
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Apple macOS 15 (Sequoia) Security Technical Implementation Guide

Version: V1R7
Benchmark ID: Apple_macOS_15_STIG
Total Checks: 160
Tags: other
Severity breakdown: CAT I: 11, CAT II: 147, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (160)

Vuln ID | Severity | Rule title
V-268420 | MEDIUM | The macOS system must prevent Apple Watch from terminating a session lock.
V-268421 | MEDIUM | The macOS system must enforce screen saver password.
V-268422 | MEDIUM | The macOS system must enforce session lock no more than five seconds after screen saver is started.
V-268423 | MEDIUM | The macOS system must configure user session lock when a smart token is removed.
V-268424 | MEDIUM | The macOS system must disable hot corners.
V-268425 | MEDIUM | The macOS system must prevent AdminHostInfo from being available at LoginWindow.
V-268426 | MEDIUM | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
V-268427 | MEDIUM | The macOS system must enforce time synchronization.
V-268428 | MEDIUM | The macOS system must limit consecutive failed login attempts to three.
V-268429 | MEDIUM | The macOS system must display a policy banner at remote login.
V-268431 | MEDIUM | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
V-268432 | MEDIUM | The macOS system must configure audit log files to not contain access control lists (ACLs).
V-268433 | MEDIUM | The macOS system must configure the audit log folder to not contain access control lists (ACLs).
V-268434 | MEDIUM | The macOS system must disable FileVault automatic login.
V-268435 | MEDIUM | The macOS system must configure SSHD ClientAliveInterval to 900.
V-268436 | MEDIUM | The macOS system must configure SSHD ClientAliveCountMax to 1.
V-268437 | MEDIUM | The macOS system must set login grace time to 30.
V-268438 | HIGH | The macOS system must limit SSHD to FIPS-compliant connections.
V-268439 | HIGH | The macOS system must limit SSH to FIPS-compliant connections.
V-268440 | MEDIUM | The macOS system must set account lockout time to 15 minutes.
V-268441 | MEDIUM | The macOS system must enforce screen saver timeout.
V-268442 | MEDIUM | The macOS system must disable login to other users' active and locked sessions.
V-268443 | MEDIUM | The macOS system must disable root login.
V-268444 | MEDIUM | The macOS system must configure the SSH ServerAliveInterval to 900.
V-268445 | MEDIUM | The macOS system must configure SSHD channel timeout to 900.
V-268446 | MEDIUM | The macOS system must configure SSHD unused connection timeout to 900.
V-268447 | MEDIUM | The macOS system must set SSH Active Server Alive Maximum to 0.
V-268448 | MEDIUM | The macOS system must enforce auto logout after 86400 seconds of inactivity.
V-268449 | MEDIUM | The macOS system must be configured to use an authorized time server.
V-268450 | MEDIUM | The macOS system must enable the time synchronization daemon.
V-268451 | MEDIUM | The macOS system must configure sudo to log events.
V-268452 | MEDIUM | The macOS system must be configured to audit all administrative action events.
V-268453 | MEDIUM | The macOS system must be configured to audit all login and logout events.
V-268454 | MEDIUM | The macOS system must enable security auditing.
V-268455 | MEDIUM | The macOS system must be configured to shut down upon audit failure.
V-268456 | MEDIUM | The macOS system must configure audit log files to be owned by root.
V-268457 | MEDIUM | The macOS system must configure audit log folders to be owned by root.
V-268458 | MEDIUM | The macOS system must configure the audit log files group to wheel.
V-268459 | MEDIUM | The macOS system must configure the audit log folders group to wheel.
V-268460 | MEDIUM | The macOS system must configure audit log files to mode 440 or less permissive.
V-268461 | MEDIUM | The macOS system must configure audit log folders to mode 700 or less permissive.
V-268462 | MEDIUM | The macOS system must be configured to audit all deletions of object attributes.
V-268463 | MEDIUM | The macOS system must be configured to audit all changes of object attributes.
V-268464 | MEDIUM | The macOS system must be configured to audit all failed read actions on the system.
V-268465 | MEDIUM | The macOS system must be configured to audit all failed write actions on the system.
V-268467 | LOW | The macOS system must configure audit retention to seven days.
V-268468 | MEDIUM | The macOS system must configure audit capacity warning.
V-268469 | MEDIUM | The macOS system must configure audit failure notification.
V-268470 | MEDIUM | The macOS system must be configured to audit all authorization and authentication events.
V-268471 | MEDIUM | The macOS system must set smart card certificate trust to moderate.
V-268472 | MEDIUM | The macOS system must disable root login for SSH.
V-268473 | MEDIUM | The macOS system must configure audit_control group to wheel.
V-268474 | MEDIUM | The macOS system must configure audit_control owner to root.
V-268475 | MEDIUM | The macOS system must configure audit_control owner to mode 440 or less permissive.
V-268477 | HIGH | The macOS system must disable password authentication for SSH.
V-268478 | MEDIUM | The macOS system must disable Server Message Block (SMB) sharing.
V-268479 | MEDIUM | The macOS system must disable Network File System (NFS) service.
V-268480 | MEDIUM | The macOS system must disable Location Services.
V-268481 | MEDIUM | The macOS system must disable Bonjour multicast.
V-268482 | MEDIUM | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
V-268483 | MEDIUM | The macOS system must disable Internet Sharing.
V-268484 | MEDIUM | The macOS system must disable the built-in web server.
V-268485 | MEDIUM | The macOS system must disable AirDrop.
V-268486 | MEDIUM | The macOS system must disable FaceTime.app.
V-268487 | MEDIUM | The macOS system must disable the iCloud Calendar services.
V-268488 | MEDIUM | The macOS system must disable iCloud Reminders.
V-268489 | MEDIUM | The macOS system must disable iCloud Address Book.
V-268490 | MEDIUM | The macOS system must disable iCloud Mail.
V-268491 | MEDIUM | The macOS system must disable iCloud Notes.
V-268492 | MEDIUM | The macOS system must disable the camera.
V-268493 | MEDIUM | The macOS system must disable Siri.
V-268494 | MEDIUM | The macOS system must disable sending diagnostic and usage data to Apple.
V-268495 | MEDIUM | The macOS system must disable Remote Apple Events.
V-268496 | MEDIUM | The macOS system must disable Apple ID setup during Setup Assistant.
V-268497 | MEDIUM | The macOS system must disable Privacy Setup services during Setup Assistant.
V-268498 | MEDIUM | The macOS system must disable iCloud storage setup during Setup Assistant.
V-268499 | HIGH | The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
V-268500 | MEDIUM | The macOS system must disable Siri Setup during Setup Assistant.
V-268501 | MEDIUM | The macOS system must disable iCloud Keychain Sync.
V-268502 | MEDIUM | The macOS system must disable iCloud Document Sync.
V-268503 | MEDIUM | The macOS system must disable iCloud Bookmarks.
V-268504 | MEDIUM | The macOS system must disable iCloud Photo Library.
V-268505 | MEDIUM | The macOS system must disable Screen Sharing and Apple Remote Desktop.
V-268506 | MEDIUM | The macOS system must disable the System Settings pane for Wallet and Apple Pay.
V-268507 | MEDIUM | The macOS system must disable the system settings pane for Siri.
V-268508 | HIGH | The macOS system must apply gatekeeper settings to block applications from unidentified developers.
V-268509 | HIGH | The macOS system must disable Bluetooth when no approved device is connected.
V-268510 | MEDIUM | The macOS system must disable the guest account.
V-268511 | HIGH | The macOS system must enable gatekeeper.
V-268512 | HIGH | The macOS system must disable unattended or automatic login to the system.
V-268513 | MEDIUM | The macOS system must secure users' home folders.
V-268514 | HIGH | The macOS system must require an administrator password to modify systemwide preferences.
V-268515 | MEDIUM | The macOS system must disable Airplay Receiver.
V-268516 | MEDIUM | The macOS system must disable TouchID for unlocking the device.
V-268517 | MEDIUM | The macOS system must disable Media Sharing.
V-268518 | MEDIUM | The macOS system must disable Bluetooth Sharing.
V-268519 | MEDIUM | The macOS system must disable AppleID and internet Account Modification.
V-268521 | MEDIUM | The macOS system must disable Content Caching service.
V-268522 | MEDIUM | The macOS system must disable iCloud Desktop and Document folder sync.
V-268523 | MEDIUM | The macOS system must disable iCloud Game Center.
V-268524 | MEDIUM | The macOS system must disable iCloud Private Relay.
V-268525 | MEDIUM | The macOS system must disable Find My service.
V-268526 | MEDIUM | The macOS system must disable Personalized Advertising.
V-268527 | MEDIUM | The macOS system must disable sending Siri and Dictation information to Apple.
V-268528 | MEDIUM | The macOS system must enforce On Device Dictation.
V-268529 | MEDIUM | The macOS system must disable Dictation.
V-268530 | MEDIUM | The macOS system must disable Printer Sharing.
V-268531 | MEDIUM | The macOS system must disable Remote Management.
V-268532 | MEDIUM | The macOS system must disable the Bluetooth System Settings pane.
V-268533 | MEDIUM | The macOS system must disable the iCloud Freeform services.
V-268534 | MEDIUM | The macOS system must issue or obtain public key certificates from an approved service provider.
V-268535 | MEDIUM | The macOS system must require that passwords contain a minimum of one numeric character.
V-268536 | MEDIUM | The macOS system must restrict maximum password lifetime to 60 days.
V-268537 | MEDIUM | The macOS system must require a minimum password length of 14 characters.
V-268538 | MEDIUM | The macOS system must require that passwords contain a minimum of one special character.
V-268539 | MEDIUM | The macOS system must disable password hints.
V-268540 | MEDIUM | The macOS system must enable firmware password.
V-268541 | MEDIUM | The macOS system must remove password hints from user accounts.
V-268542 | MEDIUM | The macOS system must enforce smart card authentication.
V-268543 | MEDIUM | The macOS system must allow smart card authentication.
V-268544 | MEDIUM | The macOS system must enforce multifactor authentication for login.
V-268545 | MEDIUM | The macOS system must enforce multifactor authentication for the su command.
V-268546 | MEDIUM | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
V-268547 | MEDIUM | The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character.
V-268548 | MEDIUM | The macOS system must set minimum password lifetime to 24 hours.
V-268549 | MEDIUM | The macOS system must disable accounts after 35 days of inactivity.
V-268550 | MEDIUM | The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.
V-268551 | MEDIUM | The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.
V-268552 | MEDIUM | The macOS system must configure system log files owned by root and group to wheel.
V-268553 | MEDIUM | The macOS system must configure system log files to mode 640 or less permissive.
V-268554 | LOW | The macOS system must configure install.log retention to 365.
V-268555 | HIGH | The macOS system must ensure System Integrity Protection is enabled.
V-268556 | HIGH | The macOS system must enforce FileVault.
V-268557 | MEDIUM | The macOS system must enable macOS Application Firewall.
V-268558 | MEDIUM | The macOS system must configure the login window to prompt for username and password.
V-268559 | MEDIUM | The macOS system must disable the TouchID prompt during Setup Assistant.
V-268560 | MEDIUM | The macOS system must disable the Screen Time prompt during Setup Assistant.
V-268561 | MEDIUM | The macOS system must disable Unlock with Apple Watch during Setup Assistant.
V-268562 | MEDIUM | The macOS system must disable Handoff.
V-268563 | MEDIUM | The macOS system must disable proximity-based password sharing requests.
V-268564 | MEDIUM | The macOS system must disable Erase Content and Settings.
V-268565 | MEDIUM | The macOS system must enable Authenticated Root.
V-268566 | MEDIUM | The macOS system must prohibit user installation of software into /users/.
V-268567 | MEDIUM | The macOS system must authorize USB devices before allowing connection.
V-268568 | MEDIUM | The macOS system must ensure Secure Boot level is set to "full".
V-268569 | MEDIUM | The macOS system must enforce enrollment in Mobile Device Management (MDM).
V-268570 | MEDIUM | The macOS system must enable Recovery Lock.
V-268571 | MEDIUM | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
V-268572 | MEDIUM | The macOS system must disable Genmoji.
V-268573 | MEDIUM | The macOS system must disable Apple Intelligence Image Generation.
V-268574 | MEDIUM | The macOS system must disable Apple Intelligence Writing Tools.
V-268575 | MEDIUM | The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
V-269093 | MEDIUM | The macOS system must enforce SSH to display a policy banner.
V-269094 | MEDIUM | The macOS system must be configured to audit all failed program execution on the system.
V-269095 | MEDIUM | The macOS system must configure audit_control to not contain access control lists (ACLs).
V-269096 | MEDIUM | The macOS system must disable sending audio recordings and transcripts to Apple.
V-269566 | MEDIUM | The macOS system must disable sending search data from Spotlight to Apple.
V-272477 | MEDIUM | The macOS system must disable iPhone Mirroring.
V-274880 | MEDIUM | The macOS system must configure sudoers timestamp type.
V-274881 | MEDIUM | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.