#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# This script is Copyright (C) 2004-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.6 $
# $Date: 2023/08/22 $
#
# description : This document implements the security configuration as recommended by the
# CIS Apple macOS 13.0 Ventura Benchmark v1.0.0
#
#
#CIS Apple macOS 13.0 Ventura v1.0.0 L1
#
# CIS
# Apple macOS 13.0 Ventura L1
# 1.0.0
# https://workbench.cisecurity.org/files/4159
#
#macos_13,agent,unix,update_20230227
#CSCv6,CSCv7,CSCv8,LEVEL,CCE
#PLATFORM_VERSION
# 13
# MacOS platform version
# MacOS platform version
# STRING
#
#
# ACCESS_WARNING
# This system is reserved for authorized use only and may be monitored.
# Login Window Text
# An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored.
# STRING
#
#
# PASSWORD_LOCKOUT_THRESHOLD
# [1-5]
# Password lockout threshold
# Password lockout threshold found in pwpolicy
# STRING
#
#
# PASSWORD_MINIMUM_LENGTH
# (1[5-9]|[2-9][0-9])
# Password Minimum Length
# Password Minimum Length found in pwpolicy
# STRING
#
#
# PASSWORD_AGE
# true
# Password Age
# Password Age found in pwpolicy
# STRING
#
#
# PASSWORD_HISTORY
# true
# Password History
# Password History found in pwpolicy
# STRING
#
#
#
type : CMD_EXEC
description : "MacOS 13 is installed"
cmd : "/usr/bin/sw_vers | /usr/bin/grep 'ProductVersion'"
expect : "^ProductVersion[\\s]*:[\\s]*13\\."
description : "CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit from CIS Apple macOS 13.0 Ventura Benchmark v1.0.0"
see_also : "https://workbench.cisecurity.org/files/4159"
type : CMD_EXEC
description : "1.1 Ensure All Apple-provided Software Is Current"
info : "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.
Software updates should be run at minimum every 30 days. Run the following command to verify when software update was previously run:
$ /usr/bin/sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep -e LastFullSuccessfulDate.
The response should be in the last 30 days (Example): LastFullSuccessfulDate = '2020-07-30 12:45:25 +0000';
Rationale:
It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.
Impact:
Missing patches can lead to more exploit opportunities."
solution : "Graphical Method:
Perform the following to install all available software updates:
Open System Settings
Select General
Select Software Update
Select Update All
Terminal Method:
Run the following command to verify what packages need to be installed:
$ /usr/bin/sudo /usr/sbin/softwareupdate -l
The output will include the following:
Software Update found the following new or updated software:
Run the following command to install all the packages that need to be updated:
$ /usr/bin/sudo /usr/sbin/softwareupdate -i -a -R
Or run the following command to install individual packages:
$ /usr/bin/sudo /usr/sbin/softwareupdate -i '<package name>'
example:
$ /usr/bin/sudo /usr/sbin/softwareupdate -l
Software Update Tool
Finding available software
Software Update found the following new or updated software:
* iTunesX-12.8.2
iTunes (12.8.2), 273614K [recommended]
$ /usr/bin/sudo /usr/sbin/softwareupdate -i 'iTunesX-12.8.2'
Software Update Tool
Downloaded iTunes
Installing iTunes
Done with iTunes
Done."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/softwareupdate -l 2>&1"
expect : "No new software available"
type : MACOSX_OSASCRIPT
description : "1.2 Ensure Auto Update Is Enabled"
info : "Auto Update verifies that your system has the newest security patches and software updates. If 'Automatically check for updates' is not selected, background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.
http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
Rationale:
It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities.
Impact:
Without automatic update, updates may not be made in a timely manner and the system will be exposed to additional risk."
solution : "Graphical Method:
Perform the steps following to enable the system to automatically check for updates:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Check for updates to enabled
Select Done
Terminal Method:
Run the following command to enable auto update:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is AutomaticCheckEnabled
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "AutomaticCheckEnabled"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "1.3 Ensure Download New Updates When Available Is Enabled"
info : "In the GUI, both 'Install macOS updates' and 'Install app updates from the App Store' are dependent on whether 'Download new updates when available' is selected.
Rationale:
It is important that a system has the newest updates downloaded so that they can be applied.
Impact:
If 'Download new updates when available' is not selected, updates may not be made in a timely manner and the system will be exposed to additional risk."
solution : "Perform the following to enable the system to automatically check for updates:
Graphical Method:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Download new updates when available to enabled
Select Done
Terminal Method:
Run the following command to enable auto update:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is AutomaticDownload
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "AutomaticDownload"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "1.4 Ensure Install of macOS Updates Is Enabled"
info : "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off simply to allow the administrator to contact users in order to verify installation. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact:
Unpatched software may be exploited."
solution : "Graphical Method:
Perform the following steps to enable macOS updates to run automatically:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Install macOS updates to enabled
Select Done
Terminal Method:
Run the following command to enable automatic checking and installing of macOS updates:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is AutomaticallyInstallMacOSUpdates
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "AutomaticallyInstallMacOSUpdates"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "Check for AutoUpdate"
expect : "true"
payload_key : "AutoUpdate"
payload_type : "com.apple.commerce"
type : MACOSX_OSASCRIPT
description : "1.5 Ensure Install Application Updates from the App Store Is Enabled"
info : "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or administrator privileges for end users.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact:
Unpatched software may be exploited."
solution : "Graphical Method:
Perform the following steps to enable App Store updates to install automatically:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Install application updates from the App Store to enabled
Select Done
Terminal Method:
Run the following command to turn on App Store auto updating:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
Note: This remediation requires a log out and log in to show in the GUI.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is AutomaticallyInstallAppUpdates
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "AutoUpdate"
payload_type : "com.apple.commerce"
type : MACOSX_OSASCRIPT
description : "1.5 Ensure Install Application Updates from the App Store Is Enabled"
info : "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or administrator privileges for end users.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact:
Unpatched software may be exploited."
solution : "Graphical Method:
Perform the following steps to enable App Store updates to install automatically:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Install application updates from the App Store to enabled
Select Done
Terminal Method:
Run the following command to turn on App Store auto updating:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
Note: This remediation requires a log out and log in to show in the GUI.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is AutomaticallyInstallAppUpdates
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "AutomaticallyInstallAppUpdates"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "1.6 Ensure Install Security Responses and System Files Is Enabled - ConfigDataInstall"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact:
Unpatched software may be exploited."
solution : "Graphical Method:
Perform the following steps to enable system data files and security updates to install automatically:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Install Security Responses and System files to enabled
Select Done
Terminal Method:
Run the following commands to enable automatic checking of system data files and security updates:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is ConfigDataInstall
The key must be set to <true/>
The key to also include is CriticalUpdateInstall
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|RA-5(2),800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-5(2),800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSCv8|7.7,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|RA-5(2),ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "ConfigDataInstall"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "1.6 Ensure Install Security Responses and System Files Is Enabled - CriticalUpdateInstall"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
Rationale:
Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact:
Unpatched software may be exploited."
solution : "Graphical Method:
Perform the following steps to enable system data files and security updates to install automatically:
Open System Settings
Select General
Select Software Update
Select the (i) button
Set Install Security Responses and System files to enabled
Select Done
Terminal Method:
Run the following commands to enable automatic checking of system data files and security updates:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.SoftwareUpdate
The key to include is ConfigDataInstall
The key must be set to <true/>
The key to also include is CriticalUpdateInstall
The key must be set to <true/>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|RA-5(2),800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-5(2),800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSCv8|7.7,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|RA-5(2),ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "CriticalUpdateInstall"
payload_type : "com.apple.SoftwareUpdate"
type : MACOSX_OSASCRIPT
description : "1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days"
info : "Apple provides the capability to manage software updates on Apple devices through mobile device management. Part of those capabilities permit organizations to defer software updates and allow for testing. Many organizations have specialized software and configurations that may be negatively impacted by Apple updates. If software updates are deferred, they should not be deferred for more than 30 days. This control only verifies that deferred software updates are not deferred for more than 30 days.
Rationale:
Apple software updates almost always include security updates. Attackers evaluate updates to create exploit code in order to attack unpatched systems. The longer a system remains unpatched, the greater an exploit possibility exists in which there are publicly reported vulnerabilities.
Impact:
Some organizations may need more than 30 days to evaluate the impact of software updates."
solution : "Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is enforcedSoftwareUpdateDelay
The key must be set to <1-30>"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^([0-9]|[12][0-9]|30)$"
payload_key : "enforcedSoftwareUpdateDelay"
payload_type : "com.apple.applicationaccess"
type : MACOSX_OSASCRIPT
description : "Check for globalstate"
expect : "^[12]$"
payload_key : "globalstate"
payload_type : "com.apple.alf"
type : MACOSX_OSASCRIPT
description : "2.2.1 Ensure Firewall Is Enabled"
info : "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall:
Rationale:
A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
Impact:
The firewall may block legitimate traffic. Applications that are unsigned will require special handling."
solution : "Graphical Method:
Perform the following steps to turn the firewall on:
Open System Settings
Select Network
Select Firewall
Set Firewall to enabled
Terminal Method:
Run the following command to enable the firewall:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
For the <value>, use either 1, specific services, or 2, essential services only.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to <true/>"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.6.1,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.6,800-171|3.14.6,800-171|3.14.7,800-53|AU-6(1),800-53|AU-7,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IR-4(1),800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53|SC-7,800-53|SC-7(5),800-53|SI-4(2),800-53|SI-4(5),800-53r5|AU-6(1),800-53r5|AU-7,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IR-4(1),800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,800-53r5|SC-7,800-53r5|SC-7(5),800-53r5|SI-4(2),800-53r5|SI-4(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(d),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(j),CSCv7|5.1,CSCv7|9.4,CSCv7|9.5,CSCv8|4.1,CSCv8|4.5,CSCv8|13.1,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.AE-5,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-4,CSF|ID.GV-1,CSF|ID.GV-3,CSF|ID.RA-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.IP-8,CSF|PR.PT-1,CSF|PR.PT-3,CSF|PR.PT-4,CSF|RC.RP-1,CSF|RS.AN-1,CSF|RS.AN-3,CSF|RS.CO-2,CSF|RS.CO-3,CSF|RS.RP-1,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-6(1),ITSG-33|AU-7,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IR-4(1),ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,ITSG-33|SC-7,ITSG-33|SC-7(5),ITSG-33|SI-4(2),ITSG-33|SI-4(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.2.5,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NESA|T8.2.8,NESA|T8.2.9,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|GS8b,NIAv2|NS25,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4
.0|1.4.1,PCI-DSSv4.0|10.4.1.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|45.2.5"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^[12]$"
payload_key : "globalstate"
payload_type : "com.apple.alf"
type : MACOSX_OSASCRIPT
description : "2.2.1 Ensure Firewall Is Enabled"
info : "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall:
Rationale:
A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
Impact:
The firewall may block legitimate traffic. Applications that are unsigned will require special handling."
solution : "Graphical Method:
Perform the following steps to turn the firewall on:
Open System Settings
Select Network
Select Firewall
Set Firewall to enabled
Terminal Method:
Run the following command to enable the firewall:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
For the <value>, use either 1, specific services, or 2, essential services only.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to <true/>"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.6.1,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.6,800-171|3.14.6,800-171|3.14.7,800-53|AU-6(1),800-53|AU-7,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IR-4(1),800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53|SC-7,800-53|SC-7(5),800-53|SI-4(2),800-53|SI-4(5),800-53r5|AU-6(1),800-53r5|AU-7,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IR-4(1),800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,800-53r5|SC-7,800-53r5|SC-7(5),800-53r5|SI-4(2),800-53r5|SI-4(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(d),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(j),CSCv7|5.1,CSCv7|9.4,CSCv7|9.5,CSCv8|4.1,CSCv8|4.5,CSCv8|13.1,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.AE-5,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-4,CSF|ID.GV-1,CSF|ID.GV-3,CSF|ID.RA-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.IP-8,CSF|PR.PT-1,CSF|PR.PT-3,CSF|PR.PT-4,CSF|RC.RP-1,CSF|RS.AN-1,CSF|RS.AN-3,CSF|RS.CO-2,CSF|RS.CO-3,CSF|RS.RP-1,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-6(1),ITSG-33|AU-7,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IR-4(1),ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,ITSG-33|SC-7,ITSG-33|SC-7(5),ITSG-33|SI-4(2),ITSG-33|SI-4(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.2.5,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NESA|T8.2.8,NESA|T8.2.9,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|GS8b,NIAv2|NS25,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4
.0|1.4.1,PCI-DSSv4.0|10.4.1.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|45.2.5"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "EnableFirewall"
payload_type : "com.apple.security.firewall"
type : MACOSX_OSASCRIPT
description : "Check for stealthenabled"
expect : "^1$"
payload_key : "stealthenabled"
payload_type : "com.apple.alf"
type : MACOSX_OSASCRIPT
description : "2.2.2 Ensure Firewall Stealth Mode Is Enabled"
info : "While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.
Rationale:
Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.
Impact:
Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.
This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable."
solution : "Graphical Method:
Perform the following steps to enable firewall stealth mode:
Open System Settings
Select Network
Select Firewall
Select Options...
Set Enabled stealth mode to enabled
Terminal Method:
Run the following command to enable stealth mode:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth mode enabled
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableStealthMode
The key must be set to <true/>
Note: This key must be set in the same configuration profile with EnableFirewall set to <true/>. If it is set in its own configuration profile, it will fail."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.6,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53|SC-7,800-53|SC-7(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|5.1,CSCv7|9.4,CSCv8|4.1,CSCv8|4.5,CSCv8|4.8,CSF|DE.AE-1,CSF|DE.CM-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|GS8b,NIAv2|NS25,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^1$"
payload_key : "stealthenabled"
payload_type : "com.apple.alf"
type : MACOSX_OSASCRIPT
description : "2.2.2 Ensure Firewall Stealth Mode Is Enabled"
info : "While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.
Rationale:
Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.
Impact:
Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.
This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable."
solution : "Graphical Method:
Perform the following steps to enable firewall stealth mode:
Open System Settings
Select Network
Select Firewall
Select Options...
Set Enabled stealth mode to enabled
Terminal Method:
Run the following command to enable stealth mode:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth mode enabled
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableStealthMode
The key must be set to true
Note: This key must be set in the same configuration profile with EnableFirewall set to true. If it is set in its own configuration profile, it will fail."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-171|3.13.6,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53|SC-7,800-53|SC-7(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|5.1,CSCv7|9.4,CSCv8|4.1,CSCv8|4.5,CSCv8|4.8,CSF|DE.AE-1,CSF|DE.CM-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|GS8b,NIAv2|NS25,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "EnableStealthMode"
payload_type : "com.apple.security.firewall"
type : CMD_EXEC
description : "2.3.3.1 Ensure DVD or CD Sharing Is Disabled"
info : "DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing, the sharing of an external optical drive persists when a drive is reconnected.
Rationale:
Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data.
Impact:
Many Apple devices are now sold without optical drives, however drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long-term storage. To store necessary data from an optical drive it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in its original form on another form of external storage."
solution : "Graphical Method:
Perform the following steps to disable DVD or CD Sharing:
Open System Settings
Select General
Select Sharing
Set DVD or CD sharing to disabled
Terminal Method:
Run the following command to disable DVD or CD Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.ODSAgent
Note: If using the Terminal method, the GUI will still show the service checked until after a reboot."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -c 'com.apple.ODSAgent'"
expect : "0"
type : CMD_EXEC
description : "2.3.3.2 Ensure Screen Sharing Is Disabled"
info : "Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
While mature administration and management does not use graphical connections for standard maintenance, most help desks have capabilities to assist users in performing their work when they have technical issues and need support. Help desks use graphical remote tools to understand what the user sees and assist them so they can get back to work. For MacOS, some of these remote capabilities can use Apple's OS tools. Control is therefore not meant to prohibit the use of a just-in-time graphical view from authorized personnel with authentication controls. Sharing should not be enabled except in narrow windows when help desk support is required.
Rationale:
Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer.
Impact:
Help desks may require the periodic use of a graphical connection mechanism to assist users. Any support that relies on native macOS components will not work unless a scripted solution to enable and disable sharing as necessary is in place."
solution : "Graphical Method:
Perform the following steps to disable Screen Sharing:
Open System Settings
Select General
Select Sharing
Set Screen Sharing to disabled
Terminal Method:
Run the following command to turn off Screen Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -c 'com.apple.screensharing'"
expect : "0"
type : CMD_EXEC
description : "2.3.3.3 Ensure File Sharing Is Disabled"
info : "File sharing from a user workstation creates additional risks, such as:
Open ports are created that can be probed and attacked
Passwords are attached to user accounts for access that may be exposed and endanger other parts of the organizational environment, including directory accounts
Increased complexity makes security more difficult and may expose additional attack vectors
Apple's File Sharing uses the Server Message Block (SMB) protocol to share to other computers that can mount SMB shares. This includes other macOS computers.
Apple warns that storing passwords for SMB sharing is less secure, and anyone with system access can gain access to the password for that account. When sharing with SMB, each user accessing the Mac must have SMB enabled. Storing passwords, especially copies of valid directory passwords, decreases security for the directory account and should not be used.
Rationale:
By disabling File Sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.
Impact:
File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on File Sharing increases the visibility and attack surface of a system unnecessarily."
solution : "Graphical Method:
Perform the following steps to disable File Sharing:
Open System Settings
Select General
Select Sharing
Set File Sharing to disabled
Terminal Method:
Run the following command to disable File Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd"
reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSCv8|5.4,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -c 'com.apple.smbd'"
expect : "0"
type : CMD_EXEC
description : "2.3.3.4 Ensure Printer Sharing Is Disabled"
info : "By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
Rationale:
Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
solution : "Graphical Method:
Perform the following steps to disable Printer Sharing:
Open System Settings
Select General
Select Sharing
Set Printer Sharing to disabled
Terminal Method:
Run the following command to disable Printer Sharing:
$ /usr/bin/sudo /usr/sbin/cupsctl --no-share-printers"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/cupsctl | /usr/bin/grep _share_printers"
expect : "_share_printers=0"
type : CMD_EXEC
description : "2.3.3.5 Ensure Remote Login Is Disabled"
info : "Remote Login allows an interactive terminal connection to a computer.
Rationale:
Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard for connecting to POSIX servers, the scope of the benchmark is Apple macOS clients, not servers.
macOS does have an IP-based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in the Network sub-section. macOS no longer has TCP Wrappers support built in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Since most macOS computers are mobile workstations, managing IP-based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server.
Impact:
The SSH server built into macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser, and productivity tools, should not use the same device as a server. There are Enterprise management toolsets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate administrator service accounts.
For macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered:
Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication, directory accounts for users that don't even use the system can be locked out.
Do not use SSH key pairs when there is no insight to the security on the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key, they may not need a password or a key logger to access the SSH server.
Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark."
solution : "Perform the following to disable Remote Login:
Graphical Method:
Perform the following steps to disable Remote Login:
Open System Settings
Select General
Select Sharing
Set Remote Login to disabled
Terminal Method:
Run the following command to disable Remote Login:
$ /usr/bin/sudo /usr/sbin/systemsetup -setremotelogin off
Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)?
Entering yes will disable remote login.
Additional Information:
man sshd_config"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/systemsetup -getremotelogin"
expect : "^Remote[\\s]*Login:[\\s]*Off$"
system : "Darwin"
type : PROCESS_CHECK
description : "2.3.3.6 Ensure Remote Management Is Disabled"
info : "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs.
The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above for issues regarding screen sharing.
Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is a major concern for mobile systems. As with other sharing options, an open port even for authorized management functions can be attacked, and both unauthorized access and Denial-of-Service vulnerabilities could be exploited. If remote management is required, the pf firewall should restrict access only to known, trusted management consoles. Remote management should not be used across the Internet without the use of a VPN tunnel.
Rationale:
Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.
Impact:
Many organizations utilize ARD for client management."
solution : "Graphical Method:
Perform the following steps to disable Remote Management:
Open System Settings
Select General
Select Sharing
Set Remote Management to disabled
Terminal Method:
Run the following command to disable Remote Management:
$ /usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
Starting...
Removed preference to start ARD after reboot.
Done.
Additional Information:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help"
reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv7|9.2,CSCv7|14.3,CSCv8|4.1,CSCv8|4.8,CSCv8|5.4,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
name : "ARDAgent"
status : OFF
type : CMD_EXEC
description : "2.3.3.7 Ensure Remote Apple Events Is Disabled"
info : "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.
Rationale:
Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system.
Impact:
With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer."
solution : "Graphical Method:
Perform the following steps to disable Remote Apple Events:
Open System Settings
Select General
Select Sharing
Set Remote Apple Events to disabled
Terminal Method:
Run the following commands to set Remote Apple Events to Off:
$ /usr/bin/sudo /usr/sbin/systemsetup -setremoteappleevents off
setremoteappleevents: Off"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/systemsetup -getremoteappleevents"
expect : "^Remote Apple Events:[\\s]*Off"
type : MACOSX_OSASCRIPT
description : "Check for forceInternetSharingOff"
expect : "true"
payload_key : "forceInternetSharingOff"
payload_type : "com.apple.MCX"
type : MACOSX_OSASCRIPT
description : "2.3.3.8 Ensure Internet Sharing Is Disabled"
info : "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
Rationale:
Disabling Internet Sharing reduces the remote attack surface of the system.
Impact:
Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices."
solution : "Graphical Method:
Perform the following steps to disable Internet Sharing:
Open System Settings
Select General
Select Sharing
Set Internet Sharing to disabled
Terminal Method:
Run the following command to turn off Internet Sharing:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
Note: Using the Terminal Method will not be reflected in the GUI, but will disable the underlying service.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is forceInternetSharingOff
The key must be set to true"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "forceInternetSharingOff"
payload_type : "com.apple.MCX"
type : MACOSX_DEFAULTS_READ
description : "2.3.3.8 Ensure Internet Sharing Is Disabled"
info : "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
Rationale:
Disabling Internet Sharing reduces the remote attack surface of the system.
Impact:
Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices."
solution : "Graphical Method:
Perform the following steps to disable Internet Sharing:
Open System Settings
Select General
Select Sharing
Set Internet Sharing to disabled
Terminal Method:
Run the following command to turn off Internet Sharing:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
Note: Using the Terminal Method will not be reflected in the GUI, but will disable the underlying service.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is forceInternetSharingOff
The key must be set to true"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "Enabled[\\s]*=[\\s]*0;"
managed_path : "/Library/Preferences/SystemConfiguration/"
plist_item : "NAT"
plist_name : "com.apple.nat"
plist_option : CANNOT_BE_NULL
type : MACOSX_DEFAULTS_READ
description : "2.3.3.11 Ensure Bluetooth Sharing Is Disabled"
info : "Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.
Rationale:
Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system.
Impact:
Control 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem. It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must be enabled if sharing is an acceptable use case."
solution : "Graphical Method:
Perform the following steps to disable Bluetooth Sharing:
Open System Settings
Select General
Select Sharing
Set Bluetooth Sharing to disabled
Terminal Method:
Run the following command, once per user, to disable Bluetooth Sharing:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-171|3.13.1,800-171|3.13.2,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|MP-2,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|MP-2,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4.8,CSCv7|5.1,CSCv7|9.2,CSCv7|14.6,CSCv8|3.3,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|MP-2,ITSG-33|MP-2a.,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.2.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.2,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|SS29,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
byhost : YES
not_regex : "1"
plist_item : "PrefKeyServicesEnabled"
plist_name : "com.apple.Bluetooth"
plist_option : CAN_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.3.2.1 Ensure Set Time and Date Automatically Is Enabled"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries.
Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required, use the Date & Time System Preference with each server separated by a space.
Additional Note: The default Apple time server is time.apple.com. Variations include time.euro.apple.com. While it is certainly more efficient to use internal time servers, there is no reason to block access to global Apple time servers or to add a time.apple.com alias to internal DNS records. There are no reports that Apple gathers any information from NTP synchronization, as the computers already phone home to Apple for Apple services including iCloud use and software updates. Best practice is to allow DNS resolution to an authoritative time service for time.apple.com, preferably to connect to Apple servers, but local servers are acceptable as well.
Rationale:
Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features.
Impact:
The timed service will periodically synchronize with named time servers and will make the computer time more accurate."
solution : "Graphical Method:
Perform the following to enable the date and time to be set automatically:
Open System Settings
Select General
Select Date & Time
Set Set time and date automatically to enabled
Note: By default, the operating system will use time.apple.com as the time server. You can change to any time server that meets your organization's requirements.
Terminal Method:
Run the following commands to enable the date and time setting automatically:
$ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver
setNetworkTimeServer:
$ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on
setUsingNetworkTime: On
example:
$ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver time.apple.com
setNetworkTimeServer: time.apple.com
$ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on
setUsingNetworkTime: On
Run the following commands if you have not set, or need to set, a new time zone:
$ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones
$ /usr/bin/sudo /usr/sbin/systemsetup -settimezone
example:
$ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones
Time Zones:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...
$ /usr/bin/sudo /usr/sbin/systemsetup -settimezone America/New_York
Set TimeZone: America/New_York
Additional Information:
To learn more about timed, read: Has anyone got the time? How High Sierra has changed time synchronisation
Note: The profile configuration has been removed since it requires a specific time server to be set."
reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/systemsetup -getusingnetworktime"
expect : "Network Time:[\\s]*On"
type : CMD_EXEC
description : "2.3.2.2 Ensure Time Is Set Within Appropriate Limits"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems, the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed.
If there are consistent drift issues on the OS, some of the most common drift issues should be investigated:
The chosen time server is not reachable based on network firewall rules on the current network
The computer is offline often and the battery drains, and the network is not immediately available
The chosen time server is a special internal or non-public time server that does not provide a reliable time source
Note: ntpdate has been deprecated with 10.14. sntp replaces that command.
Rationale:
Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.
Impact:
Accurate time is required for many computer functions."
solution : "Terminal Method:
Run the following commands to ensure your time is set within an appropriate limit:
$ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver
The output will include Network Time Server: and the name of your time server
example: Network Time Server: time.apple.com.
$ /usr/bin/sudo /usr/bin/sntp -sS
example:
$ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver
Network Time Server: time.apple.com
$ /usr/bin/sudo /usr/bin/sntp -sS time.apple.com
Additional Information:
The associated check will fail if no network connection is available."
reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/cut -d ' ' -f 4 | xargs /usr/bin/sntp | /usr/bin/grep '+/-'"
expect : "^[\\-\\+]?([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-6][0-9]|270)\\.([\\d]{1,6})[\\s]+\\+\\/\\-[\\s]+([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-6][0-9]|270)\\.([\\d]{1,6})"
type : MACOSX_OSASCRIPT
description : "Check for screensaver idleTime osascript"
regex : ".* = ([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)$"
payload_key : "idleTime"
payload_type : "com.apple.screensaver"
type : MACOSX_OSASCRIPT
description : "2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled"
info : "A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop-down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
Rationale:
Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.
Impact:
If the screen saver is not set, users may leave the computer available for an unauthorized person to access information."
solution : "Graphical Method:
Perform the following to set the screen saver to activate in 20 minutes or less:
Open System Settings
Select Lock Screen
Set Start Screen Saver when inactive to a selection that is 20 minutes or less (<=1200)
Terminal Method:
Run the following command to set an individual user's screen saver idle time to 20 minutes or less (<=1200):
$ /usr/bin/sudo -u /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime
600
Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
Profile Method:
The PayloadType string is com.apple.screensaver
The key to include is idleTime
The key must be set to <<=1200>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "(([1-9]|1[0-4])\.[0-9]+|15\.0)$"
payload_key : "idleTime"
payload_type : "com.apple.screensaver"
type : MACOSX_DEFAULTS_READ
description : "2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled"
info : "A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop-down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
Rationale:
Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.
Impact:
If the screen saver is not set, users may leave the computer available for an unauthorized person to access information."
solution : "Graphical Method:
Perform the following to set the screen saver to activate in 20 minutes or less:
Open System Settings
Select Lock Screen
Set Start Screen Saver when inactive to a selection that is 20 minutes or less (<=1200)
Terminal Method:
Run the following command to set an individual user's screen saver idle time to 20 minutes or less (<=1200):
$ /usr/bin/sudo -u /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime
600
Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
Profile Method:
The PayloadType string is com.apple.screensaver
The key to include is idleTime
The key must be set to <<=1200>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : ".* = *(9[0-9][0-9]|\d{4,})$"
byhost : YES
plist_item : "idleTime"
plist_name : "com.apple.screensaver"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : MACOSX_OSASCRIPT
description : "2.10.2 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPassword"
info : "Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use.
Rationale:
Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.
Impact:
Without a screenlock in place anyone with physical access to the computer would be logged in and able to use the active user's session."
solution : "Graphical Method:
Perform the following steps to enable a password for unlock after a screen saver begins or after sleep:
Open System Settings
Select Lock Screen
Set Require password after screensaver begins or display is turned off to either After 0 seconds or After 5 seconds
Terminal Method:
Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps:
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password
or
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.screensaver
The key to include is askForPassword
The key must be set to
The key to also include is askForPasswordDelay
The key must be set to <0,5>"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|4.2,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "askForPassword"
payload_type : "com.apple.screensaver"
type : MACOSX_OSASCRIPT
description : "2.10.2 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPasswordDelay"
info : "Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use.
Rationale:
Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.
Impact:
Without a screenlock in place anyone with physical access to the computer would be logged in and able to use the active user's session."
solution : "Graphical Method:
Perform the following steps to enable a password for unlock after a screen saver begins or after sleep:
Open System Settings
Select Lock Screen
Set Require password after screensaver begins or display is turned off to either After 0 seconds or After 5 seconds
Terminal Method:
Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps:
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password
or
$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.screensaver
The key to include is askForPassword
The key must be set to
The key to also include is askForPasswordDelay
The key must be set to <0,5>"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|4.2,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^[0-5]$"
payload_key : "askForPasswordDelay"
payload_type : "com.apple.screensaver"
type : MACOSX_OSASCRIPT
description : "2.10.4 Ensure Login Window Displays as Name and Password Is Enabled"
info : "The login window prompts a user for his/her credentials, verifies their authorization level, and then allows or denies the user access to the system.
Rationale:
Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
solution : "Graphical Method:
Perform the following steps to ensure the login window display name and password:
Open System Settings
Select Lock Screen
Set 'Login window shows' to 'Name and Password'
Terminal Method:
Run the following command to enable the login window to display name and password:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
Note: The GUI will not display the updated setting until the current user(s) logs out.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.loginwindow
The key to include is SHOWFULLNAME
The key must be set to "
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "SHOWFULLNAME"
payload_type : "com.apple.loginwindow"
type : MACOSX_OSASCRIPT
description : "2.10.5 Ensure Show Password Hints Is Disabled"
info : "Password hints are user-created text displayed when an incorrect password is used for an account.
Rationale:
Password hints make it easier for unauthorized persons to gain access to systems by displaying information provided by the user to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user.
Impact:
The user can set the hint to any value, including the password itself or clues that allow trivial social engineering attacks."
solution : "Graphical Method:
Perform the following steps to disable password hints from being shown:
Open System Settings
Select Lock Screen
Set 'Show password hints' to disabled
Terminal Method:
Run the following command to disable password hints:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.loginwindow
The key to include is RetriesUntilHint
The key must be set to 0"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "0"
payload_key : "RetriesUntilHint"
payload_type : "com.apple.loginwindow"
type : CMD_EXEC
description : "2.11.1 Ensure Users' Accounts Do Not Have a Password Hint"
info : "Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.
Rationale:
Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks."
solution : "Graphical Method:
Perform the following steps to remove a user's password hint:
Open System Settings
Select Touch ID & Passwords (or Login Password on non-Touch ID Macs)
Select Change...
Change the password and ensure that no text is entered in the Password hint box
Note: This will only change the currently logged-in user's password, and not any others that are not compliant on the Mac. Use the terminal method if multiple users are not in compliance.
Terminal Method:
Run the following command to remove a user's password hint:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/ hint
example:
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/firstuser hint
$ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/seconduser hint
Additional Information:
Organizations might consider entering an organizational help desk phone number or other text (such as a warning to the user). A help desk number is only appropriate for organizations with trained help desk personnel that are validating user identities for password resets."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ if ($2) print $0\" - fail\" }' | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\";}'"
expect : "^pass$"
description : "2.11.2 Audit Touch ID and Wallet & Apple Pay Settings"
info : "Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot, or when more than 48 hours has elapsed since the device was last unlocked.
Touch ID is a prerequisite for using Apple Pay and Wallet on macOS. Apple Pay allows an Apple account holder to enroll their credit cards in Apple Pay and pay enrolled vendors without using the physical card or number. Apple's service eliminates the requirement to send the credit card number itself to the vendor. Apple Pay on a Mac allows the use of credit cards the user has already enrolled and reduces user risk for credit card purchases.
Rationale:
Touch ID allows for an account-enrolled fingerprint to access a key that uses a previously provided password.
Some environments may have rules around purchases from organizationally managed computers and may want to discourage shopping from them. It is difficult to block access to websites that allow purchases, and Apple Pay has more controls for user protection than the manual entry of credit card information.
Impact:
Touch ID is more convenient for use with aggressive screen lock controls.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Graphical Method:
Perform the following steps to set Touch ID to your organization's settings:
Open System Settings
Select Touch ID & Password
Set the Touch ID settings to your organization's requirements
Select Wallet & Apple Pay
Set the Wallet & Apple Pay settings to your organization's requirements"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IA-5(1),800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IA-5(1),800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|4.4,CSCv7|5.1,CSCv8|4.1,CSCv8|5.2,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IA-5(1),ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.2.3,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4159"
type : MACOSX_OSASCRIPT
description : "Check for DisableGuestAccount"
expect : "true"
payload_key : "DisableGuestAccount"
payload_type : "com.apple.MCX"
type : MACOSX_OSASCRIPT
description : "2.12.1 Ensure Guest Account Is Disabled"
info : "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out.
Rationale:
Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.
Impact:
A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access."
solution : "Graphical Method:
Perform the following steps to disable guest account availability:
Open System Settings
Select Users & Groups
Select the i next to the Guest User
Set Allow guests to log in to this computer to disabled
Terminal Method:
Run the following command to disable the guest account:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is DisableGuestAccount
The key must be set to
Additional Information:
By default, the guest account is enabled for access to sharing services but is not allowed to log into the computer.
The guest account does not need a password when it is enabled to log into the computer."
reference : "800-171|3.1.1,800-171|3.1.5,800-171|3.3.8,800-171|3.3.9,800-171|3.5.2,800-53|AC-1,800-53|AC-2,800-53|AC-2(1),800-53|AC-3,800-53|AC-6,800-53|AC-6(1),800-53|AC-6(7),800-53|AU-9(4),800-53|IA-5(1),800-53r5|AC-1,800-53r5|AC-2,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|AC-6,800-53r5|AC-6(1),800-53r5|AC-6(7),800-53r5|AU-9(4),800-53r5|IA-5(1),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(d),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.1.10.6(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4.4,CSCv8|5.2,CSCv8|6.2,CSCv8|6.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(b),HIPAA|164.312(d),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.5,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.4,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.12.4.2,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|AC-6,ITSG-33|AC-6(1),ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),ITSG-33|IA-5(1),LEVEL|1A,NESA|M1.1.3,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.2.3,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|AM31,NIAv2|GS3,NIAv2|GS4,NIAv2|GS8c,NIAv2|NS5j,NIAv2|SM5,NIAv2|SM6,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,NIAv2|VL3b,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5,PCI-DSSv3.2.1|10.5.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,PCI-DSSv4.0|10.3.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "DisableGuestAccount"
payload_type : "com.apple.MCX"
type : MACOSX_OSASCRIPT
description : "2.12.1 Ensure Guest Account Is Disabled"
info : "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out.
Rationale:
Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.
Impact:
A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access."
solution : "Graphical Method:
Perform the following steps to disable guest account availability:
Open System Settings
Select Users & Groups
Select the i next to the Guest User
Set Allow guests to log in to this computer to disabled
Terminal Method:
Run the following command to disable the guest account:
$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is DisableGuestAccount
The key must be set to
Additional Information:
By default, the guest account is enabled for access to sharing services but is not allowed to log into the computer.
The guest account does not need a password when it is enabled to log into the computer."
reference : "800-171|3.1.1,800-171|3.1.5,800-171|3.3.8,800-171|3.3.9,800-171|3.5.2,800-53|AC-1,800-53|AC-2,800-53|AC-2(1),800-53|AC-3,800-53|AC-6,800-53|AC-6(1),800-53|AC-6(7),800-53|AU-9(4),800-53|IA-5(1),800-53r5|AC-1,800-53r5|AC-2,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|AC-6,800-53r5|AC-6(1),800-53r5|AC-6(7),800-53r5|AU-9(4),800-53r5|IA-5(1),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(d),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.1.10.6(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4.4,CSCv8|5.2,CSCv8|6.2,CSCv8|6.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(b),HIPAA|164.312(d),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.5,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.4,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.12.4.2,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|AC-6,ITSG-33|AC-6(1),ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),ITSG-33|IA-5(1),LEVEL|1A,NESA|M1.1.3,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.2.3,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|AM31,NIAv2|GS3,NIAv2|GS4,NIAv2|GS8c,NIAv2|NS5j,NIAv2|SM5,NIAv2|SM6,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,NIAv2|VL3b,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5,PCI-DSSv3.2.1|10.5.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,PCI-DSSv4.0|10.3.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "false"
payload_key : "GuestEnabled"
payload_type : "com.apple.loginwindow"
type : CMD_EXEC
description : "2.12.2 Ensure Guest Access to Shared Folders Is Disabled"
info : "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.
Rationale:
Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.
Impact:
Unauthorized users could access shared files on the system."
solution : "Graphical Method:
Perform the following steps to no longer allow guest user access to shared folders:
Open System Settings
Select Users & Groups
Select the i next to the Guest User
Set Allow guests to connect to shared folders to disabled
Terminal Method:
Run the following command to disable guest access to shared folders:
$ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/sysadminctl -smbGuestAccess status"
expect : "SMB guest access disabled"
type : MACOSX_OSASCRIPT
description : "Check for DisableAutoLoginClient"
expect : "true"
payload_key : "com.apple.login.mcx.DisableAutoLoginClient"
payload_type : "com.apple.loginwindow"
type : MACOSX_OSASCRIPT
description : "2.12.3 Ensure Automatic Login Is Disabled"
info : "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen.
Rationale:
Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.
Impact:
If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials."
solution : "Graphical Method:
Perform the following steps to set automatic login to off:
Open System Settings
Select Users & Groups
Set Automatic login in as... to Off
Terminal Method:
Run the following command to disable automatic login:
$ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.loginwindow
The key to include is com.apple.login.mcx.DisableAutoLoginClient
The key must be set to true
Note: If both the profile is enabled and a user is set to autologin, the profile will take precedence. In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed."
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|4.2,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "com.apple.login.mcx.DisableAutoLoginClient"
payload_type : "com.apple.loginwindow"
type : MACOSX_OSASCRIPT
description : "2.12.3 Ensure Automatic Login Is Disabled"
info : "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen.
Rationale:
Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.
Impact:
If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials."
solution : "Graphical Method:
Perform the following steps to set automatic login to off:
Open System Settings
Select Users & Groups
Set Automatic login in as... to Off
Terminal Method:
Run the following command to disable automatic login:
$ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.loginwindow
The key to include is com.apple.login.mcx.DisableAutoLoginClient
The key must be set to true
Note: If both the profile is enabled and a user is set to autologin, the profile will take precedence. In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed."
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|4.2,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : ""
required : NO
payload_key : "autoLoginUser"
payload_type : "com.apple.loginwindow"
type : MACOSX_OSASCRIPT
description : "Check for allowAirDrop"
expect : "false"
payload_key : "allowAirDrop"
payload_type : "com.apple.applicationaccess"
type : MACOSX_OSASCRIPT
description : "2.3.1.1 Ensure AirDrop Is Disabled"
info : "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.
In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be restricted so that only people already trusted and added to contacts can interact with you.
While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards. The recommendation against enabling the sharing is not based on any known lack of security in the protocol but for specific user operational concerns.
If AirDrop is enabled, the Mac is advertising that a Mac is addressable on the local network and open to either unwanted AirDrop upload requests or to a negotiation on whether the remote user is in the user's contacts list. Neither process is desirable.
In most known use cases, AirDrop is used for ad hoc networking, where Apple device users decide that a file should be exchanged and opt to use AirDrop, which can be enabled on the fly for that exchange.
For organizations concerned about any use of AirDrop because of Data Loss Prevention (DLP) monitoring on other protocols, JAMF has an article on reviewing AirDrop logs.
Detecting outbound AirDrop transfers and logging them
Rationale:
AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area.
Impact:
Disabling AirDrop can limit the ability to move files quickly over the network without using file shares."
solution : "Graphical Method:
Perform the following steps to disable AirDrop:
Open System Settings in the Menu Bar
Select General
Select AirDrop & Handoff
Set AirDrop to No One
Open System Settings
Select Control Center
Set AirDrop to Don't show in Menu Bar
Terminal Method:
Run the following commands to disable AirDrop:
$ /usr/bin/sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
example:
$ /usr/bin/sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAirDrop
The key must be set to false
Note: AirDrop can only be enabled or disabled through configuration profiles. Any additional settings need to be set through the GUI or CLI.
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.1.1,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-2(1),800-53|AC-3,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|5.1,CSCv7|15.4,CSCv8|4.1,CSCv8|4.8,CSCv8|6.7,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.2.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.2,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM3,NIAv2|AM28,NIAv2|GS8b,NIAv2|NS5j,NIAv2|SS3,NIAv2|SS14e,NIAv2|SS15a,NIAv2|SS16,NIAv2|SS29,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "false"
payload_key : "allowAirDrop"
payload_type : "com.apple.applicationaccess"
type : MACOSX_DEFAULTS_READ
description : "2.3.1.1 Ensure AirDrop Is Disabled"
info : "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.
In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be restricted so that only people already trusted and added to contacts can interact with you.
While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards. The recommendation against enabling the sharing is not based on any known lack of security in the protocol but for specific user operational concerns.
If AirDrop is enabled, the Mac is advertising that a Mac is addressable on the local network and open to either unwanted AirDrop upload requests or to a negotiation on whether the remote user is in the user's contacts list. Neither process is desirable.
In most known use cases, AirDrop is used for ad hoc networking, where Apple device users decide that a file should be exchanged and opt to use AirDrop, which can be enabled on the fly for that exchange.
For organizations concerned about any use of AirDrop because of Data Loss Prevention (DLP) monitoring on other protocols, JAMF has an article on reviewing AirDrop logs.
Detecting outbound AirDrop transfers and logging them
Rationale:
AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area.
Impact:
Disabling AirDrop can limit the ability to move files quickly over the network without using file shares."
solution : "Graphical Method:
Perform the following steps to disable AirDrop:
Open System Settings in the Menu Bar
Select General
Select AirDrop & Handoff
Set AirDrop to No One
Open System Settings
Select Control Center
Set AirDrop to Don't show in Menu Bar
Terminal Method:
Run the following commands to disable AirDrop:
$ /usr/bin/sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
example:
$ /usr/bin/sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAirDrop
The key must be set to false
Note: AirDrop can only be enabled or disabled through configuration profiles. Any additional settings need to be set through the GUI or CLI.
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.1.1,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|AC-2(1),800-53|AC-3,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-2(1),800-53r5|AC-3,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|5.1,CSCv7|15.4,CSCv8|4.1,CSCv8|4.8,CSCv8|6.7,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.2.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.2,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM3,NIAv2|AM28,NIAv2|GS8b,NIAv2|NS5j,NIAv2|SS3,NIAv2|SS14e,NIAv2|SS15a,NIAv2|SS16,NIAv2|SS29,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "1"
plist_item : "DisableAirDrop"
plist_name : "com.apple.NetworkBrowser"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : MACOSX_OSASCRIPT
description : "Check for EnableStealthMode"
expect : "false"
payload_key : "allowAirPlayIncomingRequests"
payload_type : "com.apple.applicationaccess"
type : MACOSX_OSASCRIPT
description : "2.3.1.2 Ensure AirPlay Receiver Is Disabled"
info : "In macOS Monterey (12.0), Apple has added the capability to share content from another Apple device to the screen of a host Mac. While there are many valuable uses of this capability, such sharing on a standard Mac user workstation should be enabled ad hoc as required rather than allowing a continuous sharing service. The feature can be restricted by Apple ID or network and is configured for use by accepting the connection on the Mac. Part of the concern is that frequent connection requests may function as a denial-of-service and access control limits may provide too much information to an attacker.
https://macmost.com/how-to-use-a-mac-as-an-airplay-receiver.html
https://support.apple.com/guide/mac-pro-rack/use-airplay-apdf1417128d/mac
Rationale:
This capability appears very useful for kiosk and shared work spaces. The ability to allow by network could be especially useful on segregated guest networks where visitors could share their screens on computers with bigger monitors, including computers connected to projectors.
Impact:
Turning off AirPlay sharing by default will not allow users to share without turning the service on. The service should be enabled as needed rather than left on."
solution : "Graphical Method:
Perform the following steps to disable AirPlay Receiver:
Open System Settings
Select General
Select AirDrop & Handoff
Set AirPlay Receiver to disabled
Terminal Method:
For each user, run the following command to disable AirPlay Receiver:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAirPlayIncomingRequests
The key must be set to false
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Default Value:
AirPlay Receiver is enabled by default."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "false"
payload_key : "allowAirPlayIncomingRequests"
payload_type : "com.apple.applicationaccess"
type : MACOSX_DEFAULTS_READ
description : "2.3.1.2 Ensure AirPlay Receiver Is Disabled"
info : "In macOS Monterey (12.0), Apple has added the capability to share content from another Apple device to the screen of a host Mac. While there are many valuable uses of this capability, such sharing on a standard Mac user workstation should be enabled ad hoc as required rather than allowing a continuous sharing service. The feature can be restricted by Apple ID or network and is configured for use by accepting the connection on the Mac. Part of the concern is that frequent connection requests may function as a denial-of-service and access control limits may provide too much information to an attacker.
https://macmost.com/how-to-use-a-mac-as-an-airplay-receiver.html
https://support.apple.com/guide/mac-pro-rack/use-airplay-apdf1417128d/mac
Rationale:
This capability appears very useful for kiosk and shared work spaces. The ability to allow by network could be especially useful on segregated guest networks where visitors could share their screens on computers with bigger monitors, including computers connected to projectors.
Impact:
Turning off AirPlay sharing by default will not allow users to share without turning the service on. The service should be enabled as needed rather than left on."
solution : "Graphical Method:
Perform the following steps to disable AirPlay Receiver:
Open System Settings
Select General
Select AirDrop & Handoff
Set AirPlay Receiver to disabled
Terminal Method:
For each user, run the following command to disable AirPlay Receiver:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAirPlayIncomingRequests
The key must be set to false
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Default Value:
AirPlay Receiver is enabled by default."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "0"
byhost : YES
plist_item : "AirplayRecieverEnabled"
plist_name : "com.apple.controlcenter"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled"
info : "One of the most important security tools for data protection on macOS is FileVault. With encryption in place, it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use.
While some portable drives may contain non-sensitive data, and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes.
Rationale:
Backup volumes need to be encrypted."
solution : "Graphical Method:
Perform the following steps to enable encryption on the Time Machine drive:
Open System Settings
Select General
Select Time Machine
Select the unencrypted drive
Select - to forget that drive as a destination
Select + to add a different drive as the destination
Select Set Up Disk...
Set Encrypt Backup to enabled
Enter a password in the New Password and the same password in the Re-enter Password fields
A password hint is required, but it is recommended that you do not use any identifying information for the password
Note: In macOS 12.0 Monterey and previous, the existing Time Machine drive could have encryption added without formatting it. This is no longer possible in macOS 13.0 Ventura. If you wish to keep previous backups from the unencrypted volume, you will need to manually move those files over to the new encrypted drive."
reference : "800-171|3.5.2,800-171|3.8.9,800-171|3.13.16,800-53|CP-9,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|CP-9,800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|10.4,CSCv7|13.6,CSCv7|14.8,CSCv8|3.6,CSCv8|3.11,CSCv8|11.3,CSF|PR.AC-1,CSF|PR.DS-1,CSF|PR.IP-4,GDPR|32.1.a,GDPR|32.1.b,GDPR|32.1.c,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ISO/IEC-27001|A.12.3.1,ITSG-33|CP-9,ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1A,NESA|M5.2.3,NESA|T2.2.4,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist | /usr/bin/grep -c NotEncrypted"
expect : "^0$"
type : CMD_EXEC
description : "Check to see if there's a wireless adapter on the system"
cmd : "/usr/sbin/networksetup -listallhardwareports | /usr/bin/grep 'Hardware Port: Wi-fi'"
expect : "Hardware Port: Wi-fi"
type : MACOSX_OSASCRIPT
description : "Check for Wifi setting osascript"
expect : "^18$"
payload_key : "WiFi"
payload_type : "com.apple.controlcenter"
type : MACOSX_OSASCRIPT
description : "2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks in order to connect. At the time of this revision, all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected, either.
Rationale:
Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
Impact:
The user of the system should have a quick check on their wireless network status available."
solution : "Graphical Method:
Perform the following steps to enable Wi-Fi status in the menu bar:
Open System Settings
Select Control Center
Set Wi-Fi to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Wi-Fi status in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.controlcenter
The key to include is WiFi
The key must be set to 18
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
AirPort is Apple's marketing name for its 802.11x based wireless network interfaces.
Option-click the Wifi icon in the menu bar to find out more information about the connected wireless network."
reference : "800-171|3.1.16,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.15,800-53|AC-18,800-53|CM-6,800-53|CM-7,800-53|SC-23,800-53r5|AC-18,800-53r5|CM-6,800-53r5|CM-7,800-53r5|SC-23,CSCv7|15.4,CSCv7|15.5,CSCv8|4.8,CSCv8|12.6,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T4.5.1,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^18$"
payload_key : "WiFi"
payload_type : "com.apple.controlcenter"
type : MACOSX_DEFAULTS_READ
description : "2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks in order to connect. At the time of this revision, all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected, either.
Rationale:
Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
Impact:
The user of the system should have a quick check on their wireless network status available."
solution : "Graphical Method:
Perform the following steps to enable Wi-Fi status in the menu bar:
Open System Settings
Select Control Center
Set Wi-Fi to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Wi-Fi status in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.controlcenter
The key to include is WiFi
The key must be set to 18
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
AirPort is Apple's marketing name for its 802.11x based wireless network interfaces.
Option-click the Wifi icon in the menu bar to find out more information about the connected wireless network."
reference : "800-171|3.1.16,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.15,800-53|AC-18,800-53|CM-6,800-53|CM-7,800-53|SC-23,800-53r5|AC-18,800-53r5|CM-6,800-53r5|CM-7,800-53r5|SC-23,CSCv7|15.4,CSCv7|15.5,CSCv8|4.8,CSCv8|12.6,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T4.5.1,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "18"
byhost : YES
plist_item : "WiFi"
plist_name : "com.apple.controlcenter"
plist_option : CANNOT_BE_NULL
plist_user : "all"
description : "2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks in order to connect. At the time of this revision, all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected, either.
Rationale:
Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
Impact:
The user of the system should have a quick check on their wireless network status available."
solution : "Graphical Method:
Perform the following steps to enable Wi-Fi status in the menu bar:
Open System Settings
Select Control Center
Set Wi-Fi to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Wi-Fi status in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist WiFi -int 2
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.controlcenter
The key to include is WiFi
The key must be set to 18
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
AirPort is Apple's marketing name for its 802.11x based wireless network interfaces.
Option-click the Wifi icon in the menu bar to find out more information about the connected wireless network."
reference : "800-171|3.1.16,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.15,800-53|AC-18,800-53|CM-6,800-53|CM-7,800-53|SC-23,800-53r5|AC-18,800-53r5|CM-6,800-53r5|CM-7,800-53r5|SC-23,CSCv7|15.4,CSCv7|15.5,CSCv8|4.8,CSCv8|12.6,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1A,NESA|T4.5.1,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
type : MACOSX_OSASCRIPT
description : "Check for Bluetooth"
expect : "^18$"
payload_key : "Bluetooth"
payload_type : "com.apple.controlcenter"
type : MACOSX_OSASCRIPT
description : "2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled"
info : "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off.
Rationale:
Enabling 'Show Bluetooth status in menu bar' is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.
Impact:
Bluetooth is a useful wireless tool that has been widely exploited when configured improperly. The user should have insight into the Bluetooth status."
solution : "Graphical Method:
Perform the following steps to enable Bluetooth status in the menu bar:
Open System Settings
Select Control Center
Set Bluetooth to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Bluetooth status in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.controlcenter
The key to include is Bluetooth
The key must be set to 18
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^18$"
payload_key : "Bluetooth"
payload_type : "com.apple.controlcenter"
type : MACOSX_DEFAULTS_READ
description : "2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled"
info : "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off.
Rationale:
Enabling 'Show Bluetooth status in menu bar' is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.
Impact:
Bluetooth is a useful wireless tool that has been widely exploited when configured improperly. The user should have insight into the Bluetooth status."
solution : "Graphical Method:
Perform the following steps to enable Bluetooth status in the menu bar:
Open System Settings
Select Control Center
Set Bluetooth to Show in Menu Bar
Terminal Method:
For each user, run the following command to enable Bluetooth status in the menu bar:
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.controlcenter
The key to include is Bluetooth
The key must be set to 18
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "18"
byhost : YES
plist_item : "Bluetooth"
plist_name : "com.apple.controlcenter"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.5.1 Audit Siri Settings"
info : "With macOS 10.12 Sierra, Apple has introduced Siri from iOS to macOS. While there are data spillage concerns with the use of data-gathering personal assistant software, the risk here does not seem greater in sending queries to Apple through Siri than in sending search terms in a browser to Google or Microsoft. While it is possible that Siri will be used for local actions rather than Internet searches, Siri could, in theory, tell Apple about confidential Programs and Projects that should not be revealed. This appears to be a usage edge case.
In cases where sensitive or protected data is processed and Siri could expose that information through assisting a user in navigating their machine, it should be disabled. Siri does need to phone home to Apple, so it should not be available from air-gapped networks as part of its requirements.
Most of the use case data published has shown that Siri is a tremendous time saver on iOS where multiple screens and menus need to be navigated through. Information like sports scores, weather, movie times, and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be more risky than already approved activity.
For information on Apple's privacy policy for Siri, consult Apple's published Siri privacy documentation (the hyperlink is not reproduced in this text).
Rationale:
Where 'normal' user activity is already limited, Siri use should be controlled as well.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. The audit command runs 'defaults read' without a user or plist path, so it reports the preferences of the account the scan executes as; Siri settings of other local user accounts are not captured and must be reviewed separately."
solution : "Graphical Method:
Perform the following steps to set Siri to your organization's parameters:
Open System Preferences
Select Siri
Select the settings that are within your organization's requirements
Select Show All
Select Accessibility
Select Siri
Select Enable Type to Siri to your organization's requirements
Terminal Method:
Run the following commands to enable or disable Siri settings:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool <true/false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool <true/false>
After running the defaults writes, the preferences cache (cfprefsd) must be flushed and SystemUIServer restarted so the changes take effect. Run the following commands to perform that action:
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
$ /usr/bin/sudo /usr/bin/killall -HUP cfprefsd
$ /usr/bin/sudo /usr/bin/killall SystemUIServer
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowAssistant
Set the key to <true> or <false> based on your organization's requirements
Note: Siri can only be enabled or disabled through configuration profiles. Any additional settings need to be set through either System Settings or Terminal."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/defaults read com.apple.assistant.support.plist | grep -i 'Assistant Enabled'; /usr/bin/defaults read com.apple.Siri.plist | egrep -i '(LockscreenEnabled|StatusMenuVisible|VoiceTriggerUserEnabled|TypeToSiriEnabled)'"
expect : "Manual Review Required"
severity : MEDIUM
type : MACOSX_OSASCRIPT
description : "Check for allowApplePersonalizedAdvertising"
expect : "false"
payload_key : "allowApplePersonalizedAdvertising"
payload_type : "com.apple.applicationaccess"
type : MACOSX_OSASCRIPT
description : "2.6.3 Ensure Limit Ad Tracking Is Enabled"
info : "Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer to see advertising that is relevant to them and their interests, the detailed information that is collected, correlated, and available to advertisers in repositories via data mining is often disconcerting. This information is valuable to both advertisers and attackers, and has been used with other metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.
Impact:
Users will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads."
solution : "Graphical Method:
Perform the following steps to set limited ad tracking:
Open Privacy & Security
Select Apple Advertising
Set Personalized Ads to disabled
Terminal Method:
For each needed user, run the following command to enable limited ad tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowApplePersonalizedAdvertising
The key must be set to <false>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "false"
payload_key : "allowApplePersonalizedAdvertising"
payload_type : "com.apple.applicationaccess"
type : MACOSX_DEFAULTS_READ
description : "2.6.3 Ensure Limit Ad Tracking Is Enabled"
info : "Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer to see advertising that is relevant to them and their interests, the detailed information that is collected, correlated, and available to advertisers in repositories via data mining is often disconcerting. This information is valuable to both advertisers and attackers, and has been used with other metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.
Impact:
Users will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads."
solution : "Graphical Method:
Perform the following steps to set limited ad tracking:
Open Privacy & Security
Select Apple Advertising
Set Personalized Ads to disabled
Terminal Method:
For each needed user, run the following command to enable limited ad tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.applicationaccess
The key to include is allowApplePersonalizedAdvertising
The key must be set to <false>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "0"
plist_item : "allowApplePersonalizedAdvertising"
plist_name : "com.apple.AdLib.plist"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.6.4 Ensure Gatekeeper Is Enabled"
info : "Gatekeeper is Apple's application that utilizes allowlisting to restrict downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. In an update to Gatekeeper in macOS 13 Ventura, Gatekeeper checks every application on every launch, not just quarantined apps.
Rationale:
Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
solution : "Graphical Method:
Perform the following steps to enable Gatekeeper:
Open System Settings
Select Privacy & Security
Set 'Allow apps downloaded from' to 'App Store and identified developers'
Terminal Method:
Run the following command to enable Gatekeeper to allow applications from App Store and identified developers:
$ /usr/bin/sudo /usr/sbin/spctl --master-enable
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.systempolicy.control
The key to include is AllowIdentifiedDevelopers
The key must be set to <true>
The key to also include is EnableAssessment
The key must be set to <true>"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53|SI-16,800-53r5|SI-3,800-53r5|SI-16,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.2,CSCv7|8.4,CSCv8|10.1,CSCv8|10.2,CSCv8|10.5,CSF|DE.CM-4,CSF|DE.DP-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,ITSG-33|SI-16,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/spctl --status"
expect : "assessments[\\s]*enabled"
type : CMD_EXEC
description : "2.6.5 Ensure FileVault Is Enabled - fdesetup"
info : "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.
FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost.
FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References).
Rationale:
Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.
Impact:
Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it."
solution : "Graphical Method:
Perform the following steps to enable FileVault:
Open System Settings
Select Privacy & Security, then FileVault
Select Turn On...
Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is dontAllowFDEDisable
The key must be set to <true>
Note: This profile is required to pass the audit."
reference : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|13.6,CSCv7|14.8,CSCv8|3.6,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1A,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/fdesetup status"
expect : "FileVault[\\s]+is[\\s]+On"
type : MACOSX_OSASCRIPT
description : "2.6.5 Ensure FileVault Is Enabled - dontAllowFDEDisable"
info : "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.
FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost.
FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References).
Rationale:
Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.
Impact:
Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it."
solution : "Graphical Method:
Perform the following steps to enable FileVault:
Open System Settings
Select Privacy & Security, then FileVault
Select Turn On...
Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is dontAllowFDEDisable
The key must be set to <true>
Note: This profile is required to pass the audit."
reference : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|13.6,CSCv7|14.8,CSCv8|3.6,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1A,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "dontAllowFDEDisable"
payload_type : "com.apple.MCX"
type : CMD_EXEC
description : "2.6.7 Ensure an Administrator Password Is Required to Access System-Wide Preferences"
info : "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer.
Rationale:
By requiring a password to unlock system-wide System Preferences, the risk of a user changing configurations that affect the entire system is mitigated, since an admin user must re-authenticate to make changes.
Impact:
Users will need to enter their password to unlock some additional preference panes that are unlocked by default like Network, Startup and Printers & Scanners."
solution : "Graphical Method:
Perform the following steps to verify that an administrator password is required to access system-wide preferences:
Open System Settings
Select Privacy & Security
Select Advanced
Set Require an administrator password to access system-wide settings to enabled
Terminal Method:
The authorizationdb settings cannot be written to directly, so the plist must be exported to a temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings. Because the export below is written as root, prefer a file created with mktemp over the fixed /tmp path shown, and remove it afterwards; a predictable path in a world-writable directory could be pre-created by another local user before the privileged write.
Run the following commands to enable that an administrator password is required to access system-wide preferences:
$ /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
YES (0)
$ /usr/bin/sudo /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false
$ /usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
YES (0)
Additional Information:
Note: In previous OS versions of the macOS Benchmarks, this has been an automated recommendation. In the initial release of macOS 13.0 Ventura, this setting does not apply properly. Once the setting starts applying properly, then the recommendation will move back to automated."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | /usr/bin/grep 'shared' -A1"
expect : ""
type : CMD_EXEC
description : "2.9.1 Ensure Power Nap Is Disabled for Intel Macs"
info : "Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.
This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.
Impact:
Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept."
solution : "Graphical Method:
Perform the following steps to disable Power Nap:
Desktop Instructions:
Open System Settings
Select Energy Saver
Set Power Nap to disabled
Select UPS (if applicable)
Set Power Nap to disabled
Laptop Instructions:
Open System Settings
Select Battery
Select Power Adapter (for laptops only)
Set Power Nap to disabled
Select Battery
Set Power Nap to disabled
Select UPS (if applicable)
Set Power Nap to disabled
Terminal Method:
Run the following command to disable Power Nap:
$ /usr/bin/sudo /usr/bin/pmset -a powernap 0
Additional Information:
/usr/bin/man pmset"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/pmset -g everything | /usr/bin/grep -c -E 'powernap[[:space:]]+1'"
expect : "0"
type : CMD_EXEC
description : "Check for Wake On LAN"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep -c '\"Wake On LAN\" = 0'"
expect : "^[1-9]+"
type : CMD_EXEC
description : "Check for Wake On Modem Ring"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep -c '\"Wake On Modem Ring\" = 0'"
expect : "^[1-9]+"
description : "2.9.2 Ensure Wake for Network Access Is Disabled"
info : "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls.
This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
Impact:
Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
solution : "Graphical Method:
Perform the following steps to disable Wake for network access:
Desktop Instructions:
Open System Settings
Select Energy Saver
Set Wake for network access to disabled
Laptop Instructions:
Open System Settings
Select Battery
Select Options...
Set Wake for network access to Never
Terminal Method:
Run the following command to disable Wake for network access:
$ /usr/bin/sudo /usr/bin/pmset -a womp 0
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is com.apple.EnergySaver.desktop.ACPower
The key must be set to:
<dict><key>Wake On LAN</key><integer>0</integer><key>Wake On Modem Ring</key><integer>0</integer></dict>
The key to also include is com.apple.EnergySaver.portable.ACPower
The key must be set to:
<dict><key>Wake On LAN</key><integer>0</integer><key>Wake On Modem Ring</key><integer>0</integer></dict>
The key to also include is com.apple.EnergySaver.portable.BatteryPower
The key must be set to:
<dict><key>Wake On LAN</key><integer>0</integer><key>Wake On Modem Ring</key><integer>0</integer></dict>
Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky.
Additional Information:
/usr/bin/man pmset"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
type : CMD_EXEC
description : "Check for womp"
cmd : "/usr/bin/pmset -g | /usr/bin/grep womp"
expect : "^[\\s]*womp[\\s]*0$"
type : CMD_EXEC
description : "2.9.2 Ensure Wake for Network Access Is Disabled"
info : "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls.
This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
Impact:
Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
solution : "Graphical Method:
Perform the following steps to disable Wake for network access:
Desktop Instructions:
Open System Settings
Select Energy Saver
Set Wake for network access to disabled
Laptop Instructions:
Open System Settings
Select Battery
Select Options...
Set Wake for network access to Never
Terminal Method:
Run the following command to disable Wake for network access:
$ /usr/bin/sudo /usr/bin/pmset -a womp 0
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is com.apple.EnergySaver.desktop.ACPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
The key to also include is com.apple.EnergySaver.portable.ACPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
The key to also include is com.apple.EnergySaver.portable.BatteryPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky.
Additional Information:
/usr/bin/man pmset"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/pmset -g | /usr/bin/grep womp"
expect : "^[\\s]*womp[\\s]*0$"
description : "2.9.2 Ensure Wake for Network Access Is Disabled"
info : "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls.
This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.
Rationale:
Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.
Impact:
Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature.
The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
solution : "Graphical Method:
Perform the following steps to disable Wake for network access:
Desktop Instructions:
Open System Settings
Select Energy Saver
Set Wake for network access to disabled
Laptop Instructions:
Open System Settings
Select Battery
Select Options...
Set Wake for network access to Never
Terminal Method:
Run the following command to disable Wake for network access:
$ /usr/bin/sudo /usr/bin/pmset -a womp 0
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.MCX
The key to include is com.apple.EnergySaver.desktop.ACPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
The key to also include is com.apple.EnergySaver.portable.ACPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
The key to also include is com.apple.EnergySaver.portable.BatteryPower
The key must be set to:
Wake On LAN = 0, Wake On Modem Ring = 0
Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky.
Additional Information:
/usr/bin/man pmset"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
description : "2.8.1 Audit Universal Control Settings"
info : "Universal Control is an Apple feature that allows Mac users to control multiple other Macs and iPads with the same keyboard, mouse, and trackpad using the same Apple ID. The technology relies on already available iCloud services, particularly Handoff.
Universal Control simplifies the use of iCloud connectivity of multiple computers using the same Apple ID. This may simplify data transfer from organizationally-managed and personal devices. The use of the same iCloud account and Handoff is the underlying concern that should be evaluated. The use of the same keyboard or mouse across multiple devices does not by itself decrease organizational security.
Rationale:
The use of devices together when some are organizational and some are not may complicate device management standards.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Graphical Method:
Perform the following steps to set Universal Control to your organization's requirements:
Open System Preferences
Select Display
Select Advanced...
Set the options that meet your organization's requirements
Terminal Method:
Run the following commands to enable or disable Universal Control (replace <username> with the account to configure):
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable -bool <true|false>
$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges -bool <true|false>
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable -bool true
$ /usr/bin/sudo -u firstuser /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges -bool true
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.universalcontrol Disable -bool false
$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.universalcontrol DisableMagicEdges -bool false
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.universalcontrol
The key to include is Disable
Set the key to true or false based on your organization's requirements
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
Universal Control: Use a single keyboard and mouse between Mac and iPad
Universal Control: Everything You Need to Know"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
description : "2.13.1 Audit Passwords System Preference Setting"
info : "Apple has provided a new interface in macOS Monterey for managing passwords that mirrors the interface capability already available in iOS. Password management in macOS was previously available in both Safari Preferences and in Keychain Access. Apple is attempting to simplify password management for macOS and make the user experience more similar to iOS. Organizations are justifiably concerned about the risk of password managers, particularly as a possible backdoor to improved credential management regimes and greater use of Multi-Factor Authentication (MFA).
Apple has information posted on this system preference with additional information.
Change Passwords preferences on Mac
A warning icon is shown next to a website for any of the following reasons:
Easily guessed
Appeared in a data leak
Reused on another website
Rationale:
Organizations should limit which passwords can be saved on user computers and the ability of attackers to potentially steal organizational credentials. Limits on password storage must be evaluated based on both user risk and Enterprise risk.
Impact:
Organizations using passwords are constantly reported as having their password databases leaked to the Internet, so every password a user has should be unique. Locking down secure password management solutions so that they cannot be used pushes users to password reuse, sticky notes, or always-open text files with long lists of credentials.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Graphical Method:
Perform the following steps to set Password system settings to your organization's settings:
Open System Settings
Select Passwords
Enter the user's password
Select the Security Recommendations
Remove stored passwords that should not be saved."
reference : "800-171|3.1.1,800-171|3.5.2,800-53|AC-2(1),800-53|IA-5(1),800-53r5|AC-2(1),800-53r5|IA-5(1),CN-L3|7.1.3.2(d),CSCv7|4.4,CSCv8|5.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4159"
description : "2.14.1 Audit Notification & Focus Settings"
info : "Notification capabilities are designed to allow users to receive updates from applications that are not currently in use. These can be background applications or even notices from processes running on a computer that is not currently being actively used. Where the screen of a computer is visible to anyone other than the logged-in user due to shared working spaces or public spaces, consideration should be given to the exposure of sensitive data in notifications. Applications that use the system-wide notification service may be individually managed, and applications that might expose confidential information to unauthorized users should not expose notifications except to the current user, especially on the locked screen when the computer may be unattended.
Rationale:
Some work environments will handle sensitive or confidential information with applications that can provide notifications to anyone who can see the computer screen. Organizations must review the likelihood that information may be exposed inappropriately and suppress notifications where risk is not organizationally accepted.
Impact:
Computer users are often juggling too much information through too many applications that want their attention and are often designed to get attention and never let it go. Notifications are a mechanism that can be used to cut through the deluge and allow important issues to be resolved in a timely way. Global controls on limiting user notifications, even for certain applications, could impact productivity and the timely remediation of issues.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Graphical Method:
Perform the following steps to set Notifications to your organization's requirements:
Open System Settings
Select Notifications
Select any applications that are not in compliance with your organization's requirements
Turn off or mute notifications that may expose information to unauthorized people that might be able to view screens of organizational computers."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
type : CMD_EXEC
description : "3.1 Ensure Security Auditing Is Enabled"
info : "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
Rationale:
Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
solution : "Terminal Method:
Perform the following to enable security auditing:
Run the following command to load auditd:
$ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CSCv7|4.9,CSCv7|6.2,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -i auditd"
expect : "com.apple.auditd"
type : FILE_CONTENT_CHECK
description : "3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - ttl"
info : "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
The default value has an 'all_max' file limitation, no reference to a minimum retention, and a less precise rotation argument.
The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year.
While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired.
Please review the File Rotation section in the man page for more information.
man asl.conf
The maximum file size limitation string should be removed 'all_max='
An organization appropriate retention should be added 'ttl='
The rotation should be set with timestamps 'rotate=utc' or 'rotate=local'
Rationale:
Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
Impact:
Without log files system maintenance and security forensics cannot be properly performed."
solution : "Terminal Method:
Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53|AU-4,800-53r5|AU-1,800-53r5|AU-2,800-53r5|AU-4,CN-L3|8.1.4.3(a),CSCv7|6.4,CSCv7|6.7,CSCv8|8.1,CSCv8|8.3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,ITSG-33|AU-4,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.3.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/asl/com.apple.install"
regex : "(?i)ttl(?-i)"
expect : "(?i)ttl(?-i)[\\s]*=[\\s]*(36[5-9]|3[7-9][0-9]|[4-9]\d{2,}|[1-9]\d{3,})"
type : FILE_CONTENT_CHECK_NOT
description : "3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - all_max"
info : "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
The default value has an 'all_max' file limitation, no reference to a minimum retention, and a less precise rotation argument.
The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year.
While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired.
Please review the File Rotation section in the man page for more information.
man asl.conf
The maximum file size limitation string should be removed 'all_max='
An organization appropriate retention should be added 'ttl='
The rotation should be set with timestamps 'rotate=utc' or 'rotate=local'
Rationale:
Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
Impact:
Without log files system maintenance and security forensics cannot be properly performed."
solution : "Terminal Method:
Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53|AU-4,800-53r5|AU-1,800-53r5|AU-2,800-53r5|AU-4,CN-L3|8.1.4.3(a),CSCv7|6.4,CSCv7|6.7,CSCv8|8.1,CSCv8|8.3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,ITSG-33|AU-4,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.3.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/asl/com.apple.install"
regex : "all_max="
expect : "all_max="
type : FILE_CONTENT_CHECK
description : "3.4 Ensure Security Auditing Retention Is Enabled"
info : "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recommendation is based on minimum storage for review and investigation. When a third-party tool is in use to allow remote logging or the store-and-forwarding of logs, this local storage requirement is not required.
Rationale:
The audit records need to be retained long enough to be reviewed as necessary.
Impact:
The recommendation is that at least 60 days or 5 gigabytes of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data."
solution : "Terminal Method:
Perform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 5G
Default Value:
More info in the man page. To reference the man page use the command $ /usr/bin/man audit_control"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53|AU-4,800-53r5|AU-1,800-53r5|AU-2,800-53r5|AU-4,CN-L3|8.1.4.3(a),CSCv7|6.4,CSCv7|6.7,CSCv8|8.1,CSCv8|8.3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,ITSG-33|AU-4,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.3.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/security/audit_control"
regex : "^expire-after[\\s]*:"
expect : "^expire-after[\\s]*:[\\s]*([6-9][0-9]|[1-9][0-9]{2,})[Dd][\\s]+OR[\\s]+([5-9]|[\\d]{2,})G"
type : FILE_CHECK
description : "3.5 Ensure Access to Audit Records Is Controlled - /etc/security/audit_control"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale:
Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes.
Impact:
This control is only checking the default configuration to ensure that unwanted access to audit records is not available."
solution : "Terminal Method:
Run the following commands to set the audit records to the root user and wheel group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
$ /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
$ /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
Note: It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.
Additional Information:
From ls man page
-e Print the Access Control List (ACL) associated with the file, if
present, in long (-l) output.
More info:
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/security/audit_control"
owner : "root"
mask : "007"
group : "wheel" || "root"
type : FILE_CHECK
description : "3.5 Ensure Access to Audit Records Is Controlled - /var/audit"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale:
Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes.
Impact:
This control is only checking the default configuration to ensure that unwanted access to audit records is not available."
solution : "Terminal Method:
Run the following commands to set the audit records to the root user and wheel group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/audit_control
$ /usr/bin/sudo /bin/chmod -R o-rw /etc/security/audit_control
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /var/audit/
$ /usr/bin/sudo /bin/chmod -R o-rw /var/audit/
Note: It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.
Additional Information:
From ls man page
-e Print the Access Control List (ACL) associated with the file, if
present, in long (-l) output.
More info:
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/var/audit"
owner : "root"
mask : "007"
group : "wheel" || "root"
type : MACOSX_OSASCRIPT
description : "Check for EnableLogging"
expect : "true"
payload_key : "EnableLogging"
payload_type : "com.apple.security.firewall"
type : MACOSX_OSASCRIPT
description : "Check for LoggingOption"
expect : "detail"
payload_key : "LoggingOption"
payload_type : "com.apple.security.firewall"
type : MACOSX_OSASCRIPT
description : "3.6 Ensure Firewall Logging Is Enabled and Configured - EnableLogging"
info : "The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to 'detailed' to be useful in monitoring connection attempts that the firewall detects. Throttled logging is not sufficient for examining Firewall connection attempts.
In depth log monitoring on macOS may require changes to the 'Enable-Private-Data' key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:
Detailed logging may result in excessive storage."
solution : "Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note: If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the message Firewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to true
The key to also include is EnableLogging
The key must be set to true
The key to also include is LoggingOption
The key must be set to detail
Note: Firewall Logging must be enabled with this profile. It can either be set with the Firewall and Stealth Mode (2.5.2.2 and 2.5.2.3) or as a separate profile. Setting logging with its own profile will not cause a conflict."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7,800-53|SC-7(5),800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|9.2,CSCv8|4.5,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "EnableLogging"
payload_type : "com.apple.security.firewall"
type : MACOSX_OSASCRIPT
description : "3.6 Ensure Firewall Logging Is Enabled and Configured - LoggingOption"
info : "The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to 'detailed' to be useful in monitoring connection attempts that the firewall detects. Throttled logging is not sufficient for examining Firewall connection attempts.
In depth log monitoring on macOS may require changes to the 'Enable-Private-Data' key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:
Detailed logging may result in excessive storage."
solution : "Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note: If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the message Firewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to true
The key to also include is EnableLogging
The key must be set to true
The key to also include is LoggingOption
The key must be set to detail
Note: Firewall Logging must be enabled with this profile. It can either be set with the Firewall and Stealth Mode (2.5.2.2 and 2.5.2.3) or as a separate profile. Setting logging with its own profile will not cause a conflict."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7,800-53|SC-7(5),800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|9.2,CSCv8|4.5,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "detail"
payload_key : "LoggingOption"
payload_type : "com.apple.security.firewall"
type : MACOSX_OSASCRIPT
description : "3.6 Ensure Firewall Logging Is Enabled and Configured - EnableLogging"
info : "The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to 'detailed' to be useful in monitoring connection attempts that the firewall detects. Throttled logging is not sufficient for examining Firewall connection attempts.
In depth log monitoring on macOS may require changes to the 'Enable-Private-Data' key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:
Detailed logging may result in excessive storage."
solution : "Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note: If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the message Firewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to true
The key to also include is EnableLogging
The key must be set to true
The key to also include is LoggingOption
The key must be set to detail
Note: Firewall Logging must be enabled with this profile. It can either be set with the Firewall and Stealth Mode (2.5.2.2 and 2.5.2.3) or as a separate profile. Setting logging with its own profile will not cause a conflict."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7,800-53|SC-7(5),800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|9.2,CSCv8|4.5,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^1$"
payload_key : "loggingenabled"
payload_type : "com.apple.alf"
type : MACOSX_OSASCRIPT
description : "3.6 Ensure Firewall Logging Is Enabled and Configured - LoggingOption"
info : "The socketfilter Firewall is what is used when the Firewall is turned on in the Security & Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled. The logging level must be set to 'detailed' to be useful in monitoring connection attempts that the firewall detects. Throttled logging is not sufficient for examining Firewall connection attempts.
In depth log monitoring on macOS may require changes to the 'Enable-Private-Data' key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:
Detailed logging may result in excessive storage."
solution : "Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note: If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the message Firewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.security.firewall
The key to include is EnableFirewall
The key must be set to true
The key to also include is EnableLogging
The key must be set to true
The key to also include is LoggingOption
The key must be set to detail
Note: Firewall Logging must be enabled with this profile. It can either be set with the Firewall and Stealth Mode (2.5.2.2 and 2.5.2.3) or as a separate profile. Setting logging with its own profile will not cause a conflict."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7,800-53|SC-7(5),800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|9.2,CSCv8|4.5,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "^2$"
payload_key : "loggingoption"
payload_type : "com.apple.alf"
type : CMD_EXEC
description : "4.2 Ensure HTTP Server Is Disabled"
info : "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache, however, is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
Rationale:
Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer.
Impact:
The web server is both a point of attack for the system and a means for unauthorized file transfers."
solution : "Terminal Method:
Run the following command to disable the HTTP server services:
$ /usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -c 'org.apache.httpd'"
expect : "0"
type : CMD_EXEC
description : "4.3 Ensure NFS Server Is Disabled - com.apple.nfsd"
info : "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.
The /etc/exports file contains the list of NFS shared directories. If the file exists, it is likely that NFS sharing has been enabled in the past or may be available periodically. As an additional check, the audit verifies that there is no /etc/exports file.
Rationale:
File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer.
Impact:
The nfs server is both a point of attack for the system and a means for unauthorized file transfers."
solution : "Terminal Method:
Run the following command to disable the nfsd fileserver services:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
Remove the exported Directory listing.
$ /usr/bin/sudo /bin/rm /etc/exports"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep -c 'com.apple.nfsd'"
expect : "0"
type : FILE_CHECK_NOT
description : "4.3 Ensure NFS Server Is Disabled - /etc/exports"
info : "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.
The /etc/exports file contains the list of NFS shared directories. If the file exists, it is likely that NFS sharing has been enabled in the past or may be available periodically. As an additional check, the audit verifies that there is no /etc/exports file.
Rationale:
File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer.
Impact:
The nfs server is both a point of attack for the system and a means for unauthorized file transfers."
solution : "Terminal Method:
Run the following command to disable the nfsd fileserver services:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd
Remove the exported Directory listing.
$ /usr/bin/sudo /bin/rm /etc/exports"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv7|9.2,CSCv8|4.1,CSCv8|4.8,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/exports"
type : CMD_EXEC
description : "5.1.1 Ensure Home Folders Are Secure"
info : "By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a 'Documents' folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions.
Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
Rationale:
Allowing all users to view the top level of all networked users' home folders may not be desirable, since it may lead to the disclosure of sensitive information.
Impact:
If implemented, users will not be able to use the 'Public' folders in other users' home folders. 'Public' folders with appropriate permissions would need to be set up in the /Shared folder."
solution : "Terminal Method:
For each user, run the following command to secure all home folders:
$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/
Alternately, run the following command if there needs to be executable access for a home folder:
$ /usr/bin/sudo /bin/chmod -R og-rw /Users/
example:
$ /usr/bin/sudo /bin/chmod -R og-rw /Users/thirduser/
$ /usr/bin/sudo /bin/chmod -R og-rwx /Users/fourthuser/
# /bin/ls -l /Users/
total 0
drwxr-xr-x+ 12 Guest _guest 384 24 Jul 13:42 Guest
drwxrwxrwt 4 root wheel 128 22 Jul 11:00 Shared
drwx--x--x+ 18 firstuser staff 576 10 Aug 14:36 firstuser
drwx--x--x+ 15 seconduser staff 480 10 Aug 09:16 seconduser
drwx--x--x+ 11 thirduser staff 352 10 Aug 14:53 thirduser
drwx------+ 11 fourthuser staff 352 10 Aug 14:53 fourthuser"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -not \( -perm 711 -or -perm 700 \) | /usr/bin/grep -v 'Shared' | /usr/bin/grep -v 'Guest' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : CMD_EXEC
description : "5.1.2 Ensure System Integrity Protection Status (SIP) Is Enabled"
info : "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.
Rationale:
Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP.
Impact:
System binaries and processes could become compromised."
solution : "Terminal Method:
Perform the following steps to enable System Integrity Protection:
Reboot into the Recovery Partition (reboot and hold down Command (CMD) + R)
Select Utilities
Select Terminal
Run the following command:
$ /usr/bin/sudo /usr/bin/csrutil enable
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
Reboot the computer
Note: You should research why the system had SIP disabled. It might be a better option to erase the Mac and reinstall the operating system. That is at your discretion.
Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition the output will give the error csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS."
reference : "800-171|3.4.1,800-171|3.4.6,800-171|3.4.7,800-171|3.4.9,800-53|CM-7,800-53|CM-7(1),800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53|SI-16,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,800-53r5|SI-16,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|2.6,CSCv8|2.3,CSCv8|2.6,CSCv8|10.5,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-7(2),ITSG-33|CM-8(3),ITSG-33|SI-16,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/csrutil status"
expect : "System Integrity Protection status: enabled"
type : CMD_EXEC
description : "5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled"
info : "Apple Mobile File Integrity (AMFI) was first released in macOS 10.12. The daemon and service block attempts to run unsigned code. AMFI uses launchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and library validation.
Rationale:
Apple Mobile File Integrity validates that application code is properly signed before it is allowed to run.
Impact:
Applications could be compromised with malicious code."
solution : "Terminal Method:
Run the following command to enable the Apple Mobile File Integrity service:
$ /usr/bin/sudo /usr/sbin/nvram boot-args=''"
reference : "800-171|3.4.1,800-171|3.4.6,800-171|3.4.7,800-171|3.4.9,800-53|CM-7,800-53|CM-7(1),800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|2.6,CSCv8|2.3,CSCv8|2.6,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-7(2),ITSG-33|CM-8(3),LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/nvram -p | /usr/bin/grep -c 'amfi_get_out_of_my_way=1'"
expect : "0"
type : CMD_EXEC
description : "5.1.4 Ensure Sealed System Volume (SSV) Is Enabled"
info : "Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur.
During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume.
The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system.
During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree.
Rationale:
Running without Sealed System Volume on a production system could run the risk of Apple software that integrates directly with macOS being modified.
Impact:
Apple Software that integrates with the operating system could become compromised."
solution : "If SSV has been disabled, assume that the operating system has been compromised. Back up any files, and do a clean install to a known good Operating System."
reference : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|13.6,CSCv7|14.8,CSCv8|3.6,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1A,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/csrutil authenticated-root status"
expect : "Authenticated Root status: enabled"
type : CMD_EXEC
description : "5.1.5 Ensure Appropriate Permissions Are Enabled for System Wide Applications"
info : "Applications in the System Applications Directory (/Applications) should be world-executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions.
Rationale:
Unauthorized modifications of applications could lead to the execution of malicious code.
Impact:
Applications changed will no longer be world-writable. Depending on the environment, there will be different risk tolerances on each non-conforming application. Global changes should not be performed where mission-critical applications are misconfigured."
solution : "Terminal Method:
Run the following command to change the permissions for each application that does not meet the requirements:
$ /usr/bin/sudo IFS=$'\n'
for apps in $( /usr/bin/find /Applications -iname '*\.app' -type d -perm -2 ); do
/bin/chmod -R o-w \"$apps\"
done
Note: Global changes should not be performed where mission-critical applications are part of the improperly permissioned applications."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/find /Applications -iname '*\.app' -type d -perm -2 -ls | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : CMD_EXEC
description : "5.1.6 Ensure No World Writable Files Exist in the System Folder"
info : "Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.
Macs with writable files in System should be investigated forensically. A file with open writable permissions is, at best, a sign of a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.
Rationale:
Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the 'Drop Box' folder that is part of Apple's default user template.
Impact:
Changing file permissions could disrupt the use of applications that rely on files in the System Folder with vulnerable permissions."
solution : "Terminal Method:
Run the following command to set permissions so that folders are not world-writable in the /System folder:
$ /usr/bin/sudo IFS=$'\n'
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v 'Drop Box' ); do
/bin/chmod -R o-w \"$sysPermissions\"
done"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v 'Drop Box' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : CMD_EXEC
description : "5.2.1 Ensure Password Account Lockout Threshold Is Configured"
info : "The account lockout threshold specifies the number of times a user can enter an incorrect password before a lockout will occur.
Ensure that a lockout threshold is part of the password policy on the computer.
Rationale:
The account lockout feature mitigates brute-force password attacks on the system.
Impact:
The number of incorrect logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.
The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered."
solution : "Terminal Method:
Run the following command to set the maximum number of failed login attempts to less than or equal to 5:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=<value>'
Note: When the account lockout threshold is set with pwpolicy, it will also set a reset value to policyAttributeMinutesUntilFailedAuthenticationReset that defaults to 1 minute. You can change this value with the command:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=<value>'
example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=5'
/usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'policyAttributeMinutesUntilFailedAuthenticationReset=10'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is maxFailedAttempts
The key must be set to a value less than or equal to 5
Note: When setting the lockout threshold with a mobile configuration profile there is no default reset to the lockout. To set the reset value use the key autoEnableInSeconds and set the key to the desired reset value.
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release."
reference : "800-171|3.1.1,800-53|AC-1,800-53|AC-2,800-53|AC-2(1),800-53r5|AC-1,800-53r5|AC-2,800-53r5|AC-2(1),CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.10.6(c),CSCv7|16.7,CSCv8|6.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|AC-2(1),LEVEL|1A,NESA|M1.2.2,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyAttributeMaximumFailedAuthentications\"]/following-sibling::integer[1]/text()' -"
expect : "^[1-3]$"
type : CMD_EXEC
description : "5.2.2 Ensure Password Minimum Length Is Configured"
info : "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.
Ensure that a minimum of a 14-character password is part of the password policy on the computer.
Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.
Rationale:
Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.
Impact:
Short passwords can be easily attacked."
solution : "Terminal Method:
Run the following command to set the password length to greater than or equal to 14:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'minChars=<value>'
example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'minChars=15'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is minLength
The key must be set to a value greater than or equal to 14
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -e \"policyAttributePassword matches\" | /usr/bin/cut -b 46-53 | /usr/bin/cut -d',' -f1 | /usr/bin/cut -d'{' -f2"
expect : "(Must[\\s]+be[\\s]+a[\\s]+minimum[\\s]+of[\\s]+(1[4-9]|2[0-9])[\\s]+characters|Contain[\\s]+at[\\s]+least[\\s]+(1[4-9]|2[0-9])[\\s]+characters)"
type : CMD_EXEC
description : "5.2.7 Ensure Password Age Is Configured"
info : "Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
Rationale:
Passwords should be changed periodically to reduce exposure.
Impact:
Required password changes will lead to some locked computers requiring admin assistance."
solution : "Terminal Method:
Run the following command to require that passwords expire after at most 365 days:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=<value>'
example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=43200'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is maxPINAgeInDays
The key must be set to a value less than or equal to 365
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release."
reference : "800-171|3.1.1,800-53|AC-2(3),800-53r5|AC-2(3),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv7|16.9,CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),LEVEL|1A,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.2"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "pref1=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 policyAttributeExpiresEveryNDays | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && pref2=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 policyAttributeDaysUntilExpiration | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && if [[ \"$pref1\" != \"\" && pref1 -le 365 ]]; then echo \"true\"; elif [[ \"$pref2\" != \"\" && pref2 -le 365 ]]; then echo \"true\"; else echo \"false\"; fi"
expect : "integer.*[1-9]|[1-8][0-9]|90"
type : CMD_EXEC
description : "5.2.8 Ensure Password History Is Configured"
info : "Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different from the previous 15. The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns, and substantially different patterns should be used in case of a leak.
Rationale:
Old passwords should not be reused.
Impact:
Required password changes will lead to some locked computers requiring admin assistance."
solution : "Terminal Method:
Run the following command to require that the password be different from at least the last 15 passwords:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'usingHistory=<value>'
example:
$ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy 'usingHistory=15'
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.mobiledevice.passwordpolicy
The key to include is pinHistory
The key must be set to a value greater than or equal to 24
Note: The profile method is the preferred method for setting password policy since -setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "pref1=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 policyAttributePasswordHistoryDepth | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && pref2=$(/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A1 policyAttributePasswordHistoryDepth | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1) && if [[ \"$pref1\" != \"\" && pref1 -ge 15 ]]; then echo \"true\"; elif [[ \"$pref2\" != \"\" && pref2 -ge 15 ]]; then echo \"true\"; else echo \"false\"; fi"
expect : "(2[4-9]|[3-9][0-9])"
type : CMD_EXEC
description : "5.3.1 Ensure all user storage APFS volumes are encrypted"
info : "Apple developed a new file system which was first made available in 10.12 and then became the default in 10.13. The file system is optimized for Flash and Solid-State storage and encryption (https://en.wikipedia.org/wiki/Apple_File_System). macOS computers generally have several volumes created as part of APFS formatting, including Preboot, Recovery and Virtual Memory (VM), as well as traditional user disks.
All APFS volumes that do not have specific roles and do not require encryption should be encrypted. 'Role' disks include Preboot, Recovery and VM. User disks are labelled with '(No specific role)' by default.
Rationale:
In order to protect user data from loss or tampering, volumes carrying data should be encrypted.
Impact:
While FileVault protects the boot volume, data may be copied to other attached storage and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted to protect data.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Use Disk Utility to erase a user disk and format as APFS (Encrypted).
Note: APFS Encrypted disks will be described as 'FileVault' in the diskutil ap list output, whether they are the boot volume or not."
reference : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|13.6,CSCv7|14.8,CSCv8|3.6,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1M,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/diskutil ap list | /usr/bin/egrep \"(APFS Volume Disk|FileVault:)\""
expect : "Manual Review Required"
severity : MEDIUM
type : CMD_EXEC
description : "5.3.2 Ensure all user storage CoreStorage volumes are encrypted"
info : "Apple introduced CoreStorage with 10.7. It is used as the default for formatting on macOS volumes prior to 10.13.
All HFS and CoreStorage Volumes should be encrypted.
Rationale:
In order to protect user data from loss or tampering, volumes carrying data should be encrypted.
Impact:
While FileVault protects the boot volume, data may be copied to other attached storage and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted to protect data.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Use Disk Utility to erase a disk and format as macOS Extended (Journaled, Encrypted)."
reference : "800-171|3.5.2,800-171|3.8.5,800-171|3.8.7,800-171|3.13.16,800-53|IA-5(1),800-53|MP-5,800-53|MP-7,800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|MP-5,800-53r5|MP-7,800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CN-L3|8.5.4.1(c),CSCv7|13.6,CSCv7|14.8,CSCv8|3.9,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,CSF|PR.PT-2,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ISO/IEC-27001|A.8.3.1,ISO/IEC-27001|A.8.3.3,ITSG-33|IA-5(1),ITSG-33|MP-5,ITSG-33|SC-28,ITSG-33|SC-28(1),ITSG-33|SC-28a.,LEVEL|1M,NESA|T1.4.1,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/sbin/diskutil cs list | /usr/bin/egrep \"(Logical Volume Family|Encryption Type:)\""
expect : "Manual Review Required"
severity : MEDIUM
type : FILE_CHECK
description : "5.4 Ensure the Sudo Timeout Period Is Set to Zero - permissions"
info : "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required.
Rationale:
The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since it would then be able to make changes as the root user.
Impact:
This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period.
In some ways the use of sudo -s, which is undesirable, is better than a long grace period, since that use changes the prompt to a hash (#) to show that it is a root shell, rather than a normal shell where sudo commands will be executed without a password."
solution : "Terminal Method:
Run the following command to edit the sudo settings:
$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>
example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder whose name contains a period (.), so do not add a file extension to the configuration file.
Add the line Defaults timestamp_timeout=0 to the configuration file.
If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/
Additional Information:
In previous iterations and OS versions of the macOS Benchmark, the guidance was to edit the sudoers file directly. While this would properly configure the OS, any update would change the settings back to the default configuration. Creating a configuration file in the /etc/sudoers.d/ folder will not be modified on an OS update and will keep the proper configuration."
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
file : "/etc/sudoers.d"
owner : "root"
group : "wheel"
type : CMD_EXEC
description : "5.4 Ensure the Sudo Timeout Period Is Set to Zero - timestamp timeout"
info : "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required.
Rationale:
The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since it would then be able to make changes as the root user.
Impact:
This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period.
In some ways the use of sudo -s, which is undesirable, is better than a long grace period, since that use changes the prompt to a hash (#) to show that it is a root shell, rather than a normal shell where sudo commands will be executed without a password."
solution : "Terminal Method:
Run the following command to edit the sudo settings:
$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>
example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder whose name contains a period (.), so do not add a file extension to the configuration file.
Add the line Defaults timestamp_timeout=0 to the configuration file.
If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group:
$ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/
Additional Information:
In previous iterations and OS versions of the macOS Benchmark, the guidance was to edit the sudoers file directly. While this would properly configure the OS, any update would change the settings back to the default configuration. Creating a configuration file in the /etc/sudoers.d/ folder will not be modified on an OS update and will keep the proper configuration."
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/sudo -V | /usr/bin/grep \"Authentication timestamp timeout:\""
expect : "Authentication timestamp timeout: 0.0 minutes"
type : CMD_EXEC
description : "5.5 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo"
info : "Using tty tickets ensures that a user must enter the sudo password in each Terminal session.
With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS.
Rationale:
In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty.
Additional mitigation should be in place to reduce the risk of privilege escalation of background processes.
Impact:
This control should have no user impact. Developers or installers may have issues if background processes are spawned with different interfaces than where sudo was executed."
solution : "Terminal Method:
Run the following command to edit the sudo settings:
$ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name>
example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration
Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder whose name contains a period (.), so do not add a file extension to the configuration file.
Add the line Defaults timestamp_type=tty to the configuration file.
Note: The Defaults timestamp_type=tty line can be added to an existing configuration file or a new one. That will depend on your organization's preference and works either way.
Default Value:
If no value is set, the default value of tty_tickets enabled will be used."
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/sudo -V | /usr/bin/grep \"Type of authentication timestamp record: tty\""
expect : "Type of authentication timestamp record: tty"
type : CMD_EXEC
description : "5.6 Ensure the 'root' Account Is Disabled - root Account Is Disabled"
info : "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some versions of Linux, the system administrator may commonly use the root account to perform administrative functions.
Rationale:
Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell).
Impact:
Some legacy POSIX software might expect an available root account."
solution : "Graphical Method:
Perform the following steps to ensure that the root user is disabled:
Open /System/Library/CoreServices/Applications/Directory Utility
Click the lock icon to unlock the service
Click Edit in the menu bar
Click Disable Root User
Terminal Method:
Run the following command to disable the root user:
$ /usr/bin/sudo /usr/sbin/dsenableroot -d
username = root
user password:"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/dscl . -read /Users/root AuthenticationAuthority"
expect : "(No such key: AuthenticationAuthority|Disabled)"
type : CMD_EXEC
description : "5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session"
info : "macOS has a privilege that can be granted to any user that will allow that user to unlock other users' active sessions.
Rationale:
Disabling the administrator's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
Impact:
While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows."
solution : "Terminal Method:
Run the following command to disable a user logging into another user's active and/or locked session:
$ /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui
YES (0)"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c use-login-window-ui"
expect : "1"
type : CMD_EXEC
description : "Check for cpu brand"
cmd : "/usr/sbin/sysctl -n machdep.cpu.brand_string"
expect : "Apple"
description : "5.9 Ensure Legacy EFI Is Valid and Updating - valid"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
description : "5.9 Ensure Legacy EFI Is Valid and Updating - checked regularly"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
type : CMD_EXEC
description : "Check to see if there's an Apple T2 Security Chip on the system"
cmd : "system_profiler SPiBridgeDataType | awk -F: '/Model Name/ {print $NF}' | sed 's/^ *//'"
expect : "Apple T2 Security Chip"
description : "5.9 Ensure Legacy EFI Is Valid and Updating - valid"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
description : "5.9 Ensure Legacy EFI Is Valid and Updating - checked regularly"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
type : CMD_EXEC
description : "5.9 Ensure Legacy EFI Is Valid and Updating - valid"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check"
expect : "No[\\s]+changes[\\s]+detected[\\s]+in[\\s]+primary[\\s]+hashes"
type : CMD_EXEC
description : "5.9 Ensure Legacy EFI Is Valid and Updating - checked regularly"
info : "In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this check.
Rationale:
If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either."
solution : "If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.
Additional Information:
EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.
Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time."
reference : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1A"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/launchctl list | /usr/bin/grep com.apple.driver.eficheck"
expect : "com.apple.driver.eficheck"
type : CMD_EXEC
description : "5.10 Ensure the Guest Home Folder Does Not Exist"
info : "In the previous two controls, the guest account login has been disabled and sharing to guests has been disabled, as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed, you have the option to archive the home folder, leave it in place, or delete it. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed, it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders, as well. Rather than ignoring the folder's continued existence, it is best removed.
Rationale:
The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately.
Impact:
The Guest account should not be necessary after it is disabled, and it will be automatically re-created if the Guest account is re-enabled."
solution : "Terminal Method:
Run the following command to remove the Guest user home folder:
$ /usr/bin/sudo /bin/rm -R /Users/Guest"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/bin/ls /Users/ | /usr/bin/grep Guest | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : MACOSX_DEFAULTS_READ
description : "6.1.1 Ensure Show All Filename Extensions Setting is Enabled"
info : "A filename extension is a suffix added to a base filename that indicates the base filename's file format.
Rationale:
Visible filename extensions allow the user to identify the file type and the application it is associated with, which leads to quicker identification of misrepresented malicious files.
Impact:
The user of the system can open files of unknown or unexpected filetypes if the extension is not visible."
solution : "Graphical Method:
Perform the following steps to ensure file extensions are shown:
Open Finder
Select Finder in the menu bar
Select Settings
Select Advanced
Set Show all filename extensions to enabled
Terminal Method:
Run the following command to enable displaying of file extensions:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
$ /usr/bin/sudo killall Finder
example:
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/secondname/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
$ /usr/bin/sudo killall Finder
Default Value:
Filename extensions are turned off by default."
reference : "800-171|3.4.1,800-171|3.4.7,800-171|3.4.9,800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|2.6,CSCv8|2.3,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7(2),ITSG-33|CM-8(3),LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "1"
plist_item : "AppleShowAllExtensions"
plist_name : ".GlobalPreferences"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for AutoOpenSafedownloads profile"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep AutoOpenSafeDownloads"
expect : "AutoOpenSafeDownloads[\\s]*=[\\s]*0;"
type : CMD_EXEC
description : "6.3.1 Ensure Automatic Opening of Safe Files in Safari Is Disabled"
info : "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari evaluates file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser.
Rationale:
Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input.
Impact:
Apple considers many files that the operating system itself auto-executes as 'safe files.' Many of these files could be malicious and could execute locally without the user even knowing that a file of a specific type had been downloaded."
solution : "Graphical Method:
Perform the following steps to set safe files to not open after downloading in Safari:
Open Safari
Select Safari from the menu bar
Select Settings
Select General
Set Open 'safe' files after downloading to disabled
Terminal Method:
Run the following command to prevent safe files from automatically opening when downloaded in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is AutoOpenSafeDownloads
The key must be set to: <false/>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|CM-10,800-53|SC-18,800-53|SI-3,800-53|SI-8,800-53r5|CM-10,800-53r5|SC-18,800-53r5|SI-3,800-53r5|SI-8,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|7.1,CSCv7|7.9,CSCv7|8.5,CSCv8|9.1,CSCv8|9.6,CSF|DE.CM-3,CSF|DE.CM-4,CSF|DE.CM-5,CSF|DE.DP-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SC-18,ITSG-33|SI-3,ITSG-33|SI-8,LEVEL|1A,NIAv2|GS8a,NIAv2|SU3,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep AutoOpenSafeDownloads"
expect : "AutoOpenSafeDownloads[\\s]*=[\\s]*0;"
type : MACOSX_DEFAULTS_READ
description : "6.3.1 Ensure Automatic Opening of Safe Files in Safari Is Disabled"
info : "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari evaluates file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser.
Rationale:
Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input.
Impact:
Apple considers many files that the operating system itself auto-executes as 'safe files.' Many of these files could be malicious and could execute locally without the user even knowing that a file of a specific type had been downloaded."
solution : "Graphical Method:
Perform the following steps to set safe files to not open after downloading in Safari:
Open Safari
Select Safari from the menu bar
Select Settings
Select General
Set Open 'safe' files after downloading to disabled
Terminal Method:
Run the following command to prevent safe files from automatically opening when downloaded in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is AutoOpenSafeDownloads
The key must be set to: <false/>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|CM-10,800-53|SC-18,800-53|SI-3,800-53|SI-8,800-53r5|CM-10,800-53r5|SC-18,800-53r5|SI-3,800-53r5|SI-8,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|7.1,CSCv7|7.9,CSCv7|8.5,CSCv8|9.1,CSCv8|9.6,CSF|DE.CM-3,CSF|DE.CM-4,CSF|DE.CM-5,CSF|DE.DP-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SC-18,ITSG-33|SI-3,ITSG-33|SI-8,LEVEL|1A,NIAv2|GS8a,NIAv2|SU3,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "0"
managed_path : "/Library/Containers"
plist_item : "AutoOpenSafeDownloads"
plist_name : "com.apple.Safari/Data/Library/Preferences/com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for WarnAboutFraudulentWebsites"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WarnAboutFraudulentWebsites"
expect : "WarnAboutFraudulentWebsites[\\s]*=[\\s]*1;"
type : CMD_EXEC
description : "6.3.3 Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled"
info : "Apple uses the Google Safe Browsing API to check for fraudulent websites and report them to the user attempting to visit one.
Rationale:
Attackers use crafted web pages to social engineer users to load unwanted content. Warning users prior to loading the content enables better security.
Impact:
Websites that were once compromised and served malware could be sanitized yet remain in the database, though there is no widespread reporting of that risk."
solution : "Graphical Method:
Perform the following steps to set Safari to warn when visiting a fraudulent site:
Open Safari
Select Safari from the menu bar
Select Settings
Select Security
Set Warn when visiting a fraudulent site to enabled
Terminal Method:
Run the following command to enable warn when visiting a fraudulent site in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is WarnAboutFraudulentWebsites
The key must be set to: <true/>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.1,800-171|3.13.13,800-53|CM-10,800-53|SC-7(3),800-53|SC-7(4),800-53|SC-18,800-53r5|CM-10,800-53r5|SC-7(3),800-53r5|SC-7(4),800-53r5|SC-18,CN-L3|8.1.10.6(j),CSCv7|7.1,CSCv7|7.4,CSCv8|9.1,CSCv8|9.3,CSF|DE.CM-3,CSF|DE.CM-5,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),ITSG-33|SC-18,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SU3,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WarnAboutFraudulentWebsites"
expect : "WarnAboutFraudulentWebsites[\\s]*=[\\s]*1;"
type : MACOSX_DEFAULTS_READ
description : "6.3.3 Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled"
info : "Apple uses the Google Safe Browsing API to check for fraudulent websites and report them to the user attempting to visit one.
Rationale:
Attackers use crafted web pages to social engineer users to load unwanted content. Warning users prior to loading the content enables better security.
Impact:
Once-compromised websites that served malware could be sanitized yet remain in the database, though there is no widespread reporting of that risk."
solution : "Graphical Method:
Perform the following steps to set Safari to warn when visiting a fraudulent site:
Open Safari
Select Safari from the menu bar
Select Settings
Select Security
Set Warn when visiting a fraudulent site to enabled
Terminal Method:
Run the following command to enable warn when visiting a fraudulent site in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is WarnAboutFraudulentWebsites
The key must be set to:
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.1,800-171|3.13.13,800-53|CM-10,800-53|SC-7(3),800-53|SC-7(4),800-53|SC-18,800-53r5|CM-10,800-53r5|SC-7(3),800-53r5|SC-7(4),800-53r5|SC-18,CN-L3|8.1.10.6(j),CSCv7|7.1,CSCv7|7.4,CSCv8|9.1,CSCv8|9.3,CSF|DE.CM-3,CSF|DE.CM-5,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),ITSG-33|SC-18,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SU3,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
regex : "1"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "WarnAboutFraudulentWebsites"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for BlockStoragePolicy"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep BlockStoragePolicy"
expect : "BlockStoragePolicy[\\s]*=[\\s]*2;"
type : CMD_EXEC
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - BlockStoragePolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep BlockStoragePolicy"
expect : "BlockStoragePolicy[\\s]*=[\\s]*2;"
type : MACOSX_DEFAULTS_READ
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - BlockStoragePolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
regex : "2"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "BlockStoragePolicy"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for WebKitPreferences.storageBlockingPolicy"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WebKitPreferences.storageBlockingPolicy"
expect : "WebKitPreferences.storageBlockingPolicy[\\s]*=[\\s]*1;"
type : CMD_EXEC
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - WebKitPreferences.storageBlockingPolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WebKitPreferences.storageBlockingPolicy"
expect : "WebKitPreferences.storageBlockingPolicy[\\s]*=[\\s]*1;"
type : MACOSX_DEFAULTS_READ
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - WebKitPreferences.storageBlockingPolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
regex : "1"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "WebKitPreferences.storageBlockingPolicy"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for WebKitStorageBlockingPolicy"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WebKitStorageBlockingPolicy"
expect : "WebKitStorageBlockingPolicy[\\s]*=[\\s]*1;"
type : CMD_EXEC
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - WebKitStorageBlockingPolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep WebKitStorageBlockingPolicy"
expect : "WebKitStorageBlockingPolicy[\\s]*=[\\s]*1;"
type : MACOSX_DEFAULTS_READ
description : "6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled - WebKitStorageBlockingPolicy"
info : "There is a vast network of groups that collect, use and sell user data. One method used to collect user data is to pay for and provide content and services to website owners; along with that 'assistance', the site owners push tracking cookies on visitors. In many cases this help allows a content owner to keep the site up. The tracking cookies allow information brokers to track web users across visited sites. For better privacy and to provide some resistance to data brokers, prevent cross-site tracking.
Rationale:
Cross-tracking allows data-brokers to follow you across the Internet to enable their business model of selling personal data. Users should protect their data and not volunteer it to marketing companies.
Impact:
Marketing companies will be unable to target you as effectively."
solution : "Graphical Method:
Perform the following steps to set prevent cross-site tracking in Safari to enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Prevent cross-site tracking to enabled
Terminal Method:
Run the following command to enable Safari to prevent cross-site tracking:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari BlockStoragePolicy -int 2
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.storageBlockingPolicy -int 1
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitStorageBlockingPolicy -int 1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is BlockStoragePolicy
The key must be set to: 2
The key to also include is WebKitPreferences.storageBlockingPolicy
The key must be set to: 1
The key to also include is WebKitStorageBlockingPolicy
The key must be set to: 1
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
regex : "1"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "WebKitStorageBlockingPolicy"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : MACOSX_DEFAULTS_READ
description : "6.3.6 Ensure Advertising Privacy Protection in Safari Is Enabled"
info : "Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer that the advertising they see is relevant to them and their interests, the detailed information that is collected through data mining, correlated, and made available to advertisers in repositories is often disconcerting. This information is valuable to both advertisers and attackers and has been used with other metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.
Impact:
Users will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads."
solution : "Graphical Method:
Perform the following steps to set Safari to allow privacy-preserving measurement of ad effectiveness:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Allow privacy-preserving measurement of ad effectiveness to enabled
Terminal Method:
Run the following command to enable allow privacy-preserving measurement of ad effectiveness in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
regex : "1"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "WebKitPreferences.privateClickMeasurementEnabled"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "Check for ShowFullURLInSmartSearchField profile"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep ShowFullURLInSmartSearchField"
expect : "ShowFullURLInSmartSearchField[\\s]*=[\\s]*1;"
type : CMD_EXEC
description : "6.3.7 Ensure Show Full Website Address in Safari Is Enabled"
info : "Attackers use websites with malicious or unwanted content to exploit the user or the computer. Part of the attack chain is to lure someone into loading their content rather than the desired content. To reduce the risk of interacting with unwanted content, the full website address should always be displayed in Safari.
Rationale:
Full visibility into what site is being visited is important for privacy and security.
Impact:
Many URLs are very long and complicated, particularly for internal content management systems. Some complete URLs in the Smart Search Field may be difficult to parse."
solution : "Graphical Method:
Perform the following steps to set Safari to show full website addresses:
Open Safari
Select Safari from the menu bar
Select Settings
Select Security
Set Show full website address to enabled
Terminal Method:
Run the following command to enable showing full website addresses in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is ShowFullURLInSmartSearchField
The key must be set to: true
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
cmd : "/usr/bin/profiles -P -o stdout | /usr/bin/grep ShowFullURLInSmartSearchField"
expect : "ShowFullURLInSmartSearchField[\\s]*=[\\s]*1;"
type : MACOSX_DEFAULTS_READ
description : "6.3.7 Ensure Show Full Website Address in Safari Is Enabled"
info : "Attackers use websites with malicious or unwanted content to exploit the user or the computer. Part of the attack chain is to lure someone into loading their content rather than the desired content. To reduce the risk of interacting with unwanted content, the full website address should always be displayed in Safari.
Rationale:
Full visibility into what site is being visited is important for privacy and security.
Impact:
Many URLs are very long and complicated, particularly for internal content management systems. Some complete URLs in the Smart Search Field may be difficult to parse."
solution : "Graphical Method:
Perform the following steps to set Safari to show full website addresses:
Open Safari
Select Safari from the menu bar
Select Settings
Select Security
Set Show full website address to enabled
Terminal Method:
Run the following command to enable showing full website addresses in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is ShowFullURLInSmartSearchField
The key must be set to: true
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.13.13,800-53|CM-10,800-53|SC-18,800-53r5|CM-10,800-53r5|SC-18,CSCv7|7.1,CSCv8|9.1,CSF|DE.CM-3,CSF|DE.CM-5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-18,LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
regex : "1"
managed_path : "/Library/Containers/com.apple.Safari/Data/Library/Preferences/"
plist_item : "ShowFullURLInSmartSearchField"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : MACOSX_OSASCRIPT
description : "Check for SecureKeyboardEntry"
expect : "true"
payload_key : "SecureKeyboardEntry"
payload_type : "com.apple.Terminal"
type : MACOSX_OSASCRIPT
description : "6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled"
info : "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal. Unauthorized applications and malicious code could intercept keystrokes entered in the Terminal.
Rationale:
Enabling Secure Keyboard Entry minimizes the risk of a key logger detecting what is entered in Terminal.
Impact:
Enabling this in Terminal would prevent an application that is otherwise validly intercepting keyboard input from intercepting that input in Terminal.app. This could impact productivity tools."
solution : "Graphical Method:
Perform the following steps to enable secure keyboard entries in Terminal:
Open the Applications folder
Open the Utilities folder
Open Terminal
Select Terminal in the Menu Bar
Set Secure Keyboard Entry to enabled
Terminal Method:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write -app Terminal SecureKeyboardEntry -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write -app Terminal SecureKeyboardEntry -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Terminal
The key to include is SecureKeyboardEntry
The key must be set to: true
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|4.1,CSCv7|5.1,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
expect : "true"
payload_key : "SecureKeyboardEntry"
payload_type : "com.apple.Terminal"
type : MACOSX_DEFAULTS_READ
description : "6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled"
info : "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal. Unauthorized applications and malicious code could intercept keystrokes entered in the Terminal.
Rationale:
Enabling Secure Keyboard Entry minimizes the risk of a key logger detecting what is entered in Terminal.
Impact:
Enabling this in Terminal would prevent an application that is otherwise validly intercepting keyboard input from intercepting that input in Terminal.app. This could impact productivity tools."
solution : "Graphical Method:
Perform the following steps to enable secure keyboard entries in Terminal:
Open the Applications folder
Open the Utilities folder
Open Terminal
Select Terminal in the Menu Bar
Set Secure Keyboard Entry to enabled
Terminal Method:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write -app Terminal SecureKeyboardEntry -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write -app Terminal SecureKeyboardEntry -bool true
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Terminal
The key to include is SecureKeyboardEntry
The key must be set to true (boolean)
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|4.1,CSCv7|5.1,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4159"
regex : "1"
plist_item : "SecureKeyboardEntry"
plist_name : "com.apple.Terminal"
plist_option : CANNOT_BE_NULL
plist_user : "all"
description : "CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit from CIS Apple macOS 13.0 Ventura Benchmark v1.0.0"
info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/files/4159"