Sequoia Release 1.1 #457

Merged
merged 77 commits into from
Dec 16, 2024
970d9c3
refactor[rules] STIG IDs
robertgendler Jul 25, 2024
2de903b
refactor[rules]ccis added
robertgendler Aug 7, 2024
8f10bab
refactor[rules] SRGs added
robertgendler Aug 7, 2024
675824d
refactor[rule] pwpolicy_custom_regex_enforce
robertgendler Aug 8, 2024
dc12a59
refactor[rules] Added, Removed, Updated rules
robertgendler Aug 14, 2024
e6aa74d
refactor[rules] Removed from STIG
robertgendler Aug 15, 2024
b1828f6
refactor[rules]Added new STIG IDs
robertgendler Aug 16, 2024
e304030
Added new rule file
robertgendler Sep 5, 2024
3380ed1
Add APPL-15-002023
robertgendler Sep 5, 2024
58d26f3
added APPL-15-002024
robertgendler Sep 10, 2024
a971615
fix[rules] removed tags for rules removed
golbiga Sep 17, 2024
eecf9b3
added os_time_server_enable back to cis
golbiga Sep 17, 2024
5273845
Update Gitignore
Sep 18, 2024
ecb5de4
Updating CIS benchmark and tags in missed rules.
Sep 18, 2024
15a6eec
refactor[rules]ssh fips and sshd fips
robertgendler Sep 19, 2024
a668067
refactor[rules]ssh and sshd fips
robertgendler Sep 19, 2024
a301504
Fixed ODV regression for CIS
robertgendler Sep 20, 2024
19e27c5
added missing path to grep
robertgendler Sep 20, 2024
259efff
removed [ ]
robertgendler Sep 20, 2024
5441520
Fix to not print, and fix multiple entries in .ssh/config
robertgendler Sep 20, 2024
8210cc6
added dev null redirection, prevention of double entries
robertgendler Sep 20, 2024
78cf7d4
Fixed bin to dev and case insensitive sed
robertgendler Sep 20, 2024
1315f06
800-171 Rev 2 to Rev 3
robertgendler Sep 23, 2024
b32a6bf
Updated media sharing key
robertgendler Sep 23, 2024
ea925dc
sync sequoia to dev_sequoia_stig
robertgendler Sep 23, 2024
c779a35
Updated STIG ID
robertgendler Sep 23, 2024
c4cdf50
merge from sequoia
robertgendler Sep 23, 2024
5e3365d
refactor[rules] ssh fixes
robertgendler Sep 23, 2024
22bacbc
slightly simpler fix. removed unneeded loop
robertgendler Sep 23, 2024
b0a9a25
slightly simpler fix. removed unneeded loop
robertgendler Sep 23, 2024
daf813b
Adjusting CIS numbering.
Sep 26, 2024
fb097c9
fix[rule] fixed path
golbiga Sep 27, 2024
1ae429c
fix[rule] fixed path on line 63
golbiga Sep 27, 2024
86709c3
Merge branch 'dev_sequoia_ssh_fips' into dev_sequoia_stig
robertgendler Oct 1, 2024
cb8447e
Merge branch 'sequoia' into dev_sequoia_stig
robertgendler Oct 1, 2024
0bcc9d7
fix[rule] added reference
golbiga Oct 15, 2024
84a063b
refactor[rules] Added, Modified and deleted rules
robertgendler Oct 18, 2024
9a1b289
renamed .yml to .yaml
robertgendler Oct 18, 2024
bba7b09
Merge branch 'dev_sequoia_stig' into sequoia
robertgendler Oct 24, 2024
8608f13
merge and updates
robertgendler Oct 24, 2024
0f533e9
changes for upcoming cis release
golbiga Oct 24, 2024
4e89c26
refactor - DISA STIG
robertgendler Oct 24, 2024
a630005
added os_sleep_and_display_sleep_apple_silicon_enable to all_rules
golbiga Oct 24, 2024
2b552f9
refactor[rules] CNSSI tags added
robertgendler Oct 24, 2024
64520d0
Merge branch 'sequoia' into dev_sequoia
robertgendler Oct 24, 2024
307c3b0
refactor[baselines] Updated baseline files
robertgendler Oct 24, 2024
2170874
updated baseline files
robertgendler Oct 24, 2024
cdd64fb
[fix]system_settings_sleep_enforce sleep/displaysleep swap
Oct 30, 2024
8f8e27f
updated title
golbiga Oct 30, 2024
ac50ebe
fix[rule] remove cis tags and reference
golbiga Oct 30, 2024
f837a8f
Adding arm64 tag to os_sleep_and_display_sleep_apple_silicon_enable
Nov 1, 2024
cc53fbe
Fixing Sleep/displaysleep numbers based on CIS changes.
Nov 5, 2024
5866cf8
Fixing os_sleep_and_display_sleep_apple_silicon_enable
Nov 5, 2024
457f030
Removing DRAFT status from CIS
Nov 7, 2024
bcd2a63
[fix]rule world writable library folder
golbiga Nov 11, 2024
aa061a1
Merge branch 'dev_sequoia' into sequoia
robertgendler Nov 13, 2024
dbd6480
refactor[rules] Added missing CCEs
robertgendler Nov 13, 2024
2020e6b
fix[rule] updated odv hint
golbiga Nov 18, 2024
e081212
Update system_settings_improve_assistive_voice_disable
robertgendler Nov 25, 2024
e99c62b
refactor[rules]pwpolicy updates
robertgendler Nov 25, 2024
2c50e63
refactor[rules] Added external intelligence rules
robertgendler Nov 25, 2024
52ffec3
Issue #450
robertgendler Nov 25, 2024
45a41e2
updated pwpolicy
robertgendler Dec 4, 2024
be15f9d
Merge branch 'dev_sequoia' into sequoia
robertgendler Dec 10, 2024
24bc696
Added CCEs
robertgendler Dec 10, 2024
4028a73
Removed double stig tag
robertgendler Dec 10, 2024
a186415
updated baseline files
robertgendler Dec 10, 2024
6869bfa
updated changelog
golbiga Dec 10, 2024
a908b9a
removed rules/system_settings/system_settings_cd_dvd_sharing_disable.…
robertgendler Dec 10, 2024
6cf5853
updated changelog
golbiga Dec 10, 2024
43ea6d0
update[supplemental]: added 800-63 guidance
Dec 10, 2024
a4ccbdc
refactor[rule] pwpolicy_special_character_enforce
robertgendler Dec 11, 2024
e78635f
refactor[rules] ssh rules discussion update
robertgendler Dec 11, 2024
d963ced
updated release date and version
robertgendler Dec 12, 2024
cda05fb
Added uniq to prevent false negatives
robertgendler Dec 12, 2024
1e894b9
updated authors
robertgendler Dec 12, 2024
9c5fa02
updated release date
robertgendler Dec 16, 2024
refactor[rules] Added, Removed, Updated rules
- os_authenticated_root_enable, updated check
- os_directory_services_configured, removed from stig
- os_ess_installed, removed from stig
- os_firewall_log_enable, removed from 15.x
- os_genmoji_disable, added 800-53 and stig
- os_image_generation_disable, added 800-53 and stig
- os_iphone_mirroring_disable
- os_password_autofill_disable, added 800-53 and stig
- os_ssh_fips_compliant, fixed check/fix
- os_ssh_server_alive_count_max_configure, fixed fix
- os_ssh_server_alive_interval_configure, fixed fix
- os_sshd_fips_compliant, fixed fix/check
- os_sudo_log_enforce, added 800-53 and stig
- os_writing_tools_disable, added 800-53 and stig
- pwpolicy_custom_regex_enforce, updated regex
- system_settings_ssh_enable, removed from stig
robertgendler committed Aug 14, 2024
commit dc12a59cf9ed4b10a8d5f73c419a10bc464f60c7
2 changes: 1 addition & 1 deletion rules/os/os_authenticated_root_enable.yaml
@@ -9,7 +9,7 @@ discussion: |

WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
check: |
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"
result:
integer: 1
fix: |
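Review bot: the discussion text carried as context at the top of this hunk still warns that csrutil will hang awaiting input when more than one macOS partition is detected, but the check no longer calls csrutil at all; it now reads `/usr/libexec/mdmclient QuerySecurityInfo` and counts the line `AuthenticatedRootVolumeEnabled = 1;`. Update or remove that WARNING in the same commit so the rule's discussion matches its check.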
7 changes: 3 additions & 4 deletions rules/os/os_directory_services_configured.yaml
@@ -14,15 +14,15 @@ references:
cce:
- N/A
cci:
- CCI-000366
- N/A
800-53r5:
- N/A
800-53r4:
- N/A
srg:
- SRG-OS-000480-GPOS-00227
- N/A
disa_stig:
- APPL-15-000016
- N/A
cis:
benchmark:
- N/A
@@ -32,7 +32,6 @@ macOS:
- '15.0'
tags:
- cisv8
- stig
severity: medium
mobileconfig: false
mobileconfig_info:
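Review bot: `severity: medium` is left in place while the `- stig` tag is dropped here and the cci, srg and disa_stig references were all set to N/A in the previous hunk. Severity is a STIG-derived attribute in this rule format, so either remove it together with the STIG references or say why it stays for a rule that is now only tagged cisv8.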
33 changes: 0 additions & 33 deletions rules/os/os_ess_installed.yaml

This file was deleted.

80 changes: 0 additions & 80 deletions rules/os/os_firewall_log_enable.yaml

This file was deleted.

59 changes: 0 additions & 59 deletions rules/os/os_gatekeeper_rearm.yaml

This file was deleted.
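Review bot: the commit message lists os_ess_installed and os_firewall_log_enable as removed but says nothing about rules/os/os_gatekeeper_rearm.yaml, which is deleted in this same commit; add it to the message so the removal is discoverable from the history.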

20 changes: 18 additions & 2 deletions rules/os/os_genmoji_disable.yaml
@@ -15,13 +15,29 @@ references:
cce:
- N/A
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- N/A
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
macOS:
- '15.0'
tags:
- none
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- stig
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
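Review bot: `- stig` is added to tags while `disa_stig:` still reads `- N/A`. Elsewhere in this commit a stig-tagged rule carries its APPL-15 identifier (os_directory_services_configured had `APPL-15-000016`, os_password_autofill_disable had `APPL-15-002190`), so either add the STIG ID here or hold the tag until one is assigned; the CCI and SRG entries are present, so the disa_stig entry is the only incomplete piece.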
20 changes: 18 additions & 2 deletions rules/os/os_image_generation_disable.yaml
@@ -15,13 +15,29 @@ references:
cce:
- N/A
cci:
- CCI-000381
- CCI-001774
srg:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
800-53r5:
- N/A
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
macOS:
- '15.0'
tags:
- none
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- stig
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
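Review bot: same gap as in os_genmoji_disable.yaml: the `- stig` tag is added while `disa_stig:` is `- N/A`; the two rules should be resolved the same way, and if the IDs are being added in a later commit, say so in the message.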
2 changes: 1 addition & 1 deletion rules/os/os_iphone_mirroring_disable.yaml
@@ -10,7 +10,7 @@ check: |
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.references:
This is implemented by a Configuration Profile
references:
cce:
- N/A
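Review bot: the removed line shows the fix text originally ended with a period (`Configuration Profile.` fused onto `references:`), but the replacement line drops it and now reads `This is implemented by a Configuration Profile` with no terminal punctuation; restore the period when splitting the line.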
48 changes: 3 additions & 45 deletions rules/os/os_password_autofill_disable.yaml
@@ -17,55 +17,13 @@ references:
cce:
- N/A
cci:
- CCI-000381
- N/A
800-53r5:
- IA-5(13)
- CM-7
- CM-7(1)
- IA-11
- IA-5
800-53r4:
- IA-5
- IA-5(13)
- IA-11
- CM-7
- CM-7(1)
disa_stig:
- APPL-15-002190
srg:
- SRG-OS-000095-GPOS-00049
800-171r2:
- 3.4.6
- 3.5.1
- 3.5.2
cis:
benchmark:
- N/A
controls v8:
- 4.1
- 4.8
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
- IA.L2-3.5.8
- IA.L2-3.5.9
- N/A
macOS:
- '15.0'
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
severity: medium
- none
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
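Review bot: this hunk contradicts the commit message, which says os_password_autofill_disable "added 800-53 and stig". What the diff actually does is the opposite: it deletes every 800-53r5, 800-53r4, 800-171r2, CMMC, SRG and DISA STIG reference, drops `severity: medium`, and replaces the whole tag list with `- none`, leaving cci and 800-53r5 as `N/A`. Either the message is wrong or the wrong version of the file was committed; please confirm which before merging, since a rule tagged `none` is excluded from every baseline.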
25 changes: 8 additions & 17 deletions rules/os/os_ssh_fips_compliant.yaml
@@ -9,29 +9,20 @@ discussion: |

NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.
check: |
fips_ssh_config="Host *
Ciphers aes128-gcm@openssh.com
fips_ssh_config="Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256"
/usr/bin/grep -c "$fips_ssh_config" /etc/ssh/ssh_config.d/fips_ssh_config
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com"
/usr/bin/grep -c "$fips_ssh_config" /etc/ssh/crypto.conf
result:
integer: 8
integer: 7
fix: |
[source,bash]
----
fips_ssh_config="Host *
Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256"
/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
----
references:
cce:
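Review bot: the multi-line `$fips_ssh_config` handed to `grep -c` is treated as seven separate, unanchored basic regular expressions, so `integer: 7` is satisfied by any crypto.conf whose lines merely contain these strings (a line such as `Ciphers aes128-gcm@openssh.com,aes256-ctr` still counts), and the `.` in each `@openssh.com` matches any character. Use `/usr/bin/grep -cxF "$fips_ssh_config" /etc/ssh/crypto.conf` so each pattern must match a whole line literally, or, since the fix now installs a symlink rather than writing a file, verify the link target directly by comparing `/usr/bin/readlink /etc/ssh/crypto.conf` with `/etc/ssh/crypto/fips.conf`.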
3 changes: 3 additions & 0 deletions rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -23,6 +23,9 @@ fix: |
config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
configarray=( ${(f)config} )
for c in $configarray; do
if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
continue
fi
/usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax $ODV/' "$c" || /bin/echo 'ServerAliveCountMax $ODV' >> "$c"
done
done
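Review bot: skipping `/etc/ssh/crypto.conf` is the right call now that the file is the symlink managed by os_ssh_fips_compliant, but the write that follows the new check is still fragile: `grep -q ... && sed ... || echo ... >> "$c"` runs the echo whenever sed fails (appending a second ServerAliveCountMax line), and the sed expression `.*ServerAliveCountMax.*` rewrites commented or indented occurrences even though the grep only looked for lines beginning with the keyword. An explicit if/else and an anchored `s/^ServerAliveCountMax.*/ServerAliveCountMax $ODV/` would make the two halves consistent.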