Apple macOS 14 (Sonoma) Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-01-10
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
b
The macOS system must prevent Apple Watch from terminating a session lock.
AC-11 - Medium - CCI-000056 - V-259418 - SV-259418r940876_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
APPL-14-000001
Vuln IDs
  • V-259418
Rule IDs
  • SV-259418r940876_rule
Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures.
Checks: C-63157r940874_chk

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAutoUnlock').js EOS If the result is not "false", this is a finding.

Fix: F-63065r940875_fix

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must enforce screen saver password.
AC-11 - Medium - CCI-000056 - V-259419 - SV-259419r940879_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
APPL-14-000002
Vuln IDs
  • V-259419
Rule IDs
  • SV-259419r940879_rule
Users must authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
Checks: C-63158r940877_chk

Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('askForPassword').js EOS If the result is not "true", this is a finding.

Fix: F-63066r940878_fix

Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "com.apple.screensaver" configuration profile.

b
The macOS system must enforce session lock no more than five seconds after screen saver is started.
AC-11 - Medium - CCI-000056 - V-259420 - SV-259420r940882_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
APPL-14-000003
Vuln IDs
  • V-259420
Rule IDs
  • SV-259420r940882_rule
A screen saver must be enabled and the system must be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds. An unattended system with an excessive grace period is vulnerable to a malicious user.
Checks: C-63159r940880_chk

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command: /usr/bin/osascript -l JavaScript << EOS function run() { let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('askForPasswordDelay')) if ( delay <= 5 ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63067r940881_fix

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "com.apple.screensaver" configuration profile.

b
The macOS system must configure user session lock when a smart token is removed.
AC-11 - Medium - CCI-000058 - V-259421 - SV-259421r940885_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000058
Version
APPL-14-000005
Vuln IDs
  • V-259421
Rule IDs
  • SV-259421r940885_rule
The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absence. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.
Checks: C-63160r940883_chk

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('tokenRemovalAction').js EOS If the result is not "1", this is a finding.

Fix: F-63068r940884_fix

Configure the macOS system to lock the user session when a smart token is removed by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

b
The macOS system must disable hot corners.
AC-11 - Medium - CCI-000060 - V-259422 - SV-259422r940888_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000060
Version
APPL-14-000007
Vuln IDs
  • V-259422
Rule IDs
  • SV-259422r940888_rule
Hot corners must be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
Checks: C-63161r940886_chk

Verify the macOS system is configured to disable hot corners with the following command: /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0' If the result is not "4", this is a finding.

Fix: F-63069r940887_fix

Configure the macOS system to disable hot corners by installing the "com.apple.ManagedClient.preferences" configuration profile.

b
The macOS system must prevent AdminHostInfo from being available at LoginWindow.
AC-11 - Medium - CCI-000057 - V-259423 - SV-259423r940891_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
APPL-14-000009
Vuln IDs
  • V-259423
Rule IDs
  • SV-259423r940891_rule
The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed.
Checks: C-63162r940889_chk

Verify the macOS system is configured to prevent AdminHostInfo from being available at LoginWindow with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectIsForcedForKey('AdminHostInfo') EOS If the result is not "false", this is a finding.

Fix: F-63070r940890_fix

Configure the macOS system to prevent AdminHostInfo from being available at LoginWindow by installing the "com.apple.loginwindow" configuration profile.

b
The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
AC-2 - Medium - CCI-000016 - V-259424 - SV-259424r940894_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000016
Version
APPL-14-000012
Vuln IDs
  • V-259424
Rule IDs
  • SV-259424r940894_rule
The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts must be set to 72 hours (or less) when the temporary or emergency account is created. If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. Satisfies: SRG-OS-000002-GPOS-00002,SRG-OS-000123-GPOS-00064
Checks: C-63163r940892_chk

Verify if a password policy is enforced by a directory service by asking the system administrator (SA) or information system security officer (ISSO). If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory service, this is a finding. Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.

Fix: F-63071r940893_fix

This setting may be enforced using local policy or by a directory service. To set local policy to disable a temporary or emergency user, create a plain text file containing the following: <dict> <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime+259299</string> <key>policyIdentifier</key> <string>Disable Tmp Accounts </string> </dict> </array> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username" and the path to the file in place of "/path/to/file". /usr/bin/pwpolicy -u username setaccountpolicies /path/to/file

b
The macOS system must enforce time synchronization.
AU-8 - Medium - CCI-001891 - V-259425 - SV-259425r940897_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
APPL-14-000014
Vuln IDs
  • V-259425
Rule IDs
  • SV-259425r940897_rule
Time synchronization must be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Satisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144
Checks: C-63164r940895_chk

Verify the macOS system is configured to enforce time synchronization with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\ .objectForKey('TMAutomaticTimeOnlyEnabled').js EOS If the result is not "true", this is a finding.

Fix: F-63072r940896_fix

Configure the macOS system to enforce time synchronization by installing the "com.apple.timed" configuration profile.

b
The macOS system must employ automated mechanisms to determine the state of system components.
SI-2 - Medium - CCI-001233 - V-259426 - SV-259426r940900_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-001233
Version
APPL-14-000015
Vuln IDs
  • V-259426
Rule IDs
  • SV-259426r940900_rule
The macOS system must employ automated mechanisms to determine the state of system components. The DOD requires the installation and use of an approved endpoint security solution to be implemented on the operating system. For additional information, reference all applicable OPORDs and FRAGOs on SIPRNet.
Checks: C-63165r940898_chk

Verify the macOS system is configured with automated mechanisms to determine the state of system components. Ask the system administrator (SA) or information system security officer (ISSO) if the approved endpoint security solution is loaded on the system. If the installed components of the endpoint security solution are not at the DOD-approved minimal versions, this is a finding.

Fix: F-63073r940899_fix

Install the approved endpoint security solution onto the system.

b
The macOS system must be integrated into a directory services infrastructure.
CM-6 - Medium - CCI-000366 - V-259427 - SV-259427r940903_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-000016
Vuln IDs
  • V-259427
Rule IDs
  • SV-259427r940903_rule
A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system.
Checks: C-63166r940901_chk

Verify the macOS system is configured to integrate into a directory service with the following command: /usr/bin/dscl localhost -list . \| /usr/bin/grep -qvE '(Contact\|Search\|Local\|^$)'; /bin/echo $? If the result is not "0", this is a finding.

Fix: F-63074r940902_fix

Configure the macOS system to integrate into an existing directory services infrastructure.

b
The macOS system must limit consecutive failed log on attempts to three.
AC-7 - Medium - CCI-000044 - V-259428 - SV-259428r940906_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
APPL-14-000022
Vuln IDs
  • V-259428
Rule IDs
  • SV-259428r940906_rule
The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time after. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128
Checks: C-63167r940904_chk

Verify the macOS system is configured to limit consecutive failed log on attempts to three with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 &lt;= 3) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.

Fix: F-63075r940905_fix

Configure the macOS system to limit consecutive failed log on attempts to three by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

b
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on.
AC-8 - Medium - CCI-000048 - V-259429 - SV-259429r940909_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
APPL-14-000023
Vuln IDs
  • V-259429
Rule IDs
  • SV-259429r940909_rule
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Satisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
Checks: C-63168r940907_chk

Verify the macOS system is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system. Verify the operating system has the correct text listed in the "/etc/banner" file with the following command: /usr/bin/more /etc/banner The command must return the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the operating system does not display a logon banner before granting remote access or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding. If the text in the "/etc/banner" file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Fix: F-63076r940908_fix

Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text. Name the file "banner" and place it in "/etc/".

b
The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner.
AC-8 - Medium - CCI-000048 - V-259430 - SV-259430r940912_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
APPL-14-000024
Vuln IDs
  • V-259430
Rule IDs
  • SV-259430r940912_rule
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
Checks: C-63169r940910_chk

Verify the macOS system is configured to display the contents of "/etc/banner" before granting access to the system with the following command: /usr/sbin/sshd -G | /usr/bin/grep -c "^banner /etc/banner" If the command does not return "1", this is a finding.

Fix: F-63077r940911_fix

Configure the macOS system to display the contents of "/etc/banner" before granting access to the system by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following: banner /etc/banner

b
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
AC-8 - Medium - CCI-000048 - V-259431 - SV-259431r940915_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
APPL-14-000025
Vuln IDs
  • V-259431
Rule IDs
  • SV-259431r940915_rule
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. The banner must be formatted in accordance with DTM-08-060. Satisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088
Checks: C-63170r940913_chk

Verify the macOS system is configured to display a policy banner with the following command: /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' If "PolicyBanner.rtfd" does not exist, this is a finding. If the permissions for "PolicyBanner.rtfd" are not "644", this is a finding. The banner text of the document must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not worded exactly this way, this is a finding.

Fix: F-63078r940914_fix

Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file "PolicyBanner.rtfd" and place it in "/Library/Security/". Update the permissions of the "/Library/Security/PolicyBanner.rtfd" file with the following command: /usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd

b
The macOS system must configure audit log files to not contain access control lists.
AU-9 - Medium - CCI-000162 - V-259432 - SV-259432r940918_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-000030
Vuln IDs
  • V-259432
Rule IDs
  • SV-259432r940918_rule
The audit log files must not contain access control lists (ACLs). This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63171r940916_chk

Verify the macOS system is configured without ACLs applied to log files with the following command: /bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" If the result is not "0", this is a finding.

Fix: F-63079r940917_fix

Configure the macOS system without ACLs applied to log files with the following command: /bin/chmod -RN /var/audit

b
The macOS system must configure audit log folders to not contain access control lists.
AU-9 - Medium - CCI-000162 - V-259433 - SV-259433r940921_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-000031
Vuln IDs
  • V-259433
Rule IDs
  • SV-259433r940921_rule
The audit log folder must not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63172r940919_chk

Verify the macOS system is configured without ACLs applied to log folders with the following command: /bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" If the result is not "0", this is a finding.

Fix: F-63080r940920_fix

Configure the macOS system without ACLs applied to log folders with the following command: /bin/chmod -N /var/audit

b
The macOS system must disable FileVault automatic log on.
AC-3 - Medium - CCI-000213 - V-259434 - SV-259434r940924_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-000033
Vuln IDs
  • V-259434
Rule IDs
  • SV-259434r940924_rule
If FileVault is enabled, automatic log on must be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automatically log on to the computer once successfully passing user's FileVault credentials. Note: DisableFDEAutoLogin does not have to be set on Apple Silicon-based macOS systems that are smartcard enforced, as smartcards are available at preboot.
Checks: C-63173r940922_chk

Verify the macOS system is configured to disable filevault automatic login with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('DisableFDEAutoLogin').js EOS If the result is not "true", this is a finding.

Fix: F-63081r940923_fix

Configure the macOS system to disable filevault automatic login by installing the "com.apple.loginwindow" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

b
The macOS system must configure SSHD ClientAliveInterval to 900.
SC-10 - Medium - CCI-001133 - V-259435 - SV-259435r940927_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000051
Vuln IDs
  • V-259435
Rule IDs
  • SV-259435r940927_rule
If SSHD is enabled, then it must be configured with the Client Alive Interval set to 900. Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. This setting works in conjunction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached. Note: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Checks: C-63174r940925_chk

Verify the macOS system is configured to set the SSHD ClientAliveInterval to 900 with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}' If the result is not "900", this is a finding.

Fix: F-63082r940926_fix

Configure the macOS system to set the SSHD ClientAliveInterval to 900 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'clientaliveinterval 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientaliveinterval 900" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must configure SSHD ClientAliveCountMax to 1.
SC-10 - Medium - CCI-001133 - V-259436 - SV-259436r940930_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000052
Vuln IDs
  • V-259436
Rule IDs
  • SV-259436r940930_rule
If SSHD is enabled it must be configured with the Client Alive Maximum Count set to 1. This will set the number of client alive messages which may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the SSH server will disconnect the client, terminating the session. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. Note: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Checks: C-63175r940928_chk

Verify the macOS system is configured to set the SSHD ClientAliveCountMax to 1 with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}' If the result is not "1", this is a finding.

Fix: F-63083r940929_fix

Configure the macOS system to set the SSHD ClientAliveCountMax to 1 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'clientalivecountmax 1' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "clientalivecountmax 1" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must set Login Grace Time to 30.
SC-10 - Medium - CCI-001133 - V-259437 - SV-259437r940933_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000053
Vuln IDs
  • V-259437
Rule IDs
  • SV-259437r940933_rule
If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Checks: C-63176r940931_chk

Verify the macOS system is configured to set Login Grace Time to 30 with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' If the result is not "30", this is a finding.

Fix: F-63084r940932_fix

Configure the macOS system to set Login Grace Time to 30 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

c
The macOS system must limit SSHD to FIPS-compliant connections.
AC-17 - High - CCI-000068 - V-259438 - SV-259438r945374_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
APPL-14-000054
Vuln IDs
  • V-259438
Rule IDs
  • SV-259438r945374_rule
If SSHD is enabled then it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. Operating systems utilizing encryption must use FIPS validated mechanisms for authenticating to cryptographic modules. Note: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. Satisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
Checks: C-63177r945373_chk

Verify the macOS system is configured to limit SSHD to FIPS-compliant connections with the following command: fips_sshd_config=("Ciphers [email protected]" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]" "HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected]" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]" "CASignatureAlgorithms ecdsa-sha2-nistp256") total=0 for config in $fips_sshd_config; do total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total) done echo $total If the result is not "7", this is a finding.

Fix: F-63085r945374_fix

Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command: fips_sshd_config="Ciphers [email protected] HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected] KexAlgorithms ecdh-sha2-nistp256 MACs hmac-sha2-256 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] CASignatureAlgorithms ecdsa-sha2-nistp256" /bin/echo "${fips_sshd_config}" > /etc/ssh/sshd_config.d/fips_sshd_config

c
The macOS system must limit SSH to FIPS-compliant connections.
AC-17 - High - CCI-000068 - V-259439 - SV-259439r945376_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
APPL-14-000057
Vuln IDs
  • V-259439
Rule IDs
  • SV-259439r945376_rule
SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. Operating systems utilizing encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules. Note: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. Satisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
Checks: C-63178r945375_chk

Verify the macOS system is configured to limit SSH to FIPS-compliant connections with the following command: fips_ssh_config="Host * Ciphers [email protected] HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected] KexAlgorithms ecdh-sha2-nistp256 MACs hmac-sha2-256 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] CASignatureAlgorithms ecdsa-sha2-nistp256" /usr/bin/grep -c "$fips_ssh_config" /etc/ssh/ssh_config.d/fips_ssh_config If the result is not "8", this is a finding.

Fix: F-63086r945376_fix

Configure the macOS system to limit SSH to FIPS-compliant connections with the following command: fips_ssh_config="Host * Ciphers [email protected] HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected] KexAlgorithms ecdh-sha2-nistp256 MACs hmac-sha2-256 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected] CASignatureAlgorithms ecdsa-sha2-nistp256" /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config

b
The macOS system must set account lockout time to 15 minutes.
AC-7 - Medium - CCI-000044 - V-259440 - SV-259440r940942_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
APPL-14-000060
Vuln IDs
  • V-259440
Rule IDs
  • SV-259440r940942_rule
The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. Satisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128
Checks: C-63179r940940_chk

Verify the macOS system is configured to set account lockout time to 15 minutes with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="autoEnableInSeconds"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 &gt;= 15 ) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.

Fix: F-63087r940941_fix

Configure the macOS system to set account lockout time to 15 minutes by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile or by a directory service.

b
The macOS system must enforce screen saver timeout.
AC-11 - Medium - CCI-000057 - V-259441 - SV-259441r940945_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
APPL-14-000070
Vuln IDs
  • V-259441
Rule IDs
  • SV-259441r940945_rule
The screen saver timeout must be set to 900 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.
Checks: C-63180r940943_chk

Verify the macOS system is configured to initiate the screen saver timeout after 15 minutes of inactivity with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('idleTime')) if ( timeout &lt;= 900 ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63088r940944_fix

Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "com.apple.screensaver" configuration profile.

b
The macOS system must enable SSH server for remote access sessions.
AC-3 - Medium - CCI-000213 - V-259442 - SV-259442r940948_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-000080
Vuln IDs
  • V-259442
Rule IDs
  • SV-259442r940948_rule
Remote access sessions must use encrypted methods to protect unauthorized individuals from gaining access. Satisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000113-GPOS-00058,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190
Checks: C-63181r940946_chk

Verify the macOS system is configured to enable SSH server for remote access sessions with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" =&gt; enabled' If the result is not "1", this is a finding.

Fix: F-63089r940947_fix

Configure the macOS system to enable SSH server for remote access sessions with the following command: /bin/launchctl enable system/com.openssh.sshd

b
The macOS system must disable logon to other user's active and locked sessions.
IA-2 - Medium - CCI-000764 - V-259443 - SV-259443r943108_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
APPL-14-000090
Vuln IDs
  • V-259443
Rule IDs
  • SV-259443r943108_rule
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. Note: Configuring this setting will disable TouchID from unlocking the screensaver.
Checks: C-63182r943106_chk

Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb read system.login.screensaver 2&gt;&amp;1 | /usr/bin/grep -c '&lt;string&gt;authenticate-session-owner&lt;/string&gt;' If the result is not "1", this is a finding.

Fix: F-63090r943107_fix

Configure the macOS system to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"

b
The macOS system must disable root logon.
IA-2 - Medium - CCI-000764 - V-259444 - SV-259444r940954_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
APPL-14-000100
Vuln IDs
  • V-259444
Rule IDs
  • SV-259444r940954_rule
To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root. Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151
Checks: C-63183r940952_chk

Verify the macOS system is configured to disable root login with the following command: /usr/bin/dscl . -read /Users/root UserShell 2&gt;&amp;1 | /usr/bin/grep -c "/usr/bin/false" If the result is not "1", this is a finding.

Fix: F-63091r940953_fix

Configure the macOS system to disable root login with the following command: /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

b
The macOS system must configure SSH ServerAliveInterval option set to 900.
SC-10 - Medium - CCI-001133 - V-259445 - SV-259445r940957_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000110
Vuln IDs
  • V-259445
Rule IDs
  • SV-259445r940957_rule
SSH must be configured with an Active Server Alive Maximum Count set to 900. Setting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity. Note: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Checks: C-63184r940955_chk

Verify the macOS system is configured to set the SSH ServerAliveInterval option set to 900 with the following command: ret="pass" for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 &gt; 500 {print $1}'); do sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900") if [[ "$sshCheck" == "0" ]]; then ret="fail" break fi done /bin/echo $ret If the result is not "pass", this is a finding.

Fix: F-63092r940956_fix

Configure the macOS system to set the SSH ServerAliveInterval option set to 900 with the following command: for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c" done done

b
The macOS system must configure SSHD Channel Timeout to 900.
SC-10 - Medium - CCI-001133 - V-259446 - SV-259446r940960_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000120
Vuln IDs
  • V-259446
Rule IDs
  • SV-259446r940960_rule
If SSHD is enabled it must be configured with session Channel Timeout set to 900. This will set the time out when the session is inactive. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
Checks: C-63185r940958_chk

Verify the macOS system is configured to set the SSHD Channel Timeout to 900 with the following command: /usr/sbin/sshd -G | /usr/bin/awk -F "=" '/channeltimeout session:*/{print $2}' If the result is not "900", this is a finding.

Fix: F-63093r940959_fix

Configure the macOS system to set the SSHD Channel Timeout to 900 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'channeltimeout session:*=900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "channeltimeout session:*=900" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must configure SSHD unused connection timeout to 900.
SC-10 - Medium - CCI-001133 - V-259447 - SV-259447r940963_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000130
Vuln IDs
  • V-259447
Rule IDs
  • SV-259447r940963_rule
If SSHD is enabled, it must be configured with unused connection timeout set to 900. This will set the timeout when there are no open channels within a session. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
Checks: C-63186r940961_chk

Verify the macOS system is configured to set the SSHD unused connection timeout to 900 with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectionetimeout/{print $2}' If the result is not "900", this is a finding.

Fix: F-63094r940962_fix

Configure the macOS system to set the SSHD unused connection timeout to 900 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'unusedconnectionetimeout 900' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "unusedconnectionetimeout 900" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must set SSH Active Server Alive Maximum to 0.
SC-10 - Medium - CCI-001133 - V-259448 - SV-259448r940966_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
APPL-14-000140
Vuln IDs
  • V-259448
Rule IDs
  • SV-259448r940966_rule
SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. Note: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Checks: C-63187r940964_chk

Verify the macOS system is configured to set SSH Active Server Alive Maximum to 0 with the following command: ret="pass" for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 &gt; 500 {print $1}'); do sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0") if [[ "$sshCheck" == "0" ]]; then ret="fail" break fi done /bin/echo $ret If the result is not "pass", this is a finding.

Fix: F-63095r940965_fix

Configure the macOS system to set SSH Active Server Alive Maximum to 0 with the following command: for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c" done done

b
The macOS system must enforce auto logout after 86400 seconds of inactivity.
AC-12 - Medium - CCI-002361 - V-259449 - SV-259449r940969_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
APPL-14-000160
Vuln IDs
  • V-259449
Rule IDs
  • SV-259449r940969_rule
Auto logout must be configured to automatically terminate a user session and log out the after 86400 seconds of inactivity. Note: The maximum that macOS can be configured for autologoff is 86400 seconds. [IMPORTANT] ==== The automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information system security officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the automatic logout setting. ====
Checks: C-63188r940967_chk

Verify the macOS system is configured to enforce auto logout after 86400 seconds of inactivity with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\ .objectForKey('com.apple.autologout.AutoLogOutDelay').js EOS If the result is not "86400", this is a finding.

Fix: F-63096r940968_fix

Configure the macOS system to enforce auto logout after 86400 seconds of inactivity by installing the "com.apple.GlobalPreferences" configuration profile.

b
The macOS system must be configured to use an authorized time server.
AU-8 - Medium - CCI-001891 - V-259450 - SV-259450r940972_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
APPL-14-000170
Vuln IDs
  • V-259450
Rule IDs
  • SV-259450r940972_rule
Approved time servers must be the only servers configured for use. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. An authoritative time server is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DOD network. Satisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144
Checks: C-63189r940970_chk

Verify the macOS system is configured to use an authorized time server with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('timeServer').js EOS If the result is not an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network, this is a finding.

Fix: F-63097r940971_fix

Configure the macOS system to use an authorized time server by installing the "com.apple.MCX" configuration profile.

b
The macOS system must enable time synchronization daemon.
AU-8 - Medium - CCI-001891 - V-259451 - SV-259451r940975_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
APPL-14-000180
Vuln IDs
  • V-259451
Rule IDs
  • SV-259451r940975_rule
The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server. Note: The time synchronization daemon is enabled by default on macOS. Satisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144
Checks: C-63190r940973_chk

Verify the macOS system is configured to enable time synchronization daemon with the following command: /bin/launchctl list | /usr/bin/grep -c com.apple.timed If the result is not "1", this is a finding.

Fix: F-63098r940974_fix

Configure the macOS system to enable time synchronization daemon with the following command: /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist

b
The macOS system must be configured to audit all administrative action events.
AC-2 - Medium - CCI-000018 - V-259452 - SV-259452r940978_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
APPL-14-001001
Vuln IDs
  • V-259452
Rule IDs
  • SV-259452r940978_rule
Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include "ad" events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag. Satisfies: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000327-GPOS-00127,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000476-GPOS-00221
Checks: C-63191r940976_chk

Verify the macOS system is configured to audit privileged access with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' If "ad" is not listed in the output, this is a finding.

Fix: F-63099r940977_fix

Configure the macOS system to audit privileged access with the following command: /usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

b
The macOS system must be configured to audit all log on and log out events.
AC-17 - Medium - CCI-000067 - V-259453 - SV-259453r940981_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
APPL-14-001002
Vuln IDs
  • V-259453
Rule IDs
  • SV-259453r940981_rule
The audit system must be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring log on and log out events) mitigates this risk. The information system monitors log on and log out events. Satisfies: SRG-OS-000032-GPOS-00013,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218
Checks: C-63192r940979_chk

Verify the macOS system is configured to audit all log on and log out events with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^lo' If the result is not "1", this is a finding.

Fix: F-63100r940980_fix

Configure the macOS system to audit all log on and log out events with the following command: /usr/bin/grep -qE "^flags.*[^-]lo" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

b
The macOS system must enable security auditing.
AU-3 - Medium - CCI-000130 - V-259454 - SV-259454r940984_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
APPL-14-001003
Vuln IDs
  • V-259454
Rule IDs
  • SV-259454r940984_rule
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system startup. Note: Security auditing is enabled by default on macOS. Satisfies: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000476-GPOS-00221,SRG-OS-000477-GPOS-00222
Checks: C-63193r940982_chk

Verify the macOS system is configured to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) if [[ $LAUNCHD_RUNNING == 1 ]] &amp;&amp; [[ -e /etc/security/audit_control ]]; then echo "pass" else echo "fail" fi If the result is not "pass", this is a finding.

Fix: F-63101r940983_fix

Configure the macOS system to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) if [[ ! $LAUNCHD_RUNNING == 1 ]]; then /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist fi if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control else /usr/bin/touch /etc/security/audit_control fi

b
The macOS system must configure system to shut down upon audit failure.
AU-5 - Medium - CCI-000140 - V-259455 - SV-259455r940987_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
APPL-14-001010
Vuln IDs
  • V-259455
Rule IDs
  • SV-259455r940987_rule
The audit service must be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: (i) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. (ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-63194r940985_chk

Verify the macOS system is configured to shut down upon audit failure with the following command: /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt' If the result is not "1", this is a finding.

Fix: F-63102r940986_fix

Configure the macOS system to shut down upon audit failure with the following command: /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s

b
The macOS system must configure audit log files to be owned by root.
AU-9 - Medium - CCI-000162 - V-259456 - SV-259456r940990_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001012
Vuln IDs
  • V-259456
Rule IDs
  • SV-259456r940990_rule
Audit log files must be owned by root. The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63195r940988_chk

Verify the macOS system is configured with audit log files owned by root with the following command: /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}' If the result is not "0", this is a finding.

Fix: F-63103r940989_fix

Configure the macOS system with audit log files owned by root with the following command: /usr/sbin/chown -R root /var/audit/*

b
The macOS system must configure audit log folders to be owned by root.
AU-9 - Medium - CCI-000162 - V-259457 - SV-259457r940993_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001013
Vuln IDs
  • V-259457
Rule IDs
  • SV-259457r940993_rule
Audit log folders must be owned by root. The audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63196r940991_chk

Verify the macOS system is configured with audit log folders owned by root with the following command: /bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}' If the result is not "0", this is a finding.

Fix: F-63104r940992_fix

Configure the macOS system with audit log folders owned by root with the following command: /usr/sbin/chown root /var/audit

b
The macOS system must configure audit log files group to wheel.
AU-9 - Medium - CCI-000162 - V-259458 - SV-259458r940996_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001014
Vuln IDs
  • V-259458
Rule IDs
  • SV-259458r940996_rule
Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63197r940994_chk

Verify the macOS system is configured with audit log files group-owned by wheel with the following command: /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}' If the result is not "0", this is a finding.

Fix: F-63105r940995_fix

Configure the macOS system with audit log files group-owned by wheel with the following command: /usr/bin/chgrp -R wheel /var/audit/*

b
The macOS system must configure audit log folders group to wheel.
AU-9 - Medium - CCI-000162 - V-259459 - SV-259459r940999_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001015
Vuln IDs
  • V-259459
Rule IDs
  • SV-259459r940999_rule
Audit log folders must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63198r940997_chk

Verify the macOS system is configured with audit log folders group-owned by wheel with the following command: /bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}' If the result is not "0", this is a finding.

Fix: F-63106r940998_fix

Configure the macOS system with audit log folders group-owned by wheel with the following command: /usr/bin/chgrp wheel /var/audit

b
The macOS system must configure audit log files to mode 440 or less permissive.
AU-9 - Medium - CCI-000162 - V-259460 - SV-259460r941002_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001016
Vuln IDs
  • V-259460
Rule IDs
  • SV-259460r941002_rule
The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying, or deleting audit logs. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63199r941000_chk

Verify the macOS system is configured with audit log files set to mode 440 or less with the following command: /bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' If the result is not "0", this is a finding.

Fix: F-63107r941001_fix

Configure the macOS system with audit log files set to mode 440 with the following command: /bin/chmod 440 /var/audit/*

b
The macOS system must configure audit log folders to mode 700 or less permissive.
AU-9 - Medium - CCI-000162 - V-259461 - SV-259461r941005_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001017
Vuln IDs
  • V-259461
Rule IDs
  • SV-259461r941005_rule
The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. Because audit logs contain sensitive data about the system and users, the audit service must be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying, or deleting audit logs. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63200r941003_chk

Verify the macOS system is configured with audit log folders set to mode 700 or less permissive with the following command: /usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') If the result is not a mode of 700 or less permissive, this is a finding.

Fix: F-63108r941004_fix

Configure the macOS system with audit log folders set to mode 700 with the following command: /bin/chmod 700 /var/audit

b
The macOS system must be configured to audit all deletions of object attributes.
AU-9 - Medium - CCI-000162 - V-259462 - SV-259462r941008_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001020
Vuln IDs
  • V-259462
Rule IDs
  • SV-259462r941008_rule
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). ***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000064-GPOS-00033,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
Checks: C-63201r941006_chk

Verify the macOS system is configured to audit all deletions of object attributes with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd' If the result is not "1", this is a finding.

Fix: F-63109r941007_fix

Configure the macOS system to audit all deletions of object attributes with the following command: /usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s

b
The macOS system must be configured to audit all changes of object attributes.
AU-9 - Medium - CCI-000162 - V-259463 - SV-259463r941011_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001021
Vuln IDs
  • V-259463
Rule IDs
  • SV-259463r941011_rule
The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000064-GPOS-00033,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
Checks: C-63202r941009_chk

Verify the macOS system is configured to audit all changes of object attributes with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm' If the result is not "1", this is a finding.

Fix: F-63110r941010_fix

Configure the macOS system to audit all changes of object attributes with the following command: /usr/bin/grep -qE "^flags.*fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s

b
The macOS system must be configured to audit all failed read actions on the system.
AU-9 - Medium - CCI-000162 - V-259464 - SV-259464r941014_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001022
Vuln IDs
  • V-259464
Rule IDs
  • SV-259464r941014_rule
The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219
Checks: C-63203r941012_chk

Verify the macOS system is configured to audit all failed read actions on the system with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fr' If the result is not "1", this is a finding.

Fix: F-63111r941013_fix

Configure the macOS system to audit all failed read actions on the system with the following command: /usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s

b
The macOS system must be configured to audit all failed write actions on the system.
AU-9 - Medium - CCI-000162 - V-259465 - SV-259465r941017_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001023
Vuln IDs
  • V-259465
Rule IDs
  • SV-259465r941017_rule
The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
Checks: C-63204r941015_chk

Verify the macOS system is configured to audit all failed write actions on the system with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' If the result is not "1", this is a finding.

Fix: F-63112r941016_fix

Configure the macOS system to audit all failed write actions on the system with the following command: /usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s

b
The macOS system must be configured to audit all failed program execution on the system.
AU-12 - Medium - CCI-000172 - V-259466 - SV-259466r941020_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
APPL-14-001024
Vuln IDs
  • V-259466
Rule IDs
  • SV-259466r941020_rule
The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000365-GPOS-00152,SRG-OS-000458-GPOS-00203,SRG-OS-000465-GPOS-00209
Checks: C-63205r941018_chk

Verify the macOS system is configured to audit all failed program execution on the system with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' If the result is not "1", this is a finding.

Fix: F-63113r941019_fix

Configure the macOS system to audit all failed program execution on the system with the following command: /usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s

a
The macOS system must configure audit retention to seven days.
AU-4 - Low - CCI-001849 - V-259467 - SV-259467r941023_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001849
Version
APPL-14-001029
Vuln IDs
  • V-259467
Rule IDs
  • SV-259467r941023_rule
The audit service must be configured to require records be kept for an organizational defined value before deletion, unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
Checks: C-63206r941021_chk

Verify the macOS system is configured audit retention to seven days with the following command: /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control If the result is not "7d", this is a finding.

Fix: F-63114r941022_fix

Configure the macOS system to set audit retention to seven days with the following command: /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s

b
The macOS system must configure audit capacity warning.
AU-5 - Medium - CCI-000139 - V-259468 - SV-259468r941026_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
APPL-14-001030
Vuln IDs
  • V-259468
Rule IDs
  • SV-259468r941026_rule
The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs. Satisfies: SRG-OS-000046-GPOS-00022,SRG-OS-000343-GPOS-00134
Checks: C-63207r941024_chk

Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command: /usr/bin/awk -F: '/^minfree/{print $2}' /etc/security/audit_control If the result is not "25", this is a finding.

Fix: F-63115r941025_fix

Configure the macOS system to require a minimum of 25 percent free disk space for audit record storage with the following command: /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s

b
The macOS system must configure audit failure notification.
AU-5 - Medium - CCI-000140 - V-259469 - SV-259469r941029_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
APPL-14-001031
Vuln IDs
  • V-259469
Rule IDs
  • SV-259469r941029_rule
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. Satisfies: SRG-OS-000047-GPOS-00023,SRG-OS-000344-GPOS-00135
Checks: C-63208r941027_chk

Verify the macOS system is configured to produce audit failure notification with the following command: /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn If the result is not "1", this is a finding.

Fix: F-63116r941028_fix

Configure the macOS system to produce audit failure notification with the following command: /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s

b
The macOS system must configure system to audit all authorization and authentication events.
AU-12 - Medium - CCI-000172 - V-259470 - SV-259470r941032_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
APPL-14-001044
Vuln IDs
  • V-259470
Rule IDs
  • SV-259470r941032_rule
The auditing system must be configured to flag authorization and authentication (aa) events. Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). Satisfies: SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000475-GPOS-00220,SRG-OS-000477-GPOS-00222
Checks: C-63209r941030_chk

Verify the macOS system is configured to audit logon events with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' If the result is not "1", this is a finding.

Fix: F-63117r941031_fix

Configure the macOS system to audit logon events with the following command: /usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s

b
The macOS system must set smart card certificate trust to moderate.
IA-5 - Medium - CCI-000185 - V-259471 - SV-259471r941035_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
APPL-14-001060
Vuln IDs
  • V-259471
Rule IDs
  • SV-259471r941035_rule
The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smart card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smart card certificate trust level to moderate, the system will execute a soft revocation, i.e., if the OCSP/CRL server is unreachable, authentication will still succeed. Note: Before applying this setting, refer to the smart card supplemental guidance. Satisfies: SRG-OS-000066-GPOS-00034,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167,SRG-OS-000403-GPOS-00182
Checks: C-63210r941033_chk

Verify the macOS system is configured to check the revocation status of user certificates with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('checkCertificateTrust').js EOS If the result is not "2", this is a finding.

Fix: F-63118r941034_fix

Configure the macOS system to check the revocation status of user certificates by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

b
The macOS system must disable root logon for SSH.
IA-2 - Medium - CCI-000770 - V-259472 - SV-259472r941038_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
APPL-14-001100
Vuln IDs
  • V-259472
Rule IDs
  • SV-259472r941038_rule
If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled. The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151
Checks: C-63211r941036_chk

Verify the macOS system is configured to disable root login for SSH with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}' If the result is not "no", this is a finding.

Fix: F-63119r941037_fix

Configure the macOS system to disable root login for SSH with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'permitrootlogin no' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must configure audit_control group to wheel.
AU-9 - Medium - CCI-000162 - V-259473 - SV-259473r941041_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001110
Vuln IDs
  • V-259473
Rule IDs
  • SV-259473r941041_rule
/etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal users from manipulation audit log configurations. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63212r941039_chk

Verify the macOS system is configured with the audit_control group to wheel with the following command: /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}' If the result is not "0", this is a finding.

Fix: F-63120r941040_fix

Configure the macOS system with the audit_control group to wheel with the following command: /usr/bin/chgrp wheel /etc/security/audit_control

b
The macOS system must configure audit_control owner to root.
AU-9 - Medium - CCI-000162 - V-259474 - SV-259474r941044_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001120
Vuln IDs
  • V-259474
Rule IDs
  • SV-259474r941044_rule
/etc/security/audit_control must have the owner set to root. The audit service must be configured with the correct ownership to prevent normal users from manipulation audit log configurations. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63213r941042_chk

Verify the macOS system is configured with the audit_control owner to root with the following command: /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}' If the result is not "0", this is a finding.

Fix: F-63121r941043_fix

Configure the macOS system with the audit_control owner to root with the following command: /usr/sbin/chown root /etc/security/audit_control

b
The macOS system must configure audit_control to mode 440 or less permissive.
AU-9 - Medium - CCI-000162 - V-259475 - SV-259475r941047_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001130
Vuln IDs
  • V-259475
Rule IDs
  • SV-259475r941047_rule
/etc/security/audit_control must be configured so that it is readable only by the root user and group wheel. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63214r941045_chk

Verify the macOS system is configured audit_control to mode 440 or less with the following command: /bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs If the results are not "0", this is a finding.

Fix: F-63122r941046_fix

Configure the macOS system with the audit_control to mode 440 with the following command: /bin/chmod 440 /etc/security/audit_control

b
The macOS system must configure audit_control to not contain access control lists.
AU-9 - Medium - CCI-000162 - V-259476 - SV-259476r941050_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
APPL-14-001140
Vuln IDs
  • V-259476
Rule IDs
  • SV-259476r941050_rule
/etc/security/audit_control must not contain Access Control Lists (ACLs). /etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators in order to prevent normal users from manipulating audit logs. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
Checks: C-63215r941048_chk

Verify the macOS system is configured without ACLs applied to audit_control with the following command: /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" If the result is not "0", this is a finding.

Fix: F-63123r941049_fix

Configure the macOS system without ACLs applied to audit_control with the following command: /bin/chmod -N /etc/security/audit_control

c
The macOS system must disable password authentication for SSH.
IA-5 - High - CCI-000186 - V-259477 - SV-259477r941053_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000186
Version
APPL-14-001150
Vuln IDs
  • V-259477
Rule IDs
  • SV-259477r941053_rule
If remote logon through SSH is enabled, password-based authentication must be disabled for user logon. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000125-GPOS-00065,SRG-OS-000375-GPOS-00160
Checks: C-63216r941051_chk

Verify the macOS system is configured to disable password authentication for SSH with the following command: /usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)' If the result is not "2", this is a finding.

Fix: F-63124r941052_fix

Configure the macOS system to disable password authentication for SSH with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi echo "passwordauthentication no" >> "${include_dir}01-mscp-sshd.conf" echo "kbdinteractiveauthentication no" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done

b
The macOS system must disable Server Message Block sharing.
AC-3 - Medium - CCI-000213 - V-259478 - SV-259478r941056_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002001
Vuln IDs
  • V-259478
Rule IDs
  • SV-259478r941056_rule
Support for Server Message Block (SMB) file sharing is nonessential and must be disabled. The information system must be configured to provide only essential capabilities.
Checks: C-63217r941054_chk

Verify the macOS system is configured to disable Server Message Block sharing with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63125r941055_fix

Configure the macOS system to disable Server Message Block sharing with the following command: /bin/launchctl disable system/com.apple.smbd The system may need to be restarted for the update to take effect.

b
The macOS system must disable Network File System service.
AC-3 - Medium - CCI-000213 - V-259479 - SV-259479r941059_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002003
Vuln IDs
  • V-259479
Rule IDs
  • SV-259479r941059_rule
Support for Network File Systems (NFS) services is nonessential and, therefore, must be disabled.
Checks: C-63218r941057_chk

Verify the macOS system is configured to disable network file system service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63126r941058_fix

Configure the macOS system to disable network file system service with the following command: /bin/launchctl disable system/com.apple.nfsd The system may need to be restarted for the update to take effect.

b
The macOS system must disable Location Services.
CM-7 - Medium - CCI-000381 - V-259480 - SV-259480r941062_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002004
Vuln IDs
  • V-259480
Rule IDs
  • SV-259480r941062_rule
The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.
Checks: C-63219r941060_chk

Verify the macOS system is configured to disable Location Services with the following command: /usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\ .objectForKey('LocationServicesEnabled').js EOS If the result is not "false", this is a finding.

Fix: F-63127r941061_fix

Configure the macOS system to disable Location Services with the following command: /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false; /bin/launchctl kickstart -k system/com.apple.locationd The system may need to be restarted for the update to take effect.

b
The macOS system must disable Bonjour multicast.
CM-7 - Medium - CCI-000381 - V-259481 - SV-259481r941065_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002005
Vuln IDs
  • V-259481
Rule IDs
  • SV-259481r941065_rule
Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.
Checks: C-63220r941063_chk

Verify the macOS system is configured to disable Bonjour multicast with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\ .objectForKey('NoMulticastAdvertisements').js EOS If the result is not "true", this is a finding.

Fix: F-63128r941064_fix

Configure the macOS system to disable Bonjour multicast by installing the "com.apple.mDNSResponder" configuration profile.

b
The macOS system must disable Unix-to-Unix Copy Protocol service.
AC-3 - Medium - CCI-000213 - V-259482 - SV-259482r941068_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002006
Vuln IDs
  • V-259482
Rule IDs
  • SV-259482r941068_rule
The system must not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different Unix systems as well as sending commands to be executed on another system, is not essential and must be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. Note: UUCP service is disabled at startup by default macOS.
Checks: C-63221r941066_chk

Verify the macOS system is configured to disable Unix-to-Unix copy protocol service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63129r941067_fix

Configure the macOS system to disable Unix-to-Unix copy protocol service with the following command: /bin/launchctl disable system/com.apple.uucp The system may need to be restarted for the update to take effect.

b
The macOS system must disable Internet Sharing.
CM-7 - Medium - CCI-000381 - V-259483 - SV-259483r941071_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002007
Vuln IDs
  • V-259483
Rule IDs
  • SV-259483r941071_rule
If the system does not require Internet Sharing, support for it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.
Checks: C-63222r941069_chk

Verify the macOS system is configured to disable Internet Sharing with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('forceInternetSharingOff').js EOS If the result is not "true", this is a finding.

Fix: F-63130r941070_fix

Configure the macOS system to disable Internet Sharing by installing the "com.apple.MCX" configuration profile.

b
The macOS system must disable the built-in web server.
AC-3 - Medium - CCI-000213 - V-259484 - SV-259484r941074_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002008
Vuln IDs
  • V-259484
Rule IDs
  • SV-259484r941074_rule
The built-in web server is a nonessential service built into macOS and must be disabled. Note: The built in web server service is disabled at startup by default macOS.
Checks: C-63223r941072_chk

Verify the macOS system is configured to disable the built-in web server with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63131r941073_fix

Configure the macOS system to disable the built-in web server with the following command: /bin/launchctl disable system/org.apache.httpd The system may need to be restarted for the update to take effect.

b
The macOS system must disable AirDrop.
AC-3 - Medium - CCI-000213 - V-259485 - SV-259485r941077_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002009
Vuln IDs
  • V-259485
Rule IDs
  • SV-259485r941077_rule
AirDrop must be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices. Satisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118
Checks: C-63224r941075_chk

Verify the macOS system is configured to disable AirDrop with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAirDrop').js EOS If the result is not "false", this is a finding.

Fix: F-63132r941076_fix

Configure the macOS system to disable AirDrop by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable FaceTime.app.
CM-7 - Medium - CCI-000381 - V-259486 - SV-259486r945377_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002010
Vuln IDs
  • V-259486
Rule IDs
  • SV-259486r945377_rule
The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. [IMPORTANT] ==== Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ====
Checks: C-63225r941078_chk

Verify the macOS system is configured to disable FaceTime.app with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('familyControlsEnabled')) let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('pathBlackList').js for ( let app in pathlist ) { if ( ObjC.unwrap(pathlist[app]) == "/Applications/FaceTime.app" &amp;&amp; pref1 == true ){ return("true") } } return("false") } EOS If the result is not "true", this is a finding.

Fix: F-63133r941079_fix

Configure the macOS system to disable FaceTime.app by installing the "com.apple.applicationaccess.new" configuration profile.

b
The macOS system must disable the iCloud Calendar services.
CM-7 - Medium - CCI-000381 - V-259487 - SV-259487r941083_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002012
Vuln IDs
  • V-259487
Rule IDs
  • SV-259487r941083_rule
The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization approved service.
Checks: C-63226r941081_chk

Verify the macOS system is configured to disable iCloud Calendar services with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudCalendar').js EOS If the result is not "false", this is a finding.

Fix: F-63134r941082_fix

Configure the macOS system to disable iCloud Calendar services by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Reminders.
CM-7 - Medium - CCI-000381 - V-259488 - SV-259488r941086_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002013
Vuln IDs
  • V-259488
Rule IDs
  • SV-259488r941086_rule
The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization must be controlled by an organization approved service.
Checks: C-63227r941084_chk

Verify the macOS system is configured to disable iCloud Reminders with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudReminders').js EOS If the result is not "false", this is a finding.

Fix: F-63135r941085_fix

Configure the macOS system to disable iCloud Reminders by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Address Book.
CM-7 - Medium - CCI-000381 - V-259489 - SV-259489r941089_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002014
Vuln IDs
  • V-259489
Rule IDs
  • SV-259489r941089_rule
The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization must be controlled by an organization approved service.
Checks: C-63228r941087_chk

Verify the macOS system is configured to disable iCloud Address Book with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudAddressBook').js EOS If the result is not "false", this is a finding.

Fix: F-63136r941088_fix

Configure the macOS system to disable iCloud Address Book by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Mail.
CM-7 - Medium - CCI-000381 - V-259490 - SV-259490r941092_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002015
Vuln IDs
  • V-259490
Rule IDs
  • SV-259490r941092_rule
The macOS built-in Mail.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization must be controlled by an organization approved service.
Checks: C-63229r941090_chk

Verify the macOS system is configured to disable iCloud Mail with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudMail').js EOS If the result is not "false", this is a finding.

Fix: F-63137r941091_fix

Configure the macOS system to disable iCloud Mail by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Notes.
CM-7 - Medium - CCI-000381 - V-259491 - SV-259491r941095_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002016
Vuln IDs
  • V-259491
Rule IDs
  • SV-259491r941095_rule
The macOS built-in Notes.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization must be controlled by an organization approved service.
Checks: C-63230r941093_chk

Verify the macOS system is configured to disable iCloud Notes with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudNotes').js EOS If the result is not "false", this is a finding.

Fix: F-63138r941094_fix

Configure the macOS system to disable iCloud Notes by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable the camera.
CM-7 - Medium - CCI-000381 - V-259492 - SV-259492r941098_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002017
Vuln IDs
  • V-259492
Rule IDs
  • SV-259492r941098_rule
macOS must be configured to disable the camera.
Checks: C-63231r941096_chk

Verify the macOS system is configured to disable the camera with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCamera').js EOS If the result is not "false", this is a finding.

Fix: F-63139r941097_fix

Configure the macOS system to disable the camera by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Siri.
CM-7 - Medium - CCI-000381 - V-259493 - SV-259493r941101_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002020
Vuln IDs
  • V-259493
Rule IDs
  • SV-259493r941101_rule
Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities.
Checks: C-63232r941099_chk

Verify the macOS system is configured to disable Siri with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAssistant').js EOS If the result is not "false", this is a finding.

Fix: F-63140r941100_fix

Configure the macOS system to disable Siri by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable sending diagnostic and usage data to Apple.
SI-11 - Medium - CCI-001312 - V-259494 - SV-259494r941104_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
APPL-14-002021
Vuln IDs
  • V-259494
Rule IDs
  • SV-259494r941104_rule
The ability to submit diagnostic data to Apple must be disabled. The information system must be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. Satisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084
Checks: C-63233r941102_chk

Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\ .objectForKey('AutoSubmit').js let pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowDiagnosticSubmission').js if ( pref1 == false &amp;&amp; pref2 == false ){ return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63141r941103_fix

Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Remote Apple Events.
AC-3 - Medium - CCI-000213 - V-259495 - SV-259495r941107_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002022
Vuln IDs
  • V-259495
Rule IDs
  • SV-259495r941107_rule
If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. Satisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000096-GPOS-00050
Checks: C-63234r941105_chk

Verify the macOS system is configured to disable Remote Apple Events with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63142r941106_fix

Configure the macOS system to disable Remote Apple Events with the following commands: /usr/sbin/systemsetup -setremoteappleevents off /bin/launchctl disable system/com.apple.AEServer Note: Systemsetup with -setremoteappleevents flag will fail unless Full Disk Access to systemsetup or its parent process is granted. This requires supervision.

b
The macOS system must disable Apple ID setup during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259496 - SV-259496r941110_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002035
Vuln IDs
  • V-259496
Rule IDs
  • SV-259496r941110_rule
The prompt for Apple ID setup during Setup Assistant must be disabled. macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first log on.
Checks: C-63235r941108_chk

Verify the macOS system is configured to disable Apple ID setup during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipCloudSetup').js EOS If the result is not "true", this is a finding.

Fix: F-63143r941109_fix

Configure the macOS system to disable Apple ID setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable Privacy Setup services during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259497 - SV-259497r941113_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002036
Vuln IDs
  • V-259497
Rule IDs
  • SV-259497r941113_rule
The prompt for Privacy Setup services during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, must be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organizationwide settings.
Checks: C-63236r941111_chk

Verify the macOS system is configured to disable Privacy Setup services during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipPrivacySetup').js EOS If the result is not "true", this is a finding.

Fix: F-63144r941112_fix

Configure the macOS system to disable Privacy Setup services during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable iCloud Storage Setup during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259498 - SV-259498r941116_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002037
Vuln IDs
  • V-259498
Rule IDs
  • SV-259498r941116_rule
The prompt to set up iCloud storage services during Setup Assistant must be disabled. The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data.
Checks: C-63237r941114_chk

Verify the macOS system is configured to disable iCloud Storage Setup during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipiCloudStorageSetup').js EOS If the result is not "true", this is a finding.

Fix: F-63145r941115_fix

Configure the macOS system to disable iCloud Storage Setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

c
The macOS system must disable Trivial File Transfer Protocol service.
IA-5 - High - CCI-000197 - V-259499 - SV-259499r941119_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
APPL-14-002038
Vuln IDs
  • V-259499
Rule IDs
  • SV-259499r941119_rule
If the system does not require Trivial File Transfer Protocol (TFTP), support it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Note: TFTP service is disabled at startup by default macOS. Satisfies: SRG-OS-000074-GPOS-00042,SRG-OS-000080-GPOS-00048
Checks: C-63238r941117_chk

Verify the macOS system is configured to disable trivial file transfer protocol service with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63146r941118_fix

Configure the macOS system to disable trivial file transfer protocol service with the following command: /bin/launchctl disable system/com.apple.tftpd The system may need to be restarted for the update to take effect.

b
The macOS system must disable Siri Setup during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259500 - SV-259500r941122_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002039
Vuln IDs
  • V-259500
Rule IDs
  • SV-259500r941122_rule
The prompt for Siri during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, must be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organizationwide settings.
Checks: C-63239r941120_chk

Verify the macOS system is configured to disable Siri Setup during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipSiriSetup').js EOS If the result is not "true", this is a finding.

Fix: F-63147r941121_fix

Configure the macOS system to disable Siri Setup during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable iCloud Keychain synchronization.
CM-7 - Medium - CCI-000381 - V-259501 - SV-259501r941125_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002040
Vuln IDs
  • V-259501
Rule IDs
  • SV-259501r941125_rule
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be controlled by an organization approved service.
Checks: C-63240r941123_chk

Verify the macOS system is configured to disable iCloud Keychain synchronization with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudKeychainSync').js EOS If the result is not "false", this is a finding.

Fix: F-63148r941124_fix

Configure the macOS system to disable iCloud Keychain synchronization by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Document synchronization.
CM-7 - Medium - CCI-000381 - V-259502 - SV-259502r941128_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002041
Vuln IDs
  • V-259502
Rule IDs
  • SV-259502r941128_rule
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization must be controlled by an organization approved service.
Checks: C-63241r941126_chk

Verify the macOS system is configured to disable iCloud Document synchronization with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudDocumentSync').js EOS If the result is not "false", this is a finding.

Fix: F-63149r941127_fix

Configure the macOS system to disable iCloud Document synchronization by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Bookmarks.
CM-7 - Medium - CCI-000381 - V-259503 - SV-259503r941131_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002042
Vuln IDs
  • V-259503
Rule IDs
  • SV-259503r941131_rule
The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization must be controlled by an organization approved service.
Checks: C-63242r941129_chk

Verify the macOS system is configured to disable iCloud Bookmarks with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudBookmarks').js EOS If the result is not "false", this is a finding.

Fix: F-63150r941130_fix

Configure the macOS system to disable iCloud Bookmarks by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Photo Library.
CM-7 - Medium - CCI-000381 - V-259504 - SV-259504r941134_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002043
Vuln IDs
  • V-259504
Rule IDs
  • SV-259504r941134_rule
The macOS built-in Photos.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization must be controlled by an organization approved service.
Checks: C-63243r941132_chk

Verify the macOS system is configured to disable the iCloud Photo Library with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudPhotoLibrary').js EOS If the result is not "false", this is a finding.

Fix: F-63151r941133_fix

Configure the macOS system to disable the iCloud Photo Library by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Screen Sharing and Apple Remote Desktop.
AC-3 - Medium - CCI-000213 - V-259505 - SV-259505r941137_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002050
Vuln IDs
  • V-259505
Rule IDs
  • SV-259505r941137_rule
Support for both Screen Sharing and Apple Remote Desktop (ARD) is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.
Checks: C-63244r941135_chk

Verify the macOS system is configured to disable Screen Sharing and Apple Remote Desktop with the following command: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" =&gt; disabled' If the result is not "1", this is a finding.

Fix: F-63152r941136_fix

Configure the macOS system to disable Screen Sharing and Apple Remote Desktop with the following command: /bin/launchctl disable system/com.apple.screensharing The system may need to be restarted for the update to take effect. Note: This will apply to the whole system.

b
The macOS system must disable the TouchID System Settings pane.
CM-7 - Medium - CCI-000381 - V-259506 - SV-259506r941140_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002051
Vuln IDs
  • V-259506
Rule IDs
  • SV-259506r941140_rule
The System Settings pane for TouchID must be disabled. Disabling the System Settings pane prevents the users from configuring TouchID.
Checks: C-63245r941138_chk

Verify the macOS system is configured to disable the TouchID System Settings pane with the following command: /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.Touch-ID-Settings.extension" If the result is not "1", this is a finding.

Fix: F-63153r941139_fix

Configure the macOS system to disable the TouchID System Settings pane by installing the "com.apple.systempreferences" configuration profile.

b
The macOS system must disable the System Settings pane for Wallet and Apple Pay.
CM-7 - Medium - CCI-000381 - V-259507 - SV-259507r941143_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002052
Vuln IDs
  • V-259507
Rule IDs
  • SV-259507r941143_rule
The System Settings pane for Wallet and Apple Pay must be disabled. Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay.
Checks: C-63246r941141_chk

Verify the macOS system is configured to disable the System Settings pane for Wallet and Apple Pay with the following command: /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.WalletSettingsExtension" If the result is not "1", this is a finding.

Fix: F-63154r941142_fix

Configure the macOS system to disable the System Settings pane for Wallet and Apple Pay by installing the "com.apple.systempreferences" configuration profile.

b
The macOS system must disable the system settings pane for Siri.
CM-7 - Medium - CCI-000381 - V-259508 - SV-259508r941146_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002053
Vuln IDs
  • V-259508
Rule IDs
  • SV-259508r941146_rule
The System Settings pane for Siri must be hidden. Hiding the System Settings pane prevents the users from configuring Siri.
Checks: C-63247r941144_chk

Verify the macOS system is configured to disable the system settings pane for Siri with the following command: /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension If the result is not "1", this is a finding.

Fix: F-63155r941145_fix

Configure the macOS system to disable the system settings pane for Siri by installing the "com.apple.systempreferences" configuration profile.

c
The macOS system must apply gatekeeper settings to block applications from unidentified developers.
CM-5 - High - CCI-001749 - V-259509 - SV-259509r941149_rule
RMF Control
CM-5
Severity
High
CCI
CCI-001749
Version
APPL-14-002060
Vuln IDs
  • V-259509
Rule IDs
  • SV-259509r941149_rule
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
Checks: C-63248r941147_chk

Verify the macOS system is configured to apply gatekeeper settings to block applications from unidentified developers with the following command: /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled" If the result is not "1", this is a finding.

Fix: F-63156r941148_fix

Configure the macOS system to apply gatekeeper settings to block applications from unidentified developers with the following command: /usr/sbin/spctl --global-enable; /usr/sbin/spctl --enable

c
The macOS system must disable Bluetooth when no approved device is connected.
SC-8 - High - CCI-002418 - V-259510 - SV-259510r941152_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
APPL-14-002062
Vuln IDs
  • V-259510
Rule IDs
  • SV-259510r941152_rule
The macOS system must be configured to disable Bluetooth unless an approved device is connected. [IMPORTANT] ==== Information system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== Satisfies: SRG-OS-000423-GPOS-00187,SRG-OS-000481-GPOS-00481
Checks: C-63249r941150_chk

Verify the macOS system is configured to disable Bluetooth with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\ .objectForKey('DisableBluetooth').js EOS If the result is not "true", this is a finding.

Fix: F-63157r941151_fix

Configure the macOS system to disable Bluetooth by installing the "com.apple.MCXBluetooth" configuration profiles.

b
The macOS system must disable the guest account.
CM-5 - Medium - CCI-001813 - V-259511 - SV-259511r941155_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
APPL-14-002063
Vuln IDs
  • V-259511
Rule IDs
  • SV-259511r941155_rule
Guest access must be disabled. Turning off guest access prevents anonymous users from accessing files.
Checks: C-63250r941153_chk

Verify the macOS system is configured to disable the guest account with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('DisableGuestAccount')) let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('EnableGuestAccount')) if ( pref1 == true &amp;&amp; pref2 == false ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63158r941154_fix

Configure the macOS system to disable the guest account by installing the "com.apple.MCX" configuration profile.

c
The macOS system must enable Gatekeeper.
CM-5 - High - CCI-001749 - V-259512 - SV-259512r941158_rule
RMF Control
CM-5
Severity
High
CCI
CCI-001749
Version
APPL-14-002064
Vuln IDs
  • V-259512
Rule IDs
  • SV-259512r941158_rule
Gatekeeper must be enabled. Gatekeeper is a security feature that ensures applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party. Administrator users will still have the option to override these settings on a case-by-case basis.
Checks: C-63251r941156_chk

Verify the macOS system is configured to enable gatekeeper with the following command: /usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled" If the result is not "1", this is a finding.

Fix: F-63159r941157_fix

Configure the macOS system to enable gatekeeper with the following command: /usr/sbin/spctl --global-enable

b
The macOS system must disable unattended or automatic log on to the system.
CM-6 - Medium - CCI-000366 - V-259513 - SV-259513r941161_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-002066
Vuln IDs
  • V-259513
Rule IDs
  • SV-259513r941161_rule
Automatic logon must be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.
Checks: C-63252r941159_chk

Verify the macOS system is configured to disable unattended or automatic logon to the system with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js EOS If the result is not "true", this is a finding.

Fix: F-63160r941160_fix

Configure the macOS system to disable unattended or automatic logon to the system by installing the "com.apple.loginwindow" configuration profile.

b
The macOS system must secure user's home folders.
CM-6 - Medium - CCI-000366 - V-259514 - SV-259514r941164_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-002068
Vuln IDs
  • V-259514
Rule IDs
  • SV-259514r941164_rule
The system must be configured to prevent access to other user's home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within.
Checks: C-63253r941162_chk

Verify the macOS system is configured so that permissions are set correctly on user home directories with the following command: /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs If the result is not "0", this is a finding.

Fix: F-63161r941163_fix

Configure the macOS system to set the appropriate permissions for each user on the system with the following command: IFS=$'\n' for userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \( -perm 700 -o -perm 711 \) | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" ); do /bin/chmod og-rwx "$userDirs" done unset IFS

c
The macOS system must require administrator privileges to modify systemwide settings.
AC-6 - High - CCI-002235 - V-259515 - SV-259515r941167_rule
RMF Control
AC-6
Severity
High
CCI
CCI-002235
Version
APPL-14-002069
Vuln IDs
  • V-259515
Rule IDs
  • SV-259515r941167_rule
The system must be configured to require an administrator password in order to modify the systemwide preferences in System Settings. Some Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these systemwide settings reduces the risk of a nonauthorized user modifying system configurations.
Checks: C-63254r941165_chk

Verify the macOS system is configured to require administrator privileges to modify systemwide settings with the following command: authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine") result="1" for section in ${authDBs[@]}; do if [[ $(/usr/bin/security -q authorizationdb read "$section" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), "shared")]/following-sibling::*[1])' -) != "false" ]]; then result="0" fi done echo $result If the result is not "1", this is a finding.

Fix: F-63162r941166_fix

Configure the macOS system to require administrator privileges to modify systemwide settings with the following command: authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine") for section in ${authDBs[@]}; do /usr/bin/security -q authorizationdb read "$section" > "/tmp/$section.plist" key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1) if [[ "$key_value" == *"Does Not Exist"* ]]; then /usr/libexec/PlistBuddy -c "Add :shared bool false" "/tmp/$section.plist" else /usr/libexec/PlistBuddy -c "Set :shared false" "/tmp/$section.plist" fi /usr/bin/security -q authorizationdb write "$section" < "/tmp/$section.plist" done

b
The macOS system must disable Airplay Receiver.
CM-7 - Medium - CCI-000381 - V-259516 - SV-259516r941170_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002080
Vuln IDs
  • V-259516
Rule IDs
  • SV-259516r941170_rule
Airplay Receiver allows users to send content from another Apple device to be displayed on the screen as it is being played from another device. Support for Airplay Receiver is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Satisfies: SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118
Checks: C-63255r941168_chk

Verify the macOS system is configured to disable Airplay Receiver with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAirPlayIncomingRequests').js EOS If the result is not "false", this is a finding.

Fix: F-63163r941169_fix

Configure the macOS system to disable Airplay Receiver by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable TouchID for unlocking the device.
AC-11 - Medium - CCI-000056 - V-259517 - SV-259517r941173_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
APPL-14-002090
Vuln IDs
  • V-259517
Rule IDs
  • SV-259517r941173_rule
TouchID enables the ability to unlock a macOS system with a user's fingerprint. TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID. The system must remain locked until the user establishes access using an authorized identification and authentication method.
Checks: C-63256r941171_chk

Verify the macOS system is configured to disable TouchID for unlocking the device with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowFingerprintForUnlock').js EOS If the result is not "false", this is a finding.

Fix: F-63164r941172_fix

Configure the macOS system to disable TouchID for unlocking the device by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Media Sharing.
AC-3 - Medium - CCI-000213 - V-259518 - SV-259518r941176_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002100
Vuln IDs
  • V-259518
Rule IDs
  • SV-259518r941176_rule
Media sharing must be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system must be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. Note: The Media Sharing preference panel will still allow "Home Sharing" and "Share media with guests" to be checked but the service will not be enabled.
Checks: C-63257r941174_chk

Verify the macOS system is configured to disable media sharing with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('homeSharingUIStatus')) let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('legacySharingUIStatus')) let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\ .objectForKey('mediaSharingUIStatus')) if ( pref1 == 0 &amp;&amp; pref2 == 0 &amp;&amp; pref3 == 0 ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63165r941175_fix

Configure the macOS system to disable media sharing by installing the "com.apple.preferences.sharing.SharingPrefsExtension" configuration profile.

b
The macOS system must disable Bluetooth sharing.
AC-3 - Medium - CCI-000213 - V-259519 - SV-259519r941179_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-002110
Vuln IDs
  • V-259519
Rule IDs
  • SV-259519r941179_rule
Bluetooth Sharing must be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated. [NOTE] ==== The check and fix are for the currently logged on user. To get the currently logged on user, run the following. [source,bash] ---- CURRENT_USER=$( /usr/sbin/scutil
Checks: C-63258r941177_chk

Verify the macOS system is configured to disable Bluetooth sharing with the following command: /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled If the result is not "0", this is a finding.

Fix: F-63166r941178_fix

Configure the macOS system to disable Bluetooth sharing with the following command: /usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false

b
The macOS system must disable AppleID and Internet Account modifications.
CM-7 - Medium - CCI-000381 - V-259520 - SV-259520r941182_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002120
Vuln IDs
  • V-259520
Rule IDs
  • SV-259520r941182_rule
The system must disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane. This prevents the addition of unauthorized accounts. [IMPORTANT] ==== Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information system security officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ====
Checks: C-63259r941180_chk

Verify the macOS system is configured to disable account modification with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowAccountModification').js EOS If the result is not "false", this is a finding.

Fix: F-63167r941181_fix

Configure the macOS system to disable account modification by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable CD/DVD Sharing.
CM-7 - Medium - CCI-000381 - V-259521 - SV-259521r941185_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002130
Vuln IDs
  • V-259521
Rule IDs
  • SV-259521r941185_rule
CD/DVD Sharing must be disabled.
Checks: C-63260r941183_chk

Verify the macOS system is configured to disable CD/DVD Sharing with the following command: /usr/bin/pgrep -q ODSAgent; /bin/echo $? If the result is not "1", this is a finding.

Fix: F-63168r941184_fix

Configure the macOS system to disable CD/DVD Sharing with the following command: /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist

b
The macOS system must disable content caching service.
CM-7 - Medium - CCI-000381 - V-259522 - SV-259522r941188_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002140
Vuln IDs
  • V-259522
Rule IDs
  • SV-259522r941188_rule
Content caching must be disabled. Content caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
Checks: C-63261r941186_chk

Verify the macOS system is configured to disable content caching service with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowContentCaching').js EOS If the result is not "false", this is a finding.

Fix: F-63169r941187_fix

Configure the macOS system to disable content caching service by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud desktop and document folder synchronization.
CM-7 - Medium - CCI-000381 - V-259523 - SV-259523r941191_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002150
Vuln IDs
  • V-259523
Rule IDs
  • SV-259523r941191_rule
The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization must be controlled by an organization approved service.
Checks: C-63262r941189_chk

Verify the macOS system is configured to disable iCloud desktop and document folder synchronization with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudDesktopAndDocuments').js EOS If the result is not "false", this is a finding.

Fix: F-63170r941190_fix

Configure the macOS system to disable iCloud desktop and document folder synchronization by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Game Center.
CM-7 - Medium - CCI-000381 - V-259524 - SV-259524r941194_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002160
Vuln IDs
  • V-259524
Rule IDs
  • SV-259524r941194_rule
This works only with supervised devices (MDM) and allows Apple Game Center to be disabled. The rationale is Game Center is using Apple ID and will share data on AppleID-based services; therefore, Game Center must be disabled. This setting also prohibits the functionality of adding friends to Game Center.
Checks: C-63263r941192_chk

Verify the macOS system is configured to disable iCloud Game Center with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowGameCenter').js EOS If the result is not "false", this is a finding.

Fix: F-63171r941193_fix

Configure the macOS system to disable iCloud Game Center by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable iCloud Private Relay.
CM-7 - Medium - CCI-000381 - V-259525 - SV-259525r941197_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002170
Vuln IDs
  • V-259525
Rule IDs
  • SV-259525r941197_rule
Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled. Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.
Checks: C-63264r941195_chk

Verify the macOS system is configured to disable the iCloud Private Relay with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudPrivateRelay').js EOS If the result is not "false", this is a finding.

Fix: F-63172r941196_fix

Configure the macOS system to disable the iCloud Private Relay by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Find My service.
CM-7 - Medium - CCI-000381 - V-259526 - SV-259526r941200_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002180
Vuln IDs
  • V-259526
Rule IDs
  • SV-259526r941200_rule
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
Checks: C-63265r941198_chk

Verify the macOS system is configured to disable Find My service with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowFindMyDevice')) let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowFindMyFriends')) let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\ .objectForKey('DisableFMMiCloudSetting')) if ( pref1 == false &amp;&amp; pref2 == false &amp;&amp; pref3 == true ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding.

Fix: F-63173r941199_fix

Configure the macOS system to disable Find My service by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable password autofill.
CM-7 - Medium - CCI-000381 - V-259527 - SV-259527r941203_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002190
Vuln IDs
  • V-259527
Rule IDs
  • SV-259527r941203_rule
Password Autofill must be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature must be disabled to prevent users from being prompted to save passwords in applications.
Checks: C-63266r941201_chk

Verify the macOS system is configured to disable password autofill with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowPasswordAutoFill').js EOS If the result is not "false", this is a finding.

Fix: F-63174r941202_fix

Configure the macOS system to disable password autofill by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable personalized advertising.
CM-7 - Medium - CCI-000381 - V-259528 - SV-259528r941206_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002200
Vuln IDs
  • V-259528
Rule IDs
  • SV-259528r941206_rule
Ad tracking and targeted ads must be disabled. The information system must be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
Checks: C-63267r941204_chk

Verify the macOS system is configured to disable personalized advertising with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowApplePersonalizedAdvertising').js EOS If the result is not "false", this is a finding.

Fix: F-63175r941205_fix

Configure the macOS system to disable personalized advertising by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable sending Siri and Dictation information to Apple.
CM-7 - Medium - CCI-000381 - V-259529 - SV-259529r941209_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002210
Vuln IDs
  • V-259529
Rule IDs
  • SV-259529r941209_rule
The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled. The information system must be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
Checks: C-63268r941207_chk

Verify the macOS system is configured to disable sending Siri and Dictation information to Apple with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\ .objectForKey('Siri Data Sharing Opt-In Status').js EOS If the result is not "2", this is a finding.

Fix: F-63176r941208_fix

Configure the macOS system to disable sending Siri and Dictation information to Apple by installing the "com.apple.assistant.support" configuration profile.

b
The macOS system must enforce on device dictation.
CM-7 - Medium - CCI-000381 - V-259530 - SV-259530r941212_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002220
Vuln IDs
  • V-259530
Rule IDs
  • SV-259530r941212_rule
Dictation must be restricted to on device only to prevent potential data exfiltration. The information system must be configured to provide only essential capabilities.
Checks: C-63269r941210_chk

For Intel-based systems, this is not applicable. Verify the macOS system is configured to enforce on device dictation with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('forceOnDeviceOnlyDictation').js EOS If the result is not "true", this is a finding.

Fix: F-63177r941211_fix

Configure the macOS system to enforce on device dictation by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable dictation.
CM-7 - Medium - CCI-000381 - V-259531 - SV-259531r941215_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002230
Vuln IDs
  • V-259531
Rule IDs
  • SV-259531r941215_rule
Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.
Checks: C-63270r941213_chk

For Apple Silicon-based systems, this is not applicable. Verify the macOS system is configured to disable dictation with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowDictation').js EOS If the result is not "false", this is a finding.

Fix: F-63178r941214_fix

Configure the macOS system to disable dictation by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Printer Sharing.
CM-7 - Medium - CCI-000381 - V-259532 - SV-259532r941218_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002240
Vuln IDs
  • V-259532
Rule IDs
  • SV-259532r941218_rule
Printer Sharing must be disabled.
Checks: C-63271r941216_chk

Verify the macOS system is configured to disable Printer Sharing with the following command: /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" If the result is not "1", this is a finding.

Fix: F-63179r941217_fix

Configure the macOS system to disable Printer Sharing with the following commands: /usr/sbin/cupsctl --no-share-printers /usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false

b
The macOS system must disable Remote Management.
CM-7 - Medium - CCI-000381 - V-259533 - SV-259533r941221_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002250
Vuln IDs
  • V-259533
Rule IDs
  • SV-259533r941221_rule
Remote Management must be disabled.
Checks: C-63272r941219_chk

Verify the macOS system is configured to disable Remote Management with the following command: /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" If the result is not "1", this is a finding.

Fix: F-63180r941220_fix

Configure the macOS system to disable Remote Management with the following commands: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

b
The macOS system must disable the Bluetooth system settings pane.
CM-7 - Medium - CCI-000381 - V-259534 - SV-259534r941224_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002260
Vuln IDs
  • V-259534
Rule IDs
  • SV-259534r941224_rule
The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.
Checks: C-63273r941222_chk

Verify the macOS system is configured to disable the Bluetooth system settings pane with the following command: /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.BluetoothSettings If the result is not "1", this is a finding.

Fix: F-63181r941223_fix

Configure the macOS system to disable the Bluetooth system settings pane by installing the "com.apple.systempreferences" configuration profiles.

b
The macOS system must disable the iCloud Freeform services.
CM-7 - Medium - CCI-000381 - V-259535 - SV-259535r941227_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-002270
Vuln IDs
  • V-259535
Rule IDs
  • SV-259535r941227_rule
The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization approved service.
Checks: C-63274r941225_chk

Verify the macOS system is configured to disable iCloud Freeform services with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCloudFreeform').js EOS If the result is not "false", this is a finding.

Fix: F-63182r941226_fix

Configure the macOS system to disable iCloud Freeform services by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must issue or obtain public key certificates from an approved service provider.
SC-23 - Medium - CCI-002470 - V-259536 - SV-259536r941230_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
APPL-14-003001
Vuln IDs
  • V-259536
Rule IDs
  • SV-259536r941230_rule
The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
Checks: C-63275r941228_chk

Verify the macOS system is configured to issue or obtain public key certificates from an approved service provider with the following command: /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' If the result does not contain a list of approved certificate authorities, this is a finding.

Fix: F-63183r941229_fix

Configure the macOS system to issue or obtain public key certificates from an approved service provider by obtaining the approved certificates from the appropriate authority and install them to the System Keychain.

b
The macOS system must require passwords contain a minimum of one numeric character.
IA-5 - Medium - CCI-000194 - V-259537 - SV-259537r941233_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
APPL-14-003007
Vuln IDs
  • V-259537
Rule IDs
  • SV-259537r941233_rule
The macOS must be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63276r941231_chk

Verify the macOS system is configured to require passwords contain a minimum of one numeric character with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyIdentifier"]/following-sibling::*[1]/text()' - | /usr/bin/grep "requireAlphanumeric" -c If the result is not "1", this is a finding.

Fix: F-63184r941232_fix

Configure the macOS system to require passwords contain a minimum of one numeric character by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must restrict maximum password lifetime to 60 days.
IA-5 - Medium - CCI-000199 - V-259538 - SV-259538r941236_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
APPL-14-003008
Vuln IDs
  • V-259538
Rule IDs
  • SV-259538r941236_rule
The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63277r941234_chk

Verify the macOS system is configured to restrict maximum password lifetime to 60 days with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeExpiresEveryNDays"]/following-sibling::*[1]/text()' - If the result is not "60" or less, this is a finding.

Fix: F-63185r941235_fix

Configure the macOS system to restrict maximum password lifetime to 60 days by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-259539 - SV-259539r941239_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
APPL-14-003009
Vuln IDs
  • V-259539
Rule IDs
  • SV-259539r941239_rule
The macOS must be configured to enforce a password history of at least five previous passwords when a password is created. This rule ensures that users are not allowed to reuse a password that was used in any of the five previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63278r941237_chk

Verify the macOS system is configured to prohibit password reuse for a minimum of five generations with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 &gt;= 5 ) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.

Fix: F-63186r941238_fix

Configure the macOS system to prohibit password reuse for five generations by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must require a minimum password length of 14 characters.
IA-5 - Medium - CCI-000205 - V-259540 - SV-259540r941242_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
APPL-14-003010
Vuln IDs
  • V-259540
Rule IDs
  • SV-259540r941242_rule
The macOS must be configured to require a minimum of 14 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63279r941240_chk

Verify the macOS system is configured to enforce a minimum 14-character password length with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.{14,}'\''")])' - If the result is not "true", this is a finding.

Fix: F-63187r941241_fix

Configure the macOS system to enforce a 14-character password length by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must require passwords contain a minimum of one special character.
IA-5 - Medium - CCI-001619 - V-259541 - SV-259541r941245_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
APPL-14-003011
Vuln IDs
  • V-259541
Rule IDs
  • SV-259541r941245_rule
The macOS must be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63280r941243_chk

Verify the macOS system is configured to require passwords contain a minimum of one special character with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){1,}'\''")])' - If the result is not "true", this is a finding.

Fix: F-63188r941244_fix

Configure the macOS system to require passwords contain a minimum of one special character by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must disable password hints.
IA-6 - Medium - CCI-000206 - V-259542 - SV-259542r941248_rule
RMF Control
IA-6
Severity
Medium
CCI
CCI-000206
Version
APPL-14-003012
Vuln IDs
  • V-259542
Rule IDs
  • SV-259542r941248_rule
Password hints must be disabled. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
Checks: C-63281r941246_chk

Verify the macOS system is configured to disable password hints with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('RetriesUntilHint').js EOS If the result is not "0", this is a finding.

Fix: F-63189r941247_fix

Configure the macOS system to disable password hints by installing the "com.apple.loginwindow" configuration profile.

b
The macOS system must enable firmware password.
CM-6 - Medium - CCI-000366 - V-259543 - SV-259543r941251_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-003013
Vuln IDs
  • V-259543
Rule IDs
  • SV-259543r941251_rule
A firmware password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware passcode use the following command: [source,bash] ---- /usr/sbin/firmwarepasswd -setpasswd ---- Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated. Note: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.
Checks: C-63282r941249_chk

For Apple Silicon systems, this is not applicable. Verify the macOS system is configured with a firmware password with the following command: /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" If the result is not "1", this is a finding.

Fix: F-63190r941250_fix

Configure the macOS system with a firmware password with the following command: /usr/sbin/firmwarepasswd -setpasswd Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.

b
The macOS system must remove password hints from user accounts.
IA-6 - Medium - CCI-000206 - V-259544 - SV-259544r941254_rule
RMF Control
IA-6
Severity
Medium
CCI
CCI-000206
Version
APPL-14-003014
Vuln IDs
  • V-259544
Rule IDs
  • SV-259544r941254_rule
User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.
Checks: C-63283r941252_chk

Verify the macOS system is configured to remove password hints from user accounts with the following command: /usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs If the result is not "0", this is a finding.

Fix: F-63191r941253_fix

Configure the macOS system to remove password hints from user accounts with the following command: for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do /usr/bin/dscl . -delete /Users/$u hint done

b
The macOS system must enforce smart card authentication.
IA-5 - Medium - CCI-000186 - V-259545 - SV-259545r941257_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
APPL-14-003020
Vuln IDs
  • V-259545
Rule IDs
  • SV-259545r941257_rule
Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the smart card must be used for logon, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard will apply to the whole system. No users will be able to log on with their password unless the profile is removed or a user is exempt from smart card enforcement. Note: enforceSmartcard requires allowSmartcard to be set to true in order to work. Satisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161
Checks: C-63284r941255_chk

Verify the macOS system is configured to enforce multifactor authentication with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('enforceSmartCard').js EOS If the result is not "true", this is a finding.

Fix: F-63192r941256_fix

Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

b
The macOS system must allow smart card authentication.
IA-5 - Medium - CCI-000187 - V-259546 - SV-259546r941260_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
APPL-14-003030
Vuln IDs
  • V-259546
Rule IDs
  • SV-259546r941260_rule
Smart card authentication must be allowed. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enabled, the smart card can be used for logon, authorization, and screen saver unlocking. Satisfies: SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000376-GPOS-00161
Checks: C-63285r941258_chk

Verify the macOS system is configured to allow smart card authentication with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('allowSmartCard').js EOS If the result is not "true", this is a finding.

Fix: F-63193r941259_fix

Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

b
The macOS system must enforce multifactor authentication for logon.
IA-2 - Medium - CCI-000765 - V-259547 - SV-259547r941263_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
APPL-14-003050
Vuln IDs
  • V-259547
Rule IDs
  • SV-259547r941263_rule
The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. Note: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057
Checks: C-63286r941261_chk

Verify the macOS system is configured to enforce multifactor authentication for login with the following command: /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login If the result is not "2", this is a finding.

Fix: F-63194r941262_fix

Configure the macOS system to enforce multifactor authentication for login with the following commands: /bin/cat > /etc/pam.d/login << LOGIN_END # login: auth account password session auth sufficient pam_smartcard.so auth optional pam_krb5.so use_kcminit auth optional pam_ntlm.so try_first_pass auth optional pam_mount.so try_first_pass auth required pam_opendirectory.so try_first_pass auth required pam_deny.so account required pam_nologin.so account required pam_opendirectory.so password required pam_opendirectory.so session required pam_launchd.so session required pam_uwtmp.so session optional pam_mount.so LOGIN_END /bin/chmod 644 /etc/pam.d/login /usr/sbin/chown root:wheel /etc/pam.d/login

b
The macOS system must enforce multifactor authentication for the su command.
IA-2 - Medium - CCI-000765 - V-259548 - SV-259548r941266_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
APPL-14-003051
Vuln IDs
  • V-259548
Rule IDs
  • SV-259548r941266_rule
The system must be configured such that, when the su command is used, multifactor authentication is enforced. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. Note: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057
Checks: C-63287r941264_chk

Verify the macOS system is configured to enforce multifactor authentication for the su command with the following command: /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su If the result is not "2", this is a finding.

Fix: F-63195r941265_fix

Configure the macOS system to enforce multifactor authentication for the su command with the following commands: /bin/cat > /etc/pam.d/su << SU_END # su: auth account password session auth sufficient pam_smartcard.so auth required pam_rootok.so auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe account required pam_permit.so account required pam_opendirectory.so no_check_shell password required pam_opendirectory.so session required pam_launchd.so SU_END # Fix new file ownership and permissions /bin/chmod 644 /etc/pam.d/su /usr/sbin/chown root:wheel /etc/pam.d/su

b
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
IA-2 - Medium - CCI-000765 - V-259549 - SV-259549r941269_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
APPL-14-003052
Vuln IDs
  • V-259549
Rule IDs
  • SV-259549r941269_rule
The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. Note: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057
Checks: C-63288r941267_chk

Verify the macOS system is configured to enforce multifactor authentication for privilege escalation through the sudo command with the following command: /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo If the result is not "2", this is a finding.

Fix: F-63196r941268_fix

Configure the macOS system to enforce multifactor authentication for privilege escalation through the sudo command with the following commands: /bin/cat > /etc/pam.d/sudo << SUDO_END # sudo: auth account password session auth sufficient pam_smartcard.so auth required pam_opendirectory.so auth required pam_deny.so account required pam_permit.so password required pam_deny.so session required pam_permit.so SUDO_END /bin/chmod 444 /etc/pam.d/sudo /usr/sbin/chown root:wheel /etc/pam.d/sudo

b
The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.
IA-5 - Medium - CCI-000192 - V-259550 - SV-259550r941272_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
APPL-14-003060
Vuln IDs
  • V-259550
Rule IDs
  • SV-259550r941272_rule
The macOS be configured to require at least one lowercase character and one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules. Note: The configuration profile generated must be installed from an MDM server. Satisfies: SRG-OS-000069-GPOS-00037,SRG-OS-000070-GPOS-00038
Checks: C-63289r941270_chk

Verify the macOS system is configured to require passwords contain a minimum of one lowercase character and one uppercase character with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''.*[A-Z]{1,}[a-z]{1,}.*'\''")])' - If the result is not "true", this is a finding.

Fix: F-63197r941271_fix

Configure the macOS system to require at least one lowercase character and one uppercase character in password complexity by installing the "com.apple.mobiledevice.passwordpolicy" configuration profile.

b
The macOS system must set minimum password lifetime to 24 hours.
IA-5 - Medium - CCI-000198 - V-259551 - SV-259551r941275_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
APPL-14-003070
Vuln IDs
  • V-259551
Rule IDs
  • SV-259551r941275_rule
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.
Checks: C-63290r941273_chk

Verify the macOS system is configured to set minimum password lifetime to 24 hours with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 &gt;= 24 ) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.

Fix: F-63198r941274_fix

Configure the macOS system to set minimum password lifetime to 24 hours. This setting may be enforced using local policy or by a directory service. To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent": [source,xml] ---- <dict> <key>policyContent</key> <string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string> <key>policyIdentifier</key> <string>Minimum Password Lifetime</string> <key>policyParameters</key> <dict> <key>policyAttributeMinimumLifetimeHours</key> <integer>24</integer> </dict> </dict> ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- Note: Refer to the password policy supplemental on more information on how to implement password policies on macOS.

b
The macOS system must disable accounts after 35 days of inactivity.
IA-4 - Medium - CCI-000795 - V-259552 - SV-259552r941278_rule
RMF Control
IA-4
Severity
Medium
CCI
CCI-000795
Version
APPL-14-003080
Vuln IDs
  • V-259552
Rule IDs
  • SV-259552r941278_rule
The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.
Checks: C-63291r941276_chk

Verify the macOS system is configured to disable accounts after 35 days of inactivity with the following command: /usr/bin/pwpolicy -getaccountpolicies 2&gt; /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - If the result is not "35", this is a finding.

Fix: F-63199r941277_fix

Configure the macOS system to disable accounts after 35 days of inactivity with the following command: This setting may be enforced using local policy or by a directory service. To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following <dict> within the "policyCategoryAuthentication": [source,xml] ---- <dict> <key>policyContent</key> <string>policyAttributeLastAuthenticationTime &gt; policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Inactive Account</string> <key>policyParameters</key> <dict> <key>policyAttributeInactiveDays</key> <integer>35</integer> </dict> </dict> ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- Note: Refer to the password policy supplemental on more information on how to implement password policies on macOS.

b
The macOS system must configure Apple System Log files to be owned by root and group to wheel.
SI-11 - Medium - CCI-001312 - V-259553 - SV-259553r941281_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
APPL-14-004001
Vuln IDs
  • V-259553
Rule IDs
  • SV-259553r941281_rule
The Apple System Logs (ASL) must be owned by root. ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. Satisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084
Checks: C-63292r941279_chk

Verify the macOS system is configured with Apple System Log files owned by root and group to wheel with the following command: /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^&gt;' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2&gt; /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' If the result is not "0", this is a finding.

Fix: F-63200r941280_fix

Configure the macOS system with Apple System Log files owned by root and group to wheel with the following command: /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')

b
The macOS system must configure Apple System Log files to mode 640 or less permissive.
SI-11 - Medium - CCI-001312 - V-259554 - SV-259554r941284_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
APPL-14-004002
Vuln IDs
  • V-259554
Rule IDs
  • SV-259554r941284_rule
The Apple System Logs (ASL) must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files must be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying, or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. Satisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084
Checks: C-63293r941282_chk

Verify the macOS system is configured with Apple System Log files to mode 640 or less permissive with the following command: /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^&gt;' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2&gt; /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' If the result is not "0", this is a finding.

Fix: F-63201r941283_fix

Configure the macOS system with Apple System Log files to mode 640 with the following command: /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F":" '!/640/{print $2}')

b
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
IA-11 - Medium - CCI-002038 - V-259555 - SV-259555r941287_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
APPL-14-004022
Vuln IDs
  • V-259555
Rule IDs
  • SV-259555r941287_rule
The file /etc/sudoers must include a timestamp_timout of 0. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
Checks: C-63294r941285_chk

Verify the macOS system requires reauthentication when using the "sudo" command to elevate privileges with the following command: /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes" If the result is not "1", this is a finding.

Fix: F-63202r941286_fix

Configure the macOS system to require reauthentication when using "sudo" with the following command: /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \; /bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp

b
The macOS system must configure system log files to be owned by root and group to wheel.
SI-11 - Medium - CCI-001312 - V-259556 - SV-259556r941290_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
APPL-14-004030
Vuln IDs
  • V-259556
Rule IDs
  • SV-259556r941290_rule
The system log files must be owned by root. System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. Satisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084
Checks: C-63295r941288_chk

Verify the macOS system is configured with system log files owned by root and group to wheel with the following command: /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2&gt; /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' If the result is not "0", this is a finding.

Fix: F-63203r941289_fix

Configure the macOS system with system log files owned by root and group to wheel with the following command: /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}')

b
The macOS system must configure system log files to mode 640 or less permissive.
SI-11 - Medium - CCI-001312 - V-259557 - SV-259557r941293_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
APPL-14-004040
Vuln IDs
  • V-259557
Rule IDs
  • SV-259557r941293_rule
The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying, or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk. Satisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084
Checks: C-63296r941291_chk

Verify the macOS system is configured with system log files set to mode 640 or less permissive with the following command: /usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2&gt; /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' If the result is not "0", this is a finding.

Fix: F-63204r941292_fix

Configure the macOS system with system log files set to mode 640 or less permissive with the following command: /bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F":" '!/640/{print $2}')

a
The macOS system must configure install.log retention to 365.
AU-4 - Low - CCI-001849 - V-259558 - SV-259558r941296_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001849
Version
APPL-14-004050
Vuln IDs
  • V-259558
Rule IDs
  • SV-259558r941296_rule
The install.log must be configured to require records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.
Checks: C-63297r941294_chk

Verify the macOS system is configured with install.log retention to 365 with the following command: /usr/sbin/aslmanager -dd 2&gt;&amp;1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i&lt;=NR;i++) { if ($i == "TTL" &amp;&amp; $(i+2) &gt;= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count &gt; 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' If the result is not "yes", this is a finding.

Fix: F-63205r941295_fix

Configure the macOS system with install.log retention to 365 with the following command: /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install Note: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.

b
The macOS system must configure sudoers timestamp type.
IA-11 - Medium - CCI-002038 - V-259559 - SV-259559r941299_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
APPL-14-004060
Vuln IDs
  • V-259559
Rule IDs
  • SV-259559r941299_rule
The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty. This rule ensures that the "sudo" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement. Satisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157
Checks: C-63298r941297_chk

Verify the macOS system is configured with sudoers timestamp type with the following command: /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/awk -F": " '/Type of authentication timestamp record/{print $2}' If the result is not "tty", this is a finding.

Fix: F-63206r941298_fix

Configure the macOS system with sudoers timestamp type with the following command: /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d; /!tty_tickets/d' '{}' \;

c
The macOS system must ensure System Integrity Protection is enabled.
AU-6 - High - CCI-000154 - V-259560 - SV-259560r941302_rule
RMF Control
AU-6
Severity
High
CCI
CCI-000154
Version
APPL-14-005001
Vuln IDs
  • V-259560
Rule IDs
  • SV-259560r941302_rule
System Integrity Protection (SIP) must be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents nonprivileged users from granting other users direct access to the contents of their home directories and folders. Note: SIP is enabled by default in macOS. Satisfies: SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000062-GPOS-00031,SRG-OS-000080-GPOS-00048,SRG-OS-000122-GPOS-00063,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000259-GPOS-00100,SRG-OS-000278-GPOS-00108,SRG-OS-000350-GPOS-00138
Checks: C-63299r941300_chk

Verify the macOS system is configured to enable System Integrity Protection with the following command: /usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.' If the result is not "1", this is a finding. /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn If the result is not "1", this is a finding.

Fix: F-63207r941301_fix

Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the following command: /usr/bin/csrutil enable

c
The macOS system must enforce FileVault.
SC-28 - High - CCI-001199 - V-259561 - SV-259561r941305_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
APPL-14-005020
Vuln IDs
  • V-259561
Rule IDs
  • SV-259561r941305_rule
FileVault must be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Satisfies: SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183,SRG-OS-000405-GPOS-00184
Checks: C-63300r941303_chk

Verify the macOS system is configured to enforce FileVault with the following command: dontAllowDisable=$(/usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('dontAllowFDEDisable').js EOS ) fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.") if [[ "$dontAllowDisable" == "true" ]] &amp;&amp; [[ "$fileVault" == 1 ]]; then echo "1" else echo "0" fi If the result is not "1", this is a finding.

Fix: F-63208r941304_fix

Note: Refer to the FileVault supplemental to implement this rule.

b
The macOS system must enable the application firewall.
CM-6 - Medium - CCI-000366 - V-259562 - SV-259562r941308_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-005050
Vuln IDs
  • V-259562
Rule IDs
  • SV-259562r941308_rule
The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
Checks: C-63301r941306_chk

Verify the macOS system is configured to enable the application firewall with the following command: profile="$(/usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ .objectForKey('EnableFirewall').js EOS )" plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2&gt;/dev/null)" if [[ "$profile" == "true" ]] &amp;&amp; [[ "$plist" =~ [1,2] ]]; then echo "true" else echo "false" fi If the result is not "true", this is a finding.

Fix: F-63209r941307_fix

Configure the macOS system to enable the application firewall with the following command: /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1

b
The macOS system must configure login window to prompt for username and password.
IA-2 - Medium - CCI-000764 - V-259563 - SV-259563r941311_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
APPL-14-005052
Vuln IDs
  • V-259563
Rule IDs
  • SV-259563r941311_rule
The login window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.
Checks: C-63302r941309_chk

Verify the macOS system is configured to prompt for username and password at the login window with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('SHOWFULLNAME').js EOS If the result is not "true", this is a finding.

Fix: F-63210r941310_fix

Configure the macOS system to prompt for username and password at the logon window by installing the "com.apple.loginwindow" configuration profile.

b
The macOS system must disable TouchID prompt during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259564 - SV-259564r941314_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-005054
Vuln IDs
  • V-259564
Rule IDs
  • SV-259564r941314_rule
The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential, and therefore must be disabled to prevent against the risk of individuals electing to enable TouchID to override organizationwide settings.
Checks: C-63303r941312_chk

Verify the macOS system is configured to disable TouchID prompt during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipTouchIDSetup').js EOS If the result is not "true", this is a finding.

Fix: F-63211r941313_fix

Configure the macOS system to disable TouchID prompt during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable Screen Time prompt during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259565 - SV-259565r941317_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-005055
Vuln IDs
  • V-259565
Rule IDs
  • SV-259565r941317_rule
The prompt for Screen Time setup during Setup Assistant must be disabled.
Checks: C-63304r941315_chk

Verify the macOS system is configured to disable Screen Time prompt during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipScreenTime').js EOS If the result is not "true", this is a finding.

Fix: F-63212r941316_fix

Configure the macOS system to disable Screen Time prompt during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable Unlock with Apple Watch during Setup Assistant.
CM-7 - Medium - CCI-000381 - V-259566 - SV-259566r941320_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-005056
Vuln IDs
  • V-259566
Rule IDs
  • SV-259566r941320_rule
The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
Checks: C-63305r941318_chk

Verify the macOS system is configured to disable Unlock with Apple Watch during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipUnlockWithWatch').js EOS If the result is not "true", this is a finding.

Fix: F-63213r941319_fix

Configure the macOS system to disable Unlock with Apple Watch during Setup Assistant by installing the "com.apple.SetupAssistant.managed" configuration profile.

b
The macOS system must disable Handoff.
AC-3 - Medium - CCI-000213 - V-259567 - SV-259567r941323_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-005058
Vuln IDs
  • V-259567
Rule IDs
  • SV-259567r941323_rule
Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. Satisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118
Checks: C-63306r941321_chk

Verify the macOS system is configured to disable handoff with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowActivityContinuation').js EOS If the result is not "false", this is a finding.

Fix: F-63214r941322_fix

Configure the macOS system to disable handoff by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable proximity-based password sharing requests.
CM-7 - Medium - CCI-000381 - V-259568 - SV-259568r941326_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-005060
Vuln IDs
  • V-259568
Rule IDs
  • SV-259568r941326_rule
Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disabled to prevent passwords from being shared.
Checks: C-63307r941324_chk

Verify the macOS system is configured to disable proximity-based password sharing requests with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowPasswordProximityRequests').js EOS If the result is not "false", this is a finding.

Fix: F-63215r941325_fix

Configure the macOS system to disable proximity-based password sharing requests by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must disable Erase Content and Settings.
CM-7 - Medium - CCI-000381 - V-259569 - SV-259569r941329_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
APPL-14-005061
Vuln IDs
  • V-259569
Rule IDs
  • SV-259569r941329_rule
Erase Content and Settings must be disabled.
Checks: C-63308r941327_chk

Verify the macOS system is configured to disable Erase Content and Settings with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowEraseContentAndSettings').js EOS If the result is not "false", this is a finding.

Fix: F-63216r941328_fix

Configure the macOS system to disable Erase Content and Settings by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must enable Authenticated Root.
AC-3 - Medium - CCI-000213 - V-259570 - SV-259570r941332_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
APPL-14-005070
Vuln IDs
  • V-259570
Rule IDs
  • SV-259570r941332_rule
Authenticated Root must be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. Note: Authenticated Root is enabled by default on macOS systems. WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
Checks: C-63309r941330_chk

Verify the macOS system is configured to enable authenticated root with the following command: /usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled' If the result is not "1", this is a finding.

Fix: F-63217r941331_fix

Configure the macOS system to enable authenticated root with the following command: /usr/bin/csrutil authenticated-root enable Note: To reenable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.

b
The macOS system must prohibit user installation of software into /users/.
CM-11 - Medium - CCI-001812 - V-259571 - SV-259571r941335_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
APPL-14-005080
Vuln IDs
  • V-259571
Rule IDs
  • SV-259571r941335_rule
Users must not be allowed to install software into /users/. Allowing users who do not possess explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. [IMPORTANT] ==== Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements. ====
Checks: C-63310r941333_chk

Verify the macOS system is configured to prohibit user installation of software into /users/ with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('familyControlsEnabled')) let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('pathBlackList').js for ( let app in pathlist ) { if ( ObjC.unwrap(pathlist[app]) == "/Users/" &amp;&amp; pref1 == true ){ return("true") } } return("false") } EOS If the result is not "true", this is a finding.

Fix: F-63218r941334_fix

Configure the macOS system to prohibit user installation of software into /users/ by installing the "com.apple.applicationaccess.new" configuration profile.

b
The macOS system must authorize USB devices before allowing connection.
IA-3 - Medium - CCI-001958 - V-259572 - SV-259572r941338_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
APPL-14-005090
Vuln IDs
  • V-259572
Rule IDs
  • SV-259572r941338_rule
USB devices connected to a Mac must be authorized. [IMPORTANT] ==== This feature is removed if a smart card is paired or smart card attribute mapping is configured. ====
Checks: C-63311r941336_chk

Verify the macOS system is configured to authorize USB devices before allowing connection with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowUSBRestrictedMode')) if ( pref1 == false ) { return("false") } else { return("true") } } EOS If the result is not "true", this is a finding.

Fix: F-63219r941337_fix

Configure the macOS system to authorize USB devices before allowing connection by installing the "com.apple.applicationaccess" configuration profile.

b
The macOS system must ensure secure boot level set to full.
SI-6 - Medium - CCI-002696 - V-259573 - SV-259573r941341_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002696
Version
APPL-14-005100
Vuln IDs
  • V-259573
Rule IDs
  • SV-259573r941341_rule
The Secure Boot security setting must be set to full. Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. Note: This will only return a proper result on T2 or Apple Silicon Macs. Satisfies: SRG-OS-000445-GPOS-00199,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201
Checks: C-63312r941339_chk

Verify the macOS system is configured to ensure secure boot level set to full using the following command: /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" If the result is not "1", this is a finding.

Fix: F-63220r941340_fix

Configure the macOS system to ensure secure boot level set to full by booting into Recovery Mode and enable Full Secure Boot.

b
The macOS system must enforce enrollment in mobile device management.
CM-6 - Medium - CCI-000366 - V-259574 - SV-259574r941344_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-005110
Vuln IDs
  • V-259574
Rule IDs
  • SV-259574r941344_rule
Users must enroll their Mac in a Mobile Device Management (MDM) software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include: * Allowed Kernel Extensions * Allowed Approved System Extensions * Privacy Preferences Policy Control Payload * ExtensibleSingleSignOn * FDEFileVault In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM: * Activation Lock Bypass * Access to Bootstrap Tokens * Scheduling Software Updates * Query list and delete local users
Checks: C-63313r941342_chk

Verify the macOS system is configured to enforce enrollment in mobile device management with the following command: /usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)" If the result is not "1", this is a finding.

Fix: F-63221r941343_fix

Configure the macOS system by ensuring that system is enrolled via UAMDM.

b
The macOS system must enable recovery lock.
CM-6 - Medium - CCI-000366 - V-259575 - SV-259575r941347_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-005120
Vuln IDs
  • V-259575
Rule IDs
  • SV-259575r941347_rule
A recovery lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.
Checks: C-63314r941345_chk

For non-Apple Silicon systems, this is not applicable. Verify the macOS system is configured with recovery lock with the following command: /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1" If the result is not "1", this is a finding.

Fix: F-63222r941346_fix

Configure the macOS system with recovery lock with the SetRecoveryLock command. This can be used to set a Recovery Lock password and must be from the MDM.

b
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
CM-6 - Medium - CCI-000366 - V-259576 - SV-259576r941350_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
APPL-14-005130
Vuln IDs
  • V-259576
Rule IDs
  • SV-259576r941350_rule
Software Update must be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. https://support.apple.com/en-us/HT207005 Note: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.
Checks: C-63315r941348_chk

Verify the macOS system is configured to enforce installation of XProtect Remediator and Gatekeeper updates automatically with the following command: /usr/bin/osascript -l JavaScript &lt;&lt; EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\ .objectForKey('ConfigDataInstall').js EOS If the result is not "true", this is a finding.

Fix: F-63223r941349_fix

Configure the macOS system to enforce installation of XProtect Remediator and Gatekeeper updates automatically by installing the "com.apple.SoftwareUpdate" configuration profile.