safari_show_full_website_address_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92879-6
+ - CCE-94283-9
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
controls v8:
- 9.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_safari_show_status_bar_enabled.yaml b/rules/os/os_safari_show_status_bar_enabled.yaml
index 98d04a297..6f83fb2f1 100644
--- a/rules/os/os_safari_show_status_bar_enabled.yaml
+++ b/rules/os/os_safari_show_status_bar_enabled.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93015-6
+ - CCE-94284-7
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
controls v8:
- 9.1
macOS:
- - "14.0"
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_safari_warn_fraudulent_website_enable.yaml b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
index 470f457fe..b3b14d851 100644
--- a/rules/os/os_safari_warn_fraudulent_website_enable.yaml
+++ b/rules/os/os_safari_warn_fraudulent_website_enable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92880-4
+ - CCE-94285-4
cci:
- N/A
800-53r5:
@@ -28,7 +28,7 @@ references:
- 9.1
- 9.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_screensaver_loginwindow_enforce.yaml b/rules/os/os_screensaver_loginwindow_enforce.yaml
index 42dfe5e5d..9322d9fcd 100644
--- a/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -8,12 +8,12 @@ check: |
.objectForKey('moduleName').js
EOS
result:
- string: Sonoma
+ string: Sequoia
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92881-2
+ - CCE-94286-2
cci:
- CCI-000060
800-53r5:
@@ -24,12 +24,12 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.10
+ 800-171r3:
+ - 03.01.10
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -44,4 +44,4 @@ severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.screensaver:
- moduleName: Sonoma
+ moduleName: Sequoia
diff --git a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
index b6dc402f2..3367e3920 100644
--- a/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/rules/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92882-0
+ - CCE-94287-0
cci:
- CCI-000057
800-53r5:
@@ -31,7 +31,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -41,7 +41,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 1200
diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml
index 3ebfc2a5a..12216fc08 100644
--- a/rules/os/os_secure_boot_verify.yaml
+++ b/rules/os/os_secure_boot_verify.yaml
@@ -14,7 +14,7 @@ fix: |
NOTE: Boot into Recovery Mode and enable Full Secure Boot
references:
cce:
- - CCE-92883-8
+ - CCE-94288-8
cci:
- CCI-002696
- CCI-002699
@@ -31,9 +31,9 @@ references:
- SRG-OS-000445-GPOS-00199
- SRG-OS-000446-GPOS-00200
disa_stig:
- - APPL-14-005100
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r5_moderate
diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml
index 427bfb001..254cb4a4d 100644
--- a/rules/os/os_secure_enclave.yaml
+++ b/rules/os/os_secure_enclave.yaml
@@ -16,7 +16,7 @@ fix: |
The hardware does not support the requirement.
references:
cce:
- - CCE-92884-6
+ - CCE-94289-6
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
cmmc:
- SC.L2-3.13.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_secure_name_resolution.yaml b/rules/os/os_secure_name_resolution.yaml
index 5c8939212..5388e9c2f 100644
--- a/rules/os/os_secure_name_resolution.yaml
+++ b/rules/os/os_secure_name_resolution.yaml
@@ -10,7 +10,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92885-3
+ - CCE-94290-4
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
controls v8:
- 4.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_separate_functionality.yaml b/rules/os/os_separate_functionality.yaml
index bf3b29182..2721ce1d5 100644
--- a/rules/os/os_separate_functionality.yaml
+++ b/rules/os/os_separate_functionality.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92886-1
+ - CCE-94291-2
cci:
- N/A
800-53r5:
@@ -26,12 +26,12 @@ references:
- N/A
srg:
- SRG-OS-000132-GPOS-00067
- 800-171r2:
+ 800-171r3:
- 3.13.3
cmmc:
- SC.L2-3.13.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
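Review bot: the 800-171r3 value here is still written as `3.13.3` in the r2 format, while every other file in this patch converts r3 identifiers to the zero-padded `03.xx.xx` form (compare `03.13.04` in os_prevent_unauthorized_disclosure); it should read `03.13.03`, and since r3 withdrew several 3.13 controls into others it is worth confirming that 03.13.03 is still a live r3 control rather than copying the r2 mapping forward.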
diff --git a/rules/os/os_setup_assistant_filevault_enforce.yaml b/rules/os/os_setup_assistant_filevault_enforce.yaml
index b1f788520..c2cd50510 100644
--- a/rules/os/os_setup_assistant_filevault_enforce.yaml
+++ b/rules/os/os_setup_assistant_filevault_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- - CCE-92887-9
+ - CCE-94292-0
cci:
- N/A
800-53r5:
@@ -28,8 +28,8 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.13.16
+ 800-171r3:
+ - 03.13.08
cis:
benchmark:
- N/A
@@ -39,7 +39,7 @@ references:
cmmc:
- SC.L2-3.13.16
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_show_filename_extensions_enable.yaml b/rules/os/os_show_filename_extensions_enable.yaml
index 1ebcdf406..8a74b0304 100644
--- a/rules/os/os_show_filename_extensions_enable.yaml
+++ b/rules/os/os_show_filename_extensions_enable.yaml
@@ -22,7 +22,7 @@ fix: |
----
references:
cce:
- - CCE-92888-7
+ - CCE-94293-8
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -41,7 +41,7 @@ references:
controls v8:
- 2.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_sip_enable.yaml b/rules/os/os_sip_enable.yaml
index 9d85439d8..dea895b03 100644
--- a/rules/os/os_sip_enable.yaml
+++ b/rules/os/os_sip_enable.yaml
@@ -18,7 +18,7 @@ fix: |
NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- - CCE-92889-5
+ - CCE-94294-6
cci:
- CCI-000154
- CCI-000158
@@ -70,14 +70,12 @@ references:
- SRG-OS-000122-GPOS-00063
- SRG-OS-000058-GPOS-00028
disa_stig:
- - APPL-14-005001
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.3.6
- - 3.3.8
- - 3.4.5
- - 3.13.4
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.03.08
+ - 03.04.05
+ - 03.13.04
cis:
benchmark:
- 5.1.2 (level 1)
@@ -93,7 +91,7 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_siri_prompt_disable.yaml b/rules/os/os_siri_prompt_disable.yaml
index f94bd87b5..d8c9aa439 100644
--- a/rules/os/os_siri_prompt_disable.yaml
+++ b/rules/os/os_siri_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92890-3
+ - CCE-94295-3
cci:
- CCI-000381
- CCI-001774
@@ -30,10 +30,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002039
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -45,7 +45,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml
index 889e75134..2bcc5df96 100644
--- a/rules/os/os_skip_screen_time_prompt_enable.yaml
+++ b/rules/os/os_skip_screen_time_prompt_enable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92891-1
+ - CCE-94296-1
cci:
- CCI-000381
800-53r5:
@@ -24,13 +24,16 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005055
+ - N/A
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
+ 800-171r3:
+ - 03.04.06
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
diff --git a/rules/os/os_skip_unlock_with_watch_enable.yaml b/rules/os/os_skip_unlock_with_watch_enable.yaml
index f5c7d7307..3983e343e 100644
--- a/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92892-9
+ - CCE-94297-9
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005056
- 800-171r2:
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
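Review bot: `03.04.06` is added to the 800-171r3 list here although the cmmc section in the following hunk lists only `AC.L1-3.1.20`, and the r2 mapping being replaced had only `3.1.20`; the other files that add 03.04.06 in this patch (os_siri_prompt_disable, os_skip_screen_time_prompt_enable) also carry `CM.L2-3.4.6` under cmmc, so either add the cmmc counterpart or drop 03.04.06 to keep the two mappings consistent.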
@@ -36,7 +37,7 @@ references:
cmmc:
- AC.L1-3.1.20
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_software_update_deferral.yaml b/rules/os/os_software_update_deferral.yaml
index 9a6d3789f..c4b12ee68 100644
--- a/rules/os/os_software_update_deferral.yaml
+++ b/rules/os/os_software_update_deferral.yaml
@@ -20,7 +20,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92893-7
+ - CCE-94298-7
cci:
- N/A
800-53r5:
@@ -31,7 +31,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -40,7 +40,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of days.
recommended: 30
diff --git a/rules/os/os_ssh_fips_compliant.yaml b/rules/os/os_ssh_fips_compliant.yaml
index 4cc6ac8e4..769505495 100644
--- a/rules/os/os_ssh_fips_compliant.yaml
+++ b/rules/os/os_ssh_fips_compliant.yaml
@@ -3,39 +3,30 @@ title: Limit SSH to FIPS Compliant Connections
discussion: |
SSH _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.
- FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
+ FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.
check: |
- fips_ssh_config="Host *
- Ciphers aes128-gcm@openssh.com
+ fips_ssh_config="Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
+ HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com
KexAlgorithms ecdh-sha2-nistp256
- MACs hmac-sha2-256
- PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- CASignatureAlgorithms ecdsa-sha2-nistp256"
- /usr/bin/grep -c "$fips_ssh_config" /etc/ssh/ssh_config.d/fips_ssh_config
+ MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
+ PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
+ CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com"
+ /usr/bin/grep -c "$fips_ssh_config" /etc/ssh/crypto.conf
result:
- integer: 8
+ integer: 7
fix: |
[source,bash]
----
- fips_ssh_config="Host *
- Ciphers aes128-gcm@openssh.com
- HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- KexAlgorithms ecdh-sha2-nistp256
- MACs hmac-sha2-256
- PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- CASignatureAlgorithms ecdsa-sha2-nistp256"
- /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
+ /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
----
references:
cce:
- - CCE-92894-5
+ - CCE-94299-5
cci:
- CCI-000068
- CCI-000803
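Review bot: the new fix only symlinks `/etc/ssh/crypto/fips.conf` to `/etc/ssh/crypto.conf` but does not remove the `/etc/ssh/ssh_config.d/fips_ssh_config` drop-in that the previous fix wrote, so a host upgraded from Sonoma keeps a second, narrower algorithm list alongside the Apple-provided one; the fix should delete that file. The check also pins the exact contents of Apple's fips.conf and feeds them to `grep -c` as unanchored regexes (`.` matches any character, and a line with extra algorithms appended still counts), so a future change to the vendor file silently breaks the check while the fix still passes; checking the symlink target with `readlink /etc/ssh/crypto.conf` would be more robust. Minor: in the discussion, "authentication that meet federal requirements" should read "meets".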
@@ -60,18 +51,17 @@ references:
- SRG-OS-000033-GPOS-00014
- SRG-OS-000396-GPOS-00176
disa_stig:
- - APPL-14-000057
- 800-171r2:
- - 3.1.13
- - 3.13.8
- - 3.13.11
+ - N/A
+ 800-171r3:
+ - 03.13.08
+ - 03.13.11
cmmc:
- AC.L2-3.1.13
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index 3511a613f..63f4a9ae8 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -29,7 +29,7 @@ fix: |
----
references:
cce:
- - CCE-92895-2
+ - CCE-94300-1
cci:
- CCI-001133
800-53r5:
@@ -39,13 +39,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-14-000140
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.13.09
cmmc:
- SC.L2-3.13.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 0
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index 1e17a4e90..180795265 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- - CCE-92896-0
+ - CCE-94301-9
cci:
- CCI-001133
800-53r5:
@@ -42,14 +42,15 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-14-000110
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.01.11
+ - 03.13.09
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 900
diff --git a/rules/os/os_sshd_channel_timeout_configure.yaml b/rules/os/os_sshd_channel_timeout_configure.yaml
index 6e3611cb5..f187be1d0 100644
--- a/rules/os/os_sshd_channel_timeout_configure.yaml
+++ b/rules/os/os_sshd_channel_timeout_configure.yaml
@@ -7,9 +7,9 @@ discussion: |
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
- /usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}'
+ /usr/sbin/sshd -G | /usr/bin/awk '/channeltimeout/{print $2}'
result:
- integer: $ODV
+ string: $ODV
fix: |
[source,bash]
----
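Review bot: the new check prints only `$2` of the `sshd -G` output, so if more than one `type=seconds` pair is configured it returns just the first, and the `$ODV` comparison would fail even though the fix wrote the full value; since the odv hint below describes a single "channel type and number of seconds", document that `$ODV` must be exactly one pair, or print everything after the keyword. Dropping the `session:*` anchor from the awk pattern also means any future sshd keyword containing `channeltimeout` would match; `/^channeltimeout /` keeps it exact.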
@@ -19,7 +19,7 @@ fix: |
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
- /usr/bin/grep -qxF 'channeltimeout session:*=$ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=$ODV" >> "${include_dir}01-mscp-sshd.conf"
+ /usr/bin/grep -qxF 'channeltimeout $ODV' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout $ODV" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-92897-8
+ - CCE-94302-7
cci:
- CCI-001133
- CCI-002361
@@ -46,16 +46,19 @@ references:
- SRG-OS-000163-GPOS-00072
- SRG-OS-000279-GPOS-00109
disa_stig:
- - APPL-14-000120
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.01.11
+ - 03.13.09
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
odv:
- hint: Number of seconds.
- recommended: 900
- stig: 900
+ hint: Channel type and number of seconds.
+ recommended: session:*=900
+ stig: session:*=900
+macOS:
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
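Review bot: `macOS:` is added here at the top level of the document (no indentation, between `odv:` and `tags:`), whereas every other rule in this patch keeps `macOS:` under `references:`, and the os_prevent_priv_execution hunk earlier in this same patch explicitly moves a top-level `macOS:` back under `references:`; indent it to match so the generator finds it in the same place for every rule.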
@@ -70,3 +73,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: ChannelTimeout
+ configuration_value: $ODV
\ No newline at end of file
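Review bot: the file now ends without a trailing newline after `configuration_value: $ODV` (`\ No newline at end of file`), and the same applies to the ddm_info hunks added to os_sshd_client_alive_count_max_configure.yaml and os_sshd_client_alive_interval_configure.yaml below; add the final newline so later appends and `diff` output stay clean. Leaving `mobileconfig_info:` as an empty key directly above `ddm_info:` is also easy to misread; an explicit `mobileconfig_info: {}` or a comment would make it clear that the DDM block replaces it rather than nests under it.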
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml
index d91907249..37d1c7fee 100644
--- a/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -35,7 +35,7 @@ fix: |
----
references:
cce:
- - CCE-92898-6
+ - CCE-94303-5
cci:
- CCI-001133
800-53r5:
@@ -45,13 +45,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-14-000052
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.13.09
cmmc:
- SC.L2-3.13.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 0
@@ -70,3 +70,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: ClientAliveCountMax
+ configuration_value: $ODV
\ No newline at end of file
diff --git a/rules/os/os_sshd_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml
index 151aaa07d..76c08ad18 100644
--- a/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -37,7 +37,7 @@ fix: |
----
references:
cce:
- - CCE-92899-4
+ - CCE-94304-3
cci:
- CCI-001133
800-53r5:
@@ -48,14 +48,15 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-14-000051
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.01.11
+ - 03.13.09
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 900
@@ -74,3 +75,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: ClientAliveInterval
+ configuration_value: $ODV
\ No newline at end of file
diff --git a/rules/os/os_sshd_fips_compliant.yaml b/rules/os/os_sshd_fips_compliant.yaml
index 488df9fdf..6488f72cf 100644
--- a/rules/os/os_sshd_fips_compliant.yaml
+++ b/rules/os/os_sshd_fips_compliant.yaml
@@ -3,13 +3,13 @@ title: Limit SSHD to FIPS Compliant Connections
discussion: |
If SSHD is enabled then it _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.
- FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
+ FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.
check: |
- fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256")
+ fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com")
total=0
for config in $fips_sshd_config; do
total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
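Review bot: the updated `fips_sshd_config` entries are full comma-separated lists that `grep -i -c "$config"` matches as substrings of `sshd -G` output, so the check passes only when sshd reports exactly this set in exactly this order; with the fix in this file now just symlinking Apple's `/etc/ssh/crypto/fips.conf`, these strings have to be kept in lock-step with whatever that file sets, and any later change to it fails the check on a correctly configured host. Note also that `for config in $fips_sshd_config` iterates every element only under zsh; under bash the unsubscripted array expands to its first element alone, so the shell the check is run with should be pinned or the loop written as `"${fips_sshd_config[@]}"`.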
@@ -21,31 +21,11 @@ result:
fix: |
[source,bash]
----
- include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
-
- if [[ -z $include_dir ]]; then
- /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
- fi
-
- fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256")
-
- for config in $fips_sshd_config; do
- /usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf"
- done
-
- for file in $(ls ${include_dir}); do
- if [[ "$file" == "100-macos.conf" ]]; then
- continue
- fi
- if [[ "$file" == "01-mscp-sshd.conf" ]]; then
- break
- fi
- /bin/mv ${include_dir}${file} ${include_dir}20-${file}
- done
+ /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
----
references:
cce:
- - CCE-92902-6
+ - CCE-94305-0
cci:
- CCI-000068
- CCI-000803
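Review bot: the replacement fix `/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf` drops any clean-up of what the previous fix wrote: a host remediated under the earlier baseline still has `${include_dir}01-mscp-sshd.conf` with the older algorithm lists plus the `20-` renamed drop-ins, and those entries can shadow or conflict with what `fips.conf` sets. Suggest removing `01-mscp-sshd.conf` in the new fix (or documenting the migration) and testing that `/etc/ssh/crypto/fips.conf` exists before forcing the symlink, so a bad path does not leave a dangling `crypto.conf` that sshd then ignores.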
@@ -75,18 +55,17 @@ references:
- SRG-OS-000393-GPOS-00173
- SRG-OS-000396-GPOS-00176
disa_stig:
- - APPL-14-000054
- 800-171r2:
- - 3.1.13
- - 3.13.8
- - 3.13.11
+ - N/A
+ 800-171r3:
+ - 03.13.08
+ - 03.13.11
cmmc:
- AC.L2-3.1.13
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -103,3 +82,16 @@ tags:
severity: high
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: file
+ configuration_value: |
+ Ciphers aes128-gcm@openssh.com
+ HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
+ HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
+ KexAlgorithms ecdh-sha2-nistp256
+ MACs hmac-sha2-256
+ PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
+ CASignatureAlgorithms ecdsa-sha2-nistp256
\ No newline at end of file
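Review bot: the inline `sshd_config` content under `configuration_value` still carries the pre-change algorithm lists (`HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com`, `MACs hmac-sha2-256`, `CASignatureAlgorithms ecdsa-sha2-nistp256`), while the `check` block earlier in this same file was just updated to expect the expanded lists with the `sk-*` entries and `hmac-sha2-256-etm@openssh.com`. A device configured through this DDM declaration would therefore fail the rule's own check; align the two lists, or have the declaration deliver the same `fips.conf` contents the fix relies on.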
diff --git a/rules/os/os_sshd_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml
index 3277d8616..7d959c8ed 100644
--- a/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -31,7 +31,7 @@ fix: |
----
references:
cce:
- - CCE-92904-2
+ - CCE-94306-8
cci:
- CCI-001133
800-53r5:
@@ -41,13 +41,13 @@ references:
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- - APPL-14-000053
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.13.09
cmmc:
- SC.L2-3.13.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 30
@@ -61,3 +61,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: LoginGraceTime
+ configuration_value: $ODV
\ No newline at end of file
diff --git a/rules/os/os_sshd_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml
index 008227815..6988e1551 100644
--- a/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-92905-9
+ - CCE-94307-6
cci:
- CCI-000770
- CCI-001813
@@ -45,9 +45,9 @@ references:
- SRG-OS-000364-GPOS-00151
- SRG-OS-000109-GPOS-00056
disa_stig:
- - APPL-14-001100
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_high
- 800-53r4_high
@@ -58,3 +58,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: PermitRootLogin
+ configuration_value: no
\ No newline at end of file
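Review bot: `configuration_value: no` is a YAML 1.1 boolean, so a PyYAML-based generator receives `False` and can emit `PermitRootLogin False` instead of `PermitRootLogin no`; quote it as `configuration_value: 'no'`. The `$ODV` values in the other `ddm_info` blocks are unaffected because they are plain strings.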
diff --git a/rules/os/os_sshd_unused_connection_timeout_configure.yaml b/rules/os/os_sshd_unused_connection_timeout_configure.yaml
index c1873f693..8b30f215b 100644
--- a/rules/os/os_sshd_unused_connection_timeout_configure.yaml
+++ b/rules/os/os_sshd_unused_connection_timeout_configure.yaml
@@ -33,7 +33,7 @@ fix: |
----
references:
cce:
- - CCE-92906-7
+ - CCE-94308-4
cci:
- CCI-001133
- CCI-002361
@@ -46,9 +46,10 @@ references:
- SRG-OS-000163-GPOS-00072
- SRG-OS-000279-GPOS-00109
disa_stig:
- - APPL-14-000130
- 800-171r2:
- - 3.13.9
+ - N/A
+ 800-171r3:
+ - 03.01.11
+ - 03.13.09
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
@@ -56,6 +57,8 @@ odv:
hint: Number of seconds.
recommended: 900
stig: 900
+macOS:
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -70,3 +73,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sshd
+ config_file: sshd_config
+ configuration_key: UnusedConnectionTimeout
+ configuration_value: $ODV
\ No newline at end of file
diff --git a/rules/os/os_store_encrypted_passwords.yaml b/rules/os/os_store_encrypted_passwords.yaml
index 36f075697..722ee3d53 100644
--- a/rules/os/os_store_encrypted_passwords.yaml
+++ b/rules/os/os_store_encrypted_passwords.yaml
@@ -12,7 +12,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92907-5
+ - CCE-94309-2
cci:
- N/A
800-53r5:
@@ -25,11 +25,8 @@ references:
- N/A
srg:
- SRG-OS-000073-GPOS-00041
- 800-171r2:
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -40,7 +37,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_sudo_log_enforce.yaml b/rules/os/os_sudo_log_enforce.yaml
new file mode 100644
index 000000000..3c7045419
--- /dev/null
+++ b/rules/os/os_sudo_log_enforce.yaml
@@ -0,0 +1,58 @@
+id: os_sudo_log_enforce
+title: Configure Sudo To Log Events
+discussion: |
+ Sudo _MUST_ be configured to log privilege escalation.
+check: |
+ /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"
+result:
+ integer: 1
+fix: |
+ [source,bash]
+ ----
+ /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
+ /bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp
+ ----
+references:
+ cce:
+ - CCE-94310-0
+ cci:
+ - CCI-000172
+ 800-53r5:
+ - AC-6(9)
+ 800-53r4:
+ - N/A
+ 800-171r3:
+ - 03.01.07
+ srg:
+ - SRG-OS-000064-GPOS-00033
+ disa_stig:
+ - APPL-15-000190
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - N/A
+ cmmc:
+ - AU.L2-3.3.3
+ - AU.L2-3.3.6
+ - SI.L2-3.14.3
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+ - cmmc_lvl2
+ - stig
+ - 800-171
+severity: medium
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sudo
+ config_file: sudoers
+ configuration_key: Defaults
+ configuration_value: log_allowed
\ No newline at end of file
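Review bot: the fix is neither idempotent nor validated: `/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp` appends another line on every run (no `grep -q ... ||` guard like the old sshd fix removed above used), the file is created with the process umask rather than root:wheel 0440, and the `sed -i ''` pass over `/etc/sudoers*` rewrites every matching file with no `visudo -cf` check afterwards, so one bad edit silently breaks sudo for every administrator. Suggest guarding the append, setting ownership and mode explicitly, and failing the fix if `visudo -c` rejects the result. Minor: `/usr/bin/sudo /usr/bin/sudo -V` in the check is redundant when the compliance script already runs as root.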
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index ea4f6a3ca..023d5ee67 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -14,7 +14,7 @@ fix: |
----
references:
cce:
- - CCE-92908-3
+ - CCE-94311-8
cci:
- CCI-002038
800-53r5:
@@ -24,14 +24,14 @@ references:
srg:
- SRG-OS-000373-GPOS-00156
disa_stig:
- - APPL-14-004022
+ - N/A
cis:
benchmark:
- 5.4 (level 1)
controls v8:
- 4.3
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of minutes.
recommended: 0
@@ -49,3 +49,9 @@ tags:
severity: medium
mobileconfig: false
mobileconfig_info:
+ddm_info:
+ declarationtype: com.apple.configuration.services.configuration-files
+ service: com.apple.sudo
+ config_file: sudoers
+ configuration_key: Defaults timestamp_timeout=
+ configuration_value: $ODV
\ No newline at end of file
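Review bot: `configuration_key: Defaults timestamp_timeout=` with `configuration_value: $ODV` splits a single sudoers directive differently from os_sudo_log_enforce.yaml in this same patch (`configuration_key: Defaults` / `configuration_value: log_allowed`); pick one convention so the DDM generator renders both the same way, for example key `Defaults` and value `timestamp_timeout=$ODV`.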
diff --git a/rules/os/os_sudoers_timestamp_type_configure.yaml b/rules/os/os_sudoers_timestamp_type_configure.yaml
index 8c53dec22..c9598084c 100644
--- a/rules/os/os_sudoers_timestamp_type_configure.yaml
+++ b/rules/os/os_sudoers_timestamp_type_configure.yaml
@@ -15,7 +15,7 @@ fix: |
----
references:
cce:
- - CCE-92909-1
+ - CCE-94312-6
cci:
- CCI-002038
800-53r5:
@@ -27,15 +27,18 @@ references:
- SRG-OS-000373-GPOS-00157
- SRG-OS-000373-GPOS-00156
disa_stig:
- - APPL-14-004060
+ - N/A
cis:
benchmark:
- 5.5 (level 1)
controls v8:
- 4.3
+ 800-171r3:
+ - 03.05.01
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_system_read_only.yaml b/rules/os/os_system_read_only.yaml
index ec2953407..28707d5e6 100644
--- a/rules/os/os_system_read_only.yaml
+++ b/rules/os/os_system_read_only.yaml
@@ -12,7 +12,7 @@ fix: |
NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only.
references:
cce:
- - CCE-92910-9
+ - CCE-94313-4
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_system_wide_applications_configure.yaml b/rules/os/os_system_wide_applications_configure.yaml
index d0fa7af1c..ea2726ab8 100644
--- a/rules/os/os_system_wide_applications_configure.yaml
+++ b/rules/os/os_system_wide_applications_configure.yaml
@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- - CCE-92911-7
+ - CCE-94314-2
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -35,7 +35,7 @@ references:
controls v8:
- 3.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_terminal_secure_keyboard_enable.yaml b/rules/os/os_terminal_secure_keyboard_enable.yaml
index 356a0a1d5..2fcc57a17 100644
--- a/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92912-5
+ - CCE-94315-9
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_terminate_session.yaml b/rules/os/os_terminate_session.yaml
index 289059887..37bc97c7e 100644
--- a/rules/os/os_terminate_session.yaml
+++ b/rules/os/os_terminate_session.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92913-3
+ - CCE-94316-7
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
mobileconfig: false
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 6d99a5bb2..b659bcd7f 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
@@ -18,7 +18,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-92914-1
+ - CCE-94317-5
cci:
- CCI-000197
- CCI-000213
@@ -33,10 +33,11 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000074-GPOS-00042
disa_stig:
- - APPL-14-002038
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -50,7 +51,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_time_offset_limit_configure.yaml b/rules/os/os_time_offset_limit_configure.yaml
index e43b61299..89184051e 100644
--- a/rules/os/os_time_offset_limit_configure.yaml
+++ b/rules/os/os_time_offset_limit_configure.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92915-8
+ - CCE-94318-3
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 8.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_time_server_enabled.yaml b/rules/os/os_time_server_enabled.yaml
index af5c37e4f..49d6c9564 100644
--- a/rules/os/os_time_server_enabled.yaml
+++ b/rules/os/os_time_server_enabled.yaml
@@ -17,7 +17,7 @@ fix: |
NOTE: The service `timed` cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.
references:
cce:
- - CCE-92916-6
+ - CCE-94319-1
cci:
- CCI-002046
- CCI-001891
@@ -30,8 +30,8 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - APPL-14-000180
- 800-171r2:
+ - N/A
+ 800-171r3:
- 3.3.7
cis:
benchmark:
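Review bot: the new `800-171r3:` key keeps the old r2 identifier `3.3.7` as its only entry, while every other rule in this patch uses the zero-padded r3 form (`03.03.07` if Time Stamps is the intended control); the baseline generator that matches on r3 identifiers will not pick this rule up. Also, this hunk removes the `800-171r2` key but not its value line, so check the surrounding file still parses as intended.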
@@ -41,7 +41,7 @@ references:
cmmc:
- AU.L2-3.3.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-171
- 800-53r5_low
diff --git a/rules/os/os_touchid_prompt_disable.yaml b/rules/os/os_touchid_prompt_disable.yaml
index a4cf82d2c..8929ca7c8 100644
--- a/rules/os/os_touchid_prompt_disable.yaml
+++ b/rules/os/os_touchid_prompt_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92917-4
+ - CCE-94320-9
cci:
- CCI-000381
800-53r5:
@@ -25,10 +25,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-005054
- 800-171r2:
- - 3.4.1
- - 3.4.2
+ - N/A
+ 800-171r3:
+ - 03.04.02
cis:
benchmark:
- N/A
@@ -37,7 +36,7 @@ references:
cmmc:
- CM.L2-3.4.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_unique_identification.yaml b/rules/os/os_unique_identification.yaml
index 8336eeb1c..758ca2471 100644
--- a/rules/os/os_unique_identification.yaml
+++ b/rules/os/os_unique_identification.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92918-2
+ - CCE-94321-7
cci:
- N/A
800-53r5:
@@ -27,9 +27,12 @@ references:
- 6.1
cmmc:
- IA.L2-3.5.5
+ 800-171r3:
+ - 03.05.05
macOS:
- - '14.0'
+ - '15.0'
tags:
+ - 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
index f444a7f67..d0767bdaf 100644
--- a/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -17,7 +17,7 @@ fix: |
----
references:
cce:
- - CCE-92919-0
+ - CCE-94322-5
cci:
- CCI-000764
- CCI-000770
@@ -28,13 +28,12 @@ references:
- IA-2
- IA-2(5)
disa_stig:
- - APPL-14-000090
+ - N/A
srg:
- SRG-OS-000109-GPOS-00056
- SRG-OS-000104-GPOS-00051
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ 800-171r3:
+ - 03.05.01
cis:
benchmark:
- 5.7 (level 1)
@@ -44,7 +43,7 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- - "14.0"
+ - '15.0'
odv:
hint: "Review the /System/Library/Security/authorization.plist file for more information."
recommended: "authenticate-session-owner"
diff --git a/rules/os/os_user_app_installation_prohibit.yaml b/rules/os/os_user_app_installation_prohibit.yaml
index c10c8d749..16795cec6 100644
--- a/rules/os/os_user_app_installation_prohibit.yaml
+++ b/rules/os/os_user_app_installation_prohibit.yaml
@@ -30,7 +30,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92920-8
+ - CCE-94323-3
cci:
- CCI-001812
800-53r5:
@@ -40,11 +40,11 @@ references:
srg:
- SRG-OS-000362-GPOS-00149
disa_stig:
- - APPL-14-005080
+ - N/A
cmmc:
- CM.L2-3.4.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index fdbef337f..c51ff04ef 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -18,7 +18,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-92921-6
+ - CCE-94324-1
cci:
- CCI-000213
800-53r5:
@@ -29,10 +29,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002006
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -43,7 +43,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/os/os_verify_remote_disconnection.yaml b/rules/os/os_verify_remote_disconnection.yaml
index 1dd123156..1c9eec31d 100644
--- a/rules/os/os_verify_remote_disconnection.yaml
+++ b/rules/os/os_verify_remote_disconnection.yaml
@@ -8,7 +8,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92922-4
+ - CCE-94325-8
cci:
- N/A
800-53r5:
@@ -20,7 +20,7 @@ references:
srg:
- SRG-OS-000395-GPOS-00175
macOS:
- - '14.0'
+ - '15.0'
tags:
- inherent
- cnssi-1253_moderate
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
index 5b3350428..efde86cc8 100644
--- a/rules/os/os_world_writable_library_folder_configure.yaml
+++ b/rules/os/os_world_writable_library_folder_configure.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-92923-2
+ - CCE-94326-6
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -37,7 +37,7 @@ references:
controls v8:
- 3.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/os/os_world_writable_system_folder_configure.yaml b/rules/os/os_world_writable_system_folder_configure.yaml
index f22c9d906..a8bacf8a9 100644
--- a/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/rules/os/os_world_writable_system_folder_configure.yaml
@@ -16,7 +16,7 @@ fix: |
----
references:
cce:
- - CCE-92924-0
+ - CCE-94327-4
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -35,7 +35,7 @@ references:
controls v8:
- 3.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/os/os_writing_tools_disable.yaml b/rules/os/os_writing_tools_disable.yaml
new file mode 100644
index 000000000..301d85c12
--- /dev/null
+++ b/rules/os/os_writing_tools_disable.yaml
@@ -0,0 +1,44 @@
+id: os_writing_tools_disable
+title: Disable Apple Intelligence Writing Tools
+discussion: |-
+ Apple Intelligence features such as writing tools that use off device AI _MUST_ be disabled.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowWritingTools').js
+ EOS
+result:
+ string: 'false'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94328-2
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-171
+ - cmmc_lvl2
+ - cmmc_lvl1
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowWritingTools: false
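Review bot: minor consistency points for a brand-new file: `discussion: |-` differs from the `|` block style every other rule in this patch uses, `cmmc_lvl2` is listed before `cmmc_lvl1` in `tags`, and "off device AI" in the discussion should read "off-device AI". The file does end with a newline, unlike os_sudo_log_enforce.yaml above, which is the convention to keep.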
diff --git a/rules/pwpolicy/pwpolicy_50_percent.yaml b/rules/pwpolicy/pwpolicy_50_percent.yaml
index fb50ffda2..59f5da0ee 100644
--- a/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92925-7
+ - CCE-94329-0
cci:
- N/A
800-53r5:
@@ -25,15 +25,10 @@ references:
- N/A
srg:
- SRG-OS-000072-GPOS-00040
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
-macOS:
- - '14.0'
+ 800-171r3:
+ - 03.05.07
+ macOS:
+ - '15.0'
tags:
- 800-171
- 800-53r4_low
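Review bot: this hunk moves `macOS:` from the top level into `references:`: the removed `-macOS:` sits at column 0 while the added `+  macOS:` is indented to the same depth as `800-171r3:`. Every other rule keeps `macOS:` as a top-level key, so OS-version filtering in the generator will most likely no longer see this rule; dedent `macOS:` and its `- '15.0'` entry back to the top level.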
diff --git a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index a3bbe3a44..ff83692ab 100644
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -36,7 +36,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-92926-5
+ - CCE-94330-8
cci:
- CCI-000795
800-53r5:
@@ -46,10 +46,9 @@ references:
srg:
- SRG-OS-000118-GPOS-00060
disa_stig:
- - APPL-14-003080
- 800-171r2:
- - 3.5.5
- - 3.5.6
+ - N/A
+ 800-171r3:
+ - 03.01.01
cis:
benchmark:
- N/A
@@ -58,7 +57,7 @@ references:
cmmc:
- IA.L2-3.5.6
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of days.
recommended: 35
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 06c9943d6..80453e508 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92927-3
+ - CCE-94331-6
cci:
- CCI-000044
- CCI-002238
@@ -24,9 +24,9 @@ references:
- SRG-OS-000329-GPOS-00128
- SRG-OS-000021-GPOS-00005
disa_stig:
- - APPL-14-000022
- 800-171r2:
- - 3.1.8
+ - N/A
+ 800-171r3:
+ - 03.01.08
cis:
benchmark:
- 5.2.1 (level 1)
@@ -35,7 +35,7 @@ references:
cmmc:
- AC.L2-3.1.8
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of failed attempts.
recommended: 3
@@ -63,3 +63,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
maxFailedAttempts: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: MaximumFailedAttempts
+ ddm_value: $ODV
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index fa5901a91..09ea301b6 100644
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92928-1
+ - CCE-94332-4
cci:
- CCI-002238
- CCI-000044
@@ -24,9 +24,9 @@ references:
- SRG-OS-000329-GPOS-00128
- SRG-OS-000021-GPOS-00005
disa_stig:
- - APPL-14-000060
- 800-171r2:
- - 3.1.8
+ - N/A
+ 800-171r3:
+ - 03.01.08
cis:
benchmark:
- 5.2.1 (level 1)
@@ -35,7 +35,7 @@ references:
cmmc:
- AC.L2-3.1.8
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of minutes.
recommended: 15
@@ -63,3 +63,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
minutesUntilFailedLoginReset: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: MaximumGracePeriodInMinutes
+ ddm_value: $ODV
\ No newline at end of file
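Review bot: `ddm_key: MaximumGracePeriodInMinutes` does not correspond to `minutesUntilFailedLoginReset`: in the passcode settings declaration that key is the grace period during which the device can be unlocked without a passcode after locking, not the time until the failed-attempt counter resets. The declaration has a separate `FailedAttemptsResetInMinutes` key for the lockout reset period; verify against the schema and switch to it so the DDM path enforces the same control as the profile path.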
diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index ce07c429d..dc812c266 100644
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92929-9
+ - CCE-94333-2
cci:
- CCI-000194
800-53r5:
@@ -25,14 +25,9 @@ references:
srg:
- SRG-OS-000071-GPOS-00039
disa_stig:
- - APPL-14-003007
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ - N/A
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- 5.2.3 (level 2)
@@ -44,7 +39,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-171
- 800-53r4_low
@@ -65,3 +60,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
requireAlphanumeric: true
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: RequireAlphanumericPasscode
+ ddm_value: true
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
index c5c5cd257..9435e8cd2 100644
--- a/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_custom_regex_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93011-5
+ - CCE-94334-0
cci:
- CCI-000192
- CCI-000193
@@ -26,17 +26,12 @@ references:
- IA-5
- IA-5(1)
disa_stig:
- - APPL-14-003060
+ - N/A
srg:
- SRG-OS-000070-GPOS-00038
- SRG-OS-000069-GPOS-00037
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- 5.2.6 (level 2)
@@ -47,7 +42,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Custom regex (recommended is 1 upper and 1 lowercase)
recommended: ^(?=.*[A-Z])(?=.*[a-z]).*$
@@ -76,3 +71,9 @@ mobileconfig_info:
passwordContentRegex: $ODV
passwordContentDescription:
default: Password must match custom regex.
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: CustomRegex
+ ddm_value:
+ Regex: $ODV
+ Description: Password must match custom regex.
diff --git a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index 812f03c45..b91006e07 100644
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -16,7 +16,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92930-7
+ - CCE-94335-7
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/pwpolicy/pwpolicy_force_password_change.yaml b/rules/pwpolicy/pwpolicy_force_password_change.yaml
index e396c6baf..d9fac7943 100644
--- a/rules/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/rules/pwpolicy/pwpolicy_force_password_change.yaml
@@ -17,7 +17,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92931-5
+ - CCE-94336-5
cci:
- N/A
800-53r5:
@@ -29,13 +29,8 @@ references:
- N/A
srg:
- SRG-OS-000380-GPOS-00165
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -46,7 +41,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-171
- 800-53r4_low
diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml
index ad02a8421..4f9189975 100644
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92932-3
+ - CCE-94337-3
cci:
- CCI-000200
800-53r5:
@@ -26,12 +26,9 @@ references:
srg:
- SRG-OS-000077-GPOS-00045
disa_stig:
- - APPL-14-003009
- 800-171r2:
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ - N/A
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- 5.2.8 (level 1)
@@ -42,7 +39,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of previous passwords.
recommended: 5
@@ -70,3 +67,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
pinHistory: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: PasscodeReuseLimit
+ ddm_value: $ODV
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index f9ae53e73..da54c9d45 100644
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -40,7 +40,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-92933-1
+ - CCE-94338-1
cci:
- N/A
800-53r5:
@@ -52,13 +52,8 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -69,7 +64,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of lowercase characters.
recommended: 1
diff --git a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index f27933ef4..05c49a4a1 100644
--- a/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92935-6
+ - CCE-94339-9
cci:
- CCI-000199
800-53r5:
@@ -25,14 +25,9 @@ references:
srg:
- SRG-OS-000076-GPOS-00044
disa_stig:
- - APPL-14-003008
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ - N/A
+ 800-171r3:
+ - 03.05.12
cis:
benchmark:
- 5.2.7 (level 1)
@@ -42,7 +37,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of days.
recommended: 60
@@ -70,3 +65,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
maxPINAgeInDays: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: MaximumPasscodeAgeInDays
+ ddm_value: $ODV
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index e6e89cfd6..ae0de6f03 100644
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92936-4
+ - CCE-94340-7
cci:
- CCI-000205
800-53r5:
@@ -25,14 +25,9 @@ references:
srg:
- SRG-OS-000078-GPOS-00046
disa_stig:
- - APPL-14-003010
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ - N/A
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- 5.2.2 (level 1)
@@ -43,7 +38,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Minimum password length.
recommended: 15
@@ -71,3 +66,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
minLength: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: MinimumLength
+ ddm_value: $ODV
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index 9d33f44f0..dea2b05e3 100644
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -38,7 +38,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-92937-2
+ - CCE-94341-5
cci:
- CCI-000198
800-53r5:
@@ -46,14 +46,11 @@ references:
800-53r4:
- IA-5(1)
disa_stig:
- - APPL-14-003070
+ - N/A
srg:
- SRG-OS-000075-GPOS-00043
- 800-171r2:
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.12
cis:
benchmark:
- N/A
@@ -63,7 +60,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of hours.
recommended: 24
diff --git a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index bbab71298..9c8810009 100644
--- a/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-92938-0
+ - CCE-94342-3
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00225
macOS:
- - '14.0'
+ - '15.0'
tags:
- permanent
- srg
diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index 68cbb36a9..ae699c5d2 100644
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -14,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92939-8
+ - CCE-94343-1
cci:
- N/A
800-53r5:
@@ -26,13 +26,8 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -43,7 +38,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-171
- 800-53r4_low
@@ -61,3 +56,7 @@ mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
allowSimple: false
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: RequireComplexPasscode
+ ddm_value: true
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 7f6aaa3e0..5dee6c758 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -16,7 +16,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92940-6
+ - CCE-94344-9
cci:
- CCI-001619
800-53r5:
@@ -27,14 +27,9 @@ references:
srg:
- SRG-OS-000266-GPOS-00101
disa_stig:
- - APPL-14-003011
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ - N/A
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- 5.2.5 (level 2)
@@ -45,7 +40,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of special characters.
recommended: 1
@@ -70,4 +65,8 @@ severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
- minComplexChars: 1
+ minComplexChars: $ODV
+ddm_info:
+ declarationtype: com.apple.configuration.passcode.settings
+ ddm_key: MinimumComplexCharacters
+ ddm_value: $ODV
\ No newline at end of file
diff --git a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index b4bca5fef..a74d3dadd 100644
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -14,7 +14,7 @@ fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- - CCE-92941-4
+ - CCE-94345-6
cci:
- N/A
800-53r5:
@@ -27,7 +27,7 @@ references:
disa_stig:
- N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index 8c5d8e7e0..9d09fb156 100644
--- a/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -56,7 +56,7 @@ fix: |
/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file
references:
cce:
- - CCE-92942-2
+ - CCE-94346-4
cci:
- CCI-001682
- CCI-000016
@@ -68,9 +68,9 @@ references:
- SRG-OS-000002-GPOS-00002
- SRG-OS-000123-GPOS-00064
disa_stig:
- - APPL-14-000012
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index e6dc64a60..5ff6c1421 100644
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -40,7 +40,7 @@ fix: |
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.
references:
cce:
- - CCE-92943-0
+ - CCE-94347-2
cci:
- N/A
800-53r5:
@@ -52,13 +52,8 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
- - 3.5.7
- - 3.5.8
- - 3.5.9
- - 3.5.10
+ 800-171r3:
+ - 03.05.07
cis:
benchmark:
- N/A
@@ -69,7 +64,7 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of special characters.
recommended: 1
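Review bot: The `odv.hint` in the context lines of this hunk still reads `Number of special characters.` although this is the upper-case character rule; it looks copied from `pwpolicy_special_character_enforce`. Since the file is being touched for the `15.0` bump anyway, change the hint to `Number of uppercase characters.` so the ODV prompt matches the rule.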
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
index e0dae1ec7..b87f61bf4 100644
--- a/rules/supplemental/supplemental_cis_manual.yaml
+++ b/rules/supplemental/supplemental_cis_manual.yaml
@@ -17,6 +17,7 @@ discussion: |
2.5.1 Audit Siri Settings +
2.6.1.3 Audit Location Services Access +
2.6.2.1 Audit Full Disk Access for Applications +
+ 2.6.3.5 Audit Share iCloud Analytics +
2.6.7 Audit Lockdown Mode +
2.8.1 Audit Universal Control Settings +
2.11.2 Audit Touch ID +
@@ -61,6 +62,7 @@ discussion: |
6.3.5 Audit Hide IP Address in Safari Setting +
6.3.8 Audit Autofill +
6.3.10 Ensure JavaScript is Enabled in Safari +
+ 6.3.9 Audit Pop-up Windows +
|===
check: |
fix: |
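Review bot: The new entry `6.3.9 Audit Pop-up Windows +` is inserted after `6.3.10 Ensure JavaScript is Enabled in Safari +`, breaking the numeric order the rest of this manual-audit table follows (the first hunk keeps 2.6.3.5 in sequence). Move the line above 6.3.10.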
@@ -76,7 +78,7 @@ references:
disa_stig:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/supplemental/supplemental_controls.yaml b/rules/supplemental/supplemental_controls.yaml
index 9d0f2a977..f67ad7031 100644
--- a/rules/supplemental/supplemental_controls.yaml
+++ b/rules/supplemental/supplemental_controls.yaml
@@ -192,7 +192,7 @@ references:
cmmc:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-171
- 800-53r4_high
diff --git a/rules/supplemental/supplemental_filevault.yaml b/rules/supplemental/supplemental_filevault.yaml
index 067661cf3..db149ef99 100644
--- a/rules/supplemental/supplemental_filevault.yaml
+++ b/rules/supplemental/supplemental_filevault.yaml
@@ -68,7 +68,7 @@ references:
cmmc:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-171
- 800-53r4_high
diff --git a/rules/supplemental/supplemental_firewall_pf.yaml b/rules/supplemental/supplemental_firewall_pf.yaml
index c234fdb9e..66faaca28 100644
--- a/rules/supplemental/supplemental_firewall_pf.yaml
+++ b/rules/supplemental/supplemental_firewall_pf.yaml
@@ -117,7 +117,7 @@ references:
cmmc:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-171
- 800-53r4_high
diff --git a/rules/supplemental/supplemental_password_policy.yaml b/rules/supplemental/supplemental_password_policy.yaml
index df8604d1b..c3842d0c9 100644
--- a/rules/supplemental/supplemental_password_policy.yaml
+++ b/rules/supplemental/supplemental_password_policy.yaml
@@ -49,7 +49,7 @@ references:
cmmc:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-171
- 800-53r4_high
diff --git a/rules/supplemental/supplemental_smartcard.yaml b/rules/supplemental/supplemental_smartcard.yaml
index cba987ab8..c1cdea902 100644
--- a/rules/supplemental/supplemental_smartcard.yaml
+++ b/rules/supplemental/supplemental_smartcard.yaml
@@ -302,7 +302,7 @@ references:
cmmc:
- N/A
macOS:
- - "14.0"
+ - '15.0'
tags:
- 800-171
- 800-53r4_high
diff --git a/rules/system_settings/system_settings_airplay_receiver_disable.yaml b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
index 4639dfda3..801174d04 100644
--- a/rules/system_settings/system_settings_airplay_receiver_disable.yaml
+++ b/rules/system_settings/system_settings_airplay_receiver_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92944-8
+ - CCE-94348-0
cci:
- CCI-000381
- CCI-001443
@@ -30,9 +30,9 @@ references:
- SRG-OS-000300-GPOS-00118
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002080
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.3.1.2 (level 1)
@@ -43,7 +43,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 0cfbe032f..1812362e7 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -17,7 +17,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92945-5
+ - CCE-94349-8
cci:
- CCI-000056
800-53r5:
@@ -27,13 +27,13 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-14-000001
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.05.12
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_automatic_login_disable.yaml b/rules/system_settings/system_settings_automatic_login_disable.yaml
index 5434557f9..12f867d6e 100644
--- a/rules/system_settings/system_settings_automatic_login_disable.yaml
+++ b/rules/system_settings/system_settings_automatic_login_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92947-1
+ - CCE-94350-6
cci:
- CCI-000366
800-53r5:
@@ -28,10 +28,9 @@ references:
- SRG-OS-000480-GPOS-00229
- SRG-OS-000104-GPOS-00051
disa_stig:
- - APPL-14-002066
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ - N/A
+ 800-171r3:
+ - 03.05.01
cis:
benchmark:
- 2.12.3 (level 1)
@@ -41,7 +40,7 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_automatic_logout_enforce.yaml b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
index 7e98a6f9a..230476bf8 100644
--- a/rules/system_settings/system_settings_automatic_logout_enforce.yaml
+++ b/rules/system_settings/system_settings_automatic_logout_enforce.yaml
@@ -20,7 +20,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92948-9
+ - CCE-94351-4
cci:
- CCI-002361
800-53r5:
@@ -29,16 +29,17 @@ references:
800-53r4:
- AC-12
disa_stig:
- - APPL-14-000160
+ - N/A
srg:
- SRG-OS-000279-GPOS-00109
- 800-171r2:
- - 3.1.11
+ 800-171r3:
+ - 03.01.01
+ - 03.01.11
cmmc:
- AC.L2-3.1.10
- AC.L2-3.1.11
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds
recommended: 86400
diff --git a/rules/system_settings/system_settings_bluetooth_disable.yaml b/rules/system_settings/system_settings_bluetooth_disable.yaml
index 6d8d145c2..addf18d6f 100644
--- a/rules/system_settings/system_settings_bluetooth_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_disable.yaml
@@ -18,7 +18,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92949-7
+ - CCE-94352-2
cci:
- CCI-001967
- CCI-002418
@@ -33,9 +33,10 @@ references:
- SRG-OS-000423-GPOS-00187
- SRG-OS-000481-GPOS-00481
disa_stig:
- - APPL-14-002062
- 800-171r2:
- - 3.13.8
+ - N/A
+ 800-171r3:
+ - 03.01.16
+ - 03.13.08
cis:
benchmark:
- N/A
@@ -46,7 +47,7 @@ references:
cmmc:
- AC.L2-3.1.16
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_moderate
diff --git a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
index 895fdf792..f6109c011 100644
--- a/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_menu_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92950-5
+ - CCE-94353-0
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 4.8
- 13.9
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml
index d34f31dca..5e049191e 100644
--- a/rules/system_settings/system_settings_bluetooth_settings_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_settings_disable.yaml
@@ -10,7 +10,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93016-4
+ - CCE-94354-8
cci:
- CCI-000381
800-53r5:
@@ -21,9 +21,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002260
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -34,7 +34,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
index 596171fa1..17820d28a 100644
--- a/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_bluetooth_sharing_disable.yaml
@@ -24,7 +24,7 @@ fix: |
----
references:
cce:
- - CCE-92952-1
+ - CCE-94355-5
cci:
- CCI-000213
- CCI-000381
@@ -42,12 +42,9 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002110
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.1.16
- - 3.4.7
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.3.3.11 (level 1)
@@ -59,7 +56,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
index 1b35ad2eb..0e65bcc7c 100644
--- a/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92953-9
+ - CCE-94356-3
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002130
- 800-171r2:
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.3.3.1 (level 1)
@@ -38,7 +38,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_content_caching_disable.yaml b/rules/system_settings/system_settings_content_caching_disable.yaml
index aaac38a90..f9275de0e 100644
--- a/rules/system_settings/system_settings_content_caching_disable.yaml
+++ b/rules/system_settings/system_settings_content_caching_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92954-7
+ - CCE-94357-1
cci:
- CCI-000381
800-53r5:
@@ -27,9 +27,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002140
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.3.3.9 (level 2)
@@ -39,7 +39,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_critical_update_install_enforce.yaml b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
index fc212e2fe..2239979ea 100644
--- a/rules/system_settings/system_settings_critical_update_install_enforce.yaml
+++ b/rules/system_settings/system_settings_critical_update_install_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92955-4
+ - CCE-94358-9
cci:
- N/A
800-53r5:
@@ -24,8 +24,8 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.14.01
cis:
benchmark:
- 1.6 (level 1)
@@ -37,7 +37,7 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
index 2c8f0ce00..f2a619c7b 100644
--- a/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
+++ b/rules/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92956-2
+ - CCE-94359-7
cci:
- CCI-001312
- CCI-001314
@@ -39,19 +39,20 @@ references:
- SRG-OS-000206-GPOS-00084
- SRG-OS-000205-GPOS-00083
disa_stig:
- - APPL-14-002021
- 800-171r2:
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.01.20
cis:
benchmark:
- - 2.6.3 (level 2)
+ - 2.6.3.1 (level 1)
+ - 2.6.3.4 (level 1)
controls v8:
- 4.1
- 4.8
cmmc:
- AC.L1-3.1.20
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_low
@@ -60,7 +61,7 @@ tags:
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- - cis_lvl2
+ - cis_lvl1
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/rules/system_settings/system_settings_filevault_enforce.yaml b/rules/system_settings/system_settings_filevault_enforce.yaml
index b281c1843..2b7c1d280 100644
--- a/rules/system_settings/system_settings_filevault_enforce.yaml
+++ b/rules/system_settings/system_settings_filevault_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
NOTE: See the FileVault supplemental to implement this rule.
references:
cce:
- - CCE-92957-0
+ - CCE-94360-5
cci:
- CCI-001199
- CCI-002475
@@ -38,9 +38,9 @@ references:
- SRG-OS-000405-GPOS-00184
- SRG-OS-000404-GPOS-00183
disa_stig:
- - APPL-14-005020
- 800-171r2:
- - 3.13.16
+ - N/A
+ 800-171r3:
+ - 03.13.08
cis:
benchmark:
- 2.6.6 (level 1)
@@ -50,7 +50,7 @@ references:
cmmc:
- SC.L2-3.13.16
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_find_my_disable.yaml b/rules/system_settings/system_settings_find_my_disable.yaml
index be2a3b841..06837dd02 100644
--- a/rules/system_settings/system_settings_find_my_disable.yaml
+++ b/rules/system_settings/system_settings_find_my_disable.yaml
@@ -28,7 +28,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92958-8
+ - CCE-94361-3
cci:
- CCI-000381
800-53r5:
@@ -42,10 +42,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002180
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- N/A
@@ -58,7 +58,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index 020d403ae..7a61c0cda 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -5,29 +5,17 @@ discussion: |
When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
check: |
- profile="$(/usr/bin/osascript -l JavaScript << EOS
+ /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableFirewall').js
EOS
- )"
-
- plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
-
- if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
- echo "true"
- else
- echo "false"
- fi
result:
string: 'true'
fix: |
- [source,bash]
- ----
- /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
- ----
+ This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92959-6
+ - CCE-94362-1
cci:
- CCI-000366
800-53r5:
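Review bot: The rewritten `check` drops the `defaults read /Library/Preferences/com.apple.alf globalstate` runtime verification and now only reads the managed `EnableFirewall` preference from `com.apple.security.firewall`, so a system where the profile is installed but the firewall is not actually running (or where the preference is set outside MDM) would still report `true`. Consider keeping the `globalstate` check alongside the profile check, as the removed lines did with `[[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]`. Also, the `fix` now states `This is implemented by a Configuration Profile.`, but none of the hunks shown for this file add `mobileconfig: true` or a `mobileconfig_info` entry for `com.apple.security.firewall`; confirm those keys exist further down in the file, otherwise the rule has no fix at all.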
@@ -47,15 +35,11 @@ references:
srg:
- SRG-OS-000480-GPOS-00232
disa_stig:
- - APPL-14-005050
- 800-171r2:
- - 3.1.3
- - 3.1.5
- - 3.1.18
- - 3.4.6
- - 3.13.1
- - 3.13.2
- - 3.13.5
+ - N/A
+ 800-171r3:
+ - 03.01.03
+ - 03.04.06
+ - 03.13.01
cis:
benchmark:
- 2.2.1 (level 1)
@@ -69,7 +53,7 @@ references:
- CM.L2-3.4.7
- SC.L1-3.13.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index f1481e253..dbf5bccc4 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
@@ -10,29 +10,17 @@ discussion: |
Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
====
check: |
- profile="$(/usr/bin/osascript -l JavaScript << EOS
+ /usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableStealthMode').js
EOS
- )"
-
- plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
-
- if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
- echo "true"
- else
- echo "false"
- fi
result:
string: 'true'
fix: |
- [source,bash]
- ----
- /usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
- ----
+ This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92960-4
+ - CCE-94363-9
cci:
- N/A
800-53r5:
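Review bot: Same concern as in `system_settings_firewall_enable`: the check now reads only the managed `EnableStealthMode` preference and no longer consults `stealthenabled` in `/Library/Preferences/com.apple.alf`, so the effective runtime state is not verified. Keep the `stealthenabled == 1` runtime check alongside the profile check, and confirm the `mobileconfig_info` payload for `com.apple.security.firewall` exists elsewhere in this file, since the new `fix` text depends on it and no hunk here adds it.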
@@ -49,11 +37,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.4.6
- - 3.13.1
- - 3.13.2
- - 3.13.5
+ 800-171r3:
+ - 03.04.06
+ - 03.13.01
cis:
benchmark:
- 2.2.2 (level 1)
@@ -66,7 +52,7 @@ references:
- CM.L2-3.4.7
- SC.L1-3.13.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index 062fbdae0..e247c4892 100644
--- a/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -5,17 +5,26 @@ discussion: |
Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
check: |
- /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled"
+ /usr/bin/osascript -l JavaScript << EOS
+ function run() {
+ let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+ .objectForKey('AllowIdentifiedDevelopers'))
+ let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.control')\
+ .objectForKey('EnableAssessment'))
+ if ( pref1 == true && pref2 == true ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
+ EOS
result:
- integer: 1
+ string: 'true'
fix: |
- [source,bash]
- ----
- /usr/sbin/spctl --global-enable; /usr/sbin/spctl --enable
- ----
+ This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92961-2
+ - CCE-94364-7
cci:
- CCI-001749
800-53r5:
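Review bot: The new JXA check reads `AllowIdentifiedDevelopers` and `EnableAssessment` from the managed `com.apple.systempolicy.control` domain and drops the `spctl --status --verbose` call, so it verifies that a profile is present rather than that Gatekeeper assessment is actually enabled; consider retaining `spctl --status` as a second condition. The `ObjC.unwrap(...) == true` comparisons behave correctly when a key is absent (`undefined == true` is false, so the script returns `"false"`), but the changed `result` type (`integer: 1` to `string: 'true'`) must be mirrored in any compliance script that consumes this rule. As with the firewall rules, the `fix` now says Configuration Profile while no hunk in this diff adds the matching `mobileconfig_info` keys; confirm they are present in the file.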
@@ -30,13 +39,13 @@ references:
srg:
- SRG-OS-000366-GPOS-00153
disa_stig:
- - APPL-14-002060
- 800-171r2:
- - 3.4.5
+ - N/A
+ 800-171r3:
+ - 03.14.02
cmmc:
- CM.L2-3.4.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
index b7d12525e..4d02c28be 100644
--- a/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
+++ b/rules/system_settings/system_settings_gatekeeper_override_disallow.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92962-0
+ - CCE-94365-4
cci:
- N/A
800-53r5:
@@ -28,12 +28,12 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.4.5
+ 800-171r3:
+ - 03.14.02
cmmc:
- CM.L2-3.4.5
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
index 6922520ce..74c6aa9a0 100644
--- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -15,13 +15,12 @@ fix: |
----
references:
cce:
- - CCE-92963-8
+ - CCE-94366-2
cci:
- N/A
- 800-171r2:
- - 3.5.1
- - 3.5.2
- 800-53r5:
+ 800-171r3:
+ - 03.01.01
+ r5:
- AC-2(9)
- AC-2
800-53r4:
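Review bot: The `800-53r5:` reference key is replaced with `r5:` in this hunk (`-  800-53r5:` / `+  r5:`), which orphans `AC-2(9)` and `AC-2` under an unrecognized key; baseline generation keyed on `800-53r5` will silently drop this rule, and the `800-53r5_*` tags in the file will no longer match any reference. Restore the key as `800-53r5:` and keep the new `800-171r3:` block above it.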
@@ -39,7 +38,7 @@ references:
cmmc:
- AC.L1-3.1.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_guest_account_disable.yaml b/rules/system_settings/system_settings_guest_account_disable.yaml
index 28a03aead..47c4dd660 100644
--- a/rules/system_settings/system_settings_guest_account_disable.yaml
+++ b/rules/system_settings/system_settings_guest_account_disable.yaml
@@ -24,7 +24,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92964-6
+ - CCE-94367-0
cci:
- CCI-001813
800-53r5:
@@ -36,10 +36,9 @@ references:
srg:
- SRG-OS-000364-GPOS-00151
disa_stig:
- - APPL-14-002063
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ - N/A
+ 800-171r3:
+ - 03.01.01
cis:
benchmark:
- 2.12.1 (level 1)
@@ -50,7 +49,7 @@ references:
cmmc:
- AC.L1-3.1.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_hot_corners_disable.yaml b/rules/system_settings/system_settings_hot_corners_disable.yaml
index d91a1e232..9829aa4b6 100644
--- a/rules/system_settings/system_settings_hot_corners_disable.yaml
+++ b/rules/system_settings/system_settings_hot_corners_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92965-3
+ - CCE-94368-8
cci:
- CCI-000060
800-53r5:
@@ -22,13 +22,13 @@ references:
srg:
- SRG-OS-000031-GPOS-00012
disa_stig:
- - APPL-14-000007
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.01.10
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
index 333672065..d4c1dcffc 100644
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml
+++ b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -25,7 +25,7 @@ fix: |
----
references:
cce:
- - CCE-92966-1
+ - CCE-94369-6
cci:
- N/A
800-53r5:
@@ -36,8 +36,8 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.01.10
cis:
benchmark:
- 2.7.1 (level 2)
@@ -46,7 +46,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml
new file mode 100644
index 000000000..97f262db4
--- /dev/null
+++ b/rules/system_settings/system_settings_improve_assistive_voice_disable.yaml
@@ -0,0 +1,69 @@
+id: system_settings_improve_assistive_voice_disable
+title: Disable Sending Audio Recordings and Transcripts to Apple
+discussion: |
+ The ability for Apple to store and review audio of your audio recordings and transcripts of your vocal shortcuts and voice control interactions _MUST_ be disabled.
+
+ The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of this information will mitigate the risk of unwanted data being sent to Apple.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Accessibility')\
+ .objectForKey('AXSAudioDonationSiriImprovementEnabled').js
+ EOS
+result:
+ string: "false"
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94370-4
+ cci:
+ - CCI-000381
+ 800-53r5:
+ - AC-20
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-53r4:
+ - CM-7
+ - CM-7(1)
+ - AC-20
+ - SC-7(10)
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 2.6.3.2 (level 1)
+ controls v8:
+ - 4.1
+ - 4.8
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cisv8
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+ - cmmc_lvl1
+ - cis_lvl1
+severity: medium
+mobileconfig: true
+mobileconfig_info:
+ com.apple.Accessibility:
+ AXSAudioDonationSiriImprovementEnabled: false
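Review bot: The discussion sentence `store and review audio of your audio recordings and transcripts` is redundant; suggest `store and review your audio recordings and the transcripts of your vocal shortcuts and Voice Control interactions`. The `result` value uses double quotes (`string: "false"`) while the rest of this change standardizes on single quotes (`'15.0'`, `string: 'true'`); use single quotes for consistency. Finally, this rule maps to CIS benchmark `2.6.3.2 (level 1)`, the same item that `system_settings_improve_siri_dictation_disable` is changed to reference later in this diff; confirm that both rules are meant to map to one CIS item.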
diff --git a/rules/system_settings/system_settings_improve_search_disable.yaml b/rules/system_settings/system_settings_improve_search_disable.yaml
new file mode 100644
index 000000000..920ba3c8f
--- /dev/null
+++ b/rules/system_settings/system_settings_improve_search_disable.yaml
@@ -0,0 +1,70 @@
+id: system_settings_improve_search_disable
+title: Disable Sending Spotlight Search Information to Apple
+discussion: |
+ Sending data to Apple to help improve search _MUST_ be disabled.
+
+ The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of search data will mitigate the risk of unwanted data being sent to Apple.
+check: |
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
+ .objectForKey('Search Queries Data Sharing Status').js
+ EOS
+result:
+ integer: 2
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94371-2
+ cci:
+ - CCI-000381
+ 800-53r5:
+ - AC-20
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-53r4:
+ - CM-7
+ - CM-7(1)
+ - AC-20
+ - SC-7(10)
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ srg:
+ - SRG-OS-000095-GPOS-00049
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 2.19.1
+ controls v8:
+ - 4.1
+ - 4.8
+ cmmc:
+ - AC.L1-3.1.20
+ - CM.L2-3.4.6
+ - CM.L2-3.4.7
+macOS:
+ - '15.0'
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cisv8
+ - cnssi-1253_moderate
+ - cnssi-1253_low
+ - cnssi-1253_high
+ - cmmc_lvl2
+ - cmmc_lvl1
+ - stig
+ - cis_lvl1
+severity: medium
+mobileconfig: true
+mobileconfig_info:
+ com.apple.assistant.support:
+ Search Queries Data Sharing Status: 2
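Review bot: the CIS benchmark reference `- 2.19.1` lacks the `(level 1)` qualifier that every other benchmark entry in this diff carries (`- 2.6.3.2 (level 1)`, `- 2.3.3.8 (level 1)`), and the tags block lists `- cis_lvl1` without `- cis_lvl2`, so the rule will be absent from a level 2 baseline built from tags. Add the qualifier and the second tag so this file matches the convention of the rules around it.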
diff --git a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
index b70261b56..c0074f499 100644
--- a/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/rules/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92967-9
+ - CCE-94372-0
cci:
- CCI-000381
800-53r5:
@@ -28,16 +28,16 @@ references:
- CM-7(1)
- AC-20
- SC-7(10)
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002210
+ - N/A
cis:
benchmark:
- - N/A
+ - 2.6.3.2 (level 1)
controls v8:
- 4.1
- 4.8
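Review bot: this hunk maps `system_settings_improve_siri_dictation_disable` to CIS `2.6.3.2 (level 1)`, which is the same benchmark item the new assistive-voice rule earlier in this diff claims (`- 2.6.3.2 (level 1)` under its `cis: benchmark:`). One benchmark recommendation mapped to two rules that enforce different preference keys is suspicious; confirm that 2.6.3.2 actually covers both settings, otherwise one of the two mappings should point at its own item or revert to `N/A`.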
@@ -46,7 +46,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -62,6 +62,7 @@ tags:
- cmmc_lvl2
- cmmc_lvl1
- stig
+ - cis_lvl1
severity: medium
mobileconfig: true
mobileconfig_info:
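Review bot: `- cis_lvl1` is added without a matching `- cis_lvl2`, while the other level 1 rules in this diff carry both tags (`system_settings_install_macos_updates_enforce`, `system_settings_siri_listen_disable`). Add `- cis_lvl2` here, or the rule drops out of the level 2 baseline.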
diff --git a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
index e54b4c1c2..bb86cce26 100644
--- a/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
+++ b/rules/system_settings/system_settings_install_macos_updates_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92968-7
+ - CCE-94373-8
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_internet_accounts_disable.yaml b/rules/system_settings/system_settings_internet_accounts_disable.yaml
index c796a33df..e76d66e5d 100644
--- a/rules/system_settings/system_settings_internet_accounts_disable.yaml
+++ b/rules/system_settings/system_settings_internet_accounts_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92969-5
+ - CCE-94374-6
cci:
- CCI-000381
800-53r5:
@@ -30,8 +30,10 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.20
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ - 03.04.08
cis:
benchmark:
- N/A
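Review bot: `- 03.04.06` is added to the `800-171r3` list, but the `cmmc:` block immediately below still maps only `AC.L1-3.1.20` and `CM.L2-3.4.8`; the other rules in this diff that cite `03.04.06` also list `CM.L2-3.4.6` and `CM.L2-3.4.7` (`system_settings_siri_disable`, `system_settings_remote_management_disable`). Either add the CM entries to `cmmc:` or drop `03.04.06` so the two reference sets agree.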
@@ -42,7 +44,7 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_internet_sharing_disable.yaml b/rules/system_settings/system_settings_internet_sharing_disable.yaml
index 7f4df4709..d46318601 100644
--- a/rules/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_internet_sharing_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92971-1
+ - CCE-94375-3
cci:
- CCI-000381
800-53r5:
@@ -27,10 +27,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002007
- 800-171r2:
- - 3.1.3
- - 3.1.20
+ - N/A
+ 800-171r3:
+ - 03.01.03
+ - 03.01.20
cis:
benchmark:
- 2.3.3.8 (level 1)
@@ -41,7 +41,7 @@ references:
- AC.L1-3.1.20
- AC.L2-3.1.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_location_services_disable.yaml b/rules/system_settings/system_settings_location_services_disable.yaml
index 543070a6e..801497e77 100644
--- a/rules/system_settings/system_settings_location_services_disable.yaml
+++ b/rules/system_settings/system_settings_location_services_disable.yaml
@@ -20,7 +20,7 @@ fix: |
----
references:
cce:
- - CCE-92972-9
+ - CCE-94376-1
cci:
- CCI-000381
800-53r5:
@@ -33,14 +33,14 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002004
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_location_services_enable.yaml b/rules/system_settings/system_settings_location_services_enable.yaml
index 16734af3c..2e8f15487 100644
--- a/rules/system_settings/system_settings_location_services_enable.yaml
+++ b/rules/system_settings/system_settings_location_services_enable.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-92973-7
+ - CCE-94377-9
cci:
- N/A
800-53r5:
@@ -29,7 +29,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -38,7 +38,7 @@ references:
- 4.1
- 4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/system_settings/system_settings_location_services_menu_enforce.yaml b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
index d49abf549..e6faf93ff 100644
--- a/rules/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/rules/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92974-5
+ - CCE-94378-7
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 4.1
- 4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
mobileconfig: false
diff --git a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index 2f6b6715b..bd62f52b2 100644
--- a/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92975-2
+ - CCE-94379-5
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.1
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Organization's approved message.
recommended: Center for Internet Security Test Message
diff --git a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index 507c397d8..c0db3c5f6 100644
--- a/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/rules/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92976-0
+ - CCE-94380-3
cci:
- CCI-000764
800-53r5:
@@ -25,10 +25,9 @@ references:
srg:
- SRG-OS-000104-GPOS-00051
disa_stig:
- - APPL-14-005052
- 800-171r2:
- - 3.5.1
- - 3.5.2
+ - N/A
+ 800-171r3:
+ - 03.05.01
cis:
benchmark:
- 2.10.4 (level 1)
@@ -38,7 +37,7 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_media_sharing_disabled.yaml b/rules/system_settings/system_settings_media_sharing_disabled.yaml
index 9c55dd652..bae8031a5 100644
--- a/rules/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/rules/system_settings/system_settings_media_sharing_disabled.yaml
@@ -10,27 +10,16 @@ discussion: |
NOTE: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
check: |
/usr/bin/osascript -l JavaScript << EOS
- function run() {
- let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
- .objectForKey('homeSharingUIStatus'))
- let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
- .objectForKey('legacySharingUIStatus'))
- let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\
- .objectForKey('mediaSharingUIStatus'))
- if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) {
- return("true")
- } else {
- return("false")
- }
- }
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
+ .objectForKey('allowMediaSharing').js
EOS
result:
- string: 'true'
+ string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92977-8
+ - CCE-94381-1
cci:
- CCI-000213
800-53r5:
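Review bot: the discussion NOTE kept as context at the top of this hunk ("The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled") describes the behaviour of the old `SharingPrefsExtension` UI-status keys; now that the check and the profile move to `com.apple.applicationaccess` / `allowMediaSharing`, that sentence needs to be re-verified against the new key and rewritten to describe what the restriction actually does. Please also confirm `allowMediaSharing` against Apple's Restrictions payload documentation before merging: the check only reads back the key the profile writes, so a misspelled or unsupported key still returns `false` and a passing result while media sharing remains available.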
@@ -41,10 +30,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002100
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.10 (level 2)
@@ -54,7 +43,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -74,7 +63,5 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.preferences.sharing.SharingPrefsExtension:
- homeSharingUIStatus: 0
- legacySharingUIStatus: 0
- mediaSharingUIStatus: 0
+ com.apple.applicationaccess:
+ allowMediaSharing: false
diff --git a/rules/system_settings/system_settings_password_hints_disable.yaml b/rules/system_settings/system_settings_password_hints_disable.yaml
index 4d8584375..9d1bbd509 100644
--- a/rules/system_settings/system_settings_password_hints_disable.yaml
+++ b/rules/system_settings/system_settings_password_hints_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92978-6
+ - CCE-94382-9
cci:
- CCI-000206
800-53r5:
@@ -25,9 +25,9 @@ references:
srg:
- SRG-OS-000079-GPOS-00047
disa_stig:
- - APPL-14-003012
- 800-171r2:
- - 3.5.11
+ - N/A
+ 800-171r3:
+ - 03.05.11
cis:
benchmark:
- 2.10.5 (level 1)
@@ -36,7 +36,7 @@ references:
cmmc:
- IA.L2-3.5.11
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_personalized_advertising_disable.yaml b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
index 7cf8c8dde..71ffe62ba 100644
--- a/rules/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/rules/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92979-4
+ - CCE-94383-7
cci:
- CCI-000381
800-53r5:
@@ -30,10 +30,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002200
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
cis:
benchmark:
- 2.6.4 (level 1)
@@ -44,7 +44,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_printer_sharing_disable.yaml b/rules/system_settings/system_settings_printer_sharing_disable.yaml
index b8fa2f80b..272193b91 100644
--- a/rules/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_printer_sharing_disable.yaml
@@ -14,7 +14,7 @@ fix: |
----
references:
cce:
- - CCE-92980-2
+ - CCE-94384-5
cci:
- CCI-000381
800-53r5:
@@ -26,9 +26,9 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002240
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.04.06
cis:
benchmark:
- 2.3.3.4 (level 1)
@@ -39,7 +39,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index ee689e1e0..7baaae95c 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -14,10 +14,10 @@ fix: |
/usr/sbin/systemsetup -setremoteappleevents off
/bin/launchctl disable system/com.apple.AEServer
----
- NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
+ NOTE: Systemsetup with -setremoteappleevents flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
references:
cce:
- - CCE-92981-0
+ - CCE-94385-2
cci:
- CCI-000213
- CCI-000382
@@ -30,10 +30,10 @@ references:
- SRG-OS-000080-GPOS-00048
- SRG-OS-000096-GPOS-00050
disa_stig:
- - APPL-14-002022
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.7 (level 1)
@@ -43,7 +43,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_remote_management_disable.yaml b/rules/system_settings/system_settings_remote_management_disable.yaml
index b8517b5be..e1f029d44 100644
--- a/rules/system_settings/system_settings_remote_management_disable.yaml
+++ b/rules/system_settings/system_settings_remote_management_disable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92982-8
+ - CCE-94386-0
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002250
- 800-171r2:
- N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.6 (level 1)
@@ -39,7 +40,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index 012dea282..52f51776c 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -16,7 +16,7 @@ fix: |
NOTE - This will apply to the whole system
references:
cce:
- - CCE-92983-6
+ - CCE-94387-8
cci:
- CCI-000213
800-53r5:
@@ -28,10 +28,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002050
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.2 (level 1)
@@ -41,7 +41,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index dc2e98f7b..1cde1489e 100644
--- a/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92984-4
+ - CCE-94388-6
cci:
- CCI-000056
800-53r5:
@@ -32,9 +32,9 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-14-000003
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.01.10
cis:
benchmark:
- 2.10.2 (level 1)
@@ -43,7 +43,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 5
diff --git a/rules/system_settings/system_settings_screensaver_password_enforce.yaml b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
index 310dd5b99..b07b15b14 100644
--- a/rules/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92985-1
+ - CCE-94389-4
cci:
- CCI-000056
800-53r5:
@@ -25,13 +25,14 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-14-000002
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.01.10
+ - 03.05.01
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
index 3bdc7517c..dc9cb34cc 100644
--- a/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/rules/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -22,7 +22,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92986-9
+ - CCE-94390-2
cci:
- CCI-000057
800-53r5:
@@ -33,9 +33,10 @@ references:
srg:
- SRG-OS-000029-GPOS-00010
disa_stig:
- - APPL-14-000070
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.01.10
+ - 03.05.01
cis:
benchmark:
- 2.10.1 (level 1)
@@ -44,7 +45,7 @@ references:
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Number of seconds.
recommended: 1200
diff --git a/rules/system_settings/system_settings_siri_disable.yaml b/rules/system_settings/system_settings_siri_disable.yaml
index 03a41114b..67eb4c0d9 100644
--- a/rules/system_settings/system_settings_siri_disable.yaml
+++ b/rules/system_settings/system_settings_siri_disable.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92987-7
+ - CCE-94391-0
cci:
- CCI-000381
- CCI-001774
@@ -31,10 +31,11 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002020
- 800-171r2:
- - 3.1.20
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.01.20
+ - 03.04.06
+ - 03.04.08
cis:
benchmark:
- N/A
@@ -46,7 +47,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_siri_listen_disable.yaml b/rules/system_settings/system_settings_siri_listen_disable.yaml
new file mode 100644
index 000000000..9fd2fec27
--- /dev/null
+++ b/rules/system_settings/system_settings_siri_listen_disable.yaml
@@ -0,0 +1,42 @@
+id: system_settings_siri_listen_disable
+title: "Ensure Siri Listen For is Disabled"
+discussion: |
+ Siri has the ability to listen for "Hey Siri" or "Siri". Listen for _MUST_ be disabled.
+check: |
+ /usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Siri')\
+ .objectForKey('VoiceTriggerUserEnabled').js
+ EOS
+result:
+ string: 'false'
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - CCE-94392-8
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ disa_stig:
+ - N/A
+ srg:
+ - N/A
+ cis:
+ benchmark:
+ - 2.5.2 (level 1)
+ controls v8:
+ - 4.1
+ - 4.8
+macOS:
+ - "15.0"
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+mobileconfig: true
+mobileconfig_info:
+ com.apple.Siri:
+ VoiceTriggerUserEnabled: false
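Review bot: the check runs `/usr/bin/sudo /usr/bin/osascript -l JavaScript << EOS`, while the other two JXA checks added in this diff (`system_settings_improve_search_disable` and the assistive-voice rule) call `/usr/bin/osascript` directly; if the generated compliance script already runs as root the `sudo` is redundant, and if it does not, it will prompt or fail in a non-interactive run, so drop it for consistency. Style points in the same file: `title` and the macOS version are double-quoted (`"Ensure Siri Listen For is Disabled"`, `"15.0"`) where the neighbouring rules use an unquoted title and `'15.0'`; the file has no `severity:` line although the other two new rules carry `severity: medium`; and "Disable Siri Listen For" would read better than "Ensure Siri Listen For is Disabled".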
diff --git a/rules/system_settings/system_settings_siri_settings_disable.yaml b/rules/system_settings/system_settings_siri_settings_disable.yaml
index ffe4e654a..e797768b4 100644
--- a/rules/system_settings/system_settings_siri_settings_disable.yaml
+++ b/rules/system_settings/system_settings_siri_settings_disable.yaml
@@ -4,6 +4,8 @@ discussion: |
The System Settings pane for Siri _MUST_ be hidden.
Hiding the System Settings pane prevents the users from configuring Siri.
+
+ NOTE: Disabling the Siri System Settings pane blocks the user from opting into Apple Intelligence.
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension
result:
@@ -12,7 +14,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93019-8
+ - CCE-94393-6
cci:
- CCI-000381
800-53r5:
@@ -25,9 +27,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002053
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
+ - 03.04.08
cis:
benchmark:
- N/A
@@ -38,7 +41,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml
index ccd1d7fde..34a829a86 100644
--- a/rules/system_settings/system_settings_smbd_disable.yaml
+++ b/rules/system_settings/system_settings_smbd_disable.yaml
@@ -16,7 +16,7 @@ fix: |
The system may need to be restarted for the update to take effect.
references:
cce:
- - CCE-92989-3
+ - CCE-94394-4
cci:
- CCI-000213
800-53r5:
@@ -27,10 +27,10 @@ references:
srg:
- SRG-OS-000080-GPOS-00048
disa_stig:
- - APPL-14-002001
- 800-171r2:
- - 3.1.1
- - 3.1.2
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.3 (level 1)
@@ -41,7 +41,7 @@ references:
cmmc:
- AC.L1-3.1.1
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
index b5f617416..8eb241a81 100644
--- a/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_app_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92990-1
+ - CCE-94395-1
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_software_update_download_enforce.yaml b/rules/system_settings/system_settings_software_update_download_enforce.yaml
index 5c5083cdf..dbc9109e5 100644
--- a/rules/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_download_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92991-9
+ - CCE-94396-9
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_software_update_enforce.yaml b/rules/system_settings/system_settings_software_update_enforce.yaml
index 433a3e12e..acffb4d38 100644
--- a/rules/system_settings/system_settings_software_update_enforce.yaml
+++ b/rules/system_settings/system_settings_software_update_enforce.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92992-7
+ - CCE-94397-7
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- 3.14.1
- 3.14.2
- 3.13.3
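Review bot: the heading is renamed from `800-171r2` to `800-171r3` but the identifiers beneath it (`3.14.1`, `3.14.2`, `3.13.3`) keep the r2 numbering; every other converted rule in this diff uses the zero-padded r3 form (`03.04.06`, `03.01.20`). Re-map these three to r3 identifiers, confirming that each still exists in r3, rather than relabelling the list.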
@@ -35,7 +35,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_softwareupdate_current.yaml b/rules/system_settings/system_settings_softwareupdate_current.yaml
index 2be673ac5..67b88610c 100644
--- a/rules/system_settings/system_settings_softwareupdate_current.yaml
+++ b/rules/system_settings/system_settings_softwareupdate_current.yaml
@@ -22,7 +22,7 @@ fix: |
NOTE - This will apply to the whole system
references:
cce:
- - CCE-92993-5
+ - CCE-94398-5
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -42,7 +42,7 @@ references:
- 7.3
- 7.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml
index 954d00d59..1df810fbb 100644
--- a/rules/system_settings/system_settings_ssh_disable.yaml
+++ b/rules/system_settings/system_settings_ssh_disable.yaml
@@ -12,10 +12,10 @@ fix: |
/usr/sbin/systemsetup -f -setremotelogin off >/dev/null
/bin/launchctl disable system/com.openssh.sshd
----
- NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
+ NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
references:
cce:
- - CCE-92994-3
+ - CCE-94399-3
cci:
- N/A
800-53r5:
@@ -30,10 +30,9 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.4.6
+ 800-171r3:
+ - 03.01.02
+ - 03.04.06
cis:
benchmark:
- 2.3.3.5 (level 1)
@@ -45,7 +44,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_ssh_enable.yaml b/rules/system_settings/system_settings_ssh_enable.yaml
index 0fded5d93..9f2b7f647 100644
--- a/rules/system_settings/system_settings_ssh_enable.yaml
+++ b/rules/system_settings/system_settings_ssh_enable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-92995-0
+ - CCE-94400-9
cci:
- CCI-000213
- CCI-001942
@@ -37,19 +37,17 @@ references:
- SRG-OS-000425-GPOS-00189
- SRG-OS-000426-GPOS-00190
disa_stig:
- - APPL-14-000080
- 800-171r2:
- - 3.1.1
- - 3.1.2
- - 3.4.6
- - 3.5.4
+ - N/A
+ 800-171r3:
+ - 03.01.02
+ - 03.05.04
cmmc:
- AC.L1-3.1.1
- CM.L2-3.4.6
- CM.L2-3.4.7
- IA.L2-3.5.4
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
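Review bot: `3.4.6` is dropped from the r3 list (only `03.01.02` and `03.05.04` remain) while the `cmmc:` block in the same hunk still lists `CM.L2-3.4.6` and `CM.L2-3.4.7`, and the sibling `system_settings_ssh_disable` keeps `03.04.06` in its corresponding hunk. Either add `03.04.06` here or remove the CM entries from `cmmc:` so the two reference sets agree.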
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
index 0cb36a326..a4c1fd0c6 100644
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -11,7 +11,7 @@ check: |
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then
result="0"
fi
- if [[ $(security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath '//*[contains(text(), "group")]/following-sibling::*[1]/text()' - ) != "admin" ]]; then
+ if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath '//*[contains(text(), "group")]/following-sibling::*[1]/text()' - ) != "admin" ]]; then
result="0"
fi
if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "authenticate-user")]/following-sibling::*[1])' -) != "true" ]]; then
@@ -72,7 +72,7 @@ fix: |
----
references:
cce:
- - CCE-92996-8
+ - CCE-94401-7
cci:
- CCI-002235
800-53r5:
@@ -86,10 +86,9 @@ references:
srg:
- SRG-OS-000324-GPOS-00125
disa_stig:
- - APPL-14-002069
- 800-171r2:
- - 3.1.5
- - 3.1.6
+ - N/A
+ 800-171r3:
+ - 03.01.07
cis:
benchmark:
- 2.6.8 (level 1)
@@ -100,7 +99,7 @@ references:
- AC.L2-3.1.5
- AC.L2-3.1.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
index bcb9d601d..f9dd0e4a5 100644
--- a/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
+++ b/rules/system_settings/system_settings_time_machine_auto_backup_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92997-6
+ - CCE-94402-5
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 11.2
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl2
- cisv8
diff --git a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
index 7026feb07..11408ef9d 100644
--- a/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
+++ b/rules/system_settings/system_settings_time_machine_encrypted_configure.yaml
@@ -22,7 +22,7 @@ fix: |
. Click *Use Disk*
references:
cce:
- - CCE-92998-4
+ - CCE-94403-3
cci:
- N/A
800-53r5:
@@ -33,7 +33,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -43,7 +43,7 @@ references:
- 3.11
- 11.3
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_time_server_configure.yaml b/rules/system_settings/system_settings_time_server_configure.yaml
index 97e219314..9c2a2e02a 100644
--- a/rules/system_settings/system_settings_time_server_configure.yaml
+++ b/rules/system_settings/system_settings_time_server_configure.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-92999-2
+ - CCE-94404-1
cci:
- CCI-001891
- CCI-002046
@@ -28,8 +28,8 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - APPL-14-000170
- 800-171r2:
+ - N/A
+ 800-171r3:
- 3.3.7
cis:
benchmark:
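Review bot: `- 3.3.7` is left in r2 form under the renamed `800-171r3` heading; the rest of this diff writes r3 identifiers zero-padded (`03.03.07` would be the matching form, as with `03.01.20` and `03.04.06` elsewhere). The same applies to the identical line in `system_settings_time_server_enforce` below.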
@@ -39,7 +39,7 @@ references:
cmmc:
- AU.L2-3.3.7
macOS:
- - '14.0'
+ - '15.0'
odv:
hint: Name of timeserver. As of macOS 10.13 only one time server is supported.
recommended: time.nist.gov
diff --git a/rules/system_settings/system_settings_time_server_enforce.yaml b/rules/system_settings/system_settings_time_server_enforce.yaml
index 13ed923da..862d38b80 100644
--- a/rules/system_settings/system_settings_time_server_enforce.yaml
+++ b/rules/system_settings/system_settings_time_server_enforce.yaml
@@ -15,7 +15,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93000-8
+ - CCE-94405-8
cci:
- CCI-001891
- CCI-002046
@@ -28,8 +28,8 @@ references:
- SRG-OS-000355-GPOS-00143
- SRG-OS-000356-GPOS-00144
disa_stig:
- - APPL-14-000014
- 800-171r2:
+ - N/A
+ 800-171r3:
- 3.3.7
cis:
benchmark:
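Review bot: same issue as the `system_settings_time_server_configure` hunk above: `- 3.3.7` under `800-171r3` should be written in the r3 form `03.03.07`.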
@@ -39,7 +39,7 @@ references:
cmmc:
- AU.L2-3.3.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-171
- 800-53r5_low
diff --git a/rules/system_settings/system_settings_token_removal_enforce.yaml b/rules/system_settings/system_settings_token_removal_enforce.yaml
index 7590d7127..6d85daab3 100644
--- a/rules/system_settings/system_settings_token_removal_enforce.yaml
+++ b/rules/system_settings/system_settings_token_removal_enforce.yaml
@@ -19,7 +19,7 @@ result:
fix: This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93001-6
+ - CCE-94406-6
cci:
- CCI-000058
800-53r5:
@@ -29,13 +29,13 @@ references:
srg:
- SRG-OS-000030-GPOS-00011
disa_stig:
- - APPL-14-000005
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.01.10
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/rules/system_settings/system_settings_touch_id_settings_disable.yaml b/rules/system_settings/system_settings_touch_id_settings_disable.yaml
index 39e48caa1..72eb87947 100644
--- a/rules/system_settings/system_settings_touch_id_settings_disable.yaml
+++ b/rules/system_settings/system_settings_touch_id_settings_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93020-6
+ - CCE-94407-4
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002051
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
+ - 03.04.08
cis:
benchmark:
- N/A
@@ -38,7 +39,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
index 9cda7a329..38f13977c 100644
--- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
@@ -19,7 +19,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93003-2
+ - CCE-94408-2
cci:
- CCI-000056
800-53r5:
@@ -29,13 +29,13 @@ references:
srg:
- SRG-OS-000028-GPOS-00009
disa_stig:
- - APPL-14-002090
- 800-171r2:
- - 3.1.10
+ - N/A
+ 800-171r3:
+ - 03.05.12
cmmc:
- AC.L2-3.1.10
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
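Review bot: The r2 control `3.1.10` is mapped to `03.05.12` here, but the sibling rule system_settings_token_removal_enforce in this same diff maps the identical r2 control `3.1.10` to `03.01.10`, and the `cmmc` list below still reads `AC.L2-3.1.10`. Confirm the 03.05.12 mapping is intentional for this rule; if it is, it deserves a line in the commit message, since the cmmc and 800-171r3 references no longer point at the same control family.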
diff --git a/rules/system_settings/system_settings_usb_restricted_mode.yaml b/rules/system_settings/system_settings_usb_restricted_mode.yaml
index 4b1e400c2..ccc89d90f 100644
--- a/rules/system_settings/system_settings_usb_restricted_mode.yaml
+++ b/rules/system_settings/system_settings_usb_restricted_mode.yaml
@@ -25,14 +25,14 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93004-0
+ - CCE-94409-0
cci:
- CCI-001958
800-53r5:
- MP-7
- SC-41
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.08.07
cis:
benchmark:
- N/A
@@ -44,9 +44,9 @@ references:
srg:
- SRG-OS-000378-GPOS-00163
disa_stig:
- - APPL-14-005090
+ - N/A
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_wake_network_access_disable.yaml b/rules/system_settings/system_settings_wake_network_access_disable.yaml
index 1ada709d7..fd558d725 100644
--- a/rules/system_settings/system_settings_wake_network_access_disable.yaml
+++ b/rules/system_settings/system_settings_wake_network_access_disable.yaml
@@ -13,7 +13,7 @@ fix: |
----
references:
cce:
- - CCE-93005-7
+ - CCE-94410-8
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -32,7 +32,7 @@ references:
controls v8:
- 4.8
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml
index 77d86bce3..e1da2119f 100644
--- a/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml
+++ b/rules/system_settings/system_settings_wallet_applepay_settings_disable.yaml
@@ -12,7 +12,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93021-4
+ - CCE-94411-6
cci:
- CCI-000381
800-53r5:
@@ -25,9 +25,10 @@ references:
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- - APPL-14-002052
- 800-171r2:
- - 3.4.6
+ - N/A
+ 800-171r3:
+ - 03.04.06
+ - 03.04.08
cis:
benchmark:
- N/A
@@ -38,7 +39,7 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/rules/system_settings/system_settings_wifi_disable.yaml b/rules/system_settings/system_settings_wifi_disable.yaml
index d4f434015..a0cd0e8b2 100644
--- a/rules/system_settings/system_settings_wifi_disable.yaml
+++ b/rules/system_settings/system_settings_wifi_disable.yaml
@@ -18,7 +18,7 @@ fix: |
----
references:
cce:
- - CCE-93008-1
+ - CCE-94412-4
cci:
- N/A
800-53r5:
@@ -34,8 +34,9 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
- - N/A
+ 800-171r3:
+ - 03.01.03
+ - 03.01.16
cis:
benchmark:
- N/A
@@ -47,7 +48,7 @@ references:
- AC.L2-3.1.16
- AC.L2-3.1.17
macOS:
- - '14.0'
+ - '15.0'
tags:
- manual
- 800-53r4_low
diff --git a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
index 8e1d496c9..1fd3474ed 100644
--- a/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
+++ b/rules/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
@@ -12,7 +12,7 @@ fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- - CCE-93009-9
+ - CCE-94413-2
cci:
- N/A
800-53r5:
@@ -27,14 +27,14 @@ references:
- N/A
srg:
- N/A
- 800-171r2:
- - 3.1.3
- - 3.1.17
+ 800-171r3:
+ - 03.01.03
+ - 03.01.16
cmmc:
- AC.L2-3.1.3
- AC.L2-3.1.17
macOS:
- - '14.0'
+ - '15.0'
tags:
- 800-53r5_moderate
- 800-53r5_high
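Review bot: The r3 list drops a direct counterpart for `3.1.17` (it now lists `03.01.03` and `03.01.16`) while `cmmc` still lists `AC.L2-3.1.17`. If the intent is that r3 folded the wireless controls into `03.01.16`, fine, but document that in the commit message; otherwise this is a lost reference.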
diff --git a/rules/system_settings/system_settings_wifi_menu_enable.yaml b/rules/system_settings/system_settings_wifi_menu_enable.yaml
index 716842b14..2687343e3 100644
--- a/rules/system_settings/system_settings_wifi_menu_enable.yaml
+++ b/rules/system_settings/system_settings_wifi_menu_enable.yaml
@@ -13,7 +13,7 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- - CCE-93010-7
+ - CCE-94414-0
cci:
- N/A
800-53r5:
@@ -24,7 +24,7 @@ references:
- N/A
disa_stig:
- N/A
- 800-171r2:
+ 800-171r3:
- N/A
cis:
benchmark:
@@ -33,7 +33,7 @@ references:
- 4.8
- 12.6
macOS:
- - '14.0'
+ - '15.0'
tags:
- cis_lvl1
- cis_lvl2
diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py
index 4f24cf4f6..115e35769 100755
--- a/scripts/generate_baseline.py
+++ b/scripts/generate_baseline.py
@@ -51,7 +51,7 @@ def get_rule_yaml(rule_file, custom=False):
""" Takes a rule file, checks for a custom version, and returns the yaml for the rule
"""
resulting_yaml = {}
- names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]
+ names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.y*ml', recursive=True)]
file_name = os.path.basename(rule_file)
if custom:
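Review bot: The glob `*.y*ml` is broader than "yaml or yml": it also matches any `.y<anything>ml` name. Prefer two explicit patterns (`*.yaml` and `*.yml`) or filter on `os.path.splitext(x)[1] in ('.yaml', '.yml')`. Also, since `names` holds basenames, a custom rule saved as `foo.yml` will not be recognized as an override of `foo.yaml` if the override check compares full basenames; compare on the stem instead.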
@@ -116,7 +116,7 @@ def collect_rules():
'srg']
- for rule in sorted(glob.glob('../rules/**/*.yaml',recursive=True)) + sorted(glob.glob('../custom/rules/**/*.yaml',recursive=True)):
+ for rule in sorted(glob.glob('../rules/**/*.y*ml',recursive=True)) + sorted(glob.glob('../custom/rules/**/*.y*ml',recursive=True)):
rule_yaml = get_rule_yaml(rule, custom=False)
for key in keys:
try:
@@ -132,12 +132,12 @@ def collect_rules():
#print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule))
rule_yaml[key].update({reference: ["None"]})
- all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
- rule_yaml['id'].replace('|', '\|'),
- rule_yaml['severity'].replace('|', '\|'),
- rule_yaml['discussion'].replace('|', '\|'),
- rule_yaml['check'].replace('|', '\|'),
- rule_yaml['fix'].replace('|', '\|'),
+ all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\\|'),
+ rule_yaml['id'].replace('|', '\\|'),
+ rule_yaml['severity'].replace('|', '\\|'),
+ rule_yaml['discussion'].replace('|', '\\|'),
+ rule_yaml['check'].replace('|', '\\|'),
+ rule_yaml['fix'].replace('|', '\\|'),
rule_yaml['references']['cci'],
rule_yaml['references']['cce'],
rule_yaml['references']['800-53r4'],
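Review bot: Good fix: `'\|'` is an invalid escape sequence (a SyntaxWarning on recent Python) and `'\\|'` yields the same two-character string, so behaviour is unchanged. A raw string `r'\|'` would read more clearly and avoids the same mistake being reintroduced on the next edit.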
@@ -452,52 +452,49 @@ def odv_query(rules, benchmark):
def main():
args = create_args()
- try:
- file_dir = os.path.dirname(os.path.abspath(__file__))
- parent_dir = os.path.dirname(file_dir)
+
+ file_dir = os.path.dirname(os.path.abspath(__file__))
+ parent_dir = os.path.dirname(file_dir)
- # stash current working directory
- original_working_directory = os.getcwd()
+ # stash current working directory
+ original_working_directory = os.getcwd()
- # switch to the scripts directory
- os.chdir(file_dir)
+ # switch to the scripts directory
+ os.chdir(file_dir)
- all_rules = collect_rules()
+ all_rules = collect_rules()
- if args.list_tags:
- available_tags(all_rules)
- return
+ if args.list_tags:
+ available_tags(all_rules)
+ return
- if args.controls:
- baselines_file = os.path.join(
- parent_dir, 'includes', '800-53_baselines.yaml')
+ if args.controls:
+ baselines_file = os.path.join(
+ parent_dir, 'includes', '800-53_baselines.yaml')
- with open(baselines_file) as r:
- baselines = yaml.load(r, Loader=yaml.SafeLoader)
+ with open(baselines_file) as r:
+ baselines = yaml.load(r, Loader=yaml.SafeLoader)
- included_controls = get_controls(all_rules)
- needed_controls = []
+ included_controls = get_controls(all_rules)
+ needed_controls = []
- for control in baselines['low']:
- if control not in needed_controls:
- needed_controls.append(control)
+ for control in baselines['low']:
+ if control not in needed_controls:
+ needed_controls.append(control)
- for n_control in needed_controls:
- if n_control not in included_controls:
- print(f'{n_control} missing from any rule, needs a rule, or included in supplemental')
+ for n_control in needed_controls:
+ if n_control not in included_controls:
+ print(f'{n_control} missing from any rule, needs a rule, or included in supplemental')
- return
+ return
- build_path = os.path.join(parent_dir, 'build', 'baselines')
- if not (os.path.isdir(build_path)):
- try:
- os.makedirs(build_path)
- except OSError:
- print(f"Creation of the directory {build_path} failed")
-
- except IOError as msg:
- parser.error(str(msg))
+ build_path = os.path.join(parent_dir, 'build', 'baselines')
+ if not (os.path.isdir(build_path)):
+ try:
+ os.makedirs(build_path)
+ except OSError:
+ print(f"Creation of the directory {build_path} failed")
# import mscp-data
mscp_data_file = os.path.join(
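Review bot: Removing the `try`/`except IOError` wrapper is right, because the handler called `parser.error(...)` and `parser` is not defined in main() (only `args = create_args()` is), so the handler itself would have raised NameError. But `open(baselines_file)` is now completely unguarded; add a targeted `try` around that `open` that prints the missing-file path and exits non-zero, rather than letting the traceback escape.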
diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py
index dbbb09f62..092e666bf 100755
--- a/scripts/generate_guidance.py
+++ b/scripts/generate_guidance.py
@@ -2,9 +2,7 @@
# filename: generate_guidance.py
# description: Process a given baseline, and output guidance files
import sys
-import os.path
import plistlib
-import xlwt
import glob
import os
import yaml
@@ -14,14 +12,43 @@
import logging
import tempfile
import base64
+import shutil
+import json
+import hashlib
from datetime import date
-from xlwt import Workbook
+from xlwt import Workbook, easyxf
from string import Template
from itertools import groupby
from uuid import uuid4
-
-class MacSecurityRule():
- def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, sfr, cis, cmmc, custom_refs, odv, tags, result_value, mobileconfig, mobileconfig_info, customized):
+from zipfile import ZipFile
+
+
+class MacSecurityRule:
+ def __init__(
+ self,
+ title,
+ rule_id,
+ severity,
+ discussion,
+ check,
+ fix,
+ cci,
+ cce,
+ nist_controls,
+ nist_171,
+ disa_stig,
+ srg,
+ sfr,
+ cis,
+ cmmc,
+ custom_refs,
+ odv,
+ tags,
+ result_value,
+ mobileconfig,
+ mobileconfig_info,
+ customized,
+ ):
self.rule_title = title
self.rule_id = rule_id
self.rule_severity = severity
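Review bot: The constructor now has 22 positional parameters and the call site in generate_baseline.py passes them positionally (`MacSecurityRule(rule_yaml['title']..., rule_yaml['id']..., rule_yaml['severity']...`). Consider making them keyword-only (`def __init__(self, *, title, rule_id, ...)`) so a misordered argument fails loudly instead of silently swapping fields. Separately, `shutil` and `hashlib` are imported here but not used in the visible portion of the diff; drop them if nothing later in the file needs them.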
@@ -61,20 +88,21 @@ def create_asciidoc(self, adoc_rule_template):
rule_cis=self.rule_cis,
rule_cmmc=self.rule_cmmc,
rule_srg=self.rule_srg,
- rule_result=self.rule_result_value
+ rule_result=self.rule_result_value,
)
return rule_adoc
def create_mobileconfig(self):
pass
- # Convert a list to AsciiDoc
+
def ulify(elements):
string = "\n"
for s in elements:
string += "* " + str(s) + "\n"
return string
+
def group_ulify(elements):
string = "\n * "
for s in elements:
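Review bot: The comment `# Convert a list to AsciiDoc` describing ulify() was deleted rather than moved; turn it into a docstring on `ulify` (and `group_ulify`) so the intent survives the reformat.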
@@ -94,14 +122,14 @@ def get_check_code(check_yaml):
check_string = check_yaml.split("[source,bash]")[1]
except:
return check_yaml
- #print check_string
- check_code = re.search('(?:----((?:.*?\r?\n?)*)----)+', check_string)
- #print(check_code.group(1).rstrip())
- return(check_code.group(1).strip())
+ # print check_string
+ check_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", check_string)
+ # print(check_code.group(1).rstrip())
+ return check_code.group(1).strip()
def quotify(fix_code):
- string = fix_code.replace("'", "\'\"\'\"\'")
+ string = fix_code.replace("'", "'\"'\"'")
string = string.replace("%", "%%")
return string
@@ -109,41 +137,38 @@ def quotify(fix_code):
def get_fix_code(fix_yaml):
fix_string = fix_yaml.split("[source,bash]")[1]
- fix_code = re.search('(?:----((?:.*?\r?\n?)*)----)+', fix_string)
- return(fix_code.group(1))
+ fix_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", fix_string)
+ return fix_code.group(1)
def format_mobileconfig_fix(mobileconfig):
- """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.
- """
+ """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide."""
rulefix = ""
for domain, settings in mobileconfig.items():
if domain == "com.apple.ManagedClient.preferences":
- rulefix = rulefix + \
- (f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.\n\n")
+ rulefix = rulefix + (
+ f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.\n\n"
+ )
rulefix = rulefix + format_mobileconfig_fix(settings)
else:
rulefix = rulefix + (
- f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n")
+ f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n"
+ )
rulefix = rulefix + "[source,xml]\n----\n"
for item in settings.items():
rulefix = rulefix + (f"{item[0]}\n")
if type(item[1]) == bool:
- rulefix = rulefix + \
- (f"<{str(item[1]).lower()}/>\n")
+ rulefix = rulefix + (f"<{str(item[1]).lower()}/>\n")
elif type(item[1]) == list:
rulefix = rulefix + "\n"
for setting in item[1]:
- rulefix = rulefix + \
- (f" {setting}\n")
+ rulefix = rulefix + (f" {setting}\n")
rulefix = rulefix + "\n"
elif type(item[1]) == int:
- rulefix = rulefix + \
- (f"{item[1]}\n")
+ rulefix = rulefix + (f"{item[1]}\n")
elif type(item[1]) == str:
- rulefix = rulefix + \
- (f"{item[1]}\n")
+ rulefix = rulefix + (f"{item[1]}\n")
elif type(item[1]) == dict:
rulefix = rulefix + "\n"
for k,v in item[1].items():
@@ -178,12 +203,14 @@ def format_mobileconfig_fix(mobileconfig):
return rulefix
+
class AdocTemplate:
def __init__(self, name, path, template_file):
self.name = name
self.path = path
self.template_file = template_file
+
class PayloadDict:
"""Class to create and manipulate Configuration Profiles.
The actual plist content can be accessed as a dictionary via the 'data' attribute.
@@ -191,10 +218,10 @@ class PayloadDict:
def __init__(self, identifier, uuid=False, description='', organization='', displayname=''):
self.data = {}
- self.data['PayloadVersion'] = 1
- self.data['PayloadOrganization'] = organization
+ self.data["PayloadVersion"] = 1
+ self.data["PayloadOrganization"] = organization
if uuid:
- self.data['PayloadUUID'] = uuid
+ self.data["PayloadUUID"] = uuid
else:
self.data['PayloadUUID'] = makeNewUUID()
self.data['PayloadType'] = 'Configuration'
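Review bot: The quote style is now mixed inside one method: `self.data["PayloadVersion"]` and `self.data["PayloadUUID"]` use double quotes while `self.data['PayloadUUID'] = makeNewUUID()` and `self.data['PayloadType']` two lines later keep single quotes. Either run the formatter over the whole file or leave the lines untouched; a half-applied reformat makes later diffs noisier.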
@@ -205,14 +232,14 @@ def __init__(self, identifier, uuid=False, description='', organization='', disp
self.data['ConsentText'] = {"default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER."}
# An empty list for 'sub payloads' that we'll fill later
- self.data['PayloadContent'] = []
+ self.data["PayloadContent"] = []
def _updatePayload(self, payload_content_dict, baseline_name):
"""Update the profile with the payload settings. Takes the settings dictionary which will be the
PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
elements.
"""
- #description = "Configuration settings for the {} preference domain.".format(payload_type)
+ # description = "Configuration settings for the {} preference domain.".format(payload_type)
payload_dict = {}
# Boilerplate
@@ -221,7 +248,7 @@ def _updatePayload(self, payload_content_dict, baseline_name):
payload_dict['PayloadType'] = payload_content_dict['PayloadType']
payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}"
- payload_dict['PayloadContent'] = payload_content_dict
+ payload_dict["PayloadContent"] = payload_content_dict
# Add the payload to the profile
self.data.update(payload_dict)
@@ -230,7 +257,7 @@ def _addPayload(self, payload_content_dict, baseline_name):
PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
elements.
"""
- #description = "Configuration settings for the {} preference domain.".format(payload_type)
+ # description = "Configuration settings for the {} preference domain.".format(payload_type)
payload_dict = {}
# Boilerplate
@@ -239,18 +266,18 @@ def _addPayload(self, payload_content_dict, baseline_name):
payload_dict['PayloadType'] = payload_content_dict['PayloadType']
payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}"
- payload_dict['PayloadContent'] = payload_content_dict
+ payload_dict["PayloadContent"] = payload_content_dict
# Add the payload to the profile
- #print payload_dict
- del payload_dict['PayloadContent']['PayloadType']
- self.data['PayloadContent'].append(payload_dict)
+ # print payload_dict
+ del payload_dict["PayloadContent"]["PayloadType"]
+ self.data["PayloadContent"].append(payload_dict)
def addNewPayload(self, payload_type, settings, baseline_name):
"""Add a payload to the profile. Takes the settings dictionary which will be the
PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
elements.
"""
- #description = "Configuration settings for the {} preference domain.".format(payload_type)
+ # description = "Configuration settings for the {} preference domain.".format(payload_type)
payload_dict = {}
# Boilerplate
@@ -265,8 +292,7 @@ def addNewPayload(self, payload_type, settings, baseline_name):
payload_dict[k] = v
# Add the payload to the profile
- #
- self.data['PayloadContent'].append(payload_dict)
+ self.data["PayloadContent"].append(payload_dict)
def addMCXPayload(self, settings, baseline_name):
"""Add a payload to the profile. Takes the settings dictionary which will be the
@@ -278,7 +304,7 @@ def addMCXPayload(self, settings, baseline_name):
for key in keys.split():
plist_dict[key] = settings[2]
- #description = "Configuration settings for the {} preference domain.".format(payload_type)
+ # description = "Configuration settings for the {} preference domain.".format(payload_type)
payload_dict = {}
state = "Forced"
@@ -288,43 +314,45 @@ def addMCXPayload(self, settings, baseline_name):
payload_dict[domain] = {}
payload_dict[domain][state] = []
payload_dict[domain][state].append({})
- payload_dict[domain][state][0]['mcx_preference_settings'] = plist_dict
- payload_dict['PayloadType'] = "com.apple.ManagedClient.preferences"
+ payload_dict[domain][state][0]["mcx_preference_settings"] = plist_dict
+ payload_dict["PayloadType"] = "com.apple.ManagedClient.preferences"
self._addPayload(payload_dict, baseline_name)
def finalizeAndSave(self, output_path):
- """Perform last modifications and save to configuration profile.
- """
+ """Perform last modifications and save to configuration profile."""
plistlib.dump(self.data, output_path)
print(f"Configuration profile written to {output_path.name}")
def finalizeAndSavePlist(self, output_path):
- """Perform last modifications and save to an output plist.
- """
+ """Perform last modifications and save to an output plist."""
output_file_path = output_path.name
preferences_path = os.path.dirname(output_file_path)
-
settings_dict = {}
- for i in self.data['PayloadContent']:
- if i['PayloadType'] == "com.apple.ManagedClient.preferences":
- for key, value in i['PayloadContent'].items():
- domain=key
- preferences_output_file = os.path.join(preferences_path, domain + ".plist")
+ for i in self.data["PayloadContent"]:
+ if i["PayloadType"] == "com.apple.ManagedClient.preferences":
+ for key, value in i["PayloadContent"].items():
+ domain = key
+ preferences_output_file = os.path.join(
+ preferences_path, domain + ".plist"
+ )
if not os.path.exists(preferences_output_file):
- with open(preferences_output_file, 'w'): pass
- with open (preferences_output_file, 'rb') as fp:
+ with open(preferences_output_file, "w"):
+ pass
+ with open(preferences_output_file, "rb") as fp:
try:
settings_dict = plistlib.load(fp)
except:
settings_dict = {}
- with open(preferences_output_file, 'wb') as fp:
- for setting in value['Forced']:
- for key, value in setting['mcx_preference_settings'].items():
+ with open(preferences_output_file, "wb") as fp:
+ for setting in value["Forced"]:
+ for key, value in setting[
+ "mcx_preference_settings"
+ ].items():
settings_dict[key] = value
- #preferences_output_path = open(preferences_output_file, 'wb')
+ # preferences_output_path = open(preferences_output_file, 'wb')
plistlib.dump(settings_dict, fp)
print(f"Settings plist written to {preferences_output_file}")
settings_dict.clear()
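Review bot: The inner loop `for key, value in setting["mcx_preference_settings"].items()` shadows the outer `for key, value in i["PayloadContent"].items()` variables; it happens to be harmless because `value["Forced"]` is read before the shadowing, but rename the inner pair (`pref_key, pref_value`) while these lines are being touched. The bare `except:` around `plistlib.load(fp)` should also be narrowed to `except plistlib.InvalidFileException`, so a genuine I/O error is not silently turned into an empty settings dict.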
@@ -334,12 +362,12 @@ def finalizeAndSavePlist(self, output_path):
continue
else:
if os.path.exists(output_file_path):
- with open (output_file_path, 'rb') as fp:
+ with open(output_file_path, "rb") as fp:
try:
settings_dict = plistlib.load(fp)
except:
settings_dict = {}
- for key,value in i.items():
+ for key, value in i.items():
if not key.startswith("Payload"):
settings_dict[key] = value
@@ -352,8 +380,7 @@ def makeNewUUID():
def concatenate_payload_settings(settings):
- """Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key
- """
+ """Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key"""
settings_list = []
settings_dict = {}
for item in settings:
@@ -368,72 +395,79 @@ def concatenate_payload_settings(settings):
return [settings_dict]
-def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''):
- """Generate the configuration profiles for the rules in the provided baseline YAML file
- """
-
+def generate_profiles(
+ baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=""
+):
+ """Generate the configuration profiles for the rules in the provided baseline YAML file"""
+
# import profile_manifests.plist
- manifests_file = os.path.join(
- parent_dir, 'includes', 'supported_payloads.yaml')
+ manifests_file = os.path.join(parent_dir, "includes", "supported_payloads.yaml")
with open(manifests_file) as r:
manifests = yaml.load(r, Loader=yaml.SafeLoader)
# Output folder
unsigned_mobileconfig_output_path = os.path.join(
- f'{build_path}', 'mobileconfigs', 'unsigned')
+ f"{build_path}", "mobileconfigs", "unsigned"
+ )
if not (os.path.isdir(unsigned_mobileconfig_output_path)):
try:
os.makedirs(unsigned_mobileconfig_output_path)
except OSError:
- print("Creation of the directory %s failed" %
- unsigned_mobileconfig_output_path)
+ print(
+ "Creation of the directory %s failed"
+ % unsigned_mobileconfig_output_path
+ )
if signing:
signed_mobileconfig_output_path = os.path.join(
- f'{build_path}', 'mobileconfigs', 'signed')
+ f"{build_path}", "mobileconfigs", "signed"
+ )
if not (os.path.isdir(signed_mobileconfig_output_path)):
try:
os.makedirs(signed_mobileconfig_output_path)
except OSError:
- print("Creation of the directory %s failed" %
- signed_mobileconfig_output_path)
+ print(
+ "Creation of the directory %s failed"
+ % signed_mobileconfig_output_path
+ )
settings_plist_output_path = os.path.join(
- f'{build_path}', 'mobileconfigs', 'preferences')
+ f"{build_path}", "mobileconfigs", "preferences"
+ )
if not (os.path.isdir(settings_plist_output_path)):
try:
os.makedirs(settings_plist_output_path)
except OSError:
- print("Creation of the directory %s failed" %
- settings_plist_output_path)
+ print("Creation of the directory %s failed" % settings_plist_output_path)
# setup lists and dictionaries
profile_errors = []
profile_types = {}
mount_controls = {}
- for sections in baseline_yaml['profile']:
- for profile_rule in sections['rules']:
+ for sections in baseline_yaml["profile"]:
+ for profile_rule in sections["rules"]:
logging.debug(f"checking for rule file for {profile_rule}")
- if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
- rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
+ if glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True):
+ rule = glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True)[0]
custom=True
logging.debug(f"{rule}")
- elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
- rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
+ elif glob.glob('../rules/*/{}.y*ml'.format(profile_rule)):
+ rule = glob.glob('../rules/*/{}.y*ml'.format(profile_rule))[0]
custom=False
logging.debug(f"{rule}")
- #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ #for rule in glob.glob('../rules/*/{}.y*ml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, baseline_yaml, custom)
- if rule_yaml['mobileconfig']:
- for payload_type, info in rule_yaml['mobileconfig_info'].items():
+ if rule_yaml["mobileconfig"]:
+ for payload_type, info in rule_yaml["mobileconfig_info"].items():
valid = True
try:
- if payload_type not in manifests['payloads_types']:
+ if payload_type not in manifests["payloads_types"]:
profile_errors.append(rule)
raise ValueError(
- "{}: Payload Type is not supported".format(payload_type))
+ "{}: Payload Type is not supported".format(payload_type)
+ )
else:
pass
except (KeyError, ValueError) as e:
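Review bot: `rule` is only assigned inside the `if`/`elif` glob branches; if a baseline names a rule that matches neither `../custom/rules/**/{}.y*ml` nor `../rules/*/{}.y*ml`, the call `get_rule_yaml(rule, baseline_yaml, custom)` raises NameError (or reuses the previous iteration's `rule`). Add an `else:` that logs the missing rule id and `continue`s. The same `*.y*ml` over-matching noted for generate_baseline.py applies here, and these four glob lines kept single quotes while the surrounding code was switched to double quotes.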
@@ -443,8 +477,7 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
try:
if isinstance(info, list):
- raise ValueError(
- "Payload key is non-conforming")
+ raise ValueError("Payload key is non-conforming")
else:
pass
except (KeyError, ValueError) as e:
@@ -454,51 +487,68 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
if valid:
if payload_type == "com.apple.systemuiserver":
- for setting_key, setting_value in info['mount-controls'].items():
+ for setting_key, setting_value in info[
+ "mount-controls"
+ ].items():
mount_controls[setting_key] = setting_value
payload_settings = {"mount-controls": mount_controls}
- profile_types.setdefault(
- payload_type, []).append(payload_settings)
+ profile_types.setdefault(payload_type, []).append(
+ payload_settings
+ )
elif payload_type == "com.apple.ManagedClient.preferences":
for payload_domain, settings in info.items():
for key, value in settings.items():
- payload_settings = (
- payload_domain, key, value)
- profile_types.setdefault(
- payload_type, []).append(payload_settings)
+ payload_settings = (payload_domain, key, value)
+ profile_types.setdefault(payload_type, []).append(
+ payload_settings
+ )
else:
for profile_key, key_value in info.items():
payload_settings = {profile_key: key_value}
- profile_types.setdefault(
- payload_type, []).append(payload_settings)
+ profile_types.setdefault(payload_type, []).append(
+ payload_settings
+ )
if len(profile_errors) > 0:
- print("There are errors in the following files, please correct the .yaml file(s)!")
+ print(
+ "There are errors in the following files, please correct the .yaml file(s)!"
+ )
for error in profile_errors:
print(error)
# process the payloads from the yaml file and generate new config profile for each type
for payload, settings in profile_types.items():
if payload.startswith("."):
unsigned_mobileconfig_file_path = os.path.join(
- unsigned_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig')
+ unsigned_mobileconfig_output_path,
+ "com.apple" + payload + ".mobileconfig",
+ )
settings_plist_file_path = os.path.join(
- settings_plist_output_path, "com.apple" + payload + '.plist')
+ settings_plist_output_path, "com.apple" + payload + ".plist"
+ )
if signing:
signed_mobileconfig_file_path = os.path.join(
- signed_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig')
+ signed_mobileconfig_output_path,
+ "com.apple" + payload + ".mobileconfig",
+ )
else:
unsigned_mobileconfig_file_path = os.path.join(
- unsigned_mobileconfig_output_path, payload + '.mobileconfig')
+ unsigned_mobileconfig_output_path, payload + ".mobileconfig"
+ )
settings_plist_file_path = os.path.join(
- settings_plist_output_path, payload + '.plist')
+ settings_plist_output_path, payload + ".plist"
+ )
if signing:
signed_mobileconfig_file_path = os.path.join(
- signed_mobileconfig_output_path, payload + '.mobileconfig')
+ signed_mobileconfig_output_path, payload + ".mobileconfig"
+ )
identifier = payload + f".{baseline_name}"
created = date.today()
- description = "Created: {}\nConfiguration settings for the {} preference domain.".format(created,
- payload)
-
+ description = (
+ "Created: {}\nConfiguration settings for the {} preference domain.".format(
+ created, payload
+ )
+ )
+
organization = "macOS Security Compliance Project"
displayname = f"[{baseline_name}] {payload} settings"
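Review bot: For `com.apple.systemuiserver`, every matching rule appends a new `{"mount-controls": mount_controls}` wrapper around the same `mount_controls` dict, so `profile_types[payload_type]` ends up holding N references to one accumulated dict rather than N independent settings. If the downstream writer de-duplicates, this is merely wasteful; if not, the same payload is emitted repeatedly. Append once after the loop, or copy the dict per rule.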
@@ -514,14 +564,17 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
for item in settings:
newProfile.addMCXPayload(item, baseline_name)
# handle these payloads for array settings
- elif (payload == "com.apple.applicationaccess.new") or (payload == 'com.apple.systempreferences'):
+ elif (payload == "com.apple.applicationaccess.new") or (
+ payload == "com.apple.systempreferences"
+ ):
newProfile.addNewPayload(
- payload, concatenate_payload_settings(settings), baseline_name)
+ payload, concatenate_payload_settings(settings), baseline_name
+ )
else:
newProfile.addNewPayload(payload, settings, baseline_name)
if signing:
- unsigned_file_path=os.path.join(unsigned_mobileconfig_file_path)
+ unsigned_file_path = os.path.join(unsigned_mobileconfig_file_path)
unsigned_config_file = open(unsigned_file_path, "wb")
newProfile.finalizeAndSave(unsigned_config_file)
settings_config_file = open(settings_plist_file_path, "wb")
@@ -538,7 +591,8 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
newProfile.finalizeAndSavePlist(settings_config_file)
config_file.close()
- print(f"""
+ print(
+ f"""
CAUTION: These configuration profiles are intended for evaluation in a TEST
environment. Certain configuration profiles (Smartcards), when applied could
leave a system in a state where a user can no longer login with a password.
@@ -546,34 +600,286 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
NOTE: If an MDM is already being leveraged, many of these profile settings may
be available through the vendor.
- """)
+ """
+ )
+
+
+def zip_folder(folder_to_zip):
+ with ZipFile(folder_to_zip + ".zip", "w") as zip_object:
+ for folder_name, sub_folders, file_names in os.walk(folder_to_zip):
+ for filename in file_names:
+ # Create filepath of files in directory
+ file_path = os.path.join(folder_name, filename)
+ arcname = os.path.join(folder_name[len(folder_to_zip) :], filename)
+ # Add files to zip file
+ zip_object.write(file_path, arcname)
+
+ return zip_object.filename
+
+def create_ddm_activation(identifier, ddm_output_path):
+
+ ddm_output_path = f'{ddm_output_path}/activations'
+ ddm_identifier = f'{identifier.replace("config","activation").replace("asset","activation")}'
+ ddm_json = {}
+ ddm_json["Identifier"] = ddm_identifier
+ ddm_json["Type"] = "com.apple.activation.simple"
+ ddm_json["Payload"] = { "StandardConfigurations" : [ identifier ]}
+
+ ddm_object = json.dumps(ddm_json, indent=4)
+
+ logging.debug(f"Building declarative activation for {ddm_identifier}...")
+
+ # Writing the .json to disk
+ if not (os.path.isdir(ddm_output_path)):
+ try:
+ os.makedirs(ddm_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" % ddm_output_path)
+
+ with open(
+ ddm_output_path + "/" + ddm_identifier + ".json", "w"
+ ) as outfile:
+ outfile.write(ddm_object)
+
+ return
+
+def create_ddm_conf(identifier, service, ddm_output_path):
+
+ ddm_output_path = f'{ddm_output_path}/configurations'
+ ddm_identifier = f'{identifier.replace("asset","config")}'
+ ddm_json = {}
+ ddm_json["Identifier"] = ddm_identifier
+ ddm_json["Type"] = "com.apple.configuration.services.configuration-files"
+ ddm_json["Payload"] = { "ServiceType" : service,
+ "DataAssetReference" : identifier }
+
+ ddm_object = json.dumps(ddm_json, indent=4)
+
+ logging.debug(f"Building declarative configuration for {ddm_identifier}...")
+
+ # Writing the .json to disk
+ if not (os.path.isdir(ddm_output_path)):
+ try:
+ os.makedirs(ddm_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" % ddm_output_path)
+
+ with open(
+ ddm_output_path + "/" + ddm_identifier + ".json", "w"
+ ) as outfile:
+ outfile.write(ddm_object)
+
+ return
+
+def generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml):
+ """Generate the declarative management artifacts for the rules in the provided baseline YAML file"""
+ # import mscp-data
+ mscp_data_file = os.path.join(parent_dir, "includes", "mscp-data.yaml")
+ with open(mscp_data_file) as r:
+ mscp_data_yaml = yaml.load(r, Loader=yaml.SafeLoader)
+
+ # Output folder
+ ddm_output_path = os.path.join(f"{build_path}", "declarative")
+ if not (os.path.isdir(ddm_output_path)):
+ try:
+ os.makedirs(ddm_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" % ddm_output_path)
+
+ # setup lists and dictionaries
+ ddm_rules = []
+ ddm_dict = {}
+
+ for sections in baseline_yaml["profile"]:
+ for profile_rule in sections["rules"]:
+ logging.debug(f"checking for rule file for {profile_rule}")
+ if glob.glob(
+ "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True
+ ):
+ rule = glob.glob(
+ "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True
+ )[0]
+ custom = True
+ logging.debug(f"{rule}")
+ elif glob.glob("../rules/*/{}.y*ml".format(profile_rule)):
+ rule = glob.glob("../rules/*/{}.y*ml".format(profile_rule))[0]
+ custom = False
+ logging.debug(f"{rule}")
+
+ rule_yaml = get_rule_yaml(rule, baseline_yaml, custom)
+ if "ddm_info" in rule_yaml.keys():
+ if rule_yaml["ddm_info"]:
+ logging.debug(f'adding {rule_yaml["id"]}')
+ ddm_rules.append(rule_yaml)
+
+ for ddm_rule in ddm_rules:
+ if (
+ ddm_rule["ddm_info"]["declarationtype"]
+ == "com.apple.configuration.services.configuration-files"
+ ):
+ # verify the ddm service is supported
+ if ddm_rule["ddm_info"]["service"] in mscp_data_yaml["ddm"]["services"]:
+ config_file_path = mscp_data_yaml["ddm"]["services"][
+ ddm_rule["ddm_info"]["service"]
+ ]
+ else:
+ print(f"{ddm_rule['ddm_info']['service']} service NOT found")
+
+ # set up configuration file
+ config_file_output_path = os.path.join(
+ f"{ddm_output_path}/"
+ + ddm_rule["ddm_info"]["service"]
+ + config_file_path
+ )
+ if not (os.path.isdir(config_file_output_path)):
+ try:
+ os.makedirs(config_file_output_path)
+ except OSError:
+ print(
+ "Creation of the directory %s failed" % config_file_output_path
+ )
+
+ # write the configuration file
+ service_config_file = open(
+ config_file_output_path + ddm_rule["ddm_info"]["config_file"], "a"
+ )
+ if ddm_rule["ddm_info"]["configuration_key"] == "file":
+ service_config_file.write(
+ f'{ddm_rule["ddm_info"]["configuration_value"]}\n'
+ )
+ else:
+ service_config_file.write(
+ f'{ddm_rule["ddm_info"]["configuration_key"]} {ddm_rule["ddm_info"]["configuration_value"]}\n'
+ )
+
+ # add configuration-files type to ddm_dict
+ ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update(
+ {}
+ )
+
+ service_config_file.close()
+ else:
+ ddm_key = ddm_rule["ddm_info"]["ddm_key"]
+ ddm_key_value = ddm_rule["ddm_info"]["ddm_value"]
+ ddm_dict.setdefault(ddm_rule["ddm_info"]["declarationtype"], {}).update(
+ {ddm_key: ddm_key_value}
+ )
+
+ for ddm_type in mscp_data_yaml["ddm"]["supported_types"]:
+ if ddm_type not in ddm_dict.keys():
+ continue
+ if ddm_type == "com.apple.configuration.services.configuration-files":
+ # build zip files for configs
+ for service in mscp_data_yaml["ddm"]["services"]:
+ for root, dirs, files in os.walk(ddm_output_path):
+ for folder in dirs:
+ if folder == service:
+ logging.debug(
+ f"Found Configuration files for {service}, zipping..."
+ )
+ service_path = os.path.join(ddm_output_path, service)
+ zip_file = zip_folder(service_path)
+ shutil.rmtree(service_path)
+
+ # get SHA hash of file
+ sha256_hash = hashlib.sha256()
+ with open(zip_file, "rb") as f:
+ # Read and update hash string value in blocks of 4K
+ for byte_block in iter(lambda: f.read(4096), b""):
+ sha256_hash.update(byte_block)
+ zip_sha = sha256_hash.hexdigest()
+
+ ddm_identifier = f'org.mscp.{baseline_name}.asset.{service.split(".")[2]}'
+ # create declaration for asset created
+ ddm_json = {}
+ ddm_json["Identifier"] = ddm_identifier
+ ddm_json["Type"] = "com.apple.asset.data"
+ ddm_json["Payload"] = {}
+ ddm_json["Payload"]["Reference"] = {}
+ ddm_json["Payload"]["Reference"][
+ "ContentType"
+ ] = "application/zip"
+ ddm_json["Payload"]["Reference"][
+ "DataURL"
+ ] = f"https://hostname.site.com/{service}.zip"
+ ddm_json["Payload"]["Reference"]["Hash-SHA-256"] = zip_sha
+ ddm_json["Authentication"] = {}
+ ddm_json["Authentication"]["Type"] = "None"
+
+ ddm_object = json.dumps(ddm_json, indent=4)
+
+ # Writing the .json to disk
+ ddm_asset_output_path = f'{ddm_output_path}/assets'
+ if not (os.path.isdir(ddm_asset_output_path)):
+ try:
+ os.makedirs(ddm_asset_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" % ddm_asset_output_path)
+
+ with open(
+ ddm_asset_output_path + "/" + ddm_identifier + ".json", "w"
+ ) as outfile:
+ outfile.write(ddm_object)
+
+ # move .zips to assets
+ shutil.move(zip_file,ddm_asset_output_path)
+
+ # create activation
+ create_ddm_activation(ddm_identifier, ddm_output_path)
+
+ # create configuration declaration for assets
+ create_ddm_conf(ddm_identifier, service, ddm_output_path)
+ else:
+ logging.debug(f"Building any declarations for {ddm_type}...")
+ ddm_identifier = f'org.mscp.{baseline_name}.config.{ddm_type.replace("com.apple.configuration.", "")}'
+ ddm_json = {}
+ ddm_json["Identifier"] = ddm_identifier
+ ddm_json["Type"] = ddm_type
+ ddm_json["Payload"] = ddm_dict[ddm_type]
+
+ ddm_object = json.dumps(ddm_json, indent=4)
+
+ # Writing the .json to disk
+ ddm_config_output_path = f'{ddm_output_path}/configurations'
+ if not (os.path.isdir(ddm_config_output_path)):
+ try:
+ os.makedirs(ddm_config_output_path)
+ except OSError:
+ print("Creation of the directory %s failed" % ddm_config_output_path)
+
+ with open(
+ ddm_config_output_path + "/" + ddm_identifier + ".json", "w"
+ ) as outfile:
+ outfile.write(ddm_object)
+
+ # create activation
+ create_ddm_activation(ddm_identifier, ddm_output_path)
+
def default_audit_plist(baseline_name, build_path, baseline_yaml):
- """"Generate the default audit plist file to define exemptions
- """
+ """ "Generate the default audit plist file to define exemptions"""
# Output folder
- plist_output_path = os.path.join(
- f'{build_path}', 'preferences')
+ plist_output_path = os.path.join(f"{build_path}", "preferences")
if not (os.path.isdir(plist_output_path)):
try:
os.makedirs(plist_output_path)
except OSError:
- print("Creation of the directory %s failed" %
- plist_output_path)
+ print("Creation of the directory %s failed" % plist_output_path)
plist_file_path = os.path.join(
- plist_output_path, 'org.' + baseline_name + '.audit.plist')
+ plist_output_path, "org." + baseline_name + ".audit.plist"
+ )
plist_file = open(plist_file_path, "wb")
plist_dict = {}
- for sections in baseline_yaml['profile']:
- for profile_rule in sections['rules']:
+ for sections in baseline_yaml["profile"]:
+ for profile_rule in sections["rules"]:
if profile_rule.startswith("supplemental"):
continue
- plist_dict[profile_rule] = { "exempt": False }
+ plist_dict[profile_rule] = {"exempt": False}
plistlib.dump(plist_dict, plist_file)
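Review bot: in `generate_ddm`, when a rule's `service` is not in `mscp_data_yaml["ddm"]["services"]` the `else` branch only prints `service NOT found` and then falls through to `config_file_output_path = os.path.join(... + config_file_path)`, so `config_file_path` is either unbound (NameError on the first rule) or stale from the previous rule, and the config line is written into the wrong service folder; add `continue` after the print. The generated `com.apple.asset.data` declaration also hardcodes `"DataURL": f"https://hostname.site.com/{service}.zip"` with `"Authentication": {"Type": "None"}`; that placeholder needs a comment or README note telling users to replace it with the real hosting URL, and since the device validates the download against `Hash-SHA-256`, the hash must be regenerated if the zip is rebuilt or edited after this step. Smaller points: `ddm_identifier = f'org.mscp.{baseline_name}.asset.{service.split(".")[2]}'` raises IndexError for any service id with fewer than three dot-separated parts; `create_ddm_activation` derives its identifier with `identifier.replace("config","activation").replace("asset","activation")`, which also rewrites a `baseline_name` that happens to contain "config" or "asset" (replace only the component after the baseline name instead); and the `default_audit_plist` docstring now begins with a stray literal quote (`""" "Generate ...`), left over from the original four-quote typo.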
@@ -582,12 +888,12 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
"""Generates the zsh script from the rules in the baseline YAML
"""
compliance_script_file = open(
- build_path + '/' + baseline_name + '_compliance.sh', 'w')
+ build_path + "/" + baseline_name + "_compliance.sh", "w"
+ )
check_function_string = ""
fix_function_string = ""
-
# create header of fix zsh script
check_zsh_header = f"""#!/bin/zsh --no-rcs
@@ -834,80 +1140,94 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
/usr/bin/mcxrefresh -u $CURR_USER_UID
# write timestamp of last compliance check
-/usr/bin/defaults write "$audit_plist" lastComplianceCheck "$(date)"
+/usr/bin/defaults write "$audit_plist" lastComplianceCheck "$(date +"%Y-%m-%d %H:%M:%S%z")"
"""
# Read all rules in the section and output the check functions
- for sections in baseline_yaml['profile']:
- for profile_rule in sections['rules']:
+ for sections in baseline_yaml["profile"]:
+ for profile_rule in sections["rules"]:
logging.debug(f"checking for rule file for {profile_rule}")
- if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
- rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
+ if glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True):
+ rule = glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True)[0]
custom=True
logging.debug(f"{rule}")
- elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
- rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
+ elif glob.glob('../rules/*/{}.y*ml'.format(profile_rule)):
+ rule = glob.glob('../rules/*/{}.y*ml'.format(profile_rule))[0]
custom=False
logging.debug(f"{rule}")
rule_yaml = get_rule_yaml(rule, baseline_yaml, custom)
-
- if rule_yaml['id'].startswith("supplemental"):
+ if rule_yaml["id"].startswith("supplemental"):
continue
- arch=""
+ arch = ""
try:
- if "manual" in rule_yaml['tags']:
+ if "manual" in rule_yaml["tags"]:
continue
- if "arm64" in rule_yaml['tags']:
- arch="arm64"
- elif "i386" in rule_yaml['tags']:
- arch="i386"
+ if "arm64" in rule_yaml["tags"]:
+ arch = "arm64"
+ elif "i386" in rule_yaml["tags"]:
+ arch = "i386"
except:
pass
# grab the 800-53 controls
try:
- rule_yaml['references']['800-53r5']
+ rule_yaml["references"]["800-53r5"]
except KeyError:
- nist_80053r5 = 'N/A'
+ nist_80053r5 = "N/A"
else:
- nist_80053r5 = rule_yaml['references']['800-53r5']
-
- cis_ref = ['cis', 'cis_lvl1', 'cis_lvl2', 'cisv8']
+ nist_80053r5 = rule_yaml["references"]["800-53r5"]
+
+ cis_ref = ["cis", "cis_lvl1", "cis_lvl2", "cisv8"]
if reference == "default":
- log_reference_id = [rule_yaml['id']]
+ log_reference_id = [rule_yaml["id"]]
elif reference in cis_ref:
if "v8" in reference:
- log_reference_id = [f"CIS Controls-{', '.join(map(str,rule_yaml['references']['cis']['controls v8']))}"]
+ log_reference_id = [
+ f"CIS Controls-{', '.join(map(str,rule_yaml['references']['cis']['controls v8']))}"
+ ]
else:
- log_reference_id = [f"CIS-{rule_yaml['references']['cis']['benchmark'][0]}"]
+ log_reference_id = [
+ f"CIS-{rule_yaml['references']['cis']['benchmark'][0]}"
+ ]
else:
try:
- rule_yaml['references'][reference]
+ rule_yaml["references"][reference]
except KeyError:
try:
- rule_yaml['references']['custom'][reference]
+ rule_yaml["references"]["custom"][reference]
except KeyError:
- log_reference_id = [rule_yaml['id']]
+ log_reference_id = [rule_yaml["id"]]
else:
- if isinstance(rule_yaml['references']['custom'][reference], list):
- log_reference_id = rule_yaml['references']['custom'][reference] + [rule_yaml['id']]
+ if isinstance(
+ rule_yaml["references"]["custom"][reference], list
+ ):
+ log_reference_id = rule_yaml["references"]["custom"][
+ reference
+ ] + [rule_yaml["id"]]
else:
- log_reference_id = [rule_yaml['references']['custom'][reference]] + [rule_yaml['id']]
+ log_reference_id = [
+ rule_yaml["references"]["custom"][reference]
+ ] + [rule_yaml["id"]]
else:
- if isinstance(rule_yaml['references'][reference], list):
- log_reference_id = rule_yaml['references'][reference] + [rule_yaml['id']]
+ if isinstance(rule_yaml["references"][reference], list):
+ log_reference_id = rule_yaml["references"][reference] + [
+ rule_yaml["id"]
+ ]
else:
- log_reference_id = [rule_yaml['references'][reference]] + [rule_yaml['id']]
- # group the controls
+ log_reference_id = [rule_yaml["references"][reference]] + [
+ rule_yaml["id"]
+ ]
+ # group the controls
if not nist_80053r5 == "N/A":
nist_80053r5.sort()
- res = [list(i) for j, i in groupby(
- nist_80053r5, lambda a: a.split('(')[0])]
- nist_controls = ''
+ res = [
+ list(i) for j, i in groupby(nist_80053r5, lambda a: a.split("(")[0])
+ ]
+ nist_controls = ""
for i in res:
nist_controls += group_ulify(i)
else:
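Review bot: the `if glob.glob('../custom/rules/**/{}.y*ml' ...)` / `elif glob.glob('../rules/*/{}.y*ml' ...)` pair still has no `else`, so a baseline rule with no matching file leaves `rule` and `custom` unbound on the first iteration (NameError) or carried over from the previous rule on later ones, and `get_rule_yaml(rule, baseline_yaml, custom)` then silently processes the wrong rule; add an `else` that logs the missing rule id and `continue`s. Also note that `.y*ml` matches any `y...ml` suffix, not just `.yaml` and `.yml`; `glob` does not support `{yaml,yml}`, so if exactly those two are intended, check both patterns explicitly. The `except: pass` around the `tags` lookup is a bare except and hides anything other than the expected KeyError.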
@@ -915,19 +1235,19 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
# print checks and result
try:
- check = rule_yaml['check']
+ check = rule_yaml["check"]
except KeyError:
- print("no check found for {}".format(rule_yaml['id']))
+ print("no check found for {}".format(rule_yaml["id"]))
continue
try:
- result = rule_yaml['result']
+ result = rule_yaml["result"]
except KeyError:
continue
if "integer" in result:
- result_value = result['integer']
+ result_value = result["integer"]
elif "boolean" in result:
- result_value = str(result['boolean']).lower()
+ result_value = str(result["boolean"]).lower()
elif "string" in result:
result_value = result['string']
elif "base64" in result:
@@ -993,22 +1313,31 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
logmessage "{5} does not apply to this architecture"
/usr/bin/defaults write "$audit_plist" {0} -dict-add finding -bool NO
fi
- """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), str(result), result_value, ' '.join(log_reference_id), arch, baseline_name)
+ """.format(
+ rule_yaml["id"],
+ nist_controls.replace("\n", "\n#"),
+ check.strip(),
+ str(result).lower(),
+ result_value,
+ " ".join(log_reference_id),
+ arch,
+ baseline_name,
+ )
check_function_string = check_function_string + zsh_check_text
# print fix and result
try:
- rule_yaml['fix']
+ rule_yaml["fix"]
except KeyError:
- fix_text = 'N/A'
+ fix_text = "N/A"
else:
- fix_text = rule_yaml['fix'] or ["n/a"]
+ fix_text = rule_yaml["fix"] or ["n/a"]
-# write the fixes
+ # write the fixes
if "[source,bash]" in fix_text:
- nist_controls_commented = nist_controls.replace('\n', '\n#')
+ nist_controls_commented = nist_controls.replace("\n", "\n#")
zsh_fix_text = f"""
#####----- Rule: {rule_yaml['id']} -----#####
## Addresses the following NIST 800-53 controls: {nist_controls_commented}
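Review bot: `str(result).lower()` in the `.format(` call lowercases the repr of the entire `result` dict, so a `string` expected value such as `{'string': 'Enabled'}` is rendered as `{'string': 'enabled'}` in the generated zsh check while the actual comparison value `{4}` (`result_value`) keeps its case; if `{3}` is only emitted as a comment this is misleading but harmless, but if it feeds the check logic it changes the outcome of case-sensitive checks. If the goal is only to normalise booleans, that is already done by `result_value = str(result["boolean"]).lower()` in the previous hunk, so drop the `.lower()` here or apply it only when `"boolean" in result`.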
@@ -1103,7 +1432,7 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
" "
"Optional parameters:"
"--check : run the compliance checks without interaction"
- "--fix : run the remediation commands without interation"
+ "--fix : run the remediation commands without interaction"
"--cfc : runs a check, fix, check without interaction"
"--stats : display the statistics from last compliance check"
"--compliant : reports the number of compliant checks"
@@ -1145,7 +1474,7 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
fi
"""
- #write out the compliance script
+ # write out the compliance script
compliance_script_file.write(check_zsh_header)
compliance_script_file.write(check_function_string)
compliance_script_file.write(zsh_check_footer)
@@ -1157,31 +1486,32 @@ def generate_script(baseline_name, audit_name, build_path, baseline_yaml, refere
# make the compliance script executable
os.chmod(compliance_script_file.name, 0o755)
- #fix_script_file.close()
+ # fix_script_file.close()
compliance_script_file.close()
+
def fill_in_odv(resulting_yaml, parent_values):
- fields_to_process = ['title', 'discussion', 'check', 'fix']
+ fields_to_process = ["title", "discussion", "check", "fix"]
_has_odv = False
if "odv" in resulting_yaml:
try:
- if type(resulting_yaml['odv'][parent_values]) == int:
- odv = resulting_yaml['odv'][parent_values]
+ if type(resulting_yaml["odv"][parent_values]) == int:
+ odv = resulting_yaml["odv"][parent_values]
else:
- odv = str(resulting_yaml['odv'][parent_values])
+ odv = str(resulting_yaml["odv"][parent_values])
_has_odv = True
except KeyError:
try:
- if type(resulting_yaml['odv']['custom']) == int:
- odv = resulting_yaml['odv']['custom']
+ if type(resulting_yaml["odv"]["custom"]) == int:
+ odv = resulting_yaml["odv"]["custom"]
else:
- odv = str(resulting_yaml['odv']['custom'])
+ odv = str(resulting_yaml["odv"]["custom"])
_has_odv = True
except KeyError:
- if type(resulting_yaml['odv']['recommended']) == int:
- odv = resulting_yaml['odv']['recommended']
+ if type(resulting_yaml["odv"]["recommended"]) == int:
+ odv = resulting_yaml["odv"]["recommended"]
else:
- odv = str(resulting_yaml['odv']['recommended'])
+ odv = str(resulting_yaml["odv"]["recommended"])
_has_odv = True
else:
pass
@@ -1189,12 +1519,12 @@ def fill_in_odv(resulting_yaml, parent_values):
if _has_odv:
for field in fields_to_process:
if "$ODV" in resulting_yaml[field]:
- resulting_yaml[field]=resulting_yaml[field].replace("$ODV", str(odv))
+ resulting_yaml[field] = resulting_yaml[field].replace("$ODV", str(odv))
- if 'result' in resulting_yaml:
- for result_value in resulting_yaml['result']:
- if "$ODV" in str(resulting_yaml['result'][result_value]):
- resulting_yaml['result'][result_value] = odv
+ if "result" in resulting_yaml.keys():
+ for result_value in resulting_yaml["result"]:
+ if "$ODV" in str(resulting_yaml["result"][result_value]):
+ resulting_yaml["result"][result_value] = odv
if resulting_yaml['mobileconfig_info']:
for mobileconfig_type in resulting_yaml['mobileconfig_info']:
@@ -1208,29 +1538,43 @@ def fill_in_odv(resulting_yaml, parent_values):
else:
resulting_yaml['mobileconfig_info'][mobileconfig_type][mobileconfig_value] = odv
-
-
-
-def get_rule_yaml(rule_file, baseline_yaml, custom=False,):
- """ Takes a rule file, checks for a custom version, and returns the yaml for the rule
- """
+ if "ddm_info" in resulting_yaml.keys():
+ for ddm_type, value in resulting_yaml["ddm_info"].items():
+ if isinstance(value, dict):
+ for _value in value:
+ if "$ODV" in str(value[_value]):
+ resulting_yaml["ddm_info"][ddm_type] = odv
+ if "$ODV" in value:
+ resulting_yaml["ddm_info"][ddm_type] = odv
+
+
+def get_rule_yaml(
+ rule_file,
+ baseline_yaml,
+ custom=False,
+):
+ """Takes a rule file, checks for a custom version, and returns the yaml for the rule"""
global resulting_yaml
resulting_yaml = {}
- names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]
+ names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.y*ml', recursive=True)]
file_name = os.path.basename(rule_file)
-
+
# get parent values
try:
- parent_values = baseline_yaml['parent_values']
+ parent_values = baseline_yaml["parent_values"]
except KeyError:
parent_values = "recommended"
if custom:
print(f"Custom settings found for rule: {rule_file}")
try:
- override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]
+ override_path = glob.glob(
+ "../custom/rules/**/{}".format(file_name), recursive=True
+ )[0]
except IndexError:
- override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0]
+ override_path = glob.glob(
+ "../custom/rules/{}".format(file_name), recursive=True
+ )[0]
with open(override_path) as r:
rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
else:
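Review bot: the new `ddm_info` ODV block in `fill_in_odv` replaces the wrong object: when `value` is a dict and one of its entries contains `$ODV`, `resulting_yaml["ddm_info"][ddm_type] = odv` overwrites the whole dict with the scalar ODV and drops every other key; it should assign to `value[_value]`, ideally with `.replace("$ODV", str(odv))` so surrounding text survives, as the `fields_to_process` loop does. The unconditional `if "$ODV" in value:` that follows runs for every value type: on a dict it tests the keys, and on an int or bool `ddm_value` it raises `TypeError: argument of type 'int' is not iterable`; guard it with `isinstance(value, str)` or make it the `else` of the dict branch. Reassigning into `resulting_yaml["ddm_info"]` while iterating `.items()` only works because existing keys are overwritten; iterating over `list(...)` would make that intent explicit.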
@@ -1238,66 +1582,83 @@ def get_rule_yaml(rule_file, baseline_yaml, custom=False,):
rule_yaml = yaml.load(r, Loader=yaml.SafeLoader)
try:
- og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0]
+ og_rule_path = glob.glob("../rules/**/{}".format(file_name), recursive=True)[0]
except IndexError:
- #assume this is a completely new rule
- og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]
- resulting_yaml['customized'] = ["customized rule"]
+ # assume this is a completely new rule
+ og_rule_path = glob.glob(
+ "../custom/rules/**/{}".format(file_name), recursive=True
+ )[0]
+ resulting_yaml["customized"] = ["customized rule"]
# get original/default rule yaml for comparison
with open(og_rule_path) as og:
og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader)
for yaml_field in og_rule_yaml:
- #print('processing field {} for rule {}'.format(yaml_field, file_name))
+ # print('processing field {} for rule {}'.format(yaml_field, file_name))
if yaml_field == "references":
- if not 'references' in resulting_yaml:
- resulting_yaml['references'] = {}
- for ref in og_rule_yaml['references']:
+ if not "references" in resulting_yaml:
+ resulting_yaml["references"] = {}
+ for ref in og_rule_yaml["references"]:
try:
- if og_rule_yaml['references'][ref] == rule_yaml['references'][ref]:
- resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
+ if og_rule_yaml["references"][ref] == rule_yaml["references"][ref]:
+ resulting_yaml["references"][ref] = og_rule_yaml["references"][
+ ref
+ ]
else:
- resulting_yaml['references'][ref] = rule_yaml['references'][ref]
+ resulting_yaml["references"][ref] = rule_yaml["references"][ref]
except KeyError:
# reference not found in original rule yaml, trying to use reference from custom rule
try:
- resulting_yaml['references'][ref] = rule_yaml['references'][ref]
+ resulting_yaml["references"][ref] = rule_yaml["references"][ref]
except KeyError:
- resulting_yaml['references'][ref] = og_rule_yaml['references'][ref]
+ resulting_yaml["references"][ref] = og_rule_yaml["references"][
+ ref
+ ]
try:
- if "custom" in rule_yaml['references']:
- resulting_yaml['references']['custom'] = rule_yaml['references']['custom']
- if 'customized' in resulting_yaml:
- if 'customized references' not in resulting_yaml['customized']:
- resulting_yaml['customized'].append("customized references")
+ if "custom" in rule_yaml["references"]:
+ resulting_yaml["references"]["custom"] = rule_yaml[
+ "references"
+ ]["custom"]
+ if "customized" in resulting_yaml:
+ if (
+ "customized references"
+ not in resulting_yaml["customized"]
+ ):
+ resulting_yaml["customized"].append(
+ "customized references"
+ )
else:
- resulting_yaml['customized'] = ["customized references"]
+ resulting_yaml["customized"] = ["customized references"]
except:
pass
elif yaml_field == "tags":
# try to concatenate tags from both original yaml and custom yaml
try:
if og_rule_yaml["tags"] == rule_yaml["tags"]:
- #print("using default data in yaml field {}".format("tags"))
- resulting_yaml['tags'] = og_rule_yaml['tags']
+ # print("using default data in yaml field {}".format("tags"))
+ resulting_yaml["tags"] = og_rule_yaml["tags"]
else:
- #print("Found custom tags... concatenating them")
- resulting_yaml['tags'] = og_rule_yaml['tags'] + rule_yaml['tags']
+ # print("Found custom tags... concatenating them")
+ resulting_yaml["tags"] = og_rule_yaml["tags"] + rule_yaml["tags"]
except KeyError:
- resulting_yaml['tags'] = og_rule_yaml['tags']
+ resulting_yaml["tags"] = og_rule_yaml["tags"]
else:
try:
if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]:
- #print("using default data in yaml field {}".format(yaml_field))
+ # print("using default data in yaml field {}".format(yaml_field))
resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
else:
- #print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name))
+ # print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name))
resulting_yaml[yaml_field] = rule_yaml[yaml_field]
- if 'customized' in resulting_yaml:
- resulting_yaml['customized'].append("customized {}".format(yaml_field))
+ if "customized" in resulting_yaml:
+ resulting_yaml["customized"].append(
+ "customized {}".format(yaml_field)
+ )
else:
- resulting_yaml['customized'] = ["customized {}".format(yaml_field)]
+ resulting_yaml["customized"] = [
+ "customized {}".format(yaml_field)
+ ]
except KeyError:
resulting_yaml[yaml_field] = og_rule_yaml[yaml_field]
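Review bot: `if not "references" in resulting_yaml:` should read `if "references" not in resulting_yaml:` (the formatter leaves it, but pyflakes/pycodestyle flag it), and the bare `except: pass` after the `custom` references block swallows every exception, not only the KeyError it presumably targets, so a malformed `references` entry in a custom rule is silently ignored; catch `KeyError` explicitly. The commented-out `# print(...)` debug lines reformatted in this hunk would be better as `logging.debug(...)` calls, matching the logging already used elsewhere in the file.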
@@ -1307,8 +1668,7 @@ def get_rule_yaml(rule_file, baseline_yaml, custom=False,):
def generate_xls(baseline_name, build_path, baseline_yaml):
- """Using the baseline yaml file, create an XLS document containing the YAML fields
- """
+ """Using the baseline yaml file, create an XLS document containing the YAML fields"""
baseline_rules = create_rules(baseline_yaml)
@@ -1319,15 +1679,14 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
# Output files
xls_output_file = f"{build_path}/{baseline_name}.xls"
-
wb = Workbook()
- sheet1 = wb.add_sheet('Sheet 1', cell_overwrite_ok=True)
- topWrap = xlwt.easyxf("align: vert top; alignment: wrap True")
- top = xlwt.easyxf("align: vert top")
- headers = xlwt.easyxf("font: bold on")
+ sheet1 = wb.add_sheet("Sheet 1", cell_overwrite_ok=True)
+ topWrap = easyxf("align: vert top; alignment: wrap True")
+ top = easyxf("align: vert top")
+ headers = easyxf("font: bold on")
counter = 1
- column_counter = 17
+ column_counter = 18
custom_ref_column = {}
sheet1.write(0, 0, "CCE", headers)
sheet1.write(0, 1, "Rule ID", headers)
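Review bot: dropping the `xlwt.` prefix (`easyxf("align: vert top; alignment: wrap True")` and the two calls below it) requires `easyxf` to be imported by name alongside `Workbook`; that import change is not in this hunk, so please confirm it is part of the same commit, otherwise `generate_xls` fails with NameError at the first `easyxf` call. `column_counter = 18` is consistent with the new Severity column at index 18 added further down, since custom reference columns are appended after it.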
@@ -1346,12 +1705,12 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(0, 14, "CIS v8", headers)
sheet1.write(0, 15, "CMMC", headers)
sheet1.write(0, 16, "CCI", headers)
- sheet1.write(0, 17, "Modifed Rule", headers)
+ sheet1.write(0, 17, "Modified Rule", headers)
+ sheet1.write(0, 18, "Severity", headers)
sheet1.set_panes_frozen(True)
sheet1.set_horz_split_pos(1)
sheet1.set_vert_split_pos(2)
-
for rule in baseline_rules:
if rule.rule_id.startswith("supplemental") or rule.rule_id.startswith("srg"):
continue
@@ -1374,7 +1733,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
if "permanent" in rule.rule_tags:
mechanism = "The control is not able to be configure to meet the requirement. It is recommended to implement a third-party solution to meet the control."
if "not_applicable" in rule.rule_tags:
- mechanism = " The control is not applicable when configuring a macOS system."
+ mechanism = (
+ " The control is not applicable when configuring a macOS system."
+ )
sheet1.write(counter, 4, mechanism, top)
sheet1.col(4).width = 256 * 25
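Review bot: the context line `mechanism = "The control is not able to be configure to meet the requirement. ..."` has a typo (`configure` should be `configured`); since this hunk already touches the neighbouring `not_applicable` string, fixing it here is cheap. The leading space in `" The control is not applicable when configuring a macOS system."` also looks unintended and will show up in the XLS cell.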
@@ -1386,9 +1747,13 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.col(6).width = 256 * 25
if rule.rule_mobileconfig:
- sheet1.write(counter, 7, format_mobileconfig_fix(
- rule.rule_mobileconfig_info), topWrap)
- #print(format_mobileconfig_fix(rule.rule_mobileconfig_info))
+ sheet1.write(
+ counter,
+ 7,
+ format_mobileconfig_fix(rule.rule_mobileconfig_info),
+ topWrap,
+ )
+ # print(format_mobileconfig_fix(rule.rule_mobileconfig_info))
# sheet1.write(counter, 7, str(
# configProfile(rule_file)), topWrap)
@@ -1397,22 +1762,20 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.col(7).width = 1000 * 50
- baseline_refs = (
- str(rule.rule_80053r5)).strip('[]\'')
- baseline_refs = baseline_refs.replace(", ", "\n").replace("\'", "")
+ baseline_refs = (str(rule.rule_80053r5)).strip("[]'")
+ baseline_refs = baseline_refs.replace(", ", "\n").replace("'", "")
sheet1.write(counter, 8, baseline_refs, topWrap)
sheet1.col(8).width = 256 * 15
- nist171_refs = (
- str(rule.rule_800171)).strip('[]\'')
- nist171_refs = nist171_refs.replace(", ", "\n").replace("\'", "")
+ nist171_refs = (str(rule.rule_800171)).strip("[]'")
+ nist171_refs = nist171_refs.replace(", ", "\n").replace("'", "")
sheet1.write(counter, 9, nist171_refs, topWrap)
sheet1.col(9).width = 256 * 15
- srg_refs = (str(rule.rule_srg)).strip('[]\'')
- srg_refs = srg_refs.replace(", ", "\n").replace("\'", "")
+ srg_refs = (str(rule.rule_srg)).strip("[]'")
+ srg_refs = srg_refs.replace(", ", "\n").replace("'", "")
sheet1.write(counter, 10, srg_refs, topWrap)
sheet1.col(10).width = 500 * 15
@@ -1430,13 +1793,13 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.col(12).width = 500 * 15
cis = ""
- if rule.rule_cis != ['None']:
+ if rule.rule_cis != ["None"]:
for title, ref in rule.rule_cis.items():
if title.lower() == "benchmark":
sheet1.write(counter, 13, ref, topWrap)
sheet1.col(13).width = 500 * 15
if title.lower() == "controls v8":
- cis = (str(ref).strip('[]\''))
+ cis = str(ref).strip("[]'")
cis = cis.replace(", ", "\n")
sheet1.write(counter, 14, cis, topWrap)
sheet1.col(14).width = 500 * 15
@@ -1447,31 +1810,44 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
sheet1.write(counter, 15, cmmc_refs, topWrap)
sheet1.col(15).width = 500 * 15
- cci = (str(rule.rule_cci)).strip('[]\'')
- cci = cci.replace(", ", "\n").replace("\'", "")
+ cci = (str(rule.rule_cci)).strip("[]'")
+ cci = cci.replace(", ", "\n").replace("'", "")
sheet1.write(counter, 16, cci, topWrap)
sheet1.col(16).width = 400 * 15
- customized = (str(rule.rule_customized)).strip('[]\'')
- customized = customized.replace(", ", "\n").replace("\'", "")
+ customized = (str(rule.rule_customized)).strip("[]'")
+ customized = customized.replace(", ", "\n").replace("'", "")
sheet1.write(counter, 17, customized, topWrap)
sheet1.col(17).width = 400 * 15
- if rule.rule_custom_refs != ['None']:
+ if rule.rule_custom_refs != ["None"]:
for title, ref in rule.rule_custom_refs.items():
if title not in custom_ref_column:
custom_ref_column[title] = column_counter
column_counter = column_counter + 1
sheet1.write(0, custom_ref_column[title], title, headers)
sheet1.col(custom_ref_column[title]).width = 512 * 25
- added_ref = (str(ref)).strip('[]\'')
- added_ref = added_ref.replace(", ", "\n").replace("\'", "")
+ added_ref = (str(ref)).strip("[]'")
+ added_ref = added_ref.replace(", ", "\n").replace("'", "")
sheet1.write(counter, custom_ref_column[title], added_ref, topWrap)
+ # determine severity
+ # uses 'parent_values' from baseline.yaml file to determine which/if any severity to use
+ severity = ""
+ if isinstance(rule.rule_severity, str):
+ severity = f'{rule.rule_severity}'
+ if isinstance(rule.rule_severity, dict):
+ try:
+ severity = f'{rule.rule_severity[baseline_yaml["parent_values"]]}'
+ except KeyError:
+ severity = ""
+
+ sheet1.write(counter, 18, severity, topWrap)
+ sheet1.col(18).width = 400 * 15
- tall_style = xlwt.easyxf('font:height 640;') # 36pt
+ tall_style = easyxf("font:height 640;") # 36pt
sheet1.row(counter).set_style(tall_style)
counter = counter + 1
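Review bot: the new severity block looks up `baseline_yaml["parent_values"]` directly, whereas `get_rule_yaml` treats a missing `parent_values` as `"recommended"` (`except KeyError: parent_values = "recommended"`); here a missing key and a severity dict that lacks the requested level are both caught by the same `except KeyError` and silently produce an empty Severity cell. Resolve `parent_values` once with the same default and use `rule.rule_severity.get(parent_values, "")` so the two code paths agree. `f'{rule.rule_severity}'` is just `str(rule.rule_severity)`, and the single-quoted f-strings are inconsistent with the black-formatted double quotes in the rest of the hunk.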
@@ -1479,9 +1855,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml):
wb.save(xls_output_file)
print(f"Finished building {xls_output_file}")
+
def create_rules(baseline_yaml):
- """Takes a baseline yaml file and parses the rules, returns a list of containing rules
- """
+ """Takes a baseline yaml file and parses the rules, returns a list of containing rules"""
all_rules = []
#expected keys and references
keys = ['mobileconfig',
@@ -1501,50 +1877,53 @@ def create_rules(baseline_yaml):
'cci',
'cce',
'800-53r5',
- '800-171r2',
+ '800-171r3',
'cis',
'cmmc',
'srg',
'sfr',
'custom']
-
- for sections in baseline_yaml['profile']:
- for profile_rule in sections['rules']:
- if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
- rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
- custom=True
- elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
- rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
- custom=False
-
- #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
+ for sections in baseline_yaml["profile"]:
+ for profile_rule in sections["rules"]:
+ if glob.glob(
+ "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True
+ ):
+ rule = glob.glob(
+ "../custom/rules/**/{}.y*ml".format(profile_rule), recursive=True
+ )[0]
+ custom = True
+ elif glob.glob("../rules/*/{}.y*ml".format(profile_rule)):
+ rule = glob.glob("../rules/*/{}.y*ml".format(profile_rule))[0]
+ custom = False
+
+ # for rule in glob.glob('../rules/*/{}.y*ml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.y*ml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, baseline_yaml, custom)
for key in keys:
try:
rule_yaml[key]
except:
- #print("{} key missing ..for {}".format(key, rule))
+ # print("{} key missing ..for {}".format(key, rule))
rule_yaml.update({key: ""})
if key == "references":
for reference in references:
try:
rule_yaml[key][reference]
- #print("FOUND reference {} for key {} for rule {}".format(reference, key, rule))
+ # print("FOUND reference {} for key {} for rule {}".format(reference, key, rule))
except:
- #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule))
+ # print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule))
rule_yaml[key].update({reference: ["None"]})
all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', r'\|'),
rule_yaml['id'].replace('|', r'\|'),
- rule_yaml['severity'].replace('|', r'\|'),
+ rule_yaml['severity'],
rule_yaml['discussion'], #.replace('|', r'\|'),
rule_yaml['check'].replace('|', r'\|'),
rule_yaml['fix'].replace('|', r'\|'),
rule_yaml['references']['cci'],
rule_yaml['references']['cce'],
rule_yaml['references']['800-53r5'],
- rule_yaml['references']['800-171r2'],
+ rule_yaml['references']['800-171r3'],
rule_yaml['references']['disa_stig'],
rule_yaml['references']['srg'],
rule_yaml['references']['sfr'],
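Review bot: when neither the custom glob nor the library glob matches a `profile_rule`, there is no `else` branch, so `rule` and `custom` keep the values from the previous loop iteration (or are unbound on the first one) and the wrong rule file is parsed silently; add an `else` that logs the missing rule and `continue`s. Separately, the reference key is renamed from `'800-171r2'` to `'800-171r3'` here and in the `MacSecurityRule(...)` call, so any rule YAML still carrying `800-171r2` will silently get `["None"]` from the bare `except:` fallback; consider logging that case instead of swallowing it.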
@@ -1561,41 +1940,86 @@ def create_rules(baseline_yaml):
return all_rules
+
def create_args():
- """configure the arguments used in the script, returns the parsed arguements
- """
+ """configure the arguments used in the script, returns the parsed arguements"""
parser = argparse.ArgumentParser(
- description='Given a baseline, create guidance documents and files.')
- parser.add_argument("baseline", default=None,
- help="Baseline YAML file used to create the guide.", type=argparse.FileType('rt'))
- parser.add_argument("-c", "--clean", default=None,
- help=argparse.SUPPRESS, action="store_true")
- parser.add_argument("-d", "--debug", default=None,
- help=argparse.SUPPRESS, action="store_true")
- parser.add_argument("-l", "--logo", default=None,
- help="Full path to logo file to be included in the guide.", action="store")
- parser.add_argument("-p", "--profiles", default=None,
- help="Generate configuration profiles for the rules.", action="store_true")
- parser.add_argument("-r", "--reference", default=None,
- help="Use the reference ID instead of rule ID for identification.")
- parser.add_argument("-s", "--script", default=None,
- help="Generate the compliance script for the rules.", action="store_true")
+ description="Given a baseline, create guidance documents and files."
+ )
+ parser.add_argument(
+ "baseline",
+ default=None,
+ help="Baseline YAML file used to create the guide.",
+ type=argparse.FileType("rt"),
+ )
+ parser.add_argument(
+ "-c", "--clean", default=None, help=argparse.SUPPRESS, action="store_true"
+ )
+ parser.add_argument(
+ "-d", "--debug", default=None, help=argparse.SUPPRESS, action="store_true"
+ )
+ parser.add_argument(
+ "-D",
+ "--ddm",
+ default=None,
+ help="Generate declarative management artifacts for the rules.",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-l",
+ "--logo",
+ default=None,
+ help="Full path to logo file to be included in the guide.",
+ action="store",
+ )
+ parser.add_argument(
+ "-p",
+ "--profiles",
+ default=None,
+ help="Generate configuration profiles for the rules.",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-r",
+ "--reference",
+ default=None,
+ help="Use the reference ID instead of rule ID for identification.",
+ )
+ parser.add_argument(
+ "-s",
+ "--script",
+ default=None,
+ help="Generate the compliance script for the rules.",
+ action="store_true",
+ )
# add gary argument to include tags for XCCDF generation, with a nod to Gary the SCAP guru
- parser.add_argument("-g", "--gary", default=None,
- help=argparse.SUPPRESS, action="store_true")
- parser.add_argument("-x", "--xls", default=None,
- help="Generate the excel (xls) document for the rules.", action="store_true")
- parser.add_argument("-H", "--hash", default=None,
- help="sign the configuration profiles with subject key ID (hash value without spaces)")
- parser.add_argument("-a", "--audit_name", default=None,
- help="name of audit plist and log - defaults to baseline name")
+ parser.add_argument(
+ "-g", "--gary", default=None, help=argparse.SUPPRESS, action="store_true"
+ )
+ parser.add_argument(
+ "-x",
+ "--xls",
+ default=None,
+ help="Generate the excel (xls) document for the rules.",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-H",
+ "--hash",
+ default=None,
+ help="sign the configuration profiles with subject key ID (hash value without spaces)",
+ )
+ parser.add_argument(
+ "-a", "--audit_name",
+ default=None,
+ help="name of audit plist and log - defaults to baseline name",
+ )
return parser.parse_args()
def is_asciidoctor_installed():
- """Checks to see if the ruby gem for asciidoctor is installed
- """
- #cmd = "gem list asciidoctor -i"
+ """Checks to see if the ruby gem for asciidoctor is installed"""
+ # cmd = "gem list asciidoctor -i"
cmd = "which asciidoctor"
process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
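Review bot: the docstring typo "arguements" survives the reformat at the top of `create_args`; while touching it, "returns the parsed arguments" would be correct. Style: the `-a/--audit_name` block keeps two arguments on one line while every other `add_argument` call in this hunk was expanded one-per-line.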
@@ -1605,24 +2029,23 @@ def is_asciidoctor_installed():
def is_asciidoctor_pdf_installed():
- """Checks to see if the ruby gem for asciidoctor-pdf is installed
- """
- #cmd = "gem list asciidoctor-pdf -i"
+ """Checks to see if the ruby gem for asciidoctor-pdf is installed"""
+ # cmd = "gem list asciidoctor-pdf -i"
cmd = "which asciidoctor-pdf"
process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
return output.decode("utf-8").strip()
+
def verify_signing_hash(hash):
- """Attempts to validate the existence of the certificate provided by the hash
- """
+ """Attempts to validate the existence of the certificate provided by the hash"""
with tempfile.NamedTemporaryFile(mode="w") as in_file:
- unsigned_tmp_file_path=in_file.name
+ unsigned_tmp_file_path = in_file.name
in_file.write("temporary file for signing")
cmd = f"security cms -S -Z {hash} -i {unsigned_tmp_file_path}"
- FNULL = open(os.devnull, 'w')
+ FNULL = open(os.devnull, "w")
process = subprocess.Popen(cmd.split(), stdout=FNULL, stderr=FNULL)
output, error = process.communicate()
if process.returncode == 0:
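Review bot: `in_file.write(...)` is never flushed before `security cms` is invoked on `unsigned_tmp_file_path`, so the subprocess may see an empty file; add `in_file.flush()` after the write. The `FNULL = open(os.devnull, "w")` handle is also never closed; `subprocess.DEVNULL` avoids the leak.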
@@ -1630,15 +2053,16 @@ def verify_signing_hash(hash):
else:
return False
+
def sign_config_profile(in_file, out_file, hash):
- """Signs the configuration profile using the identity associated with the provided hash
- """
+ """Signs the configuration profile using the identity associated with the provided hash"""
cmd = f"security cms -S -Z {hash} -i {in_file} -o {out_file}"
process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
print(f"Signed Configuration profile written to {out_file}")
return output.decode("utf-8")
+
def parse_custom_references(reference):
string = "\n"
for item in reference:
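Review bot: `sign_config_profile` prints "Signed Configuration profile written to ..." regardless of `process.returncode`, so a failed signing run looks successful to the caller; check the return code before printing, and note that `cmd.split()` breaks on `in_file`/`out_file` paths containing spaces (pass a list to `Popen` instead).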
@@ -1650,6 +2074,7 @@ def parse_custom_references(reference):
string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
return string
+
def parse_cis_references(reference):
string = "\n"
for item in reference:
@@ -1663,69 +2088,77 @@ def parse_cis_references(reference):
string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
return string
+
# Might have to do something similar to above for cmmc
-def main():
+def main():
args = create_args()
if args.debug:
logging.basicConfig(level=logging.DEBUG)
else:
logging.basicConfig(level=logging.WARNING)
- try:
- output_basename = os.path.basename(args.baseline.name)
- output_filename = os.path.splitext(output_basename)[0]
- baseline_name = os.path.splitext(output_basename)[0]#.capitalize()
- file_dir = os.path.dirname(os.path.abspath(__file__))
- parent_dir = os.path.dirname(file_dir)
+ output_basename = os.path.basename(args.baseline.name)
+ output_filename = os.path.splitext(output_basename)[0]
+ baseline_name = os.path.splitext(output_basename)[0] # .capitalize()
+ file_dir = os.path.dirname(os.path.abspath(__file__))
+ parent_dir = os.path.dirname(file_dir)
- # stash current working directory
- original_working_directory = os.getcwd()
+ # stash current working directory
+ original_working_directory = os.getcwd()
- # switch to the scripts directory
- os.chdir(file_dir)
+ # switch to the scripts directory
+ os.chdir(file_dir)
- audit_name = args.audit_name
+ audit_name = args.audit_name
- if args.logo:
- logo = args.logo
- pdf_logo_path = logo
- else:
- logo = "../../templates/images/mscp_banner.png"
- pdf_logo_path = "../templates/images/mscp_banner.png"
+ if args.logo:
+ logo = args.logo
+ pdf_logo_path = logo
+ else:
+ logo = "../../templates/images/mscp_banner.png"
+ pdf_logo_path = "../templates/images/mscp_banner.png"
- # convert logo to base64 for inline processing
- b64logo = base64.b64encode(open(pdf_logo_path, "rb").read())
-
+ # convert logo to base64 for inline processing
+ b64logo = base64.b64encode(open(pdf_logo_path, "rb").read())
- build_path = os.path.join(parent_dir, 'build', f'{baseline_name}')
- if not (os.path.isdir(build_path)):
+ build_path = os.path.join(parent_dir, "build", f"{baseline_name}")
+ if not (os.path.isdir(build_path)):
+ try:
+ os.makedirs(build_path)
+ except OSError:
+ print(f"Creation of the directory {build_path} failed")
+ else:
+ for filename in os.listdir(build_path):
+ file_path = os.path.join(build_path, filename)
try:
- os.makedirs(build_path)
- except OSError:
- print(f"Creation of the directory {build_path} failed")
- adoc_output_file = open(f"{build_path}/{output_filename}.adoc", 'w')
- print('Profile YAML:', args.baseline.name)
- print('Output path:', adoc_output_file.name)
-
- if args.hash:
- signing = True
- if not verify_signing_hash(args.hash):
- sys.exit('Cannot use the provided hash to sign. Please make sure you provide the subject key ID hash from an installed certificate')
- else:
- signing = False
-
- if args.reference:
- use_custom_reference = True
- log_reference = args.reference
- else:
- log_reference = "default"
- use_custom_reference = False
-
- except IOError as msg:
- parser.error(str(msg))
+ if os.path.isfile(file_path) or os.path.islink(file_path):
+ os.unlink(file_path)
+ elif os.path.isdir(file_path):
+ shutil.rmtree(file_path)
+ except Exception as e:
+ print("Failed to delete %s. Reason: %s" % (file_path, e))
+
+ adoc_output_file = open(f"{build_path}/{output_filename}.adoc", "w")
+ print("Profile YAML:", args.baseline.name)
+ print("Output path:", adoc_output_file.name)
+
+ if args.hash:
+ signing = True
+ if not verify_signing_hash(args.hash):
+ sys.exit(
+ "Cannot use the provided hash to sign. Please make sure you provide the subject key ID hash from an installed certificate"
+ )
+ else:
+ signing = False
+ if args.reference:
+ use_custom_reference = True
+ log_reference = args.reference
+ else:
+ log_reference = "default"
+ use_custom_reference = False
baseline_yaml = yaml.load(args.baseline, Loader=yaml.SafeLoader)
version_file = os.path.join(parent_dir, "VERSION.yaml")
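Review bot: the new `else` branch deletes everything under `build_path` (`os.unlink` / `shutil.rmtree`) on every run, unconditionally; since a `-c/--clean` flag already exists in `create_args`, this wipe should be gated on `args.clean` so a user running with `-p` or `-x` does not lose other artifacts in the build directory. `shutil.rmtree` also needs `import shutil`, which is not visible in these hunks. Dropping the old `try/except IOError` that called the undefined `parser` is fine, but `open(pdf_logo_path, "rb")` is still never closed (use a `with` block).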
@@ -1750,23 +2183,23 @@ def main():
for template in adoc_templates:
# custom template exists
- if template + ".adoc" in glob.glob1('../custom/templates/', '*.adoc'):
+ if template + ".adoc" in glob.glob1("../custom/templates/", "*.adoc"):
print(f"Custom template found for : {template}")
adoc_templates_dict[template] = f"../custom/templates/{template}.adoc"
else:
adoc_templates_dict[template] = f"../templates/{template}.adoc"
# check for custom PDF theme (must have theme in the name and end with .yml)
- pdf_theme="mscp-theme.yml"
- themes = glob.glob('../custom/templates/*theme*.yml')
- if len(themes) > 1 :
- print("Found muliple custom themes in directory, only one can exist, using default")
- elif len(themes) == 1 :
+ pdf_theme = "mscp-theme.yml"
+ themes = glob.glob("../custom/templates/*theme*.yml")
+ if len(themes) > 1:
+ print(
+ "Found multiple custom themes in directory, only one can exist, using default"
+ )
+ elif len(themes) == 1:
print(f"Found custom PDF theme: {themes[0]}")
pdf_theme = themes[0]
-
-
# Setup AsciiDoc templates
with open(adoc_templates_dict['adoc_rule_ios']) as adoc_rule_ios_file:
adoc_rule_ios_template = Template(adoc_rule_ios_file.read())
@@ -1774,83 +2207,85 @@ def main():
with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file:
adoc_rule_template = Template(adoc_rule_file.read())
- with open(adoc_templates_dict['adoc_supplemental']) as adoc_supplemental_file:
+ with open(adoc_templates_dict["adoc_supplemental"]) as adoc_supplemental_file:
adoc_supplemental_template = Template(adoc_supplemental_file.read())
- with open(adoc_templates_dict['adoc_rule_no_setting']) as adoc_rule_no_setting_file:
+ with open(adoc_templates_dict["adoc_rule_no_setting"]) as adoc_rule_no_setting_file:
adoc_rule_no_setting_template = Template(adoc_rule_no_setting_file.read())
- with open(adoc_templates_dict['adoc_rule_custom_refs']) as adoc_rule_custom_refs_file:
+ with open(
+ adoc_templates_dict["adoc_rule_custom_refs"]
+ ) as adoc_rule_custom_refs_file:
adoc_rule_custom_refs_template = Template(adoc_rule_custom_refs_file.read())
- with open(adoc_templates_dict['adoc_section']) as adoc_section_file:
+ with open(adoc_templates_dict["adoc_section"]) as adoc_section_file:
adoc_section_template = Template(adoc_section_file.read())
- with open(adoc_templates_dict['adoc_header']) as adoc_header_file:
+ with open(adoc_templates_dict["adoc_header"]) as adoc_header_file:
adoc_header_template = Template(adoc_header_file.read())
- with open(adoc_templates_dict['adoc_footer']) as adoc_footer_file:
+ with open(adoc_templates_dict["adoc_footer"]) as adoc_footer_file:
adoc_footer_template = Template(adoc_footer_file.read())
- with open(adoc_templates_dict['adoc_foreword']) as adoc_foreword_file:
+ with open(adoc_templates_dict["adoc_foreword"]) as adoc_foreword_file:
adoc_foreword_template = adoc_foreword_file.read() + "\n"
- with open(adoc_templates_dict['adoc_scope']) as adoc_scope_file:
- adoc_scope_template = Template(adoc_scope_file.read() +"\n")
+ with open(adoc_templates_dict["adoc_scope"]) as adoc_scope_file:
+ adoc_scope_template = Template(adoc_scope_file.read() + "\n")
- with open(adoc_templates_dict['adoc_authors']) as adoc_authors_file:
+ with open(adoc_templates_dict["adoc_authors"]) as adoc_authors_file:
adoc_authors_template = Template(adoc_authors_file.read() + "\n")
- with open(adoc_templates_dict['adoc_acronyms']) as adoc_acronyms_file:
+ with open(adoc_templates_dict["adoc_acronyms"]) as adoc_acronyms_file:
adoc_acronyms_template = adoc_acronyms_file.read() + "\n"
- with open(adoc_templates_dict['adoc_additional_docs']) as adoc_additional_docs_file:
+ with open(adoc_templates_dict["adoc_additional_docs"]) as adoc_additional_docs_file:
adoc_additional_docs_template = adoc_additional_docs_file.read() + "\n"
# set tag attribute
- if "STIG" in baseline_yaml['title'].upper():
- adoc_STIG_show=":show_STIG:"
+ if "STIG" in baseline_yaml["title"].upper():
+ adoc_STIG_show = ":show_STIG:"
else:
- adoc_STIG_show=":show_STIG!:"
+ adoc_STIG_show = ":show_STIG!:"
- if "CIS" in baseline_yaml['title'].upper():
- adoc_cis_show=":show_cis:"
+ if "CIS" in baseline_yaml["title"].upper():
+ adoc_cis_show = ":show_cis:"
else:
- adoc_cis_show=":show_cis!:"
+ adoc_cis_show = ":show_cis!:"
- if "CMMC" in baseline_yaml['title'].upper():
- adoc_cmmc_show=":show_CMMC:"
+ if "CMMC" in baseline_yaml["title"].upper():
+ adoc_cmmc_show = ":show_CMMC:"
else:
- adoc_cmmc_show=":show_CMMC!:"
+ adoc_cmmc_show = ":show_CMMC!:"
- if "800" in baseline_yaml['title']:
- adoc_171_show=":show_171:"
+ if "800" in baseline_yaml["title"]:
+ adoc_171_show = ":show_171:"
else:
- adoc_171_show=":show_171!:"
+ adoc_171_show = ":show_171!:"
if args.gary:
- adoc_tag_show=":show_tags:"
- adoc_STIG_show=":show_STIG:"
- adoc_cis_show=":show_cis:"
- adoc_cmmc_show=":show_CMMC:"
- adoc_171_show=":show_171:"
+ adoc_tag_show = ":show_tags:"
+ adoc_STIG_show = ":show_STIG:"
+ adoc_cis_show = ":show_cis:"
+ adoc_cmmc_show = ":show_CMMC:"
+ adoc_171_show = ":show_171:"
else:
- adoc_tag_show=":show_tags!:"
+ adoc_tag_show = ":show_tags!:"
- if "Tailored from" in baseline_yaml['title']:
- s=baseline_yaml['title'].split(':')[1]
- adoc_html_subtitle = s.split('(')[0]
- adoc_html_subtitle2 = s[s.find('(')+1:s.find(')')]
- adoc_document_subtitle2 = f':document-subtitle2: {adoc_html_subtitle2}'
+ if "Tailored from" in baseline_yaml["title"]:
+ s = baseline_yaml["title"].split(":")[1]
+ adoc_html_subtitle = s.split("(")[0]
+ adoc_html_subtitle2 = s[s.find("(") + 1 : s.find(")")]
+ adoc_document_subtitle2 = f":document-subtitle2: {adoc_html_subtitle2}"
else:
- adoc_html_subtitle=baseline_yaml['title'].split(':')[1]
- adoc_document_subtitle2 = ':document-subtitle2:'
-
- # Create header
+ adoc_html_subtitle = baseline_yaml["title"].split(":")[1]
+ adoc_document_subtitle2 = ":document-subtitle2:"
+
+ # Create header
header_adoc = adoc_header_template.substitute(
- description=baseline_yaml['description'],
- html_header_title=baseline_yaml['title'],
- html_title=baseline_yaml['title'].split(':')[0],
+ description=baseline_yaml["description"],
+ html_header_title=baseline_yaml["title"],
+ html_title=baseline_yaml["title"].split(":")[0],
html_subtitle=adoc_html_subtitle,
document_subtitle2=adoc_document_subtitle2,
logo=logo,
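Review bot: `baseline_yaml["title"].split(":")[1]` in both branches raises IndexError on a title without a colon, and `"800" in baseline_yaml["title"]` matches any title containing "800" (e.g. an 800-53 baseline) rather than only 800-171; since these lines are being rewritten anyway, a guarded split and a more specific substring such as `"800-171"` would be cheap hardening.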
@@ -1861,19 +2296,19 @@ def main():
stig_attribute=adoc_STIG_show,
cis_attribute=adoc_cis_show,
cmmc_attribute=adoc_cmmc_show,
- version=version_yaml['version'],
- os_version=version_yaml['os'],
- release_date=version_yaml['date']
+ version=version_yaml["version"],
+ os_version=version_yaml["os"],
+ release_date=version_yaml["date"],
)
# Create scope
scope_adoc = adoc_scope_template.substitute(
- scope_description=baseline_yaml['description']
+ scope_description=baseline_yaml["description"]
)
# Create author
authors_adoc = adoc_authors_template.substitute(
- authors_list=baseline_yaml['authors']
+ authors_list=baseline_yaml["authors"]
)
# Output header
@@ -1886,27 +2321,24 @@ def main():
adoc_output_file.write(adoc_acronyms_template)
adoc_output_file.write(adoc_additional_docs_template)
-
-
# Create sections and rules
for sections in baseline_yaml['profile']:
section_yaml_file = sections['section'].lower() + '.yaml'
#check for custom section
- if section_yaml_file in glob.glob1('../custom/sections/', '*.yaml'):
+ if section_yaml_file in glob.glob1('../custom/sections/', '*.y*ml'):
#print(f"Custom settings found for section: {sections['section']}")
override_section = os.path.join(
f'../custom/sections/{section_yaml_file}')
with open(override_section) as r:
section_yaml = yaml.load(r, Loader=yaml.SafeLoader)
else:
- with open(f'../sections/{section_yaml_file}') as s:
+ with open(f"../sections/{section_yaml_file}") as s:
section_yaml = yaml.load(s, Loader=yaml.SafeLoader)
# Read section info and output it
section_adoc = adoc_section_template.substitute(
- section_name=section_yaml['name'],
- description=section_yaml['description']
+ section_name=section_yaml["name"], description=section_yaml["description"]
)
adoc_output_file.write(section_adoc)
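Review bot: the custom-section glob is widened to `'*.y*ml'`, but `section_yaml_file` is always built with a `.yaml` suffix and is then used both for the `in` check and for the `open()` path, so a custom section saved as `.yml` still never matches; either also try the `.yml` name or glob for the section stem. Style: this hunk mixes `'../custom/sections/'` with `"../sections/..."` quoting.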
@@ -1915,81 +2347,83 @@ def main():
for rule in sections['rules']:
logging.debug(f'processing rule id: {rule}')
- rule_path = glob.glob('../rules/*/{}.yaml'.format(rule))
+ rule_path = glob.glob('../rules/*/{}.y*ml'.format(rule))
if not rule_path:
print(f"Rule file not found in library, checking in custom folder for rule: {rule}")
- rule_path = glob.glob('../custom/rules/**/{}.yaml'.format(rule), recursive=True)
+ rule_path = glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True)
try:
- rule_file = (os.path.basename(rule_path[0]))
+ rule_file = os.path.basename(rule_path[0])
except IndexError:
- logging.debug(f'defined rule {rule} does not have valid yaml file, check that rule ID and filename match.')
+ logging.debug(
+ f"defined rule {rule} does not have valid yaml file, check that rule ID and filename match."
+ )
#check for custom rule
- if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True):
- print(f"Custom settings found for rule: {rule_file}")
+ if glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True):
+ print(f"Custom settings found for rule: {rule}")
#override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0]
- rule_location = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0]
+ rule_location = glob.glob('../custom/rules/**/{}.y*ml'.format(rule), recursive=True)[0]
custom=True
else:
rule_location = rule_path[0]
- custom=False
+ custom = False
rule_yaml = get_rule_yaml(rule_location, baseline_yaml, custom)
# Determine if the references exist and set accordingly
try:
- rule_yaml['references']['cci']
+ rule_yaml["references"]["cci"]
except KeyError:
- cci = 'N/A'
+ cci = "N/A"
else:
- cci = ulify(rule_yaml['references']['cci'])
+ cci = ulify(rule_yaml["references"]["cci"])
try:
- rule_yaml['references']['cce']
+ rule_yaml["references"]["cce"]
except KeyError:
- cce = '- N/A'
+ cce = "- N/A"
else:
- cce = ulify(rule_yaml['references']['cce'])
+ cce = ulify(rule_yaml["references"]["cce"])
try:
- rule_yaml['references']['800-53r5']
+ rule_yaml["references"]["800-53r5"]
except KeyError:
- nist_80053r5 = 'N/A'
+ nist_80053r5 = "N/A"
else:
- nist_80053r5 = rule_yaml['references']['800-53r5']
+ nist_80053r5 = rule_yaml["references"]["800-53r5"]
try:
- rule_yaml['references']['800-171r2']
+ rule_yaml["references"]["800-171r3"]
except KeyError:
- nist_800171 = '- N/A'
+ nist_800171 = "- N/A"
else:
- nist_800171 = ulify(rule_yaml['references']['800-171r2'])
+ nist_800171 = ulify(rule_yaml["references"]["800-171r3"])
try:
- rule_yaml['references']['disa_stig']
+ rule_yaml["references"]["disa_stig"]
except KeyError:
- disa_stig = '- N/A'
+ disa_stig = "- N/A"
else:
- disa_stig = ulify(rule_yaml['references']['disa_stig'])
+ disa_stig = ulify(rule_yaml["references"]["disa_stig"])
try:
- rule_yaml['references']['cis']
+ rule_yaml["references"]["cis"]
except KeyError:
cis = ""
else:
- cis = parse_cis_references(rule_yaml['references']['cis'])
+ cis = parse_cis_references(rule_yaml["references"]["cis"])
try:
- rule_yaml['references']['cmmc']
+ rule_yaml["references"]["cmmc"]
except KeyError:
cmmc = ""
else:
- cmmc = ulify(rule_yaml['references']['cmmc'])
+ cmmc = ulify(rule_yaml["references"]["cmmc"])
try:
- rule_yaml['references']['srg']
+ rule_yaml["references"]["srg"]
except KeyError:
- srg = '- N/A'
+ srg = "- N/A"
else:
srg = ulify(rule_yaml['references']['srg'])
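Review bot: when a rule file is found in neither location, the `except IndexError` only logs at debug level and execution continues to `rule_location = rule_path[0]`, which raises an uncaught IndexError; the handler should `continue` (or abort with a clear message). `rule_file` is now computed but no longer used by the custom check, which was switched to `rule` with `.y*ml`; drop it if nothing later consumes it. As in `create_rules`, rules still keyed `800-171r2` silently become `"- N/A"` here.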
@@ -2001,61 +2435,72 @@ def main():
sfr = ulify(rule_yaml['references']['sfr'])
try:
- rule_yaml['references']['custom']
+ rule_yaml["references"]["custom"]
except KeyError:
- custom_refs = ''
+ custom_refs = ""
else:
- custom_refs = parse_custom_references(rule_yaml['references']['custom'])
+ custom_refs = parse_custom_references(rule_yaml["references"]["custom"])
try:
- rule_yaml['fix']
+ rule_yaml["fix"]
except KeyError:
rulefix = "No fix Found"
else:
rulefix = rule_yaml['fix'] # .replace('|', r'\|')
try:
- rule_yaml['tags']
+ rule_yaml["tags"]
except KeyError:
- tags = 'none'
+ tags = "none"
else:
- tags = ulify(rule_yaml['tags'])
+ tags = ulify(rule_yaml["tags"])
try:
- result = rule_yaml['result']
+ result = rule_yaml["result"]
except KeyError:
- result = 'N/A'
+ result = "N/A"
if "integer" in result:
- result_value = result['integer']
+ result_value = result["integer"]
result_type = "integer"
elif "boolean" in result:
- result_value = result['boolean']
+ result_value = result["boolean"]
result_type = "boolean"
elif "string" in result:
- result_value = result['string']
+ result_value = result["string"]
result_type = "string"
elif "base64" in result:
result_value = result["base64"]
else:
- result_value = 'N/A'
+ result_value = "N/A"
+
+ # determine severity, if severity is determined, build asciidoc table row for references
+ # uses 'parent_values' from baseline.yaml file to determine which/if any severity to use
+ severity = ""
+ if "severity" in rule_yaml.keys():
+ if isinstance(rule_yaml["severity"], dict):
+ try:
+ severity = f'|Severity\n|{rule_yaml["severity"][baseline_yaml["parent_values"]]}'
+ print(severity)
+ except KeyError:
+ severity = ""
# determine if configprofile
try:
- rule_yaml['mobileconfig']
+ rule_yaml["mobileconfig"]
except KeyError:
pass
else:
- if rule_yaml['mobileconfig']:
- rulefix = format_mobileconfig_fix(
- rule_yaml['mobileconfig_info'])
+ if rule_yaml["mobileconfig"]:
+ rulefix = format_mobileconfig_fix(rule_yaml["mobileconfig_info"])
# process nist controls for grouping
if not nist_80053r5 == "N/A":
nist_80053r5.sort()
- res = [list(i) for j, i in groupby(
- nist_80053r5, lambda a: a.split('(')[0])]
- nist_controls = ''
+ res = [
+ list(i) for j, i in groupby(nist_80053r5, lambda a: a.split("(")[0])
+ ]
+ nist_controls = ""
for i in res:
nist_controls += group_ulify(i)
else:
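Review bot: `print(severity)` inside the severity block is a leftover debug print that will emit a table fragment to stdout for every rule; use `logging.debug`. This block also only builds the severity row when `rule_yaml["severity"]` is a dict, whereas `generate_xls` also accepts a plain string severity; the two should agree, and a KeyError on `baseline_yaml["parent_values"]` is currently folded into the same silent `""` fallback.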
@@ -2090,9 +2535,10 @@ def main():
rule_tags=tags,
rule_srg=srg,
rule_sfr=sfr,
- rule_result=result_value
+ rule_result=result_value,
+ severity=severity
)
- elif ('permanent' in tags) or ('inherent' in tags) or ('n_a' in tags):
+ elif ("permanent" in tags) or ("inherent" in tags) or ("n_a" in tags):
rule_adoc = adoc_rule_no_setting_template.substitute(
rule_title=rule_yaml['title'].replace('|', r'\|'),
rule_id=rule_yaml['id'].replace('|', r'\|'),
@@ -2106,10 +2552,11 @@ def main():
rule_cmmc=cmmc,
rule_cce=cce,
rule_tags=tags,
- rule_srg=srg
+ rule_srg=srg,
)
else:
- if version_yaml['platform'] == "iOS/iPadOS":
+ #using the same rule template for ios/ipados/visionos
+ if version_yaml['platform'] == "iOS/iPadOS" or version_yaml['platform'] == "visionOS":
rule_adoc = adoc_rule_ios_template.substitute(
rule_title=rule_yaml['title'].replace('|', r'\|'),
rule_id=rule_yaml['id'].replace('|', r'\|'),
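Review bot: style only: `version_yaml['platform'] in ("iOS/iPadOS", "visionOS")` reads better than the chained `or`, and the new comment should be `# using` with a space to match the rest of the file.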
@@ -2126,7 +2573,8 @@ def main():
rule_tags=tags,
rule_srg=srg,
rule_sfr=sfr,
- rule_result=result_value
+ rule_result=result_value,
+ severity=severity
)
else:
rule_adoc = adoc_rule_template.substitute(
@@ -2145,14 +2593,14 @@ def main():
rule_tags=tags,
rule_srg=srg,
rule_sfr=sfr,
- rule_result=result_value
+ rule_result=result_value,
+ severity=severity
)
adoc_output_file.write(rule_adoc)
# Create footer
- footer_adoc = adoc_footer_template.substitute(
- )
+ footer_adoc = adoc_footer_template.substitute()
# Output footer
adoc_output_file.write(footer_adoc)
@@ -2165,7 +2613,13 @@ def main():
if args.profiles:
print("Generating configuration profiles...")
- generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash)
+ generate_profiles(
+ baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash
+ )
+
+ if args.ddm:
+ print("Generating declarative components...")
+ generate_ddm(baseline_name, build_path, parent_dir, baseline_yaml)
if args.script:
print("Generating compliance script...")
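Review bot: `generate_ddm` is called here but is not defined or imported in any visible hunk; please confirm it exists with the signature `(baseline_name, build_path, parent_dir, baseline_yaml)`, and consider whether the `--ddm` output should honour `signing`/`args.hash` the way `generate_profiles` does.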
@@ -2173,49 +2627,64 @@ def main():
default_audit_plist(baseline_name, build_path, baseline_yaml)
if args.xls:
- print('Generating excel document...')
+ print("Generating excel document...")
generate_xls(baseline_name, build_path, baseline_yaml)
asciidoctor_path = is_asciidoctor_installed()
if asciidoctor_path != "":
- print('Generating HTML file from AsciiDoc...')
- cmd = f"{asciidoctor_path} \'{adoc_output_file.name}\'"
+ print("Generating HTML file from AsciiDoc...")
+ cmd = f"{asciidoctor_path} '{adoc_output_file.name}'"
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
- elif os.path.exists('../bin/asciidoctor'):
- print('Generating HTML file from AsciiDoc...')
- cmd = f"'../bin/asciidoctor' \'{adoc_output_file.name}\'"
+ elif os.path.exists("../bin/asciidoctor"):
+ print("Generating HTML file from AsciiDoc...")
+ cmd = f"'../bin/asciidoctor' '{adoc_output_file.name}'"
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
- elif not os.path.exists('../bin/asciidoctor'):
- print('Installing gem requirements - asciidoctor, asciidoctor-pdf, and rouge...')
- cmd = ['/usr/bin/bundle', 'install', '--gemfile', '../Gemfile', '--binstubs', '--path', 'mscp_gems']
+ elif not os.path.exists("../bin/asciidoctor"):
+ print(
+ "Installing gem requirements - asciidoctor, asciidoctor-pdf, and rouge..."
+ )
+ cmd = [
+ "/usr/bin/bundle",
+ "install",
+ "--gemfile",
+ "../Gemfile",
+ "--binstubs",
+ "--path",
+ "mscp_gems",
+ ]
subprocess.run(cmd)
- print('Generating HTML file from AsciiDoc...')
- cmd = f"'../bin/asciidoctor' \'{adoc_output_file.name}\'"
+ print("Generating HTML file from AsciiDoc...")
+ cmd = f"'../bin/asciidoctor' '{adoc_output_file.name}'"
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
else:
- print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor")
+ print(
+ "If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor"
+ )
# Don't create PDF if we are generating SCAP
if not args.gary:
asciidoctorPDF_path = is_asciidoctor_pdf_installed()
if asciidoctorPDF_path != "":
- print('Generating PDF file from AsciiDoc...')
- cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'"
+ print("Generating PDF file from AsciiDoc...")
+ cmd = f"{asciidoctorPDF_path} '{adoc_output_file.name}'"
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
- elif os.path.exists('../bin/asciidoctor-pdf'):
- print('Generating PDF file from AsciiDoc...')
- cmd = f"'../bin/asciidoctor-pdf' \'{adoc_output_file.name}\'"
+ elif os.path.exists("../bin/asciidoctor-pdf"):
+ print("Generating PDF file from AsciiDoc...")
+ cmd = f"'../bin/asciidoctor-pdf' '{adoc_output_file.name}'"
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
process.communicate()
else:
- print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf")
+ print(
+ "If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf"
+ )
# finally revert back to the prior directory
os.chdir(original_working_directory)
+
if __name__ == "__main__":
main()
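Review bot: every asciidoctor invocation still interpolates `adoc_output_file.name` into a `shell=True` command string; the name derives from the user-supplied baseline path, so a path containing a single quote breaks the quoting. Passing `[asciidoctor_path, adoc_output_file.name]` without `shell=True` removes the issue. Also, `elif not os.path.exists("../bin/asciidoctor")` is the complement of the preceding `elif`, so the final `else` (the "install the ruby gem" hint) is unreachable, and `subprocess.run(cmd)` for the bundle install lacks `check=True`, so a failed install falls through to running a binstub that does not exist.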
diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py
index b3f49f20b..938bb6aa2 100755
--- a/scripts/generate_mapping.py
+++ b/scripts/generate_mapping.py
@@ -438,6 +438,15 @@ def dir_path(string):
full_baseline = full_baseline + '''
- {}'''.format(rule)
+ if len(os_section) != 0 and version_yaml['platform'] == "visionOS":
+ full_baseline = full_baseline + '''
+ - section: "visionOS"
+ rules:'''
+ os_section.sort()
+ for rule in os_section:
+ full_baseline = full_baseline + '''
+ - {}'''.format(rule)
+
if len(os_section) != 0 and version_yaml['platform'] == "macOS":
full_baseline = full_baseline + '''
- section: "macOS"
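Review bot: the visionOS block is a verbatim copy of the macOS block below it with only the section name changed; a small helper taking the platform name would keep the three (iOS, visionOS, macOS) paths in sync.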
diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py
index 1dbfc802b..9baa0cde9 100755
--- a/scripts/generate_scap.py
+++ b/scripts/generate_scap.py
@@ -120,13 +120,18 @@ def generate_scap(all_rules, all_baselines, args):
if "ios" in version_yaml['cpe']:
print("OVAL generation is not available on iOS")
exit()
-
+ if "visionOS" in version_yaml['cpe']:
+ print("OVAL generation is not available on visionOS")
+ exit()
if args.oval == None and args.xccdf == None:
export_as = "scap"
if "ios" in version_yaml['cpe']:
print("iOS will only export as XCCDF")
export_as = "xccdf"
+ if "visionos" in version_yaml['cpe']:
+ print("visionOS will only export as XCCDF")
+ export_as = "xccdf"
now = datetime.now()
date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S")
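Review bot: the two new checks disagree on case: `if "visionOS" in version_yaml['cpe']:` at the top of the hunk versus `if "visionos" in version_yaml['cpe']:` a few lines below. The existing `"ios"` test and the second new check are lowercase, so if the CPE string is lowercase (as CPE names normally are) the first branch never matches, the "OVAL generation is not available on visionOS" exit is never taken, and OVAL generation proceeds for visionOS. Use one lowercase comparison in both places, or lower-case the CPE once before the checks.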
@@ -135,7 +140,8 @@ def generate_scap(all_rules, all_baselines, args):
output = "../build/macOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion)
if "ios" in version_yaml['cpe']:
output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion)
-
+ if "visionos" in version_yaml['cpe']:
+ output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}".format(version_yaml['os'],filenameversion)
if export_as == "xccdf":
output = output + "_xccdf.xml"
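Review bot: the visionOS output path is labelled as iOS: under `if "visionos" in version_yaml['cpe']:` the assignment is `output = "../build/iOS_{0}_Security_Compliance_Benchmark-{1}"...`, identical to the iOS line two lines above. This looks like a copy-and-paste miss; it should presumably be `visionOS_{0}_...` so a visionOS benchmark with the same version string does not overwrite, or get mistaken for, the iOS one in `../build`.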
@@ -167,8 +173,11 @@ def generate_scap(all_rules, all_baselines, args):
'''.format(date_time_string)
ostype = "macOS"
- if "ios" in version_yaml['cpe']:
+ if "ios" in version_yaml['cpe'] or "visionos" in version_yaml['cpe']:
ostype = "iOS/iPadOS"
+ if "visionos" in version_yaml['cpe']:
+ ostype = "visionOS"
+
xccdfPrefix = '''
draft
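Review bot: adding `or "visionos" in version_yaml['cpe']` to the first condition is redundant, because the `if "visionos" in version_yaml['cpe']:` immediately after it overrides `ostype` to `"visionOS"` in exactly that case. Either drop the `or` clause, or turn the pair into an `if`/`elif` so the iOS/iPadOS versus visionOS decision reads in one place.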
@@ -356,12 +365,19 @@ def generate_scap(all_rules, all_baselines, args):
result = ""
severity = str()
- if "severity" in rule_yaml:
- severity = rule_yaml['severity']
+ if severity in rule_yaml:
+ if isinstance(rule_yaml["severity"], str):
+ severity = f'{rule_yaml["severity"]}'
+ if isinstance(rule_yaml["severity"], dict):
+ try:
+ severity = f'{rule_yaml["severity"][args.baseline]}'
+ except KeyError:
+ severity = "unknown"
else:
severity = "unknown"
+
check_rule = str()
- if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permenant" in rule_yaml['tags']:
+ if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']:
check_rule = '''
'''
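Review bot: `if severity in rule_yaml:` tests the variable, not the key. `severity` was initialised to `str()` two lines above, so this evaluates `"" in rule_yaml`, which is false for any rule dict without an empty-string key; every rule therefore takes the `else` branch, `severity` is always `"unknown"`, and the new str/dict handling is dead code. It should read `if "severity" in rule_yaml:` as in the removed line. Two smaller points in the same hunk: a severity value that is neither `str` nor `dict` leaves `severity` as the empty string rather than `"unknown"`, and correcting `"permenant"` to `"permanent"` changes which tag is matched, so rule files still carrying the misspelled tag silently lose their no-check treatment unless they are renamed in the same change.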
@@ -381,9 +397,9 @@ def generate_scap(all_rules, all_baselines, args):
for nist80053 in rule_yaml['references']['800-53r4']:
references = references + nist80053 + ", "
references = references[:-2] + ""
- if "800-171r2" in rule_yaml['references'] and rule_yaml['references']['800-171r2'][0] != "N/A":
- references = references + "NIST SP 800-171r2: "
- for nist800171 in rule_yaml['references']['800-171r2']:
+ if "800-171r3" in rule_yaml['references'] and rule_yaml['references']['800-171r3'][0] != "N/A":
+ references = references + "NIST SP 800-171r3: "
+ for nist800171 in rule_yaml['references']['800-171r3']:
references = references + nist800171 + ", "
references = references[:-2] + ""
if "disa_stig" in rule_yaml['references'] and rule_yaml['references']['disa_stig'][0] != "N/A":
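Review bot: replacing the `800-171r2` key with `800-171r3` removes r2 handling rather than adding r3 beside it, so any rule file whose references still use the `800-171r2` key silently loses its NIST SP 800-171 entry in the generated references (no message is printed for the old key). If the rule YAML is migrated in the same change this is fine; otherwise keep the r2 branch, or at least print a notice when the old key is encountered so the gap is visible in the build output.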
@@ -1119,7 +1135,11 @@ def generate_scap(all_rules, all_baselines, args):
xccdf_rules = replace_ocil(xccdf_rules,x)
x += 1
continue
-
+ if "xprotect status" in rule_yaml['check']:
+ print(rule_yaml['id'] + " - No relevant oval test")
+ xccdf_rules = replace_ocil(xccdf_rules,x)
+ x += 1
+ continue
if "SPStorageDataType" in rule_yaml['check']:
print(rule_yaml['id'] + " - No relevant oval test")
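Review bot: this adds another copy of the same five-line "No relevant oval test" block, differing only in the substring matched against `rule_yaml['check']` (`"xprotect status"` here, `"SPStorageDataType"` immediately below). A tuple of markers checked with a single `if any(m in rule_yaml['check'] for m in markers):` would keep the list of checks that have no OVAL equivalent in one place and stop the `replace_ocil` / `x += 1` / `continue` bookkeeping from being repeated per marker.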
@@ -3621,7 +3641,7 @@ def collect_rules():
all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'),
rule_yaml['id'].replace('|', '\|'),
- rule_yaml['severity'].replace('|', '\|'),
+ rule_yaml['severity'],
rule_yaml['discussion'].replace('|', '\|'),
rule_yaml['check'].replace('|', '\|'),
rule_yaml['fix'].replace('|', '\|'),
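Review bot: dropping `.replace('|', '\|')` from `rule_yaml['severity']` is needed now that severity may be a dict, but a string severity containing `|` is now passed into the AsciiDoc table unescaped, unlike the neighbouring `title`, `id`, `discussion`, `check` and `fix` fields. Escape the string case here, or escape at the point where the per-baseline value is resolved from the dict. Separately, the `'\|'` literals on the surrounding lines are invalid escape sequences in Python (a `SyntaxWarning` from 3.12 onward); raw strings (`r'\|'`) would be cleaner.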
diff --git a/templates/adoc_additional_docs.adoc b/templates/adoc_additional_docs.adoc
index 65a39b99a..578c7be67 100644
--- a/templates/adoc_additional_docs.adoc
+++ b/templates/adoc_additional_docs.adoc
@@ -18,9 +18,9 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
-|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5_
+|link:https://nvd.nist.gov/800-53[NIST Special Publication 800-53 Rev 5]|_NIST Special Publication 800-53 Rev 5.1.1_
|link:https://www.nist.gov/itl/tig/projects/special-publication-800-63[NIST Special Publication 800-63]|_NIST Special Publication 800-63_
-|link:https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 2_
+|link:https://csrc.nist.gov/pubs/sp/800/171/r3/final[NIST Special Publication 800-171]|_NIST Special Publication 800-171 Rev 3_
|link:https://csrc.nist.gov/pubs/sp/800/219/r1/final[NIST Special Publication 800-219]|_NIST Special Publication 800-219 Rev 1_
|===
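Review bot: the 800-53 row is now internally inconsistent: the link text still reads `NIST Special Publication 800-53 Rev 5` and the URL `https://nvd.nist.gov/800-53` is unchanged, while the title cell is bumped to `Rev 5.1.1`. Either update the link text to match the title or leave both at Rev 5. The 800-171 row in the same hunk updates URL and title together, which is the pattern to follow.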
@@ -64,5 +64,5 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
-|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 14.0]|_CIS Apple macOS 14.0 Benchmark version 1.0.0_
+|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 14.0]|_CIS Apple macOS 14.0 Benchmark version 1.1.0_
|===
\ No newline at end of file
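Review bot: the file still ends without a trailing newline (`\ No newline at end of file`). Since the last line is being touched anyway, add the newline so the next edit to this template does not show a spurious change on the same line.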
diff --git a/templates/adoc_rule.adoc b/templates/adoc_rule.adoc
index 660cc1cbc..3123770b9 100644
--- a/templates/adoc_rule.adoc
+++ b/templates/adoc_rule.adoc
@@ -22,7 +22,9 @@ $rule_fix
|===
|ID
-|$rule_id
+|$rule_id
+
+$severity
|References
|
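Review bot: `$severity` is inserted as a bare line after `|$rule_id` with no `|` cell delimiter, so inside the AsciiDoc table it is rendered as a continuation of the ID cell rather than as its own labelled row, and whatever `$severity` expands to has to carry its own cell markup. If a separate row is intended, follow the `|References` row below (`|Severity` / `|$severity`); if `$severity` is meant to be a preformatted table fragment, a comment in the template should say so. The `-|$rule_id` / `+|$rule_id` pair appears identical and is probably a trailing-whitespace change that can be dropped from the diff.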
@@ -36,7 +38,7 @@ $rule_fix
!$rule_80053r5
ifdef::show_171[]
-!800-171r2
+!800-171r3
!$rule_800171
endif::[]
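Review bot: the revision is hard-coded in the label (`!800-171r3`) while the value variable `$rule_800171` carries no revision, and the same label edit is repeated across adoc_rule, adoc_rule_custom_refs, adoc_rule_ios and adoc_rule_no_setting in this diff. A single substitution variable for the revision, set by the generator alongside `$rule_800171`, would make the next revision bump one change instead of four and keep the label from drifting from the `800-171r3` key used in `generate_scap.py`.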
diff --git a/templates/adoc_rule_custom_refs.adoc b/templates/adoc_rule_custom_refs.adoc
index 5a8b45824..0a5edd67f 100644
--- a/templates/adoc_rule_custom_refs.adoc
+++ b/templates/adoc_rule_custom_refs.adoc
@@ -36,7 +36,7 @@ $rule_fix
!$rule_80053r5
ifdef::show_171[]
-!800-171r2
+!800-171r3
!$rule_800171
endif::[]
diff --git a/templates/adoc_rule_ios.adoc b/templates/adoc_rule_ios.adoc
index 211a29e31..a3291354c 100644
--- a/templates/adoc_rule_ios.adoc
+++ b/templates/adoc_rule_ios.adoc
@@ -18,6 +18,8 @@ $rule_fix
|ID
|$rule_id
+$severity
+
|References
|
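Review bot: `$severity` placement here differs from `adoc_rule.adoc` in the same diff: there a blank line precedes it, here it directly follows `|$rule_id` and a blank line follows it. Within an AsciiDoc table the blank line is harmless, but the inconsistency suggests one of the two layouts is unintended; pick one for both templates. As in the macOS template, without a leading `|` the value is appended to the ID cell rather than rendered as its own row.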
@@ -30,7 +32,7 @@ $rule_fix
!$rule_80053r5
ifdef::show_171[]
-!800-171r2
+!800-171r3
!$rule_800171
endif::[]
diff --git a/templates/adoc_rule_no_setting.adoc b/templates/adoc_rule_no_setting.adoc
index 5505b2cdd..921356b96 100644
--- a/templates/adoc_rule_no_setting.adoc
+++ b/templates/adoc_rule_no_setting.adoc
@@ -22,7 +22,7 @@ $rule_check
!$rule_80053r5
ifdef::show_171[]
-!800-171r2
+!800-171r3
!$rule_800171
endif::[]