Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Apple macOS 13 (Ventura) Security Technical Implementation Guide

V1R3 · · · Released 25 Oct 2023 · 112 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R2 · 29 Jun 2023 +1 −1 ✎ 6

Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 1

  • V-257776 Medium The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Removed rules 1

  • V-257223 Medium The macOS system must authenticate peripherals before establishing a connection.

Content changes 6

  • V-257151 Medium check The macOS system must compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
  • V-257162 Medium description The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
  • V-257199 Medium check The macOS system must be configured to disable Siri and dictation.
  • V-257219 High check The macOS system must disable the guest account.
  • V-257224 High check The macOS system must use an approved antivirus program.
  • V-257239 Medium checkfix The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
Sort by
b
The macOS system must be configured to prevent Apple Watch from terminating a session lock.
AC-11 - Medium - CCI-000056 - V-257142 - SV-257142r905059_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000056
Version
APPL-13-000001
Vuln IDs
  • V-257142
Rule IDs
  • SV-257142r905059_rule
Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
Checks: C-60827r905057_chk

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock" allowAutoUnlock = 0; If there is no result or "allowAutoUnlock" is not set to "0", this is a finding.

Fix: F-60768r905058_fix

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "Restrictions Policy" configuration profile.

b
The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 - Medium - CCI-000056 - V-257143 - SV-257143r905062_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000056
Version
APPL-13-000002
Vuln IDs
  • V-257143
Rule IDs
  • SV-257143r905062_rule
Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
Checks: C-60828r905060_chk

Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -w "askForPassword" askForPassword = 1; If there is no result, or if "askForPassword" is not set to "1", this is a finding.

Fix: F-60769r905061_fix

Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "Login Window Policy" configuration profile.

b
The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
AC-11 - Medium - CCI-000056 - V-257144 - SV-257144r905065_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000056
Version
APPL-13-000003
Vuln IDs
  • V-257144
Rule IDs
  • SV-257144r905065_rule
A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.
Checks: C-60829r905063_chk

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "askForPasswordDelay" askForPasswordDelay = 5; If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding.

Fix: F-60770r905064_fix

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "Login Window Policy" configuration profile.

b
The macOS system must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-257145 - SV-257145r905068_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
APPL-13-000004
Vuln IDs
  • V-257145
Rule IDs
  • SV-257145r905068_rule
A screen saver must be enabled and set to require a password to unlock. The timeout must be set to 15 minutes of inactivity. This mitigates the risk that a user might forget to manually lock the screen before stepping away from the computer. A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
Checks: C-60830r905066_chk

Verify the macOS system is configured to initiate the screen saver after 15 minutes of inactivity with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "loginWindowIdleTime" loginWindowIdleTime = 900; If there is no result, or if "idleTime" is not set to "900" seconds or less, this is a finding.

Fix: F-60771r905067_fix

Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "Login Window Policy" configuration profile.

b
The macOS system must be configured to lock the user session when a smart token is removed.
AC-11 - Medium - CCI-000058 - V-257146 - SV-257146r905071_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000058
Version
APPL-13-000005
Vuln IDs
  • V-257146
Rule IDs
  • SV-257146r905071_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems must provide users with the ability to manually invoke a session lock so users may secure their session should they need to temporarily vacate the immediate physical vicinity.
Checks: C-60831r905069_chk

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction" tokenRemovalAction = 1; If there is no result, or if "tokenRemovalAction" is not set to "1", this is a finding.

Fix: F-60772r905070_fix

Configure the macOS system to lock the user session when a smart token is removed by installing the "Smart Card Policy" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

b
The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
AC-11 - Medium - CCI-000060 - V-257147 - SV-257147r905074_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000060
Version
APPL-13-000006
Vuln IDs
  • V-257147
Rule IDs
  • SV-257147r905074_rule
A default screen saver must be configured for all users, as the screen saver will act as a session timeout lock for the system and must conceal the contents of the screen from unauthorized users. The screen saver must not display any sensitive information or reveal the contents of the locked session screen. Publicly viewable images can include static or dynamic images such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen.
Checks: C-60832r905072_chk

Verify the macOS system is configured with a screen saver with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "moduleName" moduleName = Ventura; If there is no result or the "moduleName" is undefined, this is a finding.

Fix: F-60773r905073_fix

Configure the macOS system with a screen saver by installing the "Login Window Policy" configuration profile.

b
The macOS system must be configured to disable hot corners.
AC-11 - Medium - CCI-000060 - V-257148 - SV-257148r905077_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000060
Version
APPL-13-000007
Vuln IDs
  • V-257148
Rule IDs
  • SV-257148r905077_rule
Although hot corners can be used to initiate a session lock or launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
Checks: C-60833r905075_chk

Verify the macOS system is configured to disable hot corners with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous" "wvous-bl-corner" = 0; "wvous-br-corner" = 0; "wvous-tl-corner" = 0; "wvous-tr-corner" = 0; If the command does not return the following, this is a finding. "wvous-bl-corner = 0; wvous-br-corner = 0; wvous-tl-corner = 0; wvous-tr-corner = 0;"

Fix: F-60774r905076_fix

Configure the macOS system to disable hot corners by installing the "Custom Policy" configuration profile.

b
The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.
AC-2 - Medium - CCI-000016 - V-257150 - SV-257150r905083_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000016
Version
APPL-13-000012
Vuln IDs
  • V-257150
Rule IDs
  • SV-257150r905083_rule
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DOD-defined time period of 72 hours. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064
Checks: C-60835r905081_chk

Verify the macOS system is configured with a policy via directory service to disable temporary or emergency accounts after 72 hours by asking the System Administrator (SA) or Information System Security Officer (ISSO). If a policy is not set by a directory service, a password policy must be set with the "pwpolicy" utility. The variable names may differ depending on how the policy was set. If temporary or emergency accounts are not defined on the macOS system, this is not applicable. Verify the macOS system is configured with a policy to disable temporary or emergency accounts after 72 hours with the following command: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output and password policy is not controlled by a directory service, this is a finding. Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, a <dict> section contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds more than 72 hours to "policyAttributeCreationTime", this is a finding.

Fix: F-60776r905082_fix

Configure the macOS system to disable temporary or emergency accounts after 72 hours. This setting may be enforced using local policy or by a directory service. To set local policy to disable a temporary or emergency user, create a plain text file containing the following: <dict> <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string> <key>policyIdentifier</key> <string>Disable Tmp Accounts </string> </dict> </array> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file". /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file

b
The macOS system must compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
AU-8 - Medium - CCI-001891 - V-257151 - SV-257151r922872_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001891
Version
APPL-13-000014
Vuln IDs
  • V-257151
Rule IDs
  • SV-257151r922872_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
Checks: C-60836r922871_chk

Verify the macOS system is configured with the timed service enabled and an authorized time server with the following commands: /usr/bin/sudo /usr/sbin/systemsetup -getusingnetworktime Network Time: On If "Network Time" is not set to "On", this is a finding. /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver If no time server is configured, or if an unapproved time server is in use, this is a finding.

Fix: F-60777r905085_fix

Configure the macOS system to enable the timed service and set an authorized time server with the following commands: /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver "server"

b
The macOS system must use an Endpoint Security Solution (ESS) and implement all DOD required modules.
SI-2 - Medium - CCI-001233 - V-257152 - SV-257152r905089_rule
RMF Control
SI-2
Severity
M
CCI
CCI-001233
Version
APPL-13-000015
Vuln IDs
  • V-257152
Rule IDs
  • SV-257152r905089_rule
The macOS system must employ automated mechanisms to determine the state of system components. The DOD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNet.
Checks: C-60837r905087_chk

Verify the macOS system is configured with an approved ESS solution. If an approved ESS solution is not installed, this is a finding. Verify that all installed components of the ESS solution are at the DOD-approved minimal version. If the installed components are not at the DOD-approved minimal versions, this is a finding.

Fix: F-60778r905088_fix

Configure the macOS system with an approved ESS solution and ensure that all components are at least updated to their DOD-approved minimal versions.

c
The macOS system must be integrated into a directory services infrastructure.
CM-6 - High - CCI-000366 - V-257153 - SV-257153r905092_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
APPL-13-000016
Vuln IDs
  • V-257153
Rule IDs
  • SV-257153r905092_rule
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions allow centralized management of users and passwords.
Checks: C-60838r905090_chk

If the macOS system is using a mandatory Smart Card Policy, this requirement is not applicable. Verify the macOS system is configured to integrate into a directory service with the following command: /usr/bin/dscl localhost -list . | /usr/bin/grep "Active Directory" If no results are returned, this is a finding.

Fix: F-60779r905091_fix

Configure the macOS system to integrate into an existing directory services infrastructure.

b
The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
AC-7 - Medium - CCI-002238 - V-257154 - SV-257154r905095_rule
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
APPL-13-000022
Vuln IDs
  • V-257154
Rule IDs
  • SV-257154r905095_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-60839r905093_chk

Verify the macOS system is configured to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxFailedAttempts\|minutesUntilFailedLoginReset" maxFailedAttempts = 3; minutesUntilFailedLoginReset = 15; If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding.

Fix: F-60780r905094_fix

Configure the macOS system to enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked by installing the "Passcode Policy" configuration profile or by a directory service.

b
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system.
AC-8 - Medium - CCI-000048 - V-257155 - SV-257155r905098_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
APPL-13-000023
Vuln IDs
  • V-257155
Rule IDs
  • SV-257155r905098_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060.
Checks: C-60840r905096_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system. Check to see if the operating system has the correct text listed in the "/etc/banner" file with the following command: /usr/bin/more /etc/banner The command must return the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the operating system does not display a logon banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding. If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Fix: F-60781r905097_fix

Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text. Name the file "banner" and place it in "/etc/".

b
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH.
AC-8 - Medium - CCI-000048 - V-257156 - SV-257156r905101_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
APPL-13-000024
Vuln IDs
  • V-257156
Rule IDs
  • SV-257156r905101_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
Checks: C-60841r905099_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command: /usr/bin/grep -r Banner /etc/ssh/sshd_config* Banner /etc/banner If the sshd Banner configuration option does not point to "/etc/banner", this is a finding. If conflicting results are returned, this is a finding.

Fix: F-60782r905100_fix

Configure the macOS system to display the contents of "/etc/banner" before granting access to the system with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/^#Banner.*/Banner \/etc\/banner/' /etc/ssh/sshd_config

b
The macOS system must be configured so that any connection to the system must display the Standard Mandatory DOD Notice and Consent Banner before granting GUI access to the system.
AC-8 - Medium - CCI-000048 - V-257157 - SV-257157r905104_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
APPL-13-000025
Vuln IDs
  • V-257157
Rule IDs
  • SV-257157r905104_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088
Checks: C-60842r905102_chk

Verify the macOS system is configured to display a policy banner with the following command: /bin/ls -l /Library/Security/PolicyBanner.rtfd -rw-r--r--@ 1 admin sheel 37 Jan 27 11:18 /Library/Security/PolicyBanner.rtfd If "PolicyBanner.rtfd" does not exist, this is a finding. If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding. The banner text of the document must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not worded exactly this way, this is a finding.

Fix: F-60783r905103_fix

Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/". Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command: /usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd

b
The macOS system must be configured so that log files do not contain access control lists (ACLs).
AU-9 - Medium - CCI-000162 - V-257158 - SV-257158r905107_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-000030
Vuln IDs
  • V-257158
Rule IDs
  • SV-257158r905107_rule
The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-60843r905105_chk

Verify the macOS system is configured without ACLs applied to log files with the following command: /usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current In the output from the above command, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any ACLs exists, this is a finding.

Fix: F-60784r905106_fix

Configure the macOS system so that log files do not contain ACLs with the following command: /usr/bin/sudo /bin/chmod -N [audit log file]

b
The macOS system must be configured so that log folders do not contain access control lists (ACLs).
AU-9 - Medium - CCI-000162 - V-257159 - SV-257159r905110_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-000031
Vuln IDs
  • V-257159
Rule IDs
  • SV-257159r905110_rule
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Checks: C-60844r905108_chk

Verify the macOS system is configured without ACLs applied to log folders with the following command: /usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') In the output from the above command, ACLs will be listed under any folder that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any ACLs exists, this is a finding.

Fix: F-60785r905109_fix

Configure the macOS system so that log folders do not contain ACLs with the following command: /usr/bin/sudo /bin/chmod -N [audit log folder]

b
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
CM-6 - Medium - CCI-000366 - V-257160 - SV-257160r905113_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-000032
Vuln IDs
  • V-257160
Rule IDs
  • SV-257160r905113_rule
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
Checks: C-60845r905111_chk

Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command: /usr/bin/sudo /usr/bin/fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If any unauthorized users are listed, this is a finding. Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons: /usr/bin/sudo /usr/bin/dscl . read /Users/&lt;FileVault_User&gt; UserShell UserShell: /usr/bin/false If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.

Fix: F-60786r905112_fix

Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands: /usr/bin/sudo /usr/bin/fdesetup add -user <username> /usr/bin/sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user: /usr/bin/sudo /usr/bin/fdesetup remove -user <username>

b
The macOS system must be configured to disable password forwarding for FileVault.
CM-6 - Medium - CCI-000366 - V-257161 - SV-257161r905116_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-000033
Vuln IDs
  • V-257161
Rule IDs
  • SV-257161r905116_rule
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
Checks: C-60846r905114_chk

Verify the macOS system is configured to disable password forwarding with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin" DisableFDEAutoLogin = 1; If "DisableFDEAutoLogin" is not set to a value of "1", this is a finding.

Fix: F-60787r905115_fix

Configure the macOS system to disable password forwarding by installing the "Smart Card Policy" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

b
The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
SC-10 - Medium - CCI-001133 - V-257162 - SV-257162r922873_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
APPL-13-000051
Vuln IDs
  • V-257162
Rule IDs
  • SV-257162r922873_rule
SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met. The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is "0", indicating no messages will be sent. The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to "0" disables connection termination.
Checks: C-60847r905117_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured with the SSH daemon "ClientAliveInterval" option set to "900" or less with the following command: /usr/bin/grep -r ^ClientAliveInterval /etc/ssh/sshd_config* If "ClientAliveInterval" is not configured or has a value of "0", this is a finding. If "ClientAliveInterval" is not "900" or less, this is a finding. If conflicting results are returned, this is a finding.

Fix: F-60788r905118_fix

Configure the macOS system to set the SSH daemon "ClientAliveInterval" option to "900" with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config

b
The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 1.
SC-10 - Medium - CCI-001133 - V-257163 - SV-257163r905122_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
APPL-13-000052
Vuln IDs
  • V-257163
Rule IDs
  • SV-257163r905122_rule
Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element. SSH options ClientAliveInterval and ClientAliveCountMax are used in combination to monitor SSH connections. If an SSH client is deemed unresponsive, sshd will terminate the connection. An example would be if a client lost network connectivity the SSH connection to the server would be unresponsive and therefore sshd would terminate the connection after the ClientAliveCountMax and ClientAliveInterval thresholds have been met. The ClientAliveInterval is a timeout measured in seconds. After which if no data is received from the client, sshd will request a response through the encrypted tunnel from the client. The default is 0, indicating no messages will be sent. The ClientAliveCountMax is the number of client alive messages that can be sent from the server without receiving a reply from the client. If this threshold is met, sshd will terminate the session. Setting the ClientAliveCountMax to 0 disables connection termination.
Checks: C-60848r905120_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured with the SSH daemon "ClientAliveCountMax" option set to "1" with the following command: /usr/bin/grep -r ^ClientAliveCountMax /etc/ssh/sshd_config* If the setting is not "ClientAliveCountMax 1", this is a finding. If conflicting results are returned, this is a finding.

Fix: F-60789r905121_fix

Configure the macOS system to set the SSH daemon "ClientAliveCountMax" option to "1" with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 1/' /etc/ssh/sshd_config

b
The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
SC-10 - Medium - CCI-001133 - V-257164 - SV-257164r905125_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
APPL-13-000053
Vuln IDs
  • V-257164
Rule IDs
  • SV-257164r905125_rule
SSH must be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.
Checks: C-60849r905123_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured with the SSH daemon "LoginGraceTime" option set to "30" or less with the following command: /usr/bin/grep -r ^LoginGraceTime /etc/ssh/sshd_config* If "LoginGraceTime" is not configured or has a value of "0", this is a finding. If "LoginGraceTime" is not set to "30" or less, this is a finding. If conflicting results are returned, this is a finding.

Fix: F-60790r905124_fix

Configure the macOS system to set the SSH daemon "LoginGraceTime" option to "30" with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config

c
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
AC-17 - High - CCI-000068 - V-257165 - SV-257165r919351_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000054
Vuln IDs
  • V-257165
Rule IDs
  • SV-257165r919351_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Checks: C-60850r919350_chk

Verify the macOS system is configured to use approved SSH ciphers within the SSH server configuration with the following command: /usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "ciphers" ciphers aes128-gcm@openssh.com If any ciphers other than "aes128-gcm@openssh.com" are listed, or the "ciphers" keyword is missing, this is a finding.

Fix: F-60791r916570_fix

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following: Ciphers aes128-gcm@openssh.com The SSH service must be restarted for changes to take effect.

c
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
AC-17 - High - CCI-000068 - V-257166 - SV-257166r919353_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000055
Vuln IDs
  • V-257166
Rule IDs
  • SV-257166r919353_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175
Checks: C-60851r919352_chk

Verify the macOS system is configured to use approved SSH MACs within the SSH server configuration with the following command: /usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "macs" macs hmac-sha2-256 If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Fix: F-60792r916573_fix

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following: MACs hmac-sha2-256 The SSH service must be restarted for changes to take effect.

c
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
AC-17 - High - CCI-000068 - V-257167 - SV-257167r919355_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000056
Vuln IDs
  • V-257167
Rule IDs
  • SV-257167r919355_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176
Checks: C-60852r919354_chk

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command: /usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms" kexalgorithms ecdh-sha2-nistp256 If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Fix: F-60793r916576_fix

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following: KexAlgorithms ecdh-sha2-nistp256 The SSH service must be restarted for changes to take effect.

b
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all nonlocal maintenance and diagnostic sessions.
AC-2 - Medium - CCI-000018 - V-257168 - SV-257168r905137_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
APPL-13-001001
Vuln IDs
  • V-257168
Rule IDs
  • SV-257168r905137_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000327-GPOS-00127, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222
Checks: C-60853r905135_chk

Verify the macOS system is configured to audit privileged access with the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "ad" is not listed in the output, this is a finding.

Fix: F-60794r905136_fix

Configure the macOS system to audit privileged access with the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

b
The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
AC-17 - Medium - CCI-000067 - V-257169 - SV-257169r905140_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
APPL-13-001002
Vuln IDs
  • V-257169
Rule IDs
  • SV-257169r905140_rule
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges to proceed. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Attempts to log in as another user are logged by way of the "lo" flag. Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000462-GPOS-00206
Checks: C-60854r905138_chk

Verify the macOS system is configured to audit attempts to access/modify privileges with the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "lo" is not listed in the result of the check, this is a finding.

Fix: F-60795r905139_fix

Configure the macOS system to audit attempts to access/modify privileges with the following command: /usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

b
The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions.
AU-3 - Medium - CCI-000130 - V-257170 - SV-257170r905143_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
APPL-13-001003
Vuln IDs
  • V-257170
Rule IDs
  • SV-257170r905143_rule
Without establishing what type of events occurred, when they occurred, and by whom, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146
Checks: C-60855r905141_chk

Verify the macOS system is configured to enable the auditd service with the following command: /bin/launchctl print-disabled system| /usr/bin/grep com.apple.auditd "com.apple.auditd" =&gt; enabled If the results are not "com.apple.auditd =&gt; enabled", this is a finding.

Fix: F-60796r905142_fix

Configure the macOS system to enable the auditd service with the following command: /usr/bin/sudo /bin/launchctl enable system/com.apple.auditd The system may need to be restarted for the update to take effect.

b
The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
AU-5 - Medium - CCI-000140 - V-257171 - SV-257171r905146_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
APPL-13-001010
Vuln IDs
  • V-257171
Rule IDs
  • SV-257171r905146_rule
The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: (i) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. (ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-60856r905144_chk

Verify the macOS system is configured to shut down upon audit failure with the following command: /usr/bin/sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt If there is no result, this is a finding.

Fix: F-60797r905145_fix

Configure the macOS system to shut down upon audit failure by editing the "/etc/security/audit_control" file and updating the policy value to include "ahlt" with the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

b
The macOS system must be configured with audit log files owned by root.
AU-9 - Medium - CCI-000162 - V-257172 - SV-257172r905149_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001012
Vuln IDs
  • V-257172
Rule IDs
  • SV-257172r905149_rule
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.
Checks: C-60857r905147_chk

Verify the macOS system is configured with audit log files owned by root with the following command: /usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current If the files are not owned by root, this is a finding.

Fix: F-60798r905148_fix

Configure the macOS system with audit log files owned by root with the following command: /usr/bin/sudo chown root [audit log file]

b
The macOS system must be configured with audit log folders owned by root.
AU-9 - Medium - CCI-000162 - V-257173 - SV-257173r905152_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001013
Vuln IDs
  • V-257173
Rule IDs
  • SV-257173r905152_rule
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Checks: C-60858r905150_chk

Verify the macOS system is configured with audit log folders owned by root with the following command: /usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') If the folders are not owned by root, this is a finding.

Fix: F-60799r905151_fix

Configure the macOS system with audit log folders owned by root with the following command: /usr/bin/sudo chown root [audit log folder]

b
The macOS system must be configured with audit log files group-owned by wheel.
AU-9 - Medium - CCI-000162 - V-257174 - SV-257174r905155_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001014
Vuln IDs
  • V-257174
Rule IDs
  • SV-257174r905155_rule
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Checks: C-60859r905153_chk

Verify the macOS system is configured with audit log files group-owned by wheel with the following command: /usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current If the files are not group-owned by wheel, this is a finding.

Fix: F-60800r905154_fix

Configure the macOS system with audit log files group-owned by wheel with the following command: /usr/bin/sudo chgrp wheel [audit log file]

b
The macOS system must be configured with audit log folders group-owned by wheel.
AU-9 - Medium - CCI-000162 - V-257175 - SV-257175r905158_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001015
Vuln IDs
  • V-257175
Rule IDs
  • SV-257175r905158_rule
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Checks: C-60860r905156_chk

Verify the macOS system is configured with audit log folders group-owned by wheel with the following command: /usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') If the folders are not group-owned by wheel, this is a finding.

Fix: F-60801r905157_fix

Configure the macOS system with audit log folders group-owned by wheel with the following command: /usr/bin/sudo chgrp wheel [audit log folder]

b
The macOS system must be configured with audit log files set to mode 440 or less permissive.
AU-9 - Medium - CCI-000162 - V-257176 - SV-257176r905161_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001016
Vuln IDs
  • V-257176
Rule IDs
  • SV-257176r905161_rule
The audit service must be configured to create log files with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated.
Checks: C-60861r905159_chk

Verify the macOS system is configured with audit log files set to mode 440 or less with the following command: /usr/bin/sudo /bin/ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/grep -v current If the files are not mode 440 or less, this is a finding.

Fix: F-60802r905160_fix

Configure the macOS system with audit log files set to mode 440 with the following command: /usr/bin/sudo /bin/chmod 440 [audit log file]

b
The macOS system must be configured with audit log folders set to mode 700 or less permissive.
AU-9 - Medium - CCI-000162 - V-257177 - SV-257177r905164_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
APPL-13-001017
Vuln IDs
  • V-257177
Rule IDs
  • SV-257177r905164_rule
The audit service must be configured to create log folders with the correct permissions to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable only by root or administrative users with sudo, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Checks: C-60862r905162_chk

Verify the macOS system is configured with audit log folders set to mode 700 or less with the following command: /usr/bin/sudo /bin/ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') If the folders are not set to mode 700 or less, this is a finding.

Fix: F-60803r905163_fix

Configure the macOS system with audit log folders set to mode 700 with the following command: /usr/bin/sudo /bin/chmod 700 [audit log folder]

b
The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
AU-12 - Medium - CCI-000172 - V-257178 - SV-257178r905167_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
APPL-13-001020
Vuln IDs
  • V-257178
Rule IDs
  • SV-257178r905167_rule
By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. Enforcement actions are logged by way of the "fm" flag, which audits permission changes; "-fr" and "-fw", which denote failed attempts to read or write to a file; and "-fd", which audits failed file deletion. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000474-GPOS-00219
Checks: C-60863r905165_chk

Verify the macOS system is configured to audit enforcement actions with the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.

Fix: F-60804r905166_fix

Configure the macOS system to audit enforcement actions with the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

a
The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
AU-4 - Low - CCI-001849 - V-257179 - SV-257179r905170_rule
RMF Control
AU-4
Severity
L
CCI
CCI-001849
Version
APPL-13-001029
Vuln IDs
  • V-257179
Rule IDs
  • SV-257179r905170_rule
The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.
Checks: C-60864r905168_chk

Verify the macOS system is configured to store at least seven days of audit records with the following command: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control expire-after:7d If "expire-after" is not set to "7d" or greater, this is a finding.

Fix: F-60805r905169_fix

Configure the macOS system to store seven days of audit records with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s Alternatively, use a text editor to update the "/etc/security/audit_control" file.

a
The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
AU-5 - Low - CCI-001855 - V-257180 - SV-257180r905173_rule
RMF Control
AU-5
Severity
L
CCI
CCI-001855
Version
APPL-13-001030
Vuln IDs
  • V-257180
Rule IDs
  • SV-257180r905173_rule
The audit service must be configured to require a minimum percentage of free disk space to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When "minfree" is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.
Checks: C-60865r905171_chk

Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control minfree:25 If "minfree" is not set to "25", this is a finding.

Fix: F-60806r905172_fix

Configure the macOS system to require 25 percent free disk space for audit record storage with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s Alternatively, use a text editor to update the "/etc/security/audit_control" file.

b
The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
AU-5 - Medium - CCI-001858 - V-257181 - SV-257181r905176_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001858
Version
APPL-13-001031
Vuln IDs
  • V-257181
Rule IDs
  • SV-257181r905176_rule
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Checks: C-60866r905174_chk

Verify the macOS system is configured to print error messages to the console with the following command: /usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn logger -s -p security.warning "audit warning: $type $argument" If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

Fix: F-60807r905175_fix

Configure the macOS system to print error messages to the console with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s Alternatively, use a text editor to update the "/etc/security/audit_warn" file.

b
The macOS system must generate audit records for DOD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
AU-12 - Medium - CCI-000172 - V-257182 - SV-257182r905179_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
APPL-13-001044
Vuln IDs
  • V-257182
Rule IDs
  • SV-257182r905179_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Logon events are logged by way of the "aa" flag. Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220
Checks: C-60867r905177_chk

Verify the macOS system is configured to audit logon events with the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "aa" is not listed in the result of the check, this is a finding.

Fix: F-60808r905178_fix

Configure the macOS system to audit logon events with the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

b
The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
IA-5 - Medium - CCI-000186 - V-257183 - SV-257183r905182_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000186
Version
APPL-13-001060
Vuln IDs
  • V-257183
Rule IDs
  • SV-257183r905182_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. DOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. Satisfies: SRG-OS-000067-GPOS-00035, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182
Checks: C-60868r905180_chk

Verify the macOS system is configured to check the revocation status of user certificates with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "checkCertificateTrust" checkCertificateTrust = 1; If there is no result, or if "checkCertificateTrust" is not set to "1" or greater, this is a finding.

Fix: F-60809r905181_fix

Configure the macOS system to check the revocation status of user certificates by installing the "Smart Card Policy" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

b
The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - Medium - CCI-000770 - V-257184 - SV-257184r905185_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
APPL-13-001100
Vuln IDs
  • V-257184
Rule IDs
  • SV-257184r905185_rule
Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators must only run commands as root after first authenticating with their individual usernames and passwords.
Checks: C-60869r905183_chk

If SSH is not being used, this is not applicable. Verify the macOS system is configured to disable root logins over SSH with the following command: /usr/bin/grep -r ^PermitRootLogin /etc/ssh/sshd_config* If there is no result, or the result is set to "yes", this is a finding. If conflicting results are returned, this is a finding.

Fix: F-60810r905184_fix

Configure the macOS system to disable root logins over SSH with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

b
The macOS system must be configured to disable SMB File Sharing unless it is required.
CM-7 - Medium - CCI-000381 - V-257185 - SV-257185r905188_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002001
Vuln IDs
  • V-257185
Rule IDs
  • SV-257185r905188_rule
File sharing is usually nonessential and must be disabled if not required. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
Checks: C-60870r905186_chk

Verify the macOS system is configured to disable the SMB File Sharing service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd "com.apple.smbd" =&gt; disabled If the results are not "com.apple.smbd =&gt; disabled" or SMB file sharing has not been documented with the ISSO as an operational requirement, this is a finding.

Fix: F-60811r905187_fix

Configure the macOS system to disable the SMB File Sharing service with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
CM-7 - Medium - CCI-000381 - V-257186 - SV-257186r905191_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002003
Vuln IDs
  • V-257186
Rule IDs
  • SV-257186r905191_rule
If the system does not require access to NFS file shares or is not acting as an NFS server, support for NFS is nonessential and NFS services must be disabled. NFS is a network file system protocol supported by UNIX-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
Checks: C-60871r905189_chk

Verify the macOS system is configured to disable the NFS daemon with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd "com.apple.nfsd" =&gt; disabled If the results are not "com.apple.nfsd =&gt; disabled" or the use of NFS has not been documented with the ISSO as an operational requirement, this is a finding.

Fix: F-60812r905190_fix

Configure the macOS system to disable the NFS daemon with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable Location Services.
CM-7 - Medium - CCI-000381 - V-257187 - SV-257187r905194_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002004
Vuln IDs
  • V-257187
Rule IDs
  • SV-257187r905194_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. Location Services must be disabled.
Checks: C-60872r905192_chk

Verify the macOS system is configured to disable Location Services with the following command: /usr/bin/sudo /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd | /usr/bin/grep "LocationServicesEnabled" LocationServicesEnabled = 0; If "LocationServicesEnabled" is not set to "0" and the AO has not authorized the use of location services, this is a finding.

Fix: F-60813r905193_fix

Configure the macOS system to disable Location Services with the following command: /usr/bin/sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable Bonjour multicast advertising.
CM-7 - Medium - CCI-000381 - V-257188 - SV-257188r905197_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002005
Vuln IDs
  • V-257188
Rule IDs
  • SV-257188r905197_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. Bonjour multicast advertising must be disabled on the system.
Checks: C-60873r905195_chk

Verify the macOS system is configured to disable Bonjour multicast advertising with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "NoMulticastAdvertisements" NoMulticastAdverstisements = 1; If there is no result, or if "NoMulticastAdvertisements" is not set to "1", this is a finding.

Fix: F-60814r905196_fix

Configure the macOS system to disable Bonjour multicast advertising by installing the "Custom Policy" configuration profile.

b
The macOS system must be configured to disable the UUCP service.
CM-7 - Medium - CCI-000381 - V-257189 - SV-257189r905200_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002006
Vuln IDs
  • V-257189
Rule IDs
  • SV-257189r905200_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The system must not have the UUCP service active.
Checks: C-60874r905198_chk

Verify the macOS system is configured to disable the UUCP service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp "com.apple.uucp" =&gt; disabled If the results are not "com.apple.uucp =&gt; disabled", this is a finding.

Fix: F-60815r905199_fix

Configure the macOS system to disable the UUCP service with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.uucp The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable Internet Sharing.
CM-7 - Medium - CCI-000381 - V-257190 - SV-257190r905203_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002007
Vuln IDs
  • V-257190
Rule IDs
  • SV-257190r905203_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. Internet Sharing is nonessential and must be disabled.
Checks: C-60875r905201_chk

Verify the macOS system is configured to disable Internet Sharing with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "forceInternetSharingOff" forceInternetSharingOff = 1; If there is no result, or if "forceInternetSharingOff" is not set to "1", this is a finding.

Fix: F-60816r905202_fix

Configure the macOS system to disable Internet Sharing by installing the "Custom Policy" configuration profile.

b
The macOS system must be configured to disable Web Sharing.
CM-7 - Medium - CCI-000381 - V-257191 - SV-257191r905206_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002008
Vuln IDs
  • V-257191
Rule IDs
  • SV-257191r905206_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. Web Sharing is nonessential and must be disabled.
Checks: C-60876r905204_chk

Verify the macOS system is configured to disable Web Sharing with the following command: /bin/launchctl print-disabled system | /usr/bin/grep org.apache.httpd "org.apache.httpd" =&gt; disabled If the results are not "org.apache.httpd =&gt; disabled", this is a finding.

Fix: F-60817r905205_fix

Configure the macOS system to disable Web Sharing with the following command: /usr/bin/sudo /bin/launchctl disable system/org.apache.httpd The system may need to be restarted for the update to take effect.

a
The macOS system must be configured to disable AirDrop.
CM-7 - Low - CCI-000381 - V-257192 - SV-257192r905209_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002009
Vuln IDs
  • V-257192
Rule IDs
  • SV-257192r905209_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality-of-life issues. AirDrop must be disabled. Note: There is a known bug in the graphical user interface where the user can toggle AirDrop in the UI, which indicates the service has been turned on, but it remains disabled if the Restrictions Profile has been applied.
Checks: C-60877r905207_chk

Verify the macOS system is configured to disable AirDrop with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAirDrop" allowAirDrop = 0; If there is no result, or if "allowAirDrop" is not set to "0", this is a finding.

Fix: F-60818r905208_fix

Configure the macOS system to disable AirDrop by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable the iCloud Calendar services.
CM-7 - Low - CCI-000381 - V-257193 - SV-257193r905212_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002012
Vuln IDs
  • V-257193
Rule IDs
  • SV-257193r905212_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Calendar application's connections to Apple's iCloud must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60878r905210_chk

Verify the macOS system is configured to disable iCloud Calendar services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudCalendar" allowCloudCalendar = 0; If there is no result, or if "allowCloudCalendar" is not set to "0", this is a finding.

Fix: F-60819r905211_fix

Configure the macOS system to disable iCloud Calendar services by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable the iCloud Reminders services.
CM-7 - Low - CCI-000381 - V-257194 - SV-257194r905215_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002013
Vuln IDs
  • V-257194
Rule IDs
  • SV-257194r905215_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Reminder application's connections to Apple's iCloud must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60879r905213_chk

Verify the macOS system is configured to disable iCloud Reminders services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudReminders" allowCloudReminders = 0; If there is no result, or if "allowCloudReminders" is not set to "0", this is a finding.

Fix: F-60820r905214_fix

Configure the macOS system to disable iCloud Reminders services by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable iCloud Address Book services.
CM-7 - Low - CCI-000381 - V-257195 - SV-257195r905218_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002014
Vuln IDs
  • V-257195
Rule IDs
  • SV-257195r905218_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Address Book(Contacts) application's connections to Apple's iCloud must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60880r905216_chk

Verify the macOS system is configured to disable iCloud Address Book services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudAddressBook" allowCloudAddressBook = 0; If there is no result, or if "allowCloudAddressBook" is not set to "0", this is a finding.

Fix: F-60821r905217_fix

Configure the macOS system to disable iCloud Address Book services by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable the iCloud Mail services.
CM-7 - Low - CCI-000381 - V-257196 - SV-257196r905221_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002015
Vuln IDs
  • V-257196
Rule IDs
  • SV-257196r905221_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Mail application's connections to Apple's iCloud must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60881r905219_chk

Verify the macOS system is configured to disable iCloud Mail services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudMail" allowCloudMail = 0; If there is no result, or if "allowCloudMail" is not set to "0", this is a finding.

Fix: F-60822r905220_fix

Configure the macOS system to disable iCloud Mail services by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable the iCloud Notes services.
CM-7 - Low - CCI-000381 - V-257197 - SV-257197r905224_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-002016
Vuln IDs
  • V-257197
Rule IDs
  • SV-257197r905224_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Notes application's connections to Apple's iCloud must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60882r905222_chk

Verify the macOS system is configured to disable iCloud Notes services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudNotes" allowCloudNotes = 0; If there is no result, or if "allowCloudNotes" is not set to "0", this is a finding.

Fix: F-60823r905223_fix

Configure the macOS system to disable iCloud Notes services by installing the "Restrictions Policy" configuration profile.

b
The macOS system must cover or disable the built-in or attached camera when not in use.
CM-7 - Medium - CCI-000381 - V-257198 - SV-257198r905227_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002017
Vuln IDs
  • V-257198
Rule IDs
  • SV-257198r905227_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60883r905225_chk

If the device or operating system does not have a camera installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding. For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. If the camera is not disconnected, covered, or physically disabled, the following configuration is required: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCamera" allowCamera = 0; If the result is "allowCamera = 1" and the collaborative computing device has not been authorized for use, this is a finding.

Fix: F-60824r905226_fix

Configure the macOS system to disable the built-in camera by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable Siri and dictation.
CM-7 - Medium - CCI-000381 - V-257199 - SV-257199r922885_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002020
Vuln IDs
  • V-257199
Rule IDs
  • SV-257199r922885_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. Siri and dictation must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60884r922884_chk

To check if Siri and dictation has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -e "Ironwood Allowed" If the output is not: "Ironwood Allowed = 0", this is a finding.

Fix: F-60825r905229_fix

Configure the macOS system to disable Siri and dictation by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable sending diagnostic and usage data to Apple.
CM-7 - Medium - CCI-000382 - V-257200 - SV-257200r905233_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
APPL-13-002021
Vuln IDs
  • V-257200
Rule IDs
  • SV-257200r905233_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. Sending diagnostic data to Apple must be disabled.
Checks: C-60885r905231_chk

Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowDiagnosticSubmission" allowDiagnosticSubmission = 0; If there is no result, or if "allowDiagnosticSubmission" is not set to "0", this is a finding. Alternatively, the settings are found in System Settings &gt;&gt; Privacy &amp; Security &gt;&gt; Privacy &gt;&gt; Analytics &amp; Improvements. If the box "Share Mac Analytics" is checked, this is a finding. If the box "Improve Siri &amp; Dictation" is checked, this is a finding. If the box "Share with app developers" is checked, this is a finding.

Fix: F-60826r905232_fix

Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the "Restrictions Policy" configuration profile. Alternatively, the settings can be configured in System Settings >> Privacy & Security >> Privacy >> Analytics & Improvements by performing the following: - Uncheck the box, "Share Mac Analytics". - Uncheck the box "Improve Siri & Dictation". - Uncheck the box "Share with app developers".

b
The macOS system must be configured to disable Remote Apple Events.
CM-7 - Medium - CCI-000382 - V-257201 - SV-257201r905236_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
APPL-13-002022
Vuln IDs
  • V-257201
Rule IDs
  • SV-257201r905236_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. Remote Apple Events must be disabled.
Checks: C-60886r905234_chk

Verify the macOS system is configured to disable Remote Apple Events with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer "com.apple.AEServer" =&gt; disabled If the results are not "com.apple.AEServer =&gt; disabled", this is a finding.

Fix: F-60827r905235_fix

Configure the macOS system to disable Remote Apple Events with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer The system may need to be restarted for the update to take effect.

c
The macOS system must be configured to disable the system preference pane for Apple ID.
CM-7 - High - CCI-001774 - V-257202 - SV-257202r905239_rule
RMF Control
CM-7
Severity
H
CCI
CCI-001774
Version
APPL-13-002031
Vuln IDs
  • V-257202
Rule IDs
  • SV-257202r905239_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and thus can remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Apple ID System Preference Pane must be disabled.
Checks: C-60887r905237_chk

Verify the macOS system is configured to disable access to the Apple ID preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.AppleIDPrefPane", this is a finding.

Fix: F-60828r905238_fix

Configure the macOS system to disable access to the Apple ID preference pane by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the system preference pane for Internet Accounts.
CM-7 - Medium - CCI-000381 - V-257203 - SV-257203r905242_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002032
Vuln IDs
  • V-257203
Rule IDs
  • SV-257203r905242_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Internet Accounts System Preference Pane must be disabled.
Checks: C-60888r905240_chk

Verify the macOS system is configured to disable access to the Internet Accounts preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.internetaccounts", this is a finding.

Fix: F-60829r905241_fix

Configure the macOS system to disable access to the Internet Accounts preference pane by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the Cloud Setup services.
CM-7 - Medium - CCI-000381 - V-257204 - SV-257204r905245_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002035
Vuln IDs
  • V-257204
Rule IDs
  • SV-257204r905245_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60889r905243_chk

Verify the macOS system is configured to disable the Cloud Setup services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipCloudSetup" SkipCloudSetup = 1; If there is no result, or if "SkipCloudSetup" is not set to "1", this is a finding.

Fix: F-60830r905244_fix

Configure the macOS system to disable the Cloud Setup services by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the Privacy Setup services.
CM-7 - Medium - CCI-000381 - V-257205 - SV-257205r905248_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002036
Vuln IDs
  • V-257205
Rule IDs
  • SV-257205r905248_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60890r905246_chk

Verify the macOS system is configured to disable the Privacy Setup services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipPrivacySetup" SkipPrivacySetup = 1; If there is no result, or if "SkipPrivacySetup" is not set to "1", this is a finding.

Fix: F-60831r905247_fix

Configure the macOS system to disable the Privacy Setup services by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the Cloud Storage Setup services.
CM-7 - Medium - CCI-000381 - V-257206 - SV-257206r905251_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002037
Vuln IDs
  • V-257206
Rule IDs
  • SV-257206r905251_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60891r905249_chk

Verify the macOS system is configured to disable the Cloud Storage Setup services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipiCloudStorageSetup" SkipiCloudStorageSetup = 1; If there is no result, or if "SkipiCloudStorageSetup" is not set to "1", this is a finding.

Fix: F-60832r905250_fix

Configure the macOS system to disable the Cloud Storage Setup services by installing the "Restrictions Policy" configuration profile.

c
The macOS system must be configured to disable the "tftp" service.
IA-5 - High - CCI-000197 - V-257207 - SV-257207r905254_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
APPL-13-002038
Vuln IDs
  • V-257207
Rule IDs
  • SV-257207r905254_rule
The "tftp" service must be disabled as it sends all data in a clear-text form that can be easily intercepted and read. The data needs to be protected at all times during transmission, and encryption is the standard method for protecting data in transit. If the data is not encrypted during transmission, it can be plainly read (i.e., clear text) and easily compromised. Disabling "ftp" is one way to mitigate this risk. Administrators must be instructed to use an alternate service for data transmission that uses encryption, such as SFTP. Additionally, the "tftp" service uses UDP, which is not secure.
Checks: C-60892r905252_chk

Verify the macOS system is configured to disable the tfptd service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.tftpd "com.apple.tftpd" =&gt; disabled If the results are not "com.apple.tftpd =&gt; disabled", this is a finding.

Fix: F-60833r905253_fix

Configure the macOS system to disable the "tftpd" service with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.tftpd The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable the Siri Setup services.
CM-7 - Medium - CCI-000381 - V-257208 - SV-257208r905257_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002039
Vuln IDs
  • V-257208
Rule IDs
  • SV-257208r905257_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Siri setup pop-up must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60893r905255_chk

Verify the macOS system is configured to disable the Siri Setup services with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipSiriSetup" SkipSiriSetup = 1; If there is no result, or if "SkipSiriSetup" is not set to "1", this is a finding.

Fix: F-60834r905256_fix

Configure the macOS system to disable the Siri Setup services by installing the "Restrictions Policy" configuration profile.

b
The macOS system must disable iCloud Keychain synchronization.
CM-7 - Medium - CCI-000381 - V-257209 - SV-257209r905260_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002040
Vuln IDs
  • V-257209
Rule IDs
  • SV-257209r905260_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. Keychain synchronization must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60894r905258_chk

Verify the macOS system is configured to disable iCloud Keychain synchronization with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudKeychainSync" allowCloudKeychainSync = 0; If there is no result, or if "allowCloudKeychainSync" is not set to "0", this is a finding.

Fix: F-60835r905259_fix

Configure the macOS system to disable iCloud Keychain synchronization by installing the "Restrictions Policy" configuration profile.

b
The macOS system must disable iCloud Document synchronization.
CM-7 - Medium - CCI-000381 - V-257210 - SV-257210r905263_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002041
Vuln IDs
  • V-257210
Rule IDs
  • SV-257210r905263_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. iCloud Document synchronization must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60895r905261_chk

Verify the macOS system is configured to disable iCloud Document synchronization with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudDocumentSync" allowCloudDocumentSync = 0; If there is no result, or if "allowCloudDocumentSync" is not set to "0", this is a finding.

Fix: F-60836r905262_fix

Configure the macOS system to disable iCloud Document synchronization by installing the "Restrictions Policy" configuration profile.

b
The macOS system must disable iCloud Bookmark synchronization.
CM-7 - Medium - CCI-000381 - V-257211 - SV-257211r905266_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002042
Vuln IDs
  • V-257211
Rule IDs
  • SV-257211r905266_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. iCloud Bookmark syncing must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60896r905264_chk

Verify the macOS system is configured to disable iCloud Bookmark synchronization with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudBookmarks" allowCloudBookmarks = 0; If there is no result, or if "allowCloudBookmarks" is not set to "0", this is a finding.

Fix: F-60837r905265_fix

Configure the macOS system to disable iCloud Bookmark synchronization by installing the "Restrictions Policy" configuration profile.

b
The macOS system must disable the iCloud Photo Library.
CM-7 - Medium - CCI-000381 - V-257212 - SV-257212r905269_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002043
Vuln IDs
  • V-257212
Rule IDs
  • SV-257212r905269_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The iCloud Photo Library must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60897r905267_chk

Verify the macOS system is configured to disable the iCloud Photo Library with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowCloudPhotoLibrary" allowCloudPhotoLibrary = 0; If there is no result, or if "allowCloudPhotoLibrary" is not set to "0", this is a finding.

Fix: F-60838r905268_fix

Configure the macOS system to disable the iCloud Photo Library by installing the "Restrictions Policy" configuration profile.

b
The macOS system must disable the Screen Sharing feature.
CM-6 - Medium - CCI-000366 - V-257213 - SV-257213r905272_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-002050
Vuln IDs
  • V-257213
Rule IDs
  • SV-257213r905272_rule
The Screen Sharing feature allows remote users to view or control the desktop of the current user. A malicious user can take advantage of screen sharing to gain full access to the system remotely, either with stolen credentials or by guessing the username and password. Disabling Screen Sharing mitigates this risk.
Checks: C-60898r905270_chk

Verify the macOS system is configured to disable the Screen Sharing feature with the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing "com.apple.screensharing =&gt; disabled" If "com.apple.screensharing" is not set to "disabled", this is a finding.

Fix: F-60839r905271_fix

Configure the macOS system to disable the Screen Sharing service with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing The system may need to be restarted for the update to take effect.

b
The macOS system must be configured to disable the system preference pane for TouchID and Password.
CM-7 - Medium - CCI-000381 - V-257214 - SV-257214r905275_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002051
Vuln IDs
  • V-257214
Rule IDs
  • SV-257214r905275_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The TouchID & Password preference pane must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60899r905273_chk

Verify the macOS system is configured to disable access to the TouchID &amp; Password preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.password", this is a finding.

Fix: F-60840r905274_fix

Configure the macOS system to disable access to the TouchID & Password preference pane by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.
CM-7 - Medium - CCI-000381 - V-257215 - SV-257215r905278_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002052
Vuln IDs
  • V-257215
Rule IDs
  • SV-257215r905278_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Wallet & ApplePay preference pane must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60900r905276_chk

Verify the macOS system is configured to disable access to the Wallet &amp; ApplePay preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the return is not two arrays "HiddenPreferencePanes" and "DisabledPreferencePanes", each containing "com.apple.preferences.wallet", this is a finding.

Fix: F-60841r905277_fix

Configure the macOS system to disable access to the Wallet & ApplePay preference pane by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable the system preference pane for Siri.
CM-7 - Medium - CCI-000381 - V-257216 - SV-257216r905281_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-002053
Vuln IDs
  • V-257216
Rule IDs
  • SV-257216r905281_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but that cannot be disabled. The Siri preference pane must be disabled. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
Checks: C-60901r905279_chk

Verify the macOS system is configured to disable access to the Siri preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preference.speech", this is a finding.

Fix: F-60842r905280_fix

Configure the macOS system to disable access to the Siri preference pane by installing the "Restrictions Policy" configuration profile.

b
The macOS system must only allow applications with a valid digital signature to run.
CM-6 - Medium - CCI-000366 - V-257217 - SV-257217r905284_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-002060
Vuln IDs
  • V-257217
Rule IDs
  • SV-257217r905284_rule
Gatekeeper settings must be configured correctly to only allow the system to run applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
Checks: C-60902r905282_chk

Verify the macOS system is configured to only allow applications with a valid digital signature with the following commands: /usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -B 3 -A 4 -e "Obtained from: Unknown" | /usr/bin/grep -v -e "Location: /Library/Application Support/Script Editor/Templates" -e "Location: /System/Library/" | /usr/bin/awk -F "Location: " '{print $2}' | /usr/bin/sort -u If any results are returned and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify only applications with a valid digital signature are allowed to run: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E "(EnableAssessment | AllowIdentifiedDevelopers)" If the result is not as follows, this is a finding. "AllowIdentifiedDevelopers = 1; EnableAssessment = 1;"

Fix: F-60843r905283_fix

Configure the macOS system to only allow applications with a valid digital signature by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured with Bluetooth turned off unless approved by the organization.
IA-3 - Low - CCI-001967 - V-257218 - SV-257218r905287_rule
RMF Control
IA-3
Severity
L
CCI
CCI-001967
Version
APPL-13-002062
Vuln IDs
  • V-257218
Rule IDs
  • SV-257218r905287_rule
Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. Satisfies: SRG-OS-000379-GPOS-00164, SRG-OS-000481-GPOS-00481
Checks: C-60903r905285_chk

Verify the macOS system is configured to disable Bluetooth with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableBluetooth" DisableBluetooth = 1; If the result is not "DisableBluetooth = 1" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding. Verify the macOS system is configured to disable access to the Bluetooth preference pane with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 6 "DisabledPreferencePanes" If the result is not an array listing "DisabledPreferencePanes" containing "com.apple.preferences.Bluetooth" and the use of Bluetooth has not been documented with the ISSO as an operational requirement, this is a finding.

Fix: F-60844r905286_fix

Configure the macOS system to disable Bluetooth and disable access to the Bluetooth preference pane by installing the "Custom Policy" and "Restrictions Policy" configuration profiles.

c
The macOS system must disable the guest account.
CM-5 - High - CCI-001813 - V-257219 - SV-257219r922875_rule
RMF Control
CM-5
Severity
H
CCI
CCI-001813
Version
APPL-13-002063
Vuln IDs
  • V-257219
Rule IDs
  • SV-257219r922875_rule
Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals must be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-60904r922874_chk

Verify the macOS system is configured to disable the guest account with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "GuestAccount" DisableGuestAccount = 1; EnableGuestAccount = 0; If the result are not "DisableGuestAccount = 1" and "EnableGuestAccount = 0", this is a finding.

Fix: F-60845r905289_fix

Configure the macOS system to disable the guest account by installing the "Login Window Policy" configuration profile.

c
The macOS system must have the security assessment policy subsystem enabled.
CM-5 - High - CCI-001749 - V-257220 - SV-257220r905293_rule
RMF Control
CM-5
Severity
H
CCI
CCI-001749
Version
APPL-13-002064
Vuln IDs
  • V-257220
Rule IDs
  • SV-257220r905293_rule
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical must be signed with a certificate that is recognized and approved by the organization.
Checks: C-60905r905291_chk

Verify the macOS system is configured with the security assessment policy subsystem enabled with the following command: /usr/sbin/spctl --status assessments enabled If "assessments enabled" is not returned, this is a finding.

Fix: F-60846r905292_fix

Configure the macOS system to enable the security assessment policy subsystem by installing the "Custom Policy" configuration profile.

b
The macOS system must not allow an unattended or automatic logon to the system.
CM-6 - Medium - CCI-000366 - V-257221 - SV-257221r905296_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-002066
Vuln IDs
  • V-257221
Rule IDs
  • SV-257221r905296_rule
Failure to restrict system access to authenticated users negatively impacts operating system security.
Checks: C-60906r905294_chk

Verify the macOS system is configured to not allow automatic logon with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableAutoLoginClient" "com.apple.login.mcx.DisableAutoLoginClient" = 1; If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.

Fix: F-60847r905295_fix

Configure the macOS system to not allow automatic login by installing the "Login Window Policy" configuration profile.

b
The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
CM-6 - Medium - CCI-000366 - V-257222 - SV-257222r905299_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-002068
Vuln IDs
  • V-257222
Rule IDs
  • SV-257222r905299_rule
Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230
Checks: C-60907r905297_chk

Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands: /bin/ls -le /Users This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which must be: 0: group:everyone deny delete For every authorized user account, also run the following command: /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be: drwx------+ 0: group:everyone deny delete The exception is the "Public" directory, whose permissions must match the following: drwxr-xr-x+ 0: group:everyone deny delete If the permissions returned by either of these checks differ from what is shown, this is a finding.

Fix: F-60848r905298_fix

Configure the macOS system to set the appropriate permissions for each user on the system with the following command: /usr/sbin/diskutil resetUserPermissions / DeviceNode UID, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired.

c
The macOS system must use an approved antivirus program.
CM-6 - High - CCI-000366 - V-257224 - SV-257224r922877_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
APPL-13-002070
Vuln IDs
  • V-257224
Rule IDs
  • SV-257224r922877_rule
An approved antivirus product must be installed and configured to run. Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
Checks: C-60909r922876_chk

Verify the macOS system has the XProtect service running with the following command: /bin/launchctl list | /usr/bin/grep -cE "(com.apple.XprotectFramework.PluginService$|com.apple.XProtect.daemon.scan$)" If the results show "2", the XProtect Service is running. If the XProtect service is running, verify that it is configured to update automatically by using the following command: /usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist | /usr/bin/grep "ConfigDataInstall" ConfigDataInstall = 1; If the XProtect service is being used and "ConfigDataInstall" is not set to "1", this is a finding. If XProtect is not active on the system, ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution. If there is no local antivirus solution installed on the system, this is a finding.

Fix: F-60850r905304_fix

Configure the macOS system to automatically update XProtect by installing the "Restrictions Policy" configuration profile. If XProtect is not being used, install an approved antivirus solution on the system.

c
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
IA-5 - High - CCI-000185 - V-257225 - SV-257225r905308_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000185
Version
APPL-13-003001
Vuln IDs
  • V-257225
Rule IDs
  • SV-257225r905308_rule
DOD-approved certificates must be installed to the System Keychain so they will be available to all users. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations; for example, application-specific time services. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000478-GPOS-00223
Checks: C-60910r905306_chk

Verify the macOS system is configured with approved DOD certificates with the following command: /usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | /usr/bin/awk -F\" '{ print $4 }' If this list contains unapproved certificates, this is a finding.

Fix: F-60851r905307_fix

Configure the macOS system with approved DOD certificates from the appropriate authority. Use Keychain Access from "/Applications/Utilities" to add certificates to the System Keychain or build a certificate root trust payload as described in the supplemental documentation supplied in this STIG package.

b
The macOS system must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-257226 - SV-257226r905311_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000194
Version
APPL-13-003007
Vuln IDs
  • V-257226
Rule IDs
  • SV-257226r905311_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-60911r905309_chk

Verify the macOS system is configured to require at least one numeric character in password complexity with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "requireAlphanumeric" requireAlphanumeric = 1; If the result is not "requireAlphanumeric = 1", this is a finding.

Fix: F-60852r905310_fix

Configure the macOS system to require at least one numeric character in password complexity by installing the "Passcode Policy" configuration profile.

b
The macOS system must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-257227 - SV-257227r905314_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
APPL-13-003008
Vuln IDs
  • V-257227
Rule IDs
  • SV-257227r905314_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Checks: C-60912r905312_chk

Verify the macOS system is configured to enforce a 60-day maximum password lifetime with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "maxPINAgeInDays" maxPINAgeInDays = 60; If "maxPINAgeInDays" is set a value greater than "60", this is a finding.

Fix: F-60853r905313_fix

Configure the macOS system to require the enforcement of a 60-day maximum password lifetime by installing the "Passcode Policy" configuration profile.

b
The macOS system must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-257228 - SV-257228r905317_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
APPL-13-003009
Vuln IDs
  • V-257228
Rule IDs
  • SV-257228r905317_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed as per policy requirements.
Checks: C-60913r905315_chk

Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "pinHistory" pinHistory = 5; If "pinHistory" is not set to "5" or greater, this is a finding.

Fix: F-60854r905316_fix

Configure the macOS system to prohibit password reuse for five generations by installing the "Passcode Policy" configuration profile.

b
The macOS system must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-257229 - SV-257229r905320_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
APPL-13-003010
Vuln IDs
  • V-257229
Rule IDs
  • SV-257229r905320_rule
The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-60914r905318_chk

Verify the macOS system is configured to enforce a minimum 15-character password length with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minLength" minLength = 15; If "minLength" is not set to "15", this is a finding.

Fix: F-60855r905319_fix

Configure the macOS system to enforce a 15-character password length by installing the "Passcode Policy" configuration profile.

b
The macOS system must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-257230 - SV-257230r905323_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001619
Version
APPL-13-003011
Vuln IDs
  • V-257230
Rule IDs
  • SV-257230r905323_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Checks: C-60915r905321_chk

Verify the macOS system is configured to enforce at least one special character of password complexity with the following commands: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "minComplexChars" minComplexChar = 1; If "minComplexChars" is not set to "1", this is a finding. /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowSimple" allowSimple = 0; If "allowSimple" is not set to "0", this is a finding.

Fix: F-60856r905322_fix

Configure the macOS system to enforce at least one special character of password complexity by installing the "Passcode Policy" configuration profile.

b
The macOS system must be configured to prevent displaying password hints.
CM-6 - Medium - CCI-000366 - V-257231 - SV-257231r905326_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-003012
Vuln IDs
  • V-257231
Rule IDs
  • SV-257231r905326_rule
Password hints leak information about passwords in use and can lead to loss of confidentiality.
Checks: C-60916r905324_chk

Verify the macOS system is configured to prevent displaying passwords hints with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "RetriesUntilHint" RetriesUntilHint = 0; If "RetriesUntilHint" is not set to "0", this is a finding.

Fix: F-60857r905325_fix

Configure the macOS system to prevent displaying password hints by installing the "Login Window Policy" configuration profile.

b
The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
CM-6 - Medium - CCI-000366 - V-257232 - SV-257232r905329_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-003013
Vuln IDs
  • V-257232
Rule IDs
  • SV-257232r905329_rule
Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.
Checks: C-60917r905327_chk

For Apple Silicon-based systems, this is not applicable. Verify the macOS system is configured with a firmware password with the following command: /usr/bin/sudo /usr/sbin/firmwarepasswd -check Password Enabled:Yes If "Password Enabled" is not set to "Yes", this is a finding.

Fix: F-60858r905328_fix

Configure the macOS system with a firmware password with the following command: /usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.

c
The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.
IA-5 - High - CCI-000187 - V-257233 - SV-257233r905332_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000187
Version
APPL-13-003020
Vuln IDs
  • V-257233
Rule IDs
  • SV-257233r905332_rule
Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1) something a user knows (e.g., password/PIN); 2) something a user has (e.g., cryptographic identification device, token); and 3) something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
Checks: C-60918r905330_chk

Verify the macOS system is configured to enforce multifactor authentication with the following commands: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "enforceSmartCard" enforceSmartCard = 1; If "enforceSmartCard" is not set to "1", this is a finding.

Fix: F-60859r905331_fix

Configure the macOS system to enforce multifactor authentication by installing the "Smart Card Policy" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

b
The macOS system must be configured so that the login command requires smart card authentication.
CM-6 - Medium - CCI-000366 - V-257234 - SV-257234r905335_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-003050
Vuln IDs
  • V-257234
Rule IDs
  • SV-257234r905335_rule
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Checks: C-60919r905333_chk

For systems that are not using smart card authentication, this requirements is not applicable. Verify the macOS system is configured to require smart card authentication for the login command with the following command: /bin/cat /etc/pam.d/login If the text that returns does not include the line "auth sufficient pam_smartcard.so" at the TOP of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.

Fix: F-60860r905334_fix

Configure the macOS system to require smart card authentication for the login command with the following procedure: /usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"` Replace the contents of "/etc/pam.d/login" with the following: # login: auth account password session auth sufficient pam_smartcard.so auth optional pam_krb5.so use_kcminit auth optional pam_ntlm.so try_first_pass auth optional pam_mount.so try_first_pass auth required pam_opendirectory.so try_first_pass auth required pam_deny.so account required pam_nologin.so account required pam_opendirectory.so password required pam_opendirectory.so session required pam_launchd.so session required pam_uwtmp.so session optional pam_mount.so

b
The macOS system must be configured so that the su command requires smart card authentication.
CM-6 - Medium - CCI-000366 - V-257235 - SV-257235r905338_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-003051
Vuln IDs
  • V-257235
Rule IDs
  • SV-257235r905338_rule
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Checks: C-60920r905336_chk

For systems that are not using smart card authentication, this requirement is not applicable. Verify the macOS system is configured to require smart card authentication for the "su" command with the following command: /bin/cat /etc/pam.d/su If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing and the next line is not "auth required pam_rootok.so", this is a finding.

Fix: F-60861r905337_fix

Configure the macOS system to require smart card authentication for the su command with the following procedure: /usr/bin/sudo /bin/cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"` Replace the contents of "/etc/pam.d/su" with the following: # su: auth account session auth sufficient pam_smartcard.so auth required pam_rootok.so account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe account required pam_opendirectory.so no_check_shell password required pam_opendirectory.so session required pam_launchd.so

b
The macOS system must be configured so that the sudo command requires smart card authentication.
CM-6 - Medium - CCI-000366 - V-257236 - SV-257236r905341_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-003052
Vuln IDs
  • V-257236
Rule IDs
  • SV-257236r905341_rule
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Checks: C-60921r905339_chk

For systems that are not using smart card authentication, this requirement is not applicable. Verify the macOS system is configured to require smart card authentication for the "sudo" command with the following command: /bin/cat /etc/pam.d/sudo If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the top of the listing and "auth required pam_deny.so" as the last entry of the auth management group, this is a finding.

Fix: F-60862r905340_fix

Configure the macOS system to require smart card authentication for the sudo command with the following procedure: /usr/bin/sudo /bin/cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"` Replace the contents of "/etc/pam.d/sudo" with the following: # sudo: auth account password session auth sufficient pam_smartcard.so auth required pam_opendirectory.so auth required pam_deny.so account required pam_permit.so password required pam_deny.so session required pam_permit.so

b
The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
SI-11 - Medium - CCI-001314 - V-257237 - SV-257237r905344_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
APPL-13-004001
Vuln IDs
  • V-257237
Rule IDs
  • SV-257237r905344_rule
System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk. Some system log files are controlled by "newsyslog" and "aslmanager".
Checks: C-60922r905342_chk

Verify the macOS system is configured with system log files owned by root or a service account and group-owned by wheel or admin with the commands below. These commands must be run from inside "/var/log". /usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2&gt; /dev/null /usr/bin/sudo /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^&gt;' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2&gt; /dev/null If there are any system log files that are not owned by "root" or a service account and group-owned by "wheel" or "admin", this is a finding.

Fix: F-60863r905343_fix

Configure the macOS system with system log files owned by root or a service account and group-owned by wheel or admin with the following command: /usr/bin/sudo chown root:wheel [log file] Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure the owner:group column is set to "root:wheel" or the appropriate service account and group. If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are set to a service account and group, respectively.

b
The macOS system must be configured with system log files set to mode 640 or less permissive.
SI-11 - Medium - CCI-001314 - V-257238 - SV-257238r905347_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
APPL-13-004002
Vuln IDs
  • V-257238
Rule IDs
  • SV-257238r905347_rule
System logs must only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.
Checks: C-60923r905345_chk

Verify the macOS system is configured with system log files set to mode 640 or less with the commands below. These commands must be run from inside "/var/log". /usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2&gt; /dev/null /usr/bin/sudo /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^&gt;' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2&gt; /dev/null If the permissions on log files are not "640" or less permissive, this is a finding.

Fix: F-60864r905346_fix

Configure the macOS system with system log files set to mode 640 with the following command: /usr/bin/sudo chmod 640 [log file] Alternatively, if the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640". Or, if the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640".

b
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
IA-11 - Medium - CCI-002038 - V-257239 - SV-257239r922880_rule
RMF Control
IA-11
Severity
M
CCI
CCI-002038
Version
APPL-13-004022
Vuln IDs
  • V-257239
Rule IDs
  • SV-257239r922880_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Checks: C-60924r922878_chk

Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command: /usr/bin/sudo /usr/bin/grep -r "timestamp_timeout" /etc/sudoers* /etc/sudoers.d/&lt;customfile&gt;:Defaults timestamp_timeout=0 If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.

Fix: F-60865r922879_fix

Configure the macOS system to require reauthentication when using the "sudo" command by creating a plain text file in the /private/etc/sudoers.d/ directory containing the following: Defaults timestamp_timeout=0

c
The macOS system must enable System Integrity Protection.
AU-6 - High - CCI-000154 - V-257240 - SV-257240r905353_rule
RMF Control
AU-6
Severity
H
CCI
CCI-000154
Version
APPL-13-005001
Vuln IDs
  • V-257240
Rule IDs
  • SV-257240r905353_rule
System Integrity Protection (SIP) is vital to the protection of the integrity of macOS. SIP restricts what actions can be performed by administrative users, including root, against protected parts of the operating system. SIP protects all system binaries, including audit tools, from unauthorized access by preventing the modification or deletion of system binaries, or the changing of the permissions associated with those binaries. SIP limits the privileges to change software resident within software libraries to processes that have signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. By protecting audit binaries, SIP ensures the presence of an audit record generation capability for DOD-defined auditable events for all operating system components and supports on-demand and after-the-fact reporting requirements. The XProtect program is part of the SIP component and is integral to protecting the operating system from malware and malicious code. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142
Checks: C-60925r905351_chk

Verify the macOS system is configured to enable System Integrity Protection with the following command: /usr/bin/csrutil status System Integrity Protection status: enabled. If the "System Integrity Protection" is not set to "enabled", this is a finding.

Fix: F-60866r905352_fix

Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, then launch "Terminal" from the "Utilities" menu, and run the following command: /usr/bin/csrutil enable

c
The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
SC-28 - High - CCI-001199 - V-257241 - SV-257241r905356_rule
RMF Control
SC-28
Severity
H
CCI
CCI-001199
Version
APPL-13-005020
Vuln IDs
  • V-257241
Rule IDs
  • SV-257241r905356_rule
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can be read, copied, or altered. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. FileVault Disk Encryption mitigates this risk. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
Checks: C-60926r905354_chk

Verify the macOS system is configured to enable "FileVault" with the following command: /usr/bin/fdesetup status If "FileVault" is "Off" and the device is a mobile device or the organization has determined that the drive must encrypt data at rest, this is a finding.

Fix: F-60867r905355_fix

Configure the macOS system to enable "FileVault" by opening System Settings >> Privacy & Security >> Security and navigate to the "FileVault" section. Use this panel to configure full-disk encryption. Alternatively, from the command line, run the following command to enable "FileVault": /usr/bin/sudo /usr/bin/fdesetup enable After "FileVault" is initially set up, additional users can be added.

b
The macOS Application Firewall must be enabled.
CM-6 - Medium - CCI-000366 - V-257242 - SV-257242r905359_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-005050
Vuln IDs
  • V-257242
Rule IDs
  • SV-257242r905359_rule
Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
Checks: C-60927r905357_chk

Verify the macOS system is configured to enable the built-in firewall with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "EnableFirewall\|EnableStealthMode" EnableFirewall = 1; EnableStealthMode = 1; If "EnableFirewall" and "EnableStealthMode" are not set to "1", this is a finding.

Fix: F-60868r905358_fix

Configure the macOS system to enable the built-in firewall by installing the "Restrictions Policy" configuration profile.

b
The macOS system must restrict the ability of individuals to use USB storage devices.
CM-6 - Medium - CCI-000366 - V-257243 - SV-257243r905362_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-005051
Vuln IDs
  • V-257243
Rule IDs
  • SV-257243r905362_rule
External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.
Checks: C-60928r905360_chk

Verify the macOS system is configured to disable USB storage devices with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls" bd = ( "read-only" ); blankbd = ( deny, eject ); blankcd = ( deny, eject ); blankdvd = ( deny, eject ); cd = ( "read-only" ); "disk-image" = ( "read-only" ); dvd = ( "read-only" ); dvdram = ( deny, eject ); "harddisk-external" = ( deny, eject ); If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix: F-60869r905361_fix

Configure the macOS system to disable USB storage devices by installing the "Restrictions Policy" configuration profile.

b
The macOS system logon window must be configured to prompt for username and password.
CM-6 - Medium - CCI-000366 - V-257244 - SV-257244r905365_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
APPL-13-005052
Vuln IDs
  • V-257244
Rule IDs
  • SV-257244r905365_rule
The logon window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users at the logon screen. This gives an advantage to an attacker with physical access to the system, as the attacker would only have to guess the password for one of the listed accounts.
Checks: C-60929r905363_chk

Verify the macOS system is configured to prompt for username and password at the logon window with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SHOWFULLNAME" SHOWFULLNAME = 1; If "SHOWFULLNAME" is not set to "1", this is a finding.

Fix: F-60870r905364_fix

Configure the macOS system to prompt for username and password at the logon window by installing the "Login Window Policy" configuration profile.

a
The macOS system must restrict the ability of individuals to write to external optical media.
CM-6 - Low - CCI-000366 - V-257245 - SV-257245r905368_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
APPL-13-005053
Vuln IDs
  • V-257245
Rule IDs
  • SV-257245r905368_rule
External writeable media devices must be disabled for users. External optical media devices can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.
Checks: C-60930r905366_chk

Verify the macOS system is configured to disable writing to external optical media devices with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "BurnSupport" BurnSupport = off; If "BurnSupport" is not set to "off" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix: F-60871r905367_fix

Configure the macOS system to disable writing to external optical media devices by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable prompts to configure Touch ID.
CM-7 - Medium - CCI-000381 - V-257246 - SV-257246r905371_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-005054
Vuln IDs
  • V-257246
Rule IDs
  • SV-257246r905371_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60931r905369_chk

Verify the macOS system is configured to disable prompts to setup TouchID with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipTouchIDSetup" SkipTouchIDSetup = 1; If "SkipTouchIDSetup" is not set to "1", this is a finding.

Fix: F-60872r905370_fix

Configure the macOS system to disable prompts to setup TouchID by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to disable prompts to configure ScreenTime.
CM-7 - Low - CCI-000381 - V-257247 - SV-257247r905374_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-005055
Vuln IDs
  • V-257247
Rule IDs
  • SV-257247r905374_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60932r905372_chk

Verify the macOS system is configured to disable Screentime Setup with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipScreenTime" SkipScreenTime = 1; If "SkipScreenTime" is not set to "1", this is a finding.

Fix: F-60873r905373_fix

Configure the macOS system to disable Screentime Setup by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to disable prompts to configure Unlock with Watch.
CM-7 - Medium - CCI-000381 - V-257248 - SV-257248r905377_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-005056
Vuln IDs
  • V-257248
Rule IDs
  • SV-257248r905377_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60933r905375_chk

Verify the macOS system is configured to disable prompts to setup Unlock with Watch with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "SkipUnlockWithWatch" SkipUnlockWithWatch = 1; If "SkipUnlockWithWatch" is not set to "1", this is a finding.

Fix: F-60874r905376_fix

Configure the macOS system to disable prompts to setup Unlock with Watch by installing the "Restrictions Policy" configuration profile.

a
The macOS system must be configured to prevent activity continuation between Apple devices.
CM-7 - Low - CCI-000381 - V-257249 - SV-257249r905380_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
APPL-13-005058
Vuln IDs
  • V-257249
Rule IDs
  • SV-257249r905380_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60934r905378_chk

Verify the macOS system is configured to prevent activity continuation between Apple devices with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowActivityContinuation" allowActivityContinuation = 0; If "allowActivityContinuation" is not set to "0", this is a finding.

Fix: F-60875r905379_fix

Configure the macOS system to prevent activity continuation between Apple devices by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.
CM-7 - Medium - CCI-000381 - V-257250 - SV-257250r905383_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-005060
Vuln IDs
  • V-257250
Rule IDs
  • SV-257250r905383_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60935r905381_chk

Verify the macOS system is configured to prevent password proximity sharing with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowPasswordProximityRequests" allowPasswordProximityRequests = 0; If "allowPasswordProximityRequests" is not set to "0", this is a finding.

Fix: F-60876r905382_fix

Configure the macOS system to prevent Configure the macOS system to prevent password proximity sharing by installing the "Restrictions Policy" configuration profile.

b
The macOS system must be configured to prevent users from erasing all system content and settings.
CM-7 - Medium - CCI-000381 - V-257251 - SV-257251r905386_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
APPL-13-005061
Vuln IDs
  • V-257251
Rule IDs
  • SV-257251r905386_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
Checks: C-60936r905384_chk

Verify the macOS system is configured to prevent users from erasing all system content and settings with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowEraseContentAndSettings" allowEraseContentAndSettings = 0; If "allowEraseContentAndSettings" is not set to "0", this is a finding.

Fix: F-60877r905385_fix

Configure the macOS system to prevent users from erasing all system content and settings by installing the "Restrictions Policy" configuration profile.

c
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
AC-17 - High - CCI-000068 - V-257293 - SV-257293r919358_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000057
Vuln IDs
  • V-257293
Rule IDs
  • SV-257293r919358_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Checks: C-60980r919356_chk

Verify the macOS system is configured to use approved SSH ciphers within the SSH client configuration with the following command: /usr/bin/sudo /usr/bin/grep -ir "ciphers" /etc/ssh/ssh_config* /etc/ssh/ssh_config.d/fips_ssh_config:Ciphers aes128-gcm@openssh.com If any ciphers other than "aes128-gcm@openssh.com" are listed, or the "ciphers" keyword is missing, this is a finding.

Fix: F-60907r919357_fix

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following: Ciphers aes128-gcm@openssh.com The SSH service must be restarted for changes to take effect.

c
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
AC-17 - High - CCI-000068 - V-257294 - SV-257294r919361_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000058
Vuln IDs
  • V-257294
Rule IDs
  • SV-257294r919361_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175
Checks: C-60981r919359_chk

Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command: /usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config* /etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256 If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Fix: F-60908r919360_fix

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following: MACs hmac-sha2-256 The SSH service must be restarted for changes to take effect.

c
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
AC-17 - High - CCI-000068 - V-257295 - SV-257295r919364_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
APPL-13-000059
Vuln IDs
  • V-257295
Rule IDs
  • SV-257295r919364_rule
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176
Checks: C-60982r919362_chk

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH client configuration with the following command: /usr/bin/sudo /usr/bin/grep -ir "kexalgorithms" /etc/ssh/ssh_config* /etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256 If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Fix: F-60909r919363_fix

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following: KexAlgorithms ecdh-sha2-nistp256 The SSH service must be restarted for changes to take effect.

b
The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - Medium - CCI-002235 - V-257776 - SV-257776r922883_rule
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
APPL-13-002069
Vuln IDs
  • V-257776
Rule IDs
  • SV-257776r922883_rule
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
Checks: C-61517r922881_chk

Verify the macOS system is configured to require authentication to access all system-level preference panes with the following commands: /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | /usr/bin/grep -A1 shared &lt;key&gt;shared&lt;/key&gt; &lt;false/&gt; If the "shared" key is not set to "false", this is a finding.

Fix: F-61441r922882_fix

Configure the macOS system to require authentication to access all system-level preference panes with the following actions: Copy the authorization database to a file: /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > ~/Desktop/authdb.txt Edit the "shared" section of the file: <key>shared</key> <false/> Reload the authorization database: /usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < ~/Desktop/authdb.txt