13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Apple macOS 14 (Sonoma) Security Technical Implementation Guide"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jan 30, 2025"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"S-fca2b2173fd76f1334f4d92ff6d1c6cbbb052813","children":"S-fca2b2173fd76f1334f4d92ff6d1c6cbbb052813"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":155}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",10]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",143]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Apple%20macOS%2014%20(Sonoma)%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Apple%20macOS%2014%20(Sonoma)%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Apple%20macOS%2014%20(Sonoma)%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L1e",null,{"checks":[{"id":"fc896c8e-d74c-4017-b523-6c670cabb1b5","vulnId":"V-259418","severity":"medium","ruleTitle":"The macOS system must prevent Apple Watch from terminating a session lock.","description":"Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures.","checkContent":"Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowAutoUnlock').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"10c0aba7-6500-4c00-9c68-d3111e28c9b9","vulnId":"V-259419","severity":"medium","ruleTitle":"The macOS system must enforce screen saver password.","description":"Users must authenticate when unlocking the screen saver.\n\nThe screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.","checkContent":"Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\\\n.objectForKey('askForPassword').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the \"com.apple.screensaver\" configuration profile."},{"id":"67e3ca5e-9724-44fc-9a27-dad0f731de5f","vulnId":"V-259420","severity":"medium","ruleTitle":"The macOS system must enforce session lock no more than five seconds after screen saver is started.","description":"A screen saver must be enabled and the system must be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds.\n\nAn unattended system with an excessive grace period is vulnerable to a malicious user.","checkContent":"Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\\\n.objectForKey('askForPasswordDelay'))\n if ( delay <= 5 ) {\n return(\"true\")\n } else {\n return(\"false\")\n }\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the \"com.apple.screensaver\" configuration profile."},{"id":"4d9382a2-0c0d-40cb-9586-696841218b99","vulnId":"V-259421","severity":"medium","ruleTitle":"The macOS system must configure user session lock when a smart token is removed.","description":"The screen lock must be configured to initiate automatically when the smart token is removed from the system.\n\nSession locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absence. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.","checkContent":"Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\\\n.objectForKey('tokenRemovalAction').js\nEOS\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to lock the user session when a smart token is removed by installing the \"com.apple.security.smartcard\" configuration profile.\n\nNote: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile."},{"id":"c4a1b588-462d-4cee-b6c4-38ca10543ff1","vulnId":"V-259422","severity":"medium","ruleTitle":"The macOS system must disable hot corners.","description":"Hot corners must be disabled.\n\nThe information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.","checkContent":"Verify the macOS system is configured to disable hot corners with the following command:\n\n/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '\"wvous-bl-corner\" = 0|\"wvous-br-corner\" = 0|\"wvous-tl-corner\" = 0|\"wvous-tr-corner\" = 0'\n\nIf the result is not \"4\", this is a finding.","fixText":"Configure the macOS system to disable hot corners by installing the \"com.apple.ManagedClient.preferences\" configuration profile."},{"id":"d819bac4-c104-46c2-8c39-970e1ef10b85","vulnId":"V-259423","severity":"medium","ruleTitle":"The macOS system must prevent AdminHostInfo from being available at LoginWindow.","description":"The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed.","checkContent":"Verify the macOS system is configured to prevent AdminHostInfo from being available at LoginWindow with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\\\n.objectIsForcedForKey('AdminHostInfo')\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to prevent AdminHostInfo from being available at LoginWindow by installing the \"com.apple.loginwindow\" configuration profile."},{"id":"bc26c624-1485-49c8-b5c6-0f8d869fdda4","vulnId":"V-259424","severity":"medium","ruleTitle":"The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.","description":"$1f","checkContent":"$20","fixText":"This setting may be enforced using local policy or by a directory service.\n\nTo set local policy to disable a temporary or emergency user, create a plain text file containing the following:\n\n\npolicyCategoryAuthentication\n\n\npolicyContent\npolicyAttributeCurrentTime < policyAttributeCreationTime+259299\npolicyIdentifier\nDisable Tmp Accounts \n\n\n\n\nAfter saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of \"username\" and the path to the file in place of \"/path/to/file\".\n\n/usr/bin/pwpolicy -u username setaccountpolicies /path/to/file"},{"id":"11b6617e-cd15-425b-8067-82b046642b39","vulnId":"V-259425","severity":"medium","ruleTitle":"The macOS system must enforce time synchronization.","description":"Time synchronization must be enforced on all networked systems.\n\nThis rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nSatisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144","checkContent":"Verify the macOS system is configured to enforce time synchronization with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.timed')\\\n.objectForKey('TMAutomaticTimeOnlyEnabled').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce time synchronization by installing the \"com.apple.timed\" configuration profile."},{"id":"5f960495-a05c-42d1-a7b2-b463572e3659","vulnId":"V-259428","severity":"medium","ruleTitle":"The macOS system must limit consecutive failed log on attempts to three.","description":"The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time after.\n\nThis rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.\n\nSatisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128","checkContent":"Verify the macOS system is configured to limit consecutive failed log on attempts to three with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyAttributeMaximumFailedAuthentications\"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print \"yes\"} else {print \"no\"}}'\n\nIf the result is not \"yes\", this is a finding.","fixText":"Configure the macOS system to limit consecutive failed log on attempts to three by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile or by a directory service."},{"id":"221841d0-34fd-4220-8b95-997ccabae369","vulnId":"V-259429","severity":"medium","ruleTitle":"The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on.","description":"Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060.\n\nSatisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007","checkContent":"$21","fixText":"Configure the macOS system to display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the operating system by creating a text file containing the required DOD text.\n\nName the file \"banner\" and place it in \"/etc/\"."},{"id":"1c8f37c7-aeaa-4f1a-bf61-4befac459918","vulnId":"V-259430","severity":"medium","ruleTitle":"The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner.","description":"Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007","checkContent":"Verify the macOS system is configured to display the contents of \"/etc/banner\" before granting access to the system with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/grep -c \"^banner /etc/banner\"\n\nIf the command does not return \"1\", this is a finding.","fixText":"Configure the macOS system to display the contents of \"/etc/banner\" before granting access to the system by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:\n\nbanner /etc/banner"},{"id":"1cbb78ed-9688-4f5c-b3ed-70ab222631b6","vulnId":"V-259431","severity":"medium","ruleTitle":"The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.","description":"Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe policy banner will show if a \"PolicyBanner.rtf\" or \"PolicyBanner.rtfd\" exists in the \"/Library/Security\" folder.\n\nThe banner must be formatted in accordance with DTM-08-060.\n\nSatisfies: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088","checkContent":"$22","fixText":"Configure the macOS system to display a policy banner by creating an RTF file containing the required text. Name the file \"PolicyBanner.rtfd\" and place it in \"/Library/Security/\".\n\nUpdate the permissions of the \"/Library/Security/PolicyBanner.rtfd\" file with the following command:\n\n/usr/bin/sudo /bin/chmod 644 /Library/Security/PolicyBanner.rtfd"},{"id":"e033efe3-53bc-4818-9244-d354793cf338","vulnId":"V-259432","severity":"medium","ruleTitle":"The macOS system must configure audit log files to not contain access control lists.","description":"The audit log files must not contain access control lists (ACLs).\n\nThis rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured without ACLs applied to log files with the following command:\n\n/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\"\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system without ACLs applied to log files with the following command:\n\n/bin/chmod -RN /var/audit"},{"id":"9e2294ee-ff2e-4bb5-beb1-887a63239fe1","vulnId":"V-259433","severity":"medium","ruleTitle":"The macOS system must configure audit log folders to not contain access control lists.","description":"The audit log folder must not contain access control lists (ACLs).\n\nAudit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured without ACLs applied to log folders with the following command:\n\n/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\"\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system without ACLs applied to log folders with the following command:\n\n/bin/chmod -N /var/audit"},{"id":"b30e9d79-5c3d-4d05-bcce-5d21e9b14b1d","vulnId":"V-259434","severity":"medium","ruleTitle":"The macOS system must disable FileVault automatic log on.","description":"If FileVault is enabled, automatic log on must be disabled, so that both FileVault and login window authentication are required.\n\nThe default behavior of macOS when FileVault is enabled is to automatically log on to the computer once successfully passing user's FileVault credentials.\n\nNote: DisableFDEAutoLogin does not have to be set on Apple Silicon-based macOS systems that are smartcard enforced, as smartcards are available at preboot.","checkContent":"Verify the macOS system is configured to disable filevault automatic login with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\\\n.objectForKey('DisableFDEAutoLogin').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable filevault automatic login by installing the \"com.apple.loginwindow\" configuration profile.\n\nNote: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile."},{"id":"c7b9f40a-2888-40e9-9374-52106b2a8ee1","vulnId":"V-259435","severity":"medium","ruleTitle":"The macOS system must configure SSHD ClientAliveInterval to 900.","description":"If SSHD is enabled, then it must be configured with the Client Alive Interval set to 900.\n\nSets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.\n\nThis setting works in conjunction with ClientAliveCountMax to determine the termination of the connection after the threshold has been reached.\n\nNote: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.","checkContent":"Verify the macOS system is configured to set the SSHD ClientAliveInterval to 900 with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk '/clientaliveinterval/{print $2}'\n\nIf the result is not \"900\", this is a finding.","fixText":"Configure the macOS system to set the SSHD ClientAliveInterval to 900 with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'clientaliveinterval 900' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"clientaliveinterval 900\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"b6006c4c-aaf0-4c68-8df3-30af85f8a49a","vulnId":"V-259436","severity":"medium","ruleTitle":"The macOS system must configure SSHD ClientAliveCountMax to 1.","description":"If SSHD is enabled it must be configured with the Client Alive Maximum Count set to 1.\n\nThis will set the number of client alive messages which may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the SSH server will disconnect the client, terminating the session. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive.\n\nNote: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.","checkContent":"Verify the macOS system is configured to set the SSHD ClientAliveCountMax to 1 with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk '/clientalivecountmax/{print $2}'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to set the SSHD ClientAliveCountMax to 1 with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'clientalivecountmax 1' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"clientalivecountmax 1\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"3741ace6-9317-442f-929d-09df0ee05394","vulnId":"V-259437","severity":"medium","ruleTitle":"The macOS system must set Login Grace Time to 30.","description":"If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.","checkContent":"Verify the macOS system is configured to set Login Grace Time to 30 with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}'\n\nIf the result is not \"30\", this is a finding.","fixText":"Configure the macOS system to set Login Grace Time to 30 with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'logingracetime 30' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"logingracetime 30\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"c880265b-a0dd-4b5d-9719-ab7af6d598e8","vulnId":"V-259438","severity":"high","ruleTitle":"The macOS system must limit SSHD to FIPS-compliant connections.","description":"If SSHD is enabled then it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.\n\nOperating systems utilizing encryption must use FIPS validated mechanisms for authenticating to cryptographic modules.\n\nNote: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.\n\nSatisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223","checkContent":"Verify the macOS system is configured to limit SSHD to FIPS-compliant connections with the following command:

fips_sshd_config=(\"Ciphers aes128-gcm@openssh.com\" \"HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com\" \"HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com\" \"KexAlgorithms ecdh-sha2-nistp256\" \"MACs hmac-sha2-256\" \"PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com\" \"CASignatureAlgorithms ecdsa-sha2-nistp256\")
total=0
for config in $fips_sshd_config; do
total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c \"$config\") + $total)
done

echo $total

If the result is not \"7\", this is a finding.","fixText":"Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command:

fips_sshd_config=\"Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256\"
/bin/echo \"${fips_sshd_config}\" > /etc/ssh/sshd_config.d/fips_sshd_config"},{"id":"0b76c636-9e2b-4fdf-9240-40583c978393","vulnId":"V-259439","severity":"high","ruleTitle":"The macOS system must limit SSH to FIPS-compliant connections.","description":"SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.\n\nOperating systems utilizing encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.\n\nNote: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.\n\nSatisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223","checkContent":"Verify the macOS system is configured to limit SSH to FIPS-compliant connections with the following command:

fips_ssh_config=\"Host *
Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256\"
/usr/bin/grep -c \"$fips_ssh_config\" /etc/ssh/ssh_config.d/fips_ssh_config

If the result is not \"8\", this is a finding.","fixText":"Configure the macOS system to limit SSH to FIPS-compliant connections with the following command:

fips_ssh_config=\"Host *
Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256\"
/bin/echo \"${fips_ssh_config}\" > /etc/ssh/ssh_config.d/fips_ssh_config"},{"id":"c7b33d01-4ca4-496c-91a1-613f77e9591a","vulnId":"V-259440","severity":"medium","ruleTitle":"The macOS system must set account lockout time to 15 minutes.","description":"The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached.\n\nThis rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.\n\nSatisfies: SRG-OS-000021-GPOS-00005,SRG-OS-000329-GPOS-00128","checkContent":"Verify the macOS system is configured to set account lockout time to 15 minutes with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"autoEnableInSeconds\"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1/60 >= 15 ) {print \"yes\"} else {print \"no\"}}'\n\nIf the result is not \"yes\", this is a finding.","fixText":"Configure the macOS system to set account lockout time to 15 minutes by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile or by a directory service."},{"id":"15e48e23-cb21-45f1-9904-9888456c46ba","vulnId":"V-259441","severity":"medium","ruleTitle":"The macOS system must enforce screen saver timeout.","description":"The screen saver timeout must be set to 900 seconds or a shorter length of time.\n\nThis rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.","checkContent":"Verify the macOS system is configured to initiate the screen saver timeout after 15 minutes of inactivity with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\\\n.objectForKey('idleTime'))\n if ( timeout <= 900 ) {\n return(\"true\")\n } else {\n return(\"false\")\n }\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the \"com.apple.screensaver\" configuration profile."},{"id":"2b334e98-c8bd-416a-bb6e-ee117b774074","vulnId":"V-259443","severity":"medium","ruleTitle":"The macOS system must disable logon to other user's active and locked sessions.","description":"The ability to log in to another user's active or locked session must be disabled.\n\nmacOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.\n\nNote: Configuring this setting will disable TouchID from unlocking the screensaver.","checkContent":"Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command:\n\n/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'authenticate-session-owner'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable login to other user's active and locked sessions with the following command:\n\n/usr/bin/security authorizationdb write system.login.screensaver \"authenticate-session-owner\""},{"id":"9712a05d-7f96-4f5b-a401-0f1454be51af","vulnId":"V-259444","severity":"medium","ruleTitle":"The macOS system must disable root logon.","description":"To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.\n\nThe macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.\n\nSatisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151","checkContent":"Verify the macOS system is configured to disable root login with the following command:\n\n/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c \"/usr/bin/false\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable root login with the following command:\n\n/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false"},{"id":"9116350d-b77d-4b61-841e-0bf1f6993064","vulnId":"V-259445","severity":"medium","ruleTitle":"The macOS system must configure SSH ServerAliveInterval option set to 900.","description":"SSH must be configured with an Active Server Alive Maximum Count set to 900.\n\nSetting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity.\n\nNote: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.","checkContent":"Verify the macOS system is configured to set the SSH ServerAliveInterval option set to 900 with the following command:\n\nret=\"pass\"\nfor u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do\n sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c \"^serveraliveinterval 900\")\n if [[ \"$sshCheck\" == \"0\" ]]; then\n ret=\"fail\"\n break\n fi\ndone\n/bin/echo $ret\n\nIf the result is not \"pass\", this is a finding.","fixText":"Configure the macOS system to set the SSH ServerAliveInterval option set to 900 with the following command:\n\nfor u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do\n config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\\r')\n configarray=( ${(f)config} )\n for c in $configarray; do\n /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' \"$c\" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' \"$c\" || /bin/echo 'ServerAliveInterval 900' >> \"$c\"\n done\ndone"},{"id":"6720778b-1524-4383-9c21-c1683c5eb83d","vulnId":"V-259446","severity":"medium","ruleTitle":"The macOS system must configure SSHD Channel Timeout to 900.","description":"If SSHD is enabled it must be configured with session Channel Timeout set to 900.\n\nThis will set the time out when the session is inactive.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109","checkContent":"Verify the macOS system is configured to set the SSHD Channel Timeout to 900 with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk -F \"=\" '/channeltimeout session:*/{print $2}'\n\nIf the result is not \"900\", this is a finding.","fixText":"Configure the macOS system to set the SSHD Channel Timeout to 900 with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'channeltimeout session:*=900' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"channeltimeout session:*=900\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"d0c8c2f1-643e-451b-b45b-1083ffd3d22d","vulnId":"V-259447","severity":"medium","ruleTitle":"The macOS system must configure SSHD unused connection timeout to 900.","description":"If SSHD is enabled, it must be configured with unused connection timeout set to 900.\n\nThis will set the timeout when there are no open channels within a session.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109","checkContent":"Verify the macOS system is configured to set the SSHD unused connection timeout to 900 with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk '/unusedconnectiontimeout/{print $2}'\n\nIf the result is not \"900\", this is a finding.","fixText":"Configure the macOS system to set the SSHD unused connection timeout to 900 with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'unusedconnectiontimeout 900' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"unusedconnectiontimeout 900\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"4788580d-4a01-44a0-902b-5e8a9fd1bcf9","vulnId":"V-259448","severity":"medium","ruleTitle":"The macOS system must set SSH Active Server Alive Maximum to 0.","description":"SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.\n\nNote: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.","checkContent":"Verify the macOS system is configured to set SSH Active Server Alive Maximum to 0 with the following command:\n\nret=\"pass\"\nfor u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do\n sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c \"^serveralivecountmax 0\")\n if [[ \"$sshCheck\" == \"0\" ]]; then\n ret=\"fail\"\n break\n fi\ndone\n/bin/echo $ret\n\nIf the result is not \"pass\", this is a finding.","fixText":"Configure the macOS system to set SSH Active Server Alive Maximum to 0 with the following command:\n\nfor u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do\n config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\\r')\n configarray=( ${(f)config} )\n for c in $configarray; do\n /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' \"$c\" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' \"$c\" || /bin/echo 'ServerAliveCountMax 0' >> \"$c\"\n done\ndone"},{"id":"c28a1536-2a7a-4e4c-a96c-abe7a325cfac","vulnId":"V-259449","severity":"medium","ruleTitle":"The macOS system must enforce auto logout after 86400 seconds of inactivity.","description":"Auto logout must be configured to automatically terminate a user session and log out the after 86400 seconds of inactivity.\n\nNote: The maximum that macOS can be configured for autologoff is 86400 seconds.\n\n[IMPORTANT]\n====\nThe automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information system security officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the automatic logout setting.\n====","checkContent":"Verify the macOS system is configured to enforce auto logout after 86400 seconds of inactivity with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\\\n.objectForKey('com.apple.autologout.AutoLogOutDelay').js\nEOS\n\nIf the result is not \"86400\", this is a finding.","fixText":"Configure the macOS system to enforce auto logout after 86400 seconds of inactivity by installing the \"com.apple.GlobalPreferences\" configuration profile."},{"id":"3fd947d7-fa17-47d6-ae6e-b303959b6d42","vulnId":"V-259450","severity":"medium","ruleTitle":"The macOS system must be configured to use an authorized time server.","description":"Approved time servers must be the only servers configured for use.\n\nThis rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nAn authoritative time server is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DOD network.\n\nSatisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144","checkContent":"Verify the macOS system is configured to use an authorized time server with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\\\n.objectForKey('timeServer').js\nEOS\n\nIf the result is not an authoritative time server which is synchronized with redundant USNO time servers as designated for the appropriate DOD network, this is a finding.","fixText":"Configure the macOS system to use an authorized time server by installing the \"com.apple.MCX\" configuration profile."},{"id":"8fb1df54-2af7-455a-9141-a33e5e9261df","vulnId":"V-259451","severity":"medium","ruleTitle":"The macOS system must enable time synchronization daemon.","description":"The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server.\n\nNote: The time synchronization daemon is enabled by default on macOS.\n\nSatisfies: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144","checkContent":"Verify the macOS system is configured to enable time synchronization daemon with the following command:\n\n/bin/launchctl list | /usr/bin/grep -c com.apple.timed\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to enable time synchronization daemon with the following command:\n\n/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist"},{"id":"30b2ece2-e8c4-4c36-9bc5-18cbae59a5bd","vulnId":"V-259452","severity":"medium","ruleTitle":"The macOS system must be configured to audit all administrative action events.","description":"Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include \"ad\" events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter).\n\nAdministrative and privileged access, including administrative use of the command line tools \"kextload\" and \"kextunload\" and changes to configuration settings, are logged by way of the \"ad\" flag.\n\nSatisfies: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000327-GPOS-00127,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000476-GPOS-00221","checkContent":"Verify the macOS system is configured to audit privileged access with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'ad'\n\nIf \"ad\" is not listed in the output, this is a finding.","fixText":"Configure the macOS system to audit privileged access with the following command:\n\n/usr/bin/grep -qE \"^flags.*[^-]ad\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s\n\nA text editor may also be used to implement the required updates to the \"/etc/security/audit_control\" file."},{"id":"d9e59a80-4f09-4fed-b241-5bba3ea6bb4e","vulnId":"V-259453","severity":"medium","ruleTitle":"The macOS system must be configured to audit all log on and log out events.","description":"The audit system must be configured to record all attempts to log in and out of the system (lo).\n\nFrequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring log on and log out events) mitigates this risk.\n\nThe information system monitors log on and log out events.\n\nSatisfies: SRG-OS-000032-GPOS-00013,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218","checkContent":"Verify the macOS system is configured to audit all log on and log out events with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '^lo'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all log on and log out events with the following command:\n\n/usr/bin/grep -qE \"^flags.*[^-]lo\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/sbin/audit -s\n\nA text editor may also be used to implement the required updates to the \"/etc/security/audit_control\" file."},{"id":"e6a8eb79-3f6f-419e-a9b0-749b90f12186","vulnId":"V-259454","severity":"medium","ruleTitle":"The macOS system must enable security auditing.","description":"$23","checkContent":"Verify the macOS system is configured to enable the auditd service with the following command:\n\nLAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)\nif [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then\n echo \"pass\"\nelse\n echo \"fail\"\nfi\n\nIf the result is not \"pass\", this is a finding.","fixText":"Configure the macOS system to enable the auditd service with the following command:\n\nLAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)\n\nif [[ ! $LAUNCHD_RUNNING == 1 ]]; then\n /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist\nfi\n\nif [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then\n /bin/cp /etc/security/audit_control.example /etc/security/audit_control\nelse\n /usr/bin/touch /etc/security/audit_control\nfi"},{"id":"4700a6ac-f4fa-468a-9ad5-550e481b6832","vulnId":"V-259455","severity":"medium","ruleTitle":"The macOS system must configure system to shut down upon audit failure.","description":"$24","checkContent":"Verify the macOS system is configured to shut down upon audit failure with the following command:\n\n/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'ahlt'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to shut down upon audit failure with the following command:\n\n/usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s"},{"id":"6bb32764-eea2-4dde-a619-4c2826875075","vulnId":"V-259456","severity":"medium","ruleTitle":"The macOS system must configure audit log files to be owned by root.","description":"Audit log files must be owned by root.\n\nThe audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log files owned by root with the following command:\n\n/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with audit log files owned by root with the following command:\n\n/usr/sbin/chown -R root /var/audit/*"},{"id":"bab81251-531c-4f85-885e-bcb5638d1f22","vulnId":"V-259457","severity":"medium","ruleTitle":"The macOS system must configure audit log folders to be owned by root.","description":"Audit log folders must be owned by root.\n\nThe audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log folders are set to only be readable and writable by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log folders owned by root with the following command:\n\n/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $3}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with audit log folders owned by root with the following command:\n\n/usr/sbin/chown root /var/audit"},{"id":"0d135480-ad23-46b7-93c4-a068b671e076","vulnId":"V-259458","severity":"medium","ruleTitle":"The macOS system must configure audit log files group to wheel.","description":"Audit log files must have the group set to wheel.\n\nThe audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log files group-owned by wheel with the following command:\n\n/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$4} END {print s}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with audit log files group-owned by wheel with the following command:\n\n/usr/bin/chgrp -R wheel /var/audit/*"},{"id":"8b61621c-e19e-409c-88ea-f4d9b97a4c96","vulnId":"V-259459","severity":"medium","ruleTitle":"The macOS system must configure audit log folders group to wheel.","description":"Audit log folders must have the group set to wheel.\n\nThe audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.\n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log folders group-owned by wheel with the following command:\n\n/bin/ls -dn $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $4}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with audit log folders group-owned by wheel with the following command:\n\n/usr/bin/chgrp wheel /var/audit"},{"id":"88dadc12-460e-454f-941f-a01b1c17613f","vulnId":"V-259460","severity":"medium","ruleTitle":"The macOS system must configure audit log files to mode 440 or less permissive.","description":"The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying, or deleting audit logs.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log files set to mode 440 or less with the following command:\n\n/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with audit log files set to mode 440 with the following command:\n\n/bin/chmod 440 /var/audit/*"},{"id":"03625d5b-8aed-4114-8711-088c9e033908","vulnId":"V-259461","severity":"medium","ruleTitle":"The macOS system must configure audit log folders to mode 700 or less permissive.","description":"The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.\n\nBecause audit logs contain sensitive data about the system and users, the audit service must be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying, or deleting audit logs.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with audit log folders set to mode 700 or less permissive with the following command:\n\n/usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')\n\nIf the result is not a mode of 700 or less permissive, this is a finding.","fixText":"Configure the macOS system with audit log folders set to mode 700 with the following command:\n\n/bin/chmod 700 /var/audit"},{"id":"68d48aca-8bb0-4b81-9210-229442c03db8","vulnId":"V-259462","severity":"medium","ruleTitle":"The macOS system must be configured to audit all deletions of object attributes.","description":"$25","checkContent":"Verify the macOS system is configured to audit all deletions of object attributes with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fd'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all deletions of object attributes with the following command:\n\n/usr/bin/grep -qE \"^flags.*-fd\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s"},{"id":"4fd2d6e4-beba-4f97-b134-a01985bf0f1e","vulnId":"V-259463","severity":"medium","ruleTitle":"The macOS system must be configured to audit all changes of object attributes.","description":"$26","checkContent":"Verify the macOS system is configured to audit all changes of object attributes with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '^fm'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all changes of object attributes with the following command:\n\n/usr/bin/grep -qE \"^flags.*fm\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s"},{"id":"cb5b71b3-3a21-4055-adda-5ec9feac32de","vulnId":"V-259464","severity":"medium","ruleTitle":"The macOS system must be configured to audit all failed read actions on the system.","description":"The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).\n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.\n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n\nSatisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219","checkContent":"Verify the macOS system is configured to audit all failed read actions on the system with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fr'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all failed read actions on the system with the following command:\n\n/usr/bin/grep -qE \"^flags.*-fr\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s"},{"id":"74b99166-a23e-4ce6-b357-b120e57fdbe1","vulnId":"V-259465","severity":"medium","ruleTitle":"The macOS system must be configured to audit all failed write actions on the system.","description":"The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions).\n\nThis configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file.\n\nWithout auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.\n\nSatisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212","checkContent":"Verify the macOS system is configured to audit all failed write actions on the system with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-fw'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all failed write actions on the system with the following command:\n\n/usr/bin/grep -qE \"^flags.*-fw\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s"},{"id":"c02a80e1-4623-4533-bb60-361f93132423","vulnId":"V-259466","severity":"medium","ruleTitle":"The macOS system must be configured to audit all failed program execution on the system.","description":"The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).\n\nThis configuration ensures that audit lists include events in which program execution has failed.\n\nWithout auditing the enforcement of program execution, it is difficult to identify attempted attacks as there is no audit trail available for forensic investigation.\n\nSatisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000365-GPOS-00152,SRG-OS-000458-GPOS-00203,SRG-OS-000465-GPOS-00209","checkContent":"Verify the macOS system is configured to audit all failed program execution on the system with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec '\\-ex'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit all failed program execution on the system with the following command:\n\n/usr/bin/grep -qE \"^flags.*-ex\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s"},{"id":"35ad86ed-36a7-4408-938b-043b7f7583e2","vulnId":"V-259467","severity":"low","ruleTitle":"The macOS system must configure audit retention to seven days.","description":"The audit service must be configured to require records be kept for an organizational defined value before deletion, unless the system uses a central audit record storage facility.\n\nWhen \"expire-after\" is set to \"7d\", the audit service will not delete audit logs until the log data criteria is met.","checkContent":"Verify the macOS system is configured audit retention to seven days with the following command:\n\n/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control\n\nIf the result is not \"7d\", this is a finding.","fixText":"Configure the macOS system to set audit retention to seven days with the following command:\n\n/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s"},{"id":"bceb92cf-77d8-49ce-81ac-c98a0caf4a6f","vulnId":"V-259468","severity":"medium","ruleTitle":"The macOS system must configure audit capacity warning.","description":"The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.\n\nThis rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.\n\nSatisfies: SRG-OS-000046-GPOS-00022,SRG-OS-000343-GPOS-00134","checkContent":"Verify the macOS system is configured to require a minimum of 25 percent free disk space for audit record storage with the following command:\n\n/usr/bin/awk -F: '/^minfree/{print $2}' /etc/security/audit_control\n\nIf the result is not \"25\", this is a finding.","fixText":"Configure the macOS system to require a minimum of 25 percent free disk space for audit record storage with the following command:\n\n/usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s"},{"id":"dc5072af-78fe-495a-aa85-93ef9f156c0d","vulnId":"V-259469","severity":"medium","ruleTitle":"The macOS system must configure audit failure notification.","description":"The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.\n\nIt is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected.\n\nSatisfies: SRG-OS-000047-GPOS-00023,SRG-OS-000344-GPOS-00135","checkContent":"Verify the macOS system is configured to produce audit failure notification with the following command:\n\n/usr/bin/grep -c \"logger -s -p\" /etc/security/audit_warn\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to produce audit failure notification with the following command:\n\n/usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s"},{"id":"7fcb2eda-9ee0-492f-af45-7cc651be314e","vulnId":"V-259470","severity":"medium","ruleTitle":"The macOS system must configure the system to audit all authorization and authentication events.","description":"The auditing system must be configured to flag authorization and authentication (aa) events.\n\nAuthentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.\n\nAudit records can be generated from various components within the information system (e.g., via a module or policy filter).\n\nSatisfies: SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000475-GPOS-00220,SRG-OS-000477-GPOS-00222","checkContent":"Verify the macOS system is configured to audit logon events with the following command:\n\n/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\\n' | /usr/bin/grep -Ec 'aa'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to audit logon events with the following command:\n\n/usr/bin/grep -qE \"^flags.*[^-]aa\" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s"},{"id":"c12fb3fb-4e60-49f3-8b2d-5d4ea9cd5553","vulnId":"V-259471","severity":"medium","ruleTitle":"The macOS system must set smart card certificate trust to moderate.","description":"The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).\n\nTo prevent the use of untrusted certificates, the certificates on a smart card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its \"valid-after\" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking.\n\nBy setting the smart card certificate trust level to moderate, the system will execute a soft revocation, i.e., if the OCSP/CRL server is unreachable, authentication will still succeed.\n\nNote: Before applying this setting, refer to the smart card supplemental guidance.\n\nSatisfies: SRG-OS-000066-GPOS-00034,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167,SRG-OS-000403-GPOS-00182","checkContent":"Verify the macOS system is configured to check the revocation status of user certificates with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\\\n.objectForKey('checkCertificateTrust').js\nEOS\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to check the revocation status of user certificates by installing the \"com.apple.security.smartcard\" configuration profile. \n\nNote: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile."},{"id":"8d272754-f201-4646-a3e9-7a489a6301ad","vulnId":"V-259472","severity":"medium","ruleTitle":"The macOS system must disable root logon for SSH.","description":"If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled.\n\nThe macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151","checkContent":"Verify the macOS system is configured to disable root login for SSH with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/awk '/permitrootlogin/{print $2}'\n\nIf the result is not \"no\", this is a finding.","fixText":"Configure the macOS system to disable root login for SSH with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\n\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\n\n/usr/bin/grep -qxF 'permitrootlogin no' \"${include_dir}01-mscp-sshd.conf\" 2>/dev/null || echo \"permitrootlogin no\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"c3f6ef1a-add7-4ebb-96aa-95a6fca5d2be","vulnId":"V-259473","severity":"medium","ruleTitle":"The macOS system must configure audit_control group to wheel.","description":"/etc/security/audit_control must have the group set to wheel.\n\nThe audit service must be configured with the correct group ownership to prevent normal users from manipulation audit log configurations.\n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with the audit_control group to wheel with the following command:\n\n/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with the audit_control group to wheel with the following command:\n\n/usr/bin/chgrp wheel /etc/security/audit_control"},{"id":"c8ae84c1-541a-4a82-a353-69f3e5742069","vulnId":"V-259474","severity":"medium","ruleTitle":"The macOS system must configure audit_control owner to root.","description":"/etc/security/audit_control must have the owner set to root.\n\nThe audit service must be configured with the correct ownership to prevent normal users from manipulation audit log configurations.\n\nAudit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured with the audit_control owner to root with the following command:\n\n/bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $3}'\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with the audit_control owner to root with the following command:\n\n/usr/sbin/chown root /etc/security/audit_control"},{"id":"dffee7ad-078f-415e-8ff5-7576d44d01c7","vulnId":"V-259475","severity":"medium","ruleTitle":"The macOS system must configure audit_control to mode 440 or less permissive.","description":"/etc/security/audit_control must be configured so that it is readable only by the root user and group wheel.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured audit_control to mode 440 or less with the following command:\n\n/bin/ls -l /etc/security/audit_control | /usr/bin/awk '!/-r--[r-]-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/xargs\n\nIf the results are not \"0\", this is a finding.","fixText":"Configure the macOS system with the audit_control to mode 440 with the following command:\n\n/bin/chmod 440 /etc/security/audit_control"},{"id":"5ebe84f4-2dab-47b6-8081-be592b3097b9","vulnId":"V-259476","severity":"medium","ruleTitle":"The macOS system must configure audit_control to not contain access control lists.","description":"/etc/security/audit_control must not contain Access Control Lists (ACLs).\n\n/etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators in order to prevent normal users from manipulating audit logs.\n\nSatisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000063-GPOS-00032,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099","checkContent":"Verify the macOS system is configured without ACLs applied to audit_control with the following command:\n\n/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c \":\"\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system without ACLs applied to audit_control with the following command:\n\n/bin/chmod -N /etc/security/audit_control"},{"id":"40e2a608-0f38-4173-a7e2-0c8479e025c6","vulnId":"V-259477","severity":"high","ruleTitle":"The macOS system must disable password authentication for SSH.","description":"If remote logon through SSH is enabled, password-based authentication must be disabled for user logon.\n\nAll users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.\n\nNote: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000125-GPOS-00065,SRG-OS-000375-GPOS-00160","checkContent":"Verify the macOS system is configured to disable password authentication for SSH with the following command:\n\n/usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\\s+no|kbdinteractiveauthentication\\s+no)'\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to disable password authentication for SSH with the following command:\n\ninclude_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')\nif [[ -z $include_dir ]]; then\n /usr/bin/sed -i.bk \"1s/.*/Include \\/etc\\/ssh\\/sshd_config.d\\/\\*/\" /etc/ssh/sshd_config\nfi\necho \"passwordauthentication no\" >> \"${include_dir}01-mscp-sshd.conf\"\necho \"kbdinteractiveauthentication no\" >> \"${include_dir}01-mscp-sshd.conf\"\n\nfor file in $(ls ${include_dir}); do\n if [[ \"$file\" == \"100-macos.conf\" ]]; then\n continue\n fi\n if [[ \"$file\" == \"01-mscp-sshd.conf\" ]]; then\n break\n fi\n /bin/mv ${include_dir}${file} ${include_dir}20-${file}\ndone"},{"id":"af67bd10-d263-4b35-a42f-ee609203ace9","vulnId":"V-259478","severity":"medium","ruleTitle":"The macOS system must disable Server Message Block sharing.","description":"Support for Server Message Block (SMB) file sharing is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities.","checkContent":"Verify the macOS system is configured to disable Server Message Block sharing with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.smbd\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Server Message Block sharing with the following command:\n\n/bin/launchctl disable system/com.apple.smbd\n\nThe system may need to be restarted for the update to take effect."},{"id":"7deeb607-be32-4a5c-a333-65f144a583ca","vulnId":"V-259479","severity":"medium","ruleTitle":"The macOS system must disable Network File System service.","description":"Support for Network File Systems (NFS) services is nonessential and, therefore, must be disabled.","checkContent":"Verify the macOS system is configured to disable network file system service with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.nfsd\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable network file system service with the following command:\n\n/bin/launchctl disable system/com.apple.nfsd\n\nThe system may need to be restarted for the update to take effect."},{"id":"efe69965-5969-41a4-9211-2c12e5fd604d","vulnId":"V-259480","severity":"medium","ruleTitle":"The macOS system must disable Location Services.","description":"The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.","checkContent":"Verify the macOS system is configured to disable Location Services with the following command:\n\n/usr/bin/sudo -u _locationd /usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd')\\\n.objectForKey('LocationServicesEnabled').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable Location Services with the following command:\n\n/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false; /bin/launchctl kickstart -k system/com.apple.locationd\n\nThe system may need to be restarted for the update to take effect."},{"id":"f51d405b-a95f-4f63-8c72-e22d5406fda2","vulnId":"V-259481","severity":"medium","ruleTitle":"The macOS system must disable Bonjour multicast.","description":"Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.","checkContent":"Verify the macOS system is configured to disable Bonjour multicast with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.mDNSResponder')\\\n.objectForKey('NoMulticastAdvertisements').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Bonjour multicast by installing the \"com.apple.mDNSResponder\" configuration profile."},{"id":"ad37c1ed-6454-457c-be4c-9aeca28a0c16","vulnId":"V-259482","severity":"medium","ruleTitle":"The macOS system must disable Unix-to-Unix Copy Protocol service.","description":"The system must not have the Unix-to-Unix Copy Protocol (UUCP) service active.\n\nUUCP, a set of programs that enable the sending of files between different Unix systems as well as sending commands to be executed on another system, is not essential and must be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling.\n\nNote: UUCP service is disabled at startup by default macOS.","checkContent":"Verify the macOS system is configured to disable Unix-to-Unix copy protocol service with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.uucp\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Unix-to-Unix copy protocol service with the following command:\n\n/bin/launchctl disable system/com.apple.uucp\n\nThe system may need to be restarted for the update to take effect."},{"id":"c8a72ccd-572b-47a8-b790-96ddf649e819","vulnId":"V-259483","severity":"medium","ruleTitle":"The macOS system must disable Internet Sharing.","description":"If the system does not require Internet Sharing, support for it is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling Internet sharing helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling.","checkContent":"Verify the macOS system is configured to disable Internet Sharing with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\\\n.objectForKey('forceInternetSharingOff').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Internet Sharing by installing the \"com.apple.MCX\" configuration profile."},{"id":"f458b0e4-5c7e-4209-aca3-19c2bb5709ad","vulnId":"V-259484","severity":"medium","ruleTitle":"The macOS system must disable the built-in web server.","description":"The built-in web server is a nonessential service built into macOS and must be disabled.\n\nNote: The built in web server service is disabled at startup by default macOS.","checkContent":"Verify the macOS system is configured to disable the built-in web server with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"org.apache.httpd\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable the built-in web server with the following command:\n\n/bin/launchctl disable system/org.apache.httpd\n\nThe system may need to be restarted for the update to take effect."},{"id":"d8deb3f0-e78b-446b-91d0-c70962637772","vulnId":"V-259485","severity":"medium","ruleTitle":"The macOS system must disable AirDrop.","description":"AirDrop must be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices.\n\nSatisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118","checkContent":"Verify the macOS system is configured to disable AirDrop with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowAirDrop').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable AirDrop by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"d134b0c2-ba44-4940-8c0c-ffb113e6deb3","vulnId":"V-259486","severity":"medium","ruleTitle":"The macOS system must disable FaceTime.app.","description":"The macOS built-in FaceTime.app must be disabled.

The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access.

[IMPORTANT]
====
Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
====","checkContent":"Verify the macOS system is configured to disable FaceTime.app with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\\\n .objectForKey('familyControlsEnabled'))\n let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\\\n .objectForKey('pathBlackList').js\n for ( let app in pathlist ) {\n if ( ObjC.unwrap(pathlist[app]) == \"/Applications/FaceTime.app\" && pref1 == true ){\n return(\"true\")\n }\n }\n return(\"false\")\n }\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable FaceTime.app by installing the \"com.apple.applicationaccess.new\" configuration profile."},{"id":"c2c78c21-cda8-4b33-823f-2975f0885342","vulnId":"V-259487","severity":"medium","ruleTitle":"The macOS system must disable the iCloud Calendar services.","description":"The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Calendar services with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudCalendar').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Calendar services by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"4610a38d-1771-44f0-a9de-6daf260b5efd","vulnId":"V-259488","severity":"medium","ruleTitle":"The macOS system must disable iCloud Reminders.","description":"The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Reminders with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudReminders').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Reminders by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"c06c9404-4404-4168-9d28-c6913b4d1355","vulnId":"V-259489","severity":"medium","ruleTitle":"The macOS system must disable iCloud Address Book.","description":"The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Address Book with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudAddressBook').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Address Book by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"0886adb6-f8b9-4015-9689-1976ae66be6a","vulnId":"V-259490","severity":"medium","ruleTitle":"The macOS system must disable iCloud Mail.","description":"The macOS built-in Mail.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Mail with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudMail').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Mail by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"f8c56050-df5a-4e82-a8e1-3fad874586bf","vulnId":"V-259491","severity":"medium","ruleTitle":"The macOS system must disable iCloud Notes.","description":"The macOS built-in Notes.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Notes with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudNotes').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Notes by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"8ed2aced-23d4-4ef3-9afc-30ca6102cb09","vulnId":"V-259492","severity":"medium","ruleTitle":"The macOS system must disable the camera.","description":"macOS must be configured to disable the camera.","checkContent":"$27","fixText":"Configure the macOS system to disable the camera by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"8c536648-315d-42a9-8904-5f4c1f8b1514","vulnId":"V-259493","severity":"medium","ruleTitle":"The macOS system must disable Siri.","description":"Support for Siri is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities.","checkContent":"Verify the macOS system is configured to disable Siri with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowAssistant').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable Siri by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"c9a0c2c6-902e-454d-8c85-4a5a6d7c4d62","vulnId":"V-259494","severity":"medium","ruleTitle":"The macOS system must disable sending diagnostic and usage data to Apple.","description":"The ability to submit diagnostic data to Apple must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.\n\nSatisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084","checkContent":"Verify the macOS system is configured to disable sending diagnostic and usage data to Apple with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\nlet pref1 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SubmitDiagInfo')\\\n.objectForKey('AutoSubmit').js\nlet pref2 = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowDiagnosticSubmission').js\nif ( pref1 == false && pref2 == false ){\n return(\"true\")\n} else {\n return(\"false\")\n}\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable sending diagnostic and usage data to Apple by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"06eba22a-9436-41b7-b6e0-3fee90bfc71b","vulnId":"V-259495","severity":"medium","ruleTitle":"The macOS system must disable Remote Apple Events.","description":"If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.\n\nSatisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000096-GPOS-00050","checkContent":"Verify the macOS system is configured to disable Remote Apple Events with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.AEServer\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Remote Apple Events with the following commands:\n\n/usr/sbin/systemsetup -setremoteappleevents off\n/bin/launchctl disable system/com.apple.AEServer\n\nNote: Systemsetup with -setremoteappleevents flag will fail unless Full Disk Access to systemsetup or its parent process is granted. This requires supervision."},{"id":"00eb9745-2dcc-41a8-8313-9c97a57c8c01","vulnId":"V-259496","severity":"medium","ruleTitle":"The macOS system must disable Apple ID setup during Setup Assistant.","description":"The prompt for Apple ID setup during Setup Assistant must be disabled.\n\nmacOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first log on.","checkContent":"Verify the macOS system is configured to disable Apple ID setup during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipCloudSetup').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Apple ID setup during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"1bdbd4cc-2c2f-4a0c-9f40-4b9da6df11e4","vulnId":"V-259497","severity":"medium","ruleTitle":"The macOS system must disable Privacy Setup services during Setup Assistant.","description":"The prompt for Privacy Setup services during Setup Assistant must be disabled.\n\nOrganizations must apply organizationwide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, must be disabled to prevent against the risk of individuals electing privacy settings with the potential to override organizationwide settings.","checkContent":"Verify the macOS system is configured to disable Privacy Setup services during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipPrivacySetup').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Privacy Setup services during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"b91965e3-138f-4d87-95f8-e3472cb85ee2","vulnId":"V-259498","severity":"medium","ruleTitle":"The macOS system must disable iCloud Storage Setup during Setup Assistant.","description":"The prompt to set up iCloud storage services during Setup Assistant must be disabled.\n\nThe default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data.","checkContent":"Verify the macOS system is configured to disable iCloud Storage Setup during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipiCloudStorageSetup').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Storage Setup during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"ebd2ebec-36e5-4ccb-9c7f-41c771923c75","vulnId":"V-259499","severity":"high","ruleTitle":"The macOS system must disable Trivial File Transfer Protocol service.","description":"If the system does not require Trivial File Transfer Protocol (TFTP), support it is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information.\n\nNote: TFTP service is disabled at startup by default macOS.\n\nSatisfies: SRG-OS-000074-GPOS-00042,SRG-OS-000080-GPOS-00048","checkContent":"Verify the macOS system is configured to disable trivial file transfer protocol service with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.tftpd\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable trivial file transfer protocol service with the following command:\n\n/bin/launchctl disable system/com.apple.tftpd\n\nThe system may need to be restarted for the update to take effect."},{"id":"6b07ad7a-5f0f-4523-bf97-40132ecf3c31","vulnId":"V-259500","severity":"medium","ruleTitle":"The macOS system must disable Siri Setup during Setup Assistant.","description":"The prompt for Siri during Setup Assistant must be disabled.\n\nOrganizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, must be disabled to prevent against the risk of individuals electing Siri settings with the potential to override organizationwide settings.","checkContent":"Verify the macOS system is configured to disable Siri Setup during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipSiriSetup').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Siri Setup during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"640d2015-2e54-4f91-8633-e9e1cb73cd6f","vulnId":"V-259501","severity":"medium","ruleTitle":"The macOS system must disable iCloud Keychain synchronization.","description":"The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Keychain synchronization with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudKeychainSync').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Keychain synchronization by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"cd279459-30cc-40bf-8941-8253eb09a8f3","vulnId":"V-259502","severity":"medium","ruleTitle":"The macOS system must disable iCloud Document synchronization.","description":"The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Document synchronization with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudDocumentSync').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Document synchronization by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"218aaaf4-e1b6-489f-ae60-e32cb2434a3f","vulnId":"V-259503","severity":"medium","ruleTitle":"The macOS system must disable iCloud Bookmarks.","description":"The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Bookmarks with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudBookmarks').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Bookmarks by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"da251c1f-a20b-4f56-8e24-151329381537","vulnId":"V-259504","severity":"medium","ruleTitle":"The macOS system must disable iCloud Photo Library.","description":"The macOS built-in Photos.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable the iCloud Photo Library with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudPhotoLibrary').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable the iCloud Photo Library by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"1ea250c7-b64b-43d7-a08b-3631c0dfcaae","vulnId":"V-259505","severity":"medium","ruleTitle":"The macOS system must disable Screen Sharing and Apple Remote Desktop.","description":"Support for both Screen Sharing and Apple Remote Desktop (ARD) is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.","checkContent":"Verify the macOS system is configured to disable Screen Sharing and Apple Remote Desktop with the following command:\n\n/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.screensharing\" => disabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Screen Sharing and Apple Remote Desktop with the following command:\n\n/bin/launchctl disable system/com.apple.screensharing\n\nThe system may need to be restarted for the update to take effect.\nNote: This will apply to the whole system."},{"id":"fd37807a-9cda-408f-a7e4-c5f81777327c","vulnId":"V-259506","severity":"medium","ruleTitle":"The macOS system must disable the TouchID System Settings pane.","description":"The System Settings pane for TouchID must be disabled.\n\nDisabling the System Settings pane prevents the users from configuring TouchID.","checkContent":"Verify the macOS system is configured to disable the TouchID System Settings pane with the following command:\n\n/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()=\"DisabledSystemSettings\"]/following-sibling::*[1]' - | /usr/bin/grep -c \"com.apple.Touch-ID-Settings.extension\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable the TouchID System Settings pane by installing the \"com.apple.systempreferences\" configuration profile."},{"id":"f4b30fd0-1e87-4286-867d-31c9df674232","vulnId":"V-259507","severity":"medium","ruleTitle":"The macOS system must disable the System Settings pane for Wallet and Apple Pay.","description":"The System Settings pane for Wallet and Apple Pay must be disabled.\n\nDisabling the System Settings pane prevents the users from configuring Wallet and Apple Pay.","checkContent":"Verify the macOS system is configured to disable the System Settings pane for Wallet and Apple Pay with the following command:\n\n/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()=\"DisabledSystemSettings\"]/following-sibling::*[1]' - | /usr/bin/grep -c \"com.apple.WalletSettingsExtension\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable the System Settings pane for Wallet and Apple Pay by installing the \"com.apple.systempreferences\" configuration profile."},{"id":"82467816-e877-4fd3-80f7-c3383a5ea7a3","vulnId":"V-259508","severity":"medium","ruleTitle":"The macOS system must disable the system settings pane for Siri.","description":"The System Settings pane for Siri must be hidden.\n\nHiding the System Settings pane prevents the users from configuring Siri.","checkContent":"Verify the macOS system is configured to disable the system settings pane for Siri with the following command:\n\n/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()=\"DisabledSystemSettings\"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable the system settings pane for Siri by installing the \"com.apple.systempreferences\" configuration profile."},{"id":"c8013087-86e2-4824-b60f-bda66450283e","vulnId":"V-259509","severity":"high","ruleTitle":"The macOS system must apply gatekeeper settings to block applications from unidentified developers.","description":"The information system implements cryptographic mechanisms to authenticate software prior to installation.\n\nGatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.","checkContent":"Verify the macOS system is configured to apply gatekeeper settings to block applications from unidentified developers with the following command:\n\n/usr/sbin/spctl --status --verbose | /usr/bin/grep -c \"developer id enabled\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to apply gatekeeper settings to block applications from unidentified developers with the following command:\n\n/usr/sbin/spctl --global-enable; /usr/sbin/spctl --enable"},{"id":"2c12fa39-1031-4d9a-98f2-45a5ac1208a8","vulnId":"V-259510","severity":"high","ruleTitle":"The macOS system must disable Bluetooth when no approved device is connected.","description":"The macOS system must be configured to disable Bluetooth unless an approved device is connected.\n\n[IMPORTANT]\n====\nInformation system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====\n\nSatisfies: SRG-OS-000423-GPOS-00187,SRG-OS-000481-GPOS-00481","checkContent":"Verify the macOS system is configured to disable Bluetooth with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\\\n.objectForKey('DisableBluetooth').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Bluetooth by installing the \"com.apple.MCXBluetooth\" configuration profiles."},{"id":"4745990f-fd5e-4d1a-b50c-61837a980a40","vulnId":"V-259511","severity":"medium","ruleTitle":"The macOS system must disable the guest account.","description":"Guest access must be disabled.\n\nTurning off guest access prevents anonymous users from accessing files.","checkContent":"Verify the macOS system is configured to disable the guest account with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\\\n.objectForKey('DisableGuestAccount'))\n let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\\\n.objectForKey('EnableGuestAccount'))\n if ( pref1 == true && pref2 == false ) {\n return(\"true\")\n } else {\n return(\"false\")\n }\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable the guest account by installing the \"com.apple.MCX\" configuration profile."},{"id":"b4a3ea6a-d2e6-4cfd-8829-45392f7023cb","vulnId":"V-259512","severity":"high","ruleTitle":"The macOS system must enable Gatekeeper.","description":"Gatekeeper must be enabled.\n\nGatekeeper is a security feature that ensures applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.\n\nAdministrator users will still have the option to override these settings on a case-by-case basis.","checkContent":"Verify the macOS system is configured to enable gatekeeper with the following command:\n\n/usr/sbin/spctl --status | /usr/bin/grep -c \"assessments enabled\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to enable gatekeeper with the following command:\n\n/usr/sbin/spctl --global-enable"},{"id":"5a8e78d0-b10e-4349-98cb-94604f33cc39","vulnId":"V-259513","severity":"medium","ruleTitle":"The macOS system must disable unattended or automatic log on to the system.","description":"Automatic logon must be disabled.\n\nWhen automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.","checkContent":"Verify the macOS system is configured to disable unattended or automatic logon to the system with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\\\n.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable unattended or automatic logon to the system by installing the \"com.apple.loginwindow\" configuration profile."},{"id":"768a5d50-60b9-47a7-bf7b-950d68eb25b1","vulnId":"V-259514","severity":"medium","ruleTitle":"The macOS system must secure user's home folders.","description":"The system must be configured to prevent access to other user's home folders.\n\nThe default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within.","checkContent":"Verify the macOS system is configured so that permissions are set correctly on user home directories with the following command:\n\n/usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \$ -perm 700 -o -perm 711 \$ | /usr/bin/grep -v \"Shared\" | /usr/bin/grep -v \"Guest\" | /usr/bin/wc -l | /usr/bin/xargs\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system to set the appropriate permissions for each user on the system with the following command:\n\nIFS=$'\\n'\nfor userDirs in $( /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d ! \$ -perm 700 -o -perm 711 \$ | /usr/bin/grep -v \"Shared\" | /usr/bin/grep -v \"Guest\" ); do\n /bin/chmod og-rwx \"$userDirs\"\ndone\nunset IFS"},{"id":"bd4408f4-a411-4fd2-99c7-1f90bc521697","vulnId":"V-259515","severity":"high","ruleTitle":"The macOS system must require administrator privileges to modify systemwide settings.","description":"The system must be configured to require an administrator password in order to modify the systemwide preferences in System Settings.\n\nSome Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these systemwide settings reduces the risk of a nonauthorized user modifying system configurations.","checkContent":"Verify the macOS system is configured to require administrator privileges to modify systemwide settings with the following command:\n\nauthDBs=(\"system.preferences\" \"system.preferences.energysaver\" \"system.preferences.network\" \"system.preferences.printing\" \"system.preferences.sharing\" \"system.preferences.softwareupdate\" \"system.preferences.startupdisk\" \"system.preferences.timemachine\")\nresult=\"1\"\nfor section in ${authDBs[@]}; do\n if [[ $(/usr/bin/security -q authorizationdb read \"$section\" | /usr/bin/xmllint -xpath 'name(//*[contains(text(), \"shared\")]/following-sibling::*[1])' -) != \"false\" ]]; then\n result=\"0\"\n fi\ndone\necho $result\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to require administrator privileges to modify systemwide settings with the following command:\n\nauthDBs=(\"system.preferences\" \"system.preferences.energysaver\" \"system.preferences.network\" \"system.preferences.printing\" \"system.preferences.sharing\" \"system.preferences.softwareupdate\" \"system.preferences.startupdisk\" \"system.preferences.timemachine\")\n\nfor section in ${authDBs[@]}; do\n/usr/bin/security -q authorizationdb read \"$section\" > \"/tmp/$section.plist\"\nkey_value=$(/usr/libexec/PlistBuddy -c \"Print :shared\" \"/tmp/$section.plist\" 2>&1)\nif [[ \"$key_value\" == *\"Does Not Exist\"* ]]; then\n /usr/libexec/PlistBuddy -c \"Add :shared bool false\" \"/tmp/$section.plist\"\nelse\n /usr/libexec/PlistBuddy -c \"Set :shared false\" \"/tmp/$section.plist\"\nfi\n /usr/bin/security -q authorizationdb write \"$section\" < \"/tmp/$section.plist\"\ndone"},{"id":"287a7651-8b8d-4ded-abc3-3e758a4ccb70","vulnId":"V-259516","severity":"medium","ruleTitle":"The macOS system must disable Airplay Receiver.","description":"Airplay Receiver allows users to send content from another Apple device to be displayed on the screen as it is being played from another device.\n\nSupport for Airplay Receiver is nonessential and must be disabled.\n\nThe information system must be configured to provide only essential capabilities.\n\nSatisfies: SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118","checkContent":"Verify the macOS system is configured to disable Airplay Receiver with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowAirPlayIncomingRequests').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable Airplay Receiver by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"cb780c22-07f3-4d60-a941-97243767958a","vulnId":"V-259517","severity":"medium","ruleTitle":"The macOS system must disable TouchID for unlocking the device.","description":"TouchID enables the ability to unlock a macOS system with a user's fingerprint.\n\nTouchID must be disabled for \"Unlocking your Mac\" on all macOS devices that are capable of using TouchID.\n\nThe system must remain locked until the user establishes access using an authorized identification and authentication method.","checkContent":"Verify the macOS system is configured to disable TouchID for unlocking the device with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowFingerprintForUnlock').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable TouchID for unlocking the device by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"2e07ea52-be9b-4162-b196-908cb638d277","vulnId":"V-259518","severity":"medium","ruleTitle":"The macOS system must disable Media Sharing.","description":"Media sharing must be disabled.\n\nWhen Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.\n\nThe information system must be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk.\n\nNote: The Media Sharing preference panel will still allow \"Home Sharing\" and \"Share media with guests\" to be checked but the service will not be enabled.","checkContent":"Verify the macOS system is configured to disable media sharing with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\\\n .objectForKey('homeSharingUIStatus'))\n let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\\\n .objectForKey('legacySharingUIStatus'))\n let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.preferences.sharing.SharingPrefsExtension')\\\n .objectForKey('mediaSharingUIStatus'))\n if ( pref1 == 0 && pref2 == 0 && pref3 == 0 ) {\n return(\"true\")\n } else {\n return(\"false\")\n }\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable media sharing by installing the \"com.apple.preferences.sharing.SharingPrefsExtension\" configuration profile."},{"id":"be5a65c6-4d00-4e84-b407-3ec6e25cd758","vulnId":"V-259519","severity":"medium","ruleTitle":"The macOS system must disable Bluetooth sharing.","description":"Bluetooth Sharing must be disabled.\n\nBluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated.\n\n[NOTE]\n====\nThe check and fix are for the currently logged on user. To get the currently logged on user, run the following.\n[source,bash]\n----\nCURRENT_USER=$( /usr/sbin/scutil <<< \"show State:/Users/ConsoleUser\" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )\n----\n====\n\nSatisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000095-GPOS-00049","checkContent":"Verify the macOS system is configured to disable Bluetooth sharing with the following command:\n\n/usr/bin/sudo -u \"$CURRENT_USER\" /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system to disable Bluetooth sharing with the following command:\n\n/usr/bin/sudo -u \"$CURRENT_USER\" /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false"},{"id":"e292206e-4ba0-4881-8460-3ebdeb87b0cf","vulnId":"V-259520","severity":"medium","ruleTitle":"The macOS system must disable AppleID and Internet Account modifications.","description":"The system must disable account modification. \n\nAccount modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane.\n \nThis prevents the addition of unauthorized accounts.\n\n[IMPORTANT]\n====\nSome organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information system security officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.\n====","checkContent":"Verify the macOS system is configured to disable account modification with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowAccountModification').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable account modification by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"2582c349-f167-4360-b5a8-1ba84086a574","vulnId":"V-259521","severity":"medium","ruleTitle":"The macOS system must disable CD/DVD Sharing.","description":"CD/DVD Sharing must be disabled.","checkContent":"Verify the macOS system is configured to disable CD/DVD Sharing with the following command:\n\n/usr/bin/pgrep -q ODSAgent; /bin/echo $?\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable CD/DVD Sharing with the following command:\n\n/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.ODSAgent.plist"},{"id":"77044a1f-846e-4c1b-8c15-c3382d13956e","vulnId":"V-259522","severity":"medium","ruleTitle":"The macOS system must disable content caching service.","description":"Content caching must be disabled.\n\nContent caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.","checkContent":"Verify the macOS system is configured to disable content caching service with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowContentCaching').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable content caching service by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"7326858b-2b13-4f51-a3a7-7e8ad23898aa","vulnId":"V-259523","severity":"medium","ruleTitle":"The macOS system must disable iCloud desktop and document folder synchronization.","description":"The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud desktop and document folder synchronization with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudDesktopAndDocuments').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud desktop and document folder synchronization by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"06114512-64a2-49f3-b8ed-5bd617689305","vulnId":"V-259524","severity":"medium","ruleTitle":"The macOS system must disable iCloud Game Center.","description":"This works only with supervised devices (MDM) and allows Apple Game Center to be disabled. The rationale is Game Center is using Apple ID and will share data on AppleID-based services; therefore, Game Center must be disabled. This setting also prohibits the functionality of adding friends to Game Center.","checkContent":"Verify the macOS system is configured to disable iCloud Game Center with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowGameCenter').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Game Center by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"f16a42b2-b28b-43df-ad50-09d7d0cfcc68","vulnId":"V-259525","severity":"medium","ruleTitle":"The macOS system must disable iCloud Private Relay.","description":"Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.\n\nNetwork administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com.","checkContent":"Verify the macOS system is configured to disable the iCloud Private Relay with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudPrivateRelay').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable the iCloud Private Relay by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"5e9030fe-0edc-4ec5-88b8-64ca38f364c0","vulnId":"V-259526","severity":"medium","ruleTitle":"The macOS system must disable Find My service.","description":"The Find My service must be disabled.\n\nA Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service.\n\nApple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.","checkContent":"Verify the macOS system is configured to disable Find My service with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowFindMyDevice'))\n let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowFindMyFriends'))\n let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\\\n.objectForKey('DisableFMMiCloudSetting'))\n if ( pref1 == false && pref2 == false && pref3 == true ) {\n return(\"true\")\n } else {\n return(\"false\")\n }\n}\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Find My service by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"ab327304-5e1d-41e2-8769-77626d18103c","vulnId":"V-259527","severity":"medium","ruleTitle":"The macOS system must disable password autofill.","description":"Password Autofill must be disabled.\n\nmacOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature must be disabled to prevent users from being prompted to save passwords in applications.","checkContent":"Verify the macOS system is configured to disable password autofill with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowPasswordAutoFill').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable password autofill by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"9b64df6e-c0f3-4515-8ddb-9a09b4c8bc39","vulnId":"V-259528","severity":"medium","ruleTitle":"The macOS system must disable personalized advertising.","description":"Ad tracking and targeted ads must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.","checkContent":"Verify the macOS system is configured to disable personalized advertising with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowApplePersonalizedAdvertising').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable personalized advertising by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"143ee707-35c7-4487-b438-8f7a5a09973d","vulnId":"V-259529","severity":"medium","ruleTitle":"The macOS system must disable sending Siri and Dictation information to Apple.","description":"The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled.\n\nThe information system must be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.","checkContent":"Verify the macOS system is configured to disable sending Siri and Dictation information to Apple with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\\\n.objectForKey('Siri Data Sharing Opt-In Status').js\nEOS\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to disable sending Siri and Dictation information to Apple by installing the \"com.apple.assistant.support\" configuration profile."},{"id":"75a8fa1f-bb7d-4349-807f-11a779b0b432","vulnId":"V-259530","severity":"medium","ruleTitle":"The macOS system must enforce on device dictation.","description":"Dictation must be restricted to on device only to prevent potential data exfiltration.\n\nThe information system must be configured to provide only essential capabilities.","checkContent":"For Intel-based systems, this is not applicable.\n\nVerify the macOS system is configured to enforce on device dictation with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('forceOnDeviceOnlyDictation').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce on device dictation by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"b7d141d0-90df-4e88-a448-118c79b9c429","vulnId":"V-259531","severity":"medium","ruleTitle":"The macOS system must disable dictation.","description":"Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.","checkContent":"For Apple Silicon-based systems, this is not applicable.\n\nVerify the macOS system is configured to disable dictation with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowDictation').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable dictation by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"b0c37d5f-0316-44de-85e5-61a16a972a54","vulnId":"V-259532","severity":"medium","ruleTitle":"The macOS system must disable Printer Sharing.","description":"Printer Sharing must be disabled.","checkContent":"Verify the macOS system is configured to disable Printer Sharing with the following command:\n\n/usr/sbin/cupsctl | /usr/bin/grep -c \"_share_printers=0\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Printer Sharing with the following commands:\n\n/usr/sbin/cupsctl --no-share-printers\n/usr/bin/lpstat -p | awk '{print $2}'| /usr/bin/xargs -I{} lpadmin -p {} -o printer-is-shared=false"},{"id":"73ec84d0-2830-4f40-b00a-5feb08114fde","vulnId":"V-259533","severity":"medium","ruleTitle":"The macOS system must disable Remote Management.","description":"Remote Management must be disabled.","checkContent":"Verify the macOS system is configured to disable Remote Management with the following command:\n\n/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c \"RemoteDesktopEnabled = 0\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable Remote Management with the following commands:\n\n/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"},{"id":"c080c607-ed6f-4b91-8209-6391905bfe14","vulnId":"V-259534","severity":"medium","ruleTitle":"The macOS system must disable the Bluetooth system settings pane.","description":"The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.","checkContent":"Verify the macOS system is configured to disable the Bluetooth system settings pane with the following command:\n\n/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()=\"DisabledSystemSettings\"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.BluetoothSettings\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to disable the Bluetooth system settings pane by installing the \"com.apple.systempreferences\" configuration profiles."},{"id":"e912d2df-0bed-46cf-9b9e-af5a63a76758","vulnId":"V-259535","severity":"medium","ruleTitle":"The macOS system must disable the iCloud Freeform services.","description":"The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled.\n\nApple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization approved service.","checkContent":"Verify the macOS system is configured to disable iCloud Freeform services with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowCloudFreeform').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable iCloud Freeform services by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"30435d87-dda9-4d98-9999-63197fef86c0","vulnId":"V-259536","severity":"medium","ruleTitle":"The macOS system must issue or obtain public key certificates from an approved service provider.","description":"The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.","checkContent":"Verify the macOS system is configured to issue or obtain public key certificates from an approved service provider with the following command:\n\n/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'\"' '/labl/ {print $4}'\n\nIf the result does not contain a list of approved certificate authorities, this is a finding.","fixText":"Configure the macOS system to issue or obtain public key certificates from an approved service provider by obtaining the approved certificates from the appropriate authority and install them to the System Keychain."},{"id":"e8e3db9a-0144-4e10-9bb6-10a6d03ebcc3","vulnId":"V-259537","severity":"medium","ruleTitle":"The macOS system must require passwords contain a minimum of one numeric character.","description":"The macOS must be configured to require at least one numeric character be used when a password is created.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.","checkContent":"Verify the macOS system is configured to require passwords contain a minimum of one numeric character with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyIdentifier\"]/following-sibling::*[1]/text()' - | /usr/bin/grep \"requireAlphanumeric\" -c\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to require passwords contain a minimum of one numeric character by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile."},{"id":"c773b40a-07d4-4834-9f30-e58a0818cb49","vulnId":"V-259538","severity":"medium","ruleTitle":"The macOS system must restrict maximum password lifetime to 60 days.","description":"The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days.\n\nThis rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.","checkContent":"Verify the macOS system is configured to restrict maximum password lifetime to 60 days with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyAttributeExpiresEveryNDays\"]/following-sibling::*[1]/text()' -\n\nIf the result is not \"60\" or less, this is a finding.","fixText":"Configure the macOS system to restrict maximum password lifetime to 60 days by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile."},{"id":"4d328f8a-a3cd-4dcd-9179-363339def7d1","vulnId":"V-259540","severity":"medium","ruleTitle":"The macOS system must require a minimum password length of 14 characters.","description":"The macOS must be configured to require a minimum of 14 characters be used when a password is created.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.","checkContent":"Verify the macOS system is configured to enforce a minimum 14-character password length with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),\"policyAttributePassword matches '\\''.{14,}'\\''\")])' -\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce a 14-character password length by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile."},{"id":"b956503a-ef61-4a6d-b6f4-8f8e71478b70","vulnId":"V-259541","severity":"medium","ruleTitle":"The macOS system must require passwords contain a minimum of one special character.","description":"The macOS must be configured to require at least one special character be used when a password is created.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.","checkContent":"Verify the macOS system is configured to require passwords contain a minimum of one special character with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),\"policyAttributePassword matches '\\''(.*[^a-zA-Z0-9].*){1,}'\\''\")])' -\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to require passwords contain a minimum of one special character by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile."},{"id":"7cff4098-fbf3-4eb9-b8cc-8f57de7d6d6e","vulnId":"V-259542","severity":"medium","ruleTitle":"The macOS system must disable password hints.","description":"Password hints must be disabled.\n\nPassword hints leak information about passwords that are currently in use and can lead to loss of confidentiality.","checkContent":"Verify the macOS system is configured to disable password hints with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\\\n.objectForKey('RetriesUntilHint').js\nEOS\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system to disable password hints by installing the \"com.apple.loginwindow\" configuration profile."},{"id":"c4fff35b-dd67-41c1-8cb0-c8883fc61c8e","vulnId":"V-259543","severity":"medium","ruleTitle":"The macOS system must enable firmware password.","description":"A firmware password must be enabled and set.\n\nSingle user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the \"Option\" key down during startup. Setting a firmware password restricts access to these tools.\n\nTo set a firmware passcode use the following command:\n\n[source,bash]\n----\n/usr/sbin/firmwarepasswd -setpasswd\n----\n\nNote: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated.\n\nNote: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.","checkContent":"For Apple Silicon systems, this is not applicable.\n\nVerify the macOS system is configured with a firmware password with the following command:\n\n/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c \"Password Enabled: Yes\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system with a firmware password with the following command:\n\n/usr/sbin/firmwarepasswd -setpasswd\n\nNote: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated."},{"id":"688ed5b5-9b45-4100-b1f9-661856c26084","vulnId":"V-259544","severity":"medium","ruleTitle":"The macOS system must remove password hints from user accounts.","description":"User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.","checkContent":"Verify the macOS system is configured to remove password hints from user accounts with the following command:\n\n/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system to remove password hints from user accounts with the following command:\n\nfor u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do\n /usr/bin/dscl . -delete /Users/$u hint\ndone"},{"id":"2802e6f4-409d-46b8-bf77-b582c37e3e1d","vulnId":"V-259545","severity":"medium","ruleTitle":"The macOS system must enforce smart card authentication.","description":"Smart card authentication must be enforced.\n\nThe use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.\n\nWhen enforceSmartCard is set to \"true\", the smart card must be used for logon, authorization, and unlocking the screen saver.\n\nCAUTION: enforceSmartCard will apply to the whole system. No users will be able to log on with their password unless the profile is removed or a user is exempt from smart card enforcement.\n\nNote: enforceSmartcard requires allowSmartcard to be set to true in order to work.\n\nSatisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161","checkContent":"Verify the macOS system is configured to enforce multifactor authentication with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\\\n.objectForKey('enforceSmartCard').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce multifactor authentication by installing the \"com.apple.security.smartcard\" configuration profile.\n\nNote: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile."},{"id":"4da36a84-cfcf-435b-90f2-39a21d0134ab","vulnId":"V-259546","severity":"medium","ruleTitle":"The macOS system must allow smart card authentication.","description":"Smart card authentication must be allowed.\n\nThe use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.\n\nWhen enabled, the smart card can be used for logon, authorization, and screen saver unlocking.\n\nSatisfies: SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000376-GPOS-00161","checkContent":"Verify the macOS system is configured to allow smart card authentication with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\\\n.objectForKey('allowSmartCard').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce multifactor authentication by installing the \"com.apple.security.smartcard\" configuration profile.\n\nNote: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile."},{"id":"6d9076eb-7f30-4de2-87e8-0129259484dd","vulnId":"V-259547","severity":"medium","ruleTitle":"The macOS system must enforce multifactor authentication for logon.","description":"The system must be configured to enforce multifactor authentication.\n\nAll users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.\n\nIMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.\n\nNote: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057","checkContent":"Verify the macOS system is configured to enforce multifactor authentication for login with the following command:\n\n/usr/bin/grep -Ec '^(auth\\s+sufficient\\s+pam_smartcard.so|auth\\s+required\\s+pam_deny.so)' /etc/pam.d/login\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to enforce multifactor authentication for login with the following commands:\n\n/bin/cat > /etc/pam.d/login << LOGIN_END\n# login: auth account password session\nauth sufficient pam_smartcard.so\nauth optional pam_krb5.so use_kcminit\nauth optional pam_ntlm.so try_first_pass\nauth optional pam_mount.so try_first_pass\nauth required pam_opendirectory.so try_first_pass\nauth required pam_deny.so\naccount required pam_nologin.so\naccount required pam_opendirectory.so\npassword required pam_opendirectory.so\nsession required pam_launchd.so\nsession required pam_uwtmp.so\nsession optional pam_mount.so\nLOGIN_END\n\n/bin/chmod 644 /etc/pam.d/login\n/usr/sbin/chown root:wheel /etc/pam.d/login"},{"id":"4f6485d1-c8dc-42de-be69-30403ebb1e26","vulnId":"V-259548","severity":"medium","ruleTitle":"The macOS system must enforce multifactor authentication for the su command.","description":"The system must be configured such that, when the su command is used, multifactor authentication is enforced.\n\nAll users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.\n\nIMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.\n\nNote: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057","checkContent":"Verify the macOS system is configured to enforce multifactor authentication for the su command with the following command:\n\n/usr/bin/grep -Ec '^(auth\\s+sufficient\\s+pam_smartcard.so|auth\\s+required\\s+pam_rootok.so)' /etc/pam.d/su\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to enforce multifactor authentication for the su command with the following commands:\n\n/bin/cat > /etc/pam.d/su << SU_END\n# su: auth account password session\nauth sufficient pam_smartcard.so\nauth required pam_rootok.so\nauth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe\naccount required pam_permit.so\naccount required pam_opendirectory.so no_check_shell\npassword required pam_opendirectory.so\nsession required pam_launchd.so\nSU_END\n\n# Fix new file ownership and permissions\n/bin/chmod 644 /etc/pam.d/su\n/usr/sbin/chown root:wheel /etc/pam.d/su"},{"id":"6e4995e8-a311-43b2-b8e7-0dd83c925943","vulnId":"V-259549","severity":"medium","ruleTitle":"The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.","description":"The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.\n\nAll users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.\n\nIMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.\n\nNote: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.\n\nSatisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057","checkContent":"Verify the macOS system is configured to enforce multifactor authentication for privilege escalation through the sudo command with the following command:\n\n/usr/bin/grep -Ec '^(auth\\s+sufficient\\s+pam_smartcard.so|auth\\s+required\\s+pam_deny.so)' /etc/pam.d/sudo\n\nIf the result is not \"2\", this is a finding.","fixText":"Configure the macOS system to enforce multifactor authentication for privilege escalation through the sudo command with the following commands:\n\n/bin/cat > /etc/pam.d/sudo << SUDO_END\n# sudo: auth account password session\nauth sufficient pam_smartcard.so\nauth required pam_opendirectory.so\nauth required pam_deny.so\naccount required pam_permit.so\npassword required pam_deny.so\nsession required pam_permit.so\nSUDO_END\n\n/bin/chmod 444 /etc/pam.d/sudo\n/usr/sbin/chown root:wheel /etc/pam.d/sudo"},{"id":"bb4a62d8-8107-4a99-9424-9809b1e2f181","vulnId":"V-259550","severity":"medium","ruleTitle":"The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.","description":"The macOS be configured to require at least one lowercase character and one uppercase character be used when a password is created.\n\nThis rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.\n\nNote: The configuration profile generated must be installed from an MDM server.\n\nSatisfies: SRG-OS-000069-GPOS-00037,SRG-OS-000070-GPOS-00038","checkContent":"Verify the macOS system is configured to require passwords contain a minimum of one lowercase character and one uppercase character with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),\"policyAttributePassword matches '\\''^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$'\\''\")])' -\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to require at least one lowercase character and one uppercase character in password complexity by installing the \"com.apple.mobiledevice.passwordpolicy\" configuration profile."},{"id":"657b0cda-1ce0-4db3-a37b-e02520a83fe7","vulnId":"V-259551","severity":"medium","ruleTitle":"The macOS system must set minimum password lifetime to 24 hours.","description":"The macOS must be configured to enforce a minimum password lifetime limit of 24 hours.\n\nThis rule discourages users from cycling through their previous passwords to get back to a preferred one.\n\nNote: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.","checkContent":"Verify the macOS system is configured to set minimum password lifetime to 24 hours with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyAttributeMinimumLifetimeHours\"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 24 ) {print \"yes\"} else {print \"no\"}}'\n\nIf the result is not \"yes\", this is a finding.","fixText":"Configure the macOS system to set minimum password lifetime to 24 hours.\n\nThis setting may be enforced using local policy or by a directory service.\n\nTo set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the \"policyCategoryPasswordContent\":\n\n[source,xml]\n----\n\npolicyContent\npolicyAttributeLastPasswordChangeTime < policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)\npolicyIdentifier\nMinimum Password Lifetime\npolicyParameters\n\npolicyAttributeMinimumLifetimeHours\n24\n\n\n----\nAfter saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of \"$pwpolicy_file\".\n\n[source,bash]\n----\n/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file\n----"},{"id":"66230ff2-4c6a-4576-aa72-c8298bdd7c8c","vulnId":"V-259552","severity":"medium","ruleTitle":"The macOS system must disable accounts after 35 days of inactivity.","description":"The macOS must be configured to disable accounts after 35 days of inactivity.\n\nThis rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.","checkContent":"Verify the macOS system is configured to disable accounts after 35 days of inactivity with the following command:\n\n/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()=\"policyAttributeInactiveDays\"]/following-sibling::integer[1]/text()' -\n\nIf the result is not \"35\", this is a finding.","fixText":"Configure the macOS system to disable accounts after 35 days of inactivity with the following command.\n\nThis setting may be enforced using local policy or by a directory service.\n\nTo set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the \"policyCategoryAuthentication\":\n\n[source,xml]\n----\n\npolicyContent\npolicyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)\npolicyIdentifier\nInactive Account\npolicyParameters\n\npolicyAttributeInactiveDays\n35\n\n\n----\nAfter saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of \"$pwpolicy_file\".\n\n[source,bash]\n----\n/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file\n----"},{"id":"cc342f5b-121f-4f66-aba1-685fddbbfc69","vulnId":"V-259553","severity":"medium","ruleTitle":"The macOS system must configure Apple System Log files to be owned by root and group to wheel.","description":"The Apple System Logs (ASL) must be owned by root.\n\nASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084","checkContent":"Verify the macOS system is configured with Apple System Log files owned by root and group to wheel with the following command: \n\n/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with Apple System Log files owned by root and group to wheel with the following command:\n\n/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/awk -F\":\" '!/^root:wheel:/{print $3}')"},{"id":"ba873b0a-3adb-410d-be27-1d4e2b36f9ec","vulnId":"V-259554","severity":"medium","ruleTitle":"The macOS system must configure Apple System Log files to mode 640 or less permissive.","description":"The Apple System Logs (ASL) must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files must be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying, or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.\n\nSatisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084","checkContent":"Verify the macOS system is configured with Apple System Log files to mode 640 or less permissive with the following command:\n\n/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with Apple System Log files to mode 640 with the following command:\n\n/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk -F\":\" '!/640/{print $2}')"},{"id":"52095996-97c5-4f1c-9bf5-f9ce59e4f367","vulnId":"V-259555","severity":"medium","ruleTitle":"The macOS system must require users to reauthenticate for privilege escalation when using the \"sudo\" command.","description":"The file /etc/sudoers must include a timestamp_timout of 0.\n\nWithout reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical the user reauthenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158","checkContent":"Verify the macOS system requires reauthentication when using the \"sudo\" command to elevate privileges with the following command:\n\n/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c \"Authentication timestamp timeout: 0.0 minutes\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to require reauthentication when using \"sudo\" with the following command:\n\n/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \\;\n/bin/echo \"Defaults timestamp_timeout=0\" >> /etc/sudoers.d/mscp"},{"id":"a84fd1fa-f468-4006-a15c-668b1c4da94e","vulnId":"V-259556","severity":"medium","ruleTitle":"The macOS system must configure system log files to be owned by root and group to wheel.","description":"The system log files must be owned by root.\n\nSystem logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.\n\nSatisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084","checkContent":"Verify the macOS system is configured with system log files owned by root and group to wheel with the following command: \n\n/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with system log files owned by root and group to wheel with the following command: \n\n/usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F\":\" '!/^root:wheel:/{print $3}')"},{"id":"e3c91382-437c-4943-a82e-b050f7dfb1b0","vulnId":"V-259557","severity":"medium","ruleTitle":"The macOS system must configure system log files to mode 640 or less permissive.","description":"The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying, or deleting audit logs. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.\n\nSatisfies: SRG-OS-000205-GPOS-00083,SRG-OS-000206-GPOS-00084","checkContent":"Verify the macOS system is configured with system log files set to mode 640 or less permissive with the following command:\n\n/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '\n\nIf the result is not \"0\", this is a finding.","fixText":"Configure the macOS system with system log files set to mode 640 or less permissive with the following command:\n\n/bin/chmod 640 $(/usr/bin/stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/640/{print $1}' | awk -F\":\" '!/640/{print $2}')"},{"id":"4ab0b362-6ce8-4992-9102-92944a73447b","vulnId":"V-259558","severity":"low","ruleTitle":"The macOS system must configure install.log retention to 365.","description":"The install.log must be configured to require records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.","checkContent":"Verify the macOS system is configured with install.log retention to 365 with the following command:\n\n/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\\/var\\/log\\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == \"TTL\" && $(i+2) >= 365) { ttl=\"True\" }; if ($i == \"MAX\") {max=\"True\"}}} END{if (count > 1) { print \"Multiple config files for /var/log/install, manually remove\"} else if (ttl != \"True\") { print \"TTL not configured\" } else if (max == \"True\") { print \"Max Size is configured, must be removed\" } else { print \"Yes\" }}'\n\nIf the result is not \"yes\", this is a finding.","fixText":"Configure the macOS system with install.log retention to 365 with the following command:\n\n/usr/bin/sed -i '' \"s/\\* file \\/var\\/log\\/install.log.*/\\* file \\/var\\/log\\/install.log format='\\$\$\\(Time\$\$JZ\$\\) \\$Host \\$\$Sender\$\\[\\$\$PID\\\$\\]: \\$Message' rotate=utc compress file_max=50M size_only ttl=365/g\" /etc/asl/com.apple.install\n\nNote: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed."},{"id":"62b77a14-3666-4e01-a8e9-6e3f9fdbd6aa","vulnId":"V-259559","severity":"medium","ruleTitle":"The macOS system must configure sudoers timestamp type.","description":"The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty.\n\nThis rule ensures that the \"sudo\" command will prompt for the administrator's password at least once in each newly opened terminal window. This prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session by bypassing the normal password prompt requirement.\n\nSatisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157","checkContent":"Verify the macOS system is configured with sudoers timestamp type with the following command:\n\n/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/awk -F\": \" '/Type of authentication timestamp record/{print $2}'\n\nIf the result is not \"tty\", this is a finding.","fixText":"Configure the macOS system with sudoers timestamp type with the following command:\n\n/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_type/d; /!tty_tickets/d' '{}' \\;"},{"id":"4379319a-9efc-4e4d-ad46-67e59700c377","vulnId":"V-259560","severity":"high","ruleTitle":"The macOS system must ensure System Integrity Protection is enabled.","description":"$28","checkContent":"Verify the macOS system is configured to enable System Integrity Protection with the following command:\n\n/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to enable \"System Integrity Protection\" by booting into \"Recovery\" mode, launch \"Terminal\" from the \"Utilities\" menu, and run the following command:\n\n/usr/bin/csrutil enable"},{"id":"73b9d62f-3937-41d5-b8cc-c3dcf1d8d592","vulnId":"V-259561","severity":"high","ruleTitle":"The macOS system must enforce FileVault.","description":"FileVault must be enforced.\n\nThe information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.\n\nSatisfies: SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183,SRG-OS-000405-GPOS-00184","checkContent":"Verify the macOS system is configured to enforce FileVault with the following command:\n\ndontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\\\n.objectForKey('dontAllowFDEDisable').js\nEOS\n)\nfileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c \"FileVault is On.\")\nif [[ \"$dontAllowDisable\" == \"true\" ]] && [[ \"$fileVault\" == 1 ]]; then\n echo \"1\"\nelse\n echo \"0\"\nfi\n\nIf the result is not \"1\", this is a finding.","fixText":"Note: Refer to the FileVault supplemental to implement this rule."},{"id":"25186732-a419-4782-a67c-bb62390d37f1","vulnId":"V-259562","severity":"medium","ruleTitle":"The macOS system must enable the application firewall.","description":"The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled.\n\nWhen the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.","checkContent":"Verify the macOS system is configured to enable the application firewall with the following command:\n\nprofile=\"$(/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\\\n.objectForKey('EnableFirewall').js\nEOS\n)\"\n\nplist=\"$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)\"\n\nif [[ \"$profile\" == \"true\" ]] && [[ \"$plist\" =~ [1,2] ]]; then\n echo \"true\"\nelse\n echo \"false\"\nfi\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enable the application firewall with the following command:\n\n/usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1"},{"id":"f74e606b-e900-4b1c-9509-63f3c79999aa","vulnId":"V-259563","severity":"medium","ruleTitle":"The macOS system must configure login window to prompt for username and password.","description":"The login window must be configured to prompt all users for both a username and a password.\n\nBy default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system.","checkContent":"Verify the macOS system is configured to prompt for username and password at the login window with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\\\n.objectForKey('SHOWFULLNAME').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to prompt for username and password at the logon window by installing the \"com.apple.loginwindow\" configuration profile."},{"id":"819cacc5-ae02-4ca4-a615-475c1b9b19af","vulnId":"V-259564","severity":"medium","ruleTitle":"The macOS system must disable TouchID prompt during Setup Assistant.","description":"The prompt for TouchID during Setup Assistant must be disabled.\n\nmacOS prompts new users through enabling TouchID during Setup Assistant; this is not essential, and therefore must be disabled to prevent against the risk of individuals electing to enable TouchID to override organizationwide settings.","checkContent":"Verify the macOS system is configured to disable TouchID prompt during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipTouchIDSetup').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable TouchID prompt during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"bb810de3-a458-4c46-8771-b59a1ff3f4e6","vulnId":"V-259565","severity":"medium","ruleTitle":"The macOS system must disable Screen Time prompt during Setup Assistant.","description":"The prompt for Screen Time setup during Setup Assistant must be disabled.","checkContent":"Verify the macOS system is configured to disable Screen Time prompt during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipScreenTime').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Screen Time prompt during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"0f0ab71d-75ae-4ca5-8c6c-8942de97abd0","vulnId":"V-259566","severity":"medium","ruleTitle":"The macOS system must disable Unlock with Apple Watch during Setup Assistant.","description":"The prompt for Apple Watch unlock setup during Setup Assistant must be disabled.\n\nDisabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.","checkContent":"Verify the macOS system is configured to disable Unlock with Apple Watch during Setup Assistant with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\\\n.objectForKey('SkipUnlockWithWatch').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to disable Unlock with Apple Watch during Setup Assistant by installing the \"com.apple.SetupAssistant.managed\" configuration profile."},{"id":"4e00e19f-d539-43e8-904e-6d200bac2d47","vulnId":"V-259567","severity":"medium","ruleTitle":"The macOS system must disable Handoff.","description":"Handoff must be disabled.\n\nHandoff allows users to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.\n\nSatisfies: SRG-OS-000080-GPOS-00048,SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118","checkContent":"Verify the macOS system is configured to disable handoff with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowActivityContinuation').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable handoff by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"a17c2c35-702e-4b9c-aa39-b6c5cd9d1a5e","vulnId":"V-259568","severity":"medium","ruleTitle":"The macOS system must disable proximity-based password sharing requests.","description":"Proximity-based password sharing requests must be disabled.\n\nThe default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disabled to prevent passwords from being shared.","checkContent":"Verify the macOS system is configured to disable proximity-based password sharing requests with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowPasswordProximityRequests').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable proximity-based password sharing requests by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"89ef4b35-24f7-4c2f-933e-3ca8350635e4","vulnId":"V-259569","severity":"medium","ruleTitle":"The macOS system must disable Erase Content and Settings.","description":"Erase Content and Settings must be disabled.","checkContent":"Verify the macOS system is configured to disable Erase Content and Settings with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n.objectForKey('allowEraseContentAndSettings').js\nEOS\n\nIf the result is not \"false\", this is a finding.","fixText":"Configure the macOS system to disable Erase Content and Settings by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"864b0abc-b37e-4cff-afd1-5ce857f09fdd","vulnId":"V-259570","severity":"medium","ruleTitle":"The macOS system must enable Authenticated Root.","description":"Authenticated Root must be enabled.\n\nWhen Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.\n\nNote: Authenticated Root is enabled by default on macOS systems.\n\nWARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.","checkContent":"Verify the macOS system is configured to enable authenticated root with the following command:\n\n/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to enable authenticated root with the following command:\n\n/usr/bin/csrutil authenticated-root enable\n\nNote: To reenable \"Authenticated Root\", boot the affected system into \"Recovery\" mode, launch \"Terminal\" from the \"Utilities\" menu, and run the command."},{"id":"24da3096-531a-499b-bff1-7e90013ae718","vulnId":"V-259571","severity":"medium","ruleTitle":"The macOS system must prohibit user installation of software into /users/.","description":"Users must not be allowed to install software into /users/.\n\nAllowing users who do not possess explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n\n[IMPORTANT]\n====\nApple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.\n====","checkContent":"Verify the macOS system is configured to prohibit user installation of software into /users/ with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\nfunction run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\\\n .objectForKey('familyControlsEnabled'))\n let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\\\n .objectForKey('pathBlackList').js\n for ( let app in pathlist ) {\n if ( ObjC.unwrap(pathlist[app]) == \"/Users/\" && pref1 == true ){\n return(\"true\")\n }\n }\n return(\"false\")\n }\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to prohibit user installation of software into /users/ by installing the \"com.apple.applicationaccess.new\" configuration profile."},{"id":"dc46170e-76ac-48f3-b36a-2eaa96fb7c18","vulnId":"V-259572","severity":"medium","ruleTitle":"The macOS system must authorize USB devices before allowing connection.","description":"USB devices connected to a Mac must be authorized.\n\n[IMPORTANT]\n====\nThis feature is removed if a smart card is paired or smart card attribute mapping is configured.\n====","checkContent":"Verify the macOS system is configured to authorize USB devices before allowing connection with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n function run() {\n let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\\\n .objectForKey('allowUSBRestrictedMode'))\n if ( pref1 == false ) {\n return(\"false\")\n } else {\n return(\"true\")\n }\n }\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to authorize USB devices before allowing connection by installing the \"com.apple.applicationaccess\" configuration profile."},{"id":"1729443f-6aab-4ecb-b372-08ef2f0705d9","vulnId":"V-259573","severity":"medium","ruleTitle":"The macOS system must ensure secure boot level set to full.","description":"The Secure Boot security setting must be set to full.\n\nFull security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot.\n\nNote: This will only return a proper result on T2 or Apple Silicon Macs.\n\nSatisfies: SRG-OS-000445-GPOS-00199,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201","checkContent":"Verify the macOS system is configured to ensure secure boot level set to full using the following command:\n\n/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c \"SecureBootLevel = full\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system to ensure secure boot level set to full by booting into Recovery Mode and enable Full Secure Boot."},{"id":"a98613d0-75f7-4633-af6e-4db92917827c","vulnId":"V-259574","severity":"medium","ruleTitle":"The macOS system must enforce enrollment in mobile device management.","description":"Users must enroll their Mac in a Mobile Device Management (MDM) software.\n\nUser Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include:\n\n* Allowed Kernel Extensions\n* Allowed Approved System Extensions\n* Privacy Preferences Policy Control Payload\n* ExtensibleSingleSignOn\n* FDEFileVault\n\nIn macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM:\n\n* Activation Lock Bypass\n* Access to Bootstrap Tokens\n* Scheduling Software Updates\n* Query list and delete local users","checkContent":"Verify the macOS system is configured to enforce enrollment in mobile device management with the following command:\n\n/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c \"Yes (User Approved)\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system by ensuring that system is enrolled via UAMDM."},{"id":"94a26469-6db1-4f95-bb21-417630e5beae","vulnId":"V-259575","severity":"medium","ruleTitle":"The macOS system must enable recovery lock.","description":"A recovery lock password must be enabled and set.\n\nSingle user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools.\n\nIMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.","checkContent":"For non-Apple Silicon systems, this is not applicable.\n\nVerify the macOS system is configured with recovery lock with the following command:\n\n/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c \"IsRecoveryLockEnabled = 1\"\n\nIf the result is not \"1\", this is a finding.","fixText":"Configure the macOS system with recovery lock with the SetRecoveryLock command. This can be used to set a Recovery Lock password and must be from the MDM."},{"id":"965303c9-f677-4c72-b553-873bb53cb8b3","vulnId":"V-259576","severity":"medium","ruleTitle":"The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.","description":"Software Update must be configured to update XProtect Remediator and Gatekeeper automatically.\n\nThis setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted.\n\nhttps://support.apple.com/en-us/HT207005\n\nNote: Software update will automatically update XProtect Remediator and Gatekeeper by default in the macOS.","checkContent":"Verify the macOS system is configured to enforce installation of XProtect Remediator and Gatekeeper updates automatically with the following command:\n\n/usr/bin/osascript -l JavaScript << EOS\n$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\\\n.objectForKey('ConfigDataInstall').js\nEOS\n\nIf the result is not \"true\", this is a finding.","fixText":"Configure the macOS system to enforce installation of XProtect Remediator and Gatekeeper updates automatically by installing the \"com.apple.SoftwareUpdate\" configuration profile."}]}]]}]

Apple macOS 14 (Sonoma) Security Technical Implementation Guide

Checks (155)