
Apple macOS 26 (Tahoe) Security Technical Implementation Guide

Version: V1R2
Benchmark ID: Apple_macOS_26_STIG
Total Checks: 160
Tags: other
CAT I: 13 | CAT II: 145 | CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (160)

  • V-277028 (MEDIUM) The macOS system must prevent Apple Watch from terminating a session lock.
  • V-277029 (MEDIUM) The macOS system must enforce screen saver password.
  • V-277030 (MEDIUM) The macOS system must enforce session lock no more than five seconds after screen saver is started.
  • V-277031 (MEDIUM) The macOS system must configure user session lock when a smart token is removed.
  • V-277032 (MEDIUM) The macOS system must disable hot corners.
  • V-277033 (MEDIUM) The macOS system must prevent AdminHostInfo from being available at LoginWindow.
  • V-277034 (MEDIUM) The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
  • V-277035 (MEDIUM) The macOS system must enforce time synchronization.
  • V-277036 (MEDIUM) The macOS system must limit consecutive failed login attempts to three.
  • V-277037 (MEDIUM) The macOS system must display a policy banner at remote login.
  • V-277038 (MEDIUM) The macOS system must enforce SSH to display a policy banner.
  • V-277039 (MEDIUM) The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
  • V-277040 (MEDIUM) The macOS system must configure audit log files to not contain access control lists (ACLs).
  • V-277041 (MEDIUM) The macOS system must configure the audit log folder to not contain access control lists (ACLs).
  • V-277042 (MEDIUM) The macOS system must disable FileVault automatic login.
  • V-277043 (MEDIUM) The macOS system must configure SSHD ClientAliveInterval to 900.
  • V-277044 (MEDIUM) The macOS system must configure SSHD ClientAliveCountMax to 1.
  • V-277045 (MEDIUM) The macOS system must set login grace time to 30.
  • V-277046 (HIGH) The macOS system must limit SSHD to FIPS-compliant connections.
  • V-277047 (HIGH) The macOS system must limit SSH to FIPS-compliant connections.
  • V-277048 (MEDIUM) The macOS system must set account lockout time to 15 minutes.
  • V-277049 (MEDIUM) The macOS system must enforce screen saver timeout.
  • V-277050 (MEDIUM) The macOS system must disable login to other users' active and locked sessions.
  • V-277051 (MEDIUM) The macOS system must disable root login.
  • V-277052 (MEDIUM) The macOS system must configure the SSH ServerAliveInterval to 900.
  • V-277053 (MEDIUM) The macOS system must configure SSHD channel timeout to 900.
  • V-277054 (MEDIUM) The macOS system must configure SSHD unused connection timeout to 900.
  • V-277055 (MEDIUM) The macOS system must set SSH Active Server Alive Maximum to 0.
  • V-277056 (MEDIUM) The macOS system must enforce auto logout after 86400 seconds of inactivity.
  • V-277057 (MEDIUM) The macOS system must be configured to use an authorized time server.
  • V-277058 (MEDIUM) The macOS system must enable the time synchronization daemon.
  • V-277059 (MEDIUM) The macOS system must configure sudo to log events.
  • V-277060 (MEDIUM) The macOS system must be configured to audit all administrative action events.
  • V-277061 (MEDIUM) The macOS system must be configured to audit all login and logout events.
  • V-277062 (MEDIUM) The macOS system must enable security auditing.
  • V-277063 (MEDIUM) The macOS system must configure audit log files to be owned by root.
  • V-277064 (MEDIUM) The macOS system must configure audit log folders to be owned by root.
  • V-277065 (MEDIUM) The macOS system must configure the audit log files group to wheel.
  • V-277066 (MEDIUM) The macOS system must configure the audit log folders group to wheel.
  • V-277067 (MEDIUM) The macOS system must configure audit log files to mode 440 or less permissive.
  • V-277068 (MEDIUM) The macOS system must configure audit log folders to mode 700 or less permissive.
  • V-277069 (MEDIUM) The macOS system must be configured to audit all deletions of object attributes.
  • V-277070 (MEDIUM) The macOS system must be configured to audit all changes of object attributes.
  • V-277071 (MEDIUM) The macOS system must be configured to audit all failed read actions on the system.
  • V-277072 (MEDIUM) The macOS system must be configured to audit all failed write actions on the system.
  • V-277073 (MEDIUM) The macOS system must be configured to audit all failed program execution on the system.
  • V-277074 (LOW) The macOS system must configure audit retention to seven days.
  • V-277075 (MEDIUM) The macOS system must configure audit capacity warning.
  • V-277076 (MEDIUM) The macOS system must configure audit failure notification.
  • V-277077 (MEDIUM) The macOS system must be configured to audit all authorization and authentication events.
  • V-277078 (MEDIUM) The macOS system must set smart card certificate trust to moderate.
  • V-277079 (MEDIUM) The macOS system must disable root login for SSH.
  • V-277080 (MEDIUM) The macOS system must configure audit_control group to wheel.
  • V-277081 (MEDIUM) The macOS system must configure audit_control owner to root.
  • V-277082 (MEDIUM) The macOS system must configure audit_control owner to mode 440 or less permissive.
  • V-277083 (MEDIUM) The macOS system must configure audit_control to not contain access control lists (ACLs).
  • V-277084 (HIGH) The macOS system must disable password authentication for SSH.
  • V-277085 (MEDIUM) The macOS system must disable Server Message Block (SMB) sharing.
  • V-277086 (MEDIUM) The macOS system must disable Network File System (NFS) service.
  • V-277087 (MEDIUM) The macOS system must disable Location Services.
  • V-277088 (MEDIUM) The macOS system must disable Bonjour multicast.
  • V-277089 (MEDIUM) The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
  • V-277090 (MEDIUM) The macOS system must disable Internet Sharing.
  • V-277091 (MEDIUM) The macOS system must disable the built-in web server.
  • V-277092 (MEDIUM) The macOS system must disable AirDrop.
  • V-277093 (MEDIUM) The macOS system must disable FaceTime.app.
  • V-277094 (MEDIUM) The macOS system must disable the iCloud Calendar services.
  • V-277095 (MEDIUM) The macOS system must disable iCloud Reminders.
  • V-277096 (MEDIUM) The macOS system must disable iCloud Address Book.
  • V-277097 (MEDIUM) The macOS system must disable iCloud Mail.
  • V-277098 (MEDIUM) The macOS system must disable iCloud Notes.
  • V-277099 (MEDIUM) The macOS system must disable the camera.
  • V-277100 (MEDIUM) The macOS system must disable Siri.
  • V-277101 (MEDIUM) The macOS system must disable sending diagnostic and usage data to Apple.
  • V-277102 (MEDIUM) The macOS system must disable Remote Apple Events.
  • V-277103 (MEDIUM) The macOS system must disable sending audio recordings and transcripts to Apple.
  • V-277104 (MEDIUM) The macOS system must disable sending search data from Spotlight to Apple.
  • V-277105 (MEDIUM) The macOS system must disable Apple ID setup during Setup Assistant.
  • V-277106 (MEDIUM) The macOS system must disable Privacy Setup services during Setup Assistant.
  • V-277107 (MEDIUM) The macOS system must disable iCloud storage setup during Setup Assistant.
  • V-277108 (HIGH) The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
  • V-277109 (MEDIUM) The macOS system must disable Siri Setup during Setup Assistant.
  • V-277110 (MEDIUM) The macOS system must disable iCloud Keychain Sync.
  • V-277111 (MEDIUM) The macOS system must disable iCloud Document Sync.
  • V-277112 (MEDIUM) The macOS system must disable iCloud Bookmarks.
  • V-277113 (MEDIUM) The macOS system must disable iCloud Photo Library.
  • V-277114 (MEDIUM) The macOS system must disable Screen Sharing and Apple Remote Desktop.
  • V-277115 (MEDIUM) The macOS system must disable the System Settings pane for Wallet and Apple Pay.
  • V-277116 (MEDIUM) The macOS system must disable the system settings pane for Siri.
  • V-277117 (HIGH) The macOS system must apply gatekeeper settings to block applications from unidentified developers.
  • V-277118 (HIGH) The macOS system must disable Bluetooth when no approved device is connected.
  • V-277119 (MEDIUM) The macOS system must disable the guest account.
  • V-277120 (HIGH) The macOS system must enable gatekeeper.
  • V-277121 (HIGH) The macOS system must disable unattended or automatic login to the system.
  • V-277122 (MEDIUM) The macOS system must secure users' home folders.
  • V-277123 (HIGH) The macOS system must require an administrator password to modify systemwide preferences.
  • V-277124 (MEDIUM) The macOS system must disable Airplay Receiver.
  • V-277125 (MEDIUM) The macOS system must disable TouchID for unlocking the device.
  • V-277126 (MEDIUM) The macOS system must disable Media Sharing.
  • V-277127 (MEDIUM) The macOS system must disable Bluetooth Sharing.
  • V-277128 (MEDIUM) The macOS system must disable AppleID and internet Account Modification.
  • V-277129 (MEDIUM) The macOS system must disable Content Caching service.
  • V-277130 (MEDIUM) The macOS system must disable iCloud Desktop and Document folder sync.
  • V-277131 (MEDIUM) The macOS system must disable iCloud Game Center.
  • V-277132 (MEDIUM) The macOS system must disable iCloud Private Relay.
  • V-277133 (MEDIUM) The macOS system must disable Find My service.
  • V-277134 (MEDIUM) The macOS system must disable Personalized Advertising.
  • V-277135 (MEDIUM) The macOS system must disable sending Siri and Dictation information to Apple.
  • V-277136 (MEDIUM) The macOS system must enforce On Device Dictation.
  • V-277137 (MEDIUM) The macOS system must disable Dictation.
  • V-277138 (MEDIUM) The macOS system must disable Printer Sharing.
  • V-277139 (MEDIUM) The macOS system must disable Remote Management.
  • V-277140 (MEDIUM) The macOS system must disable the Bluetooth System Settings pane.
  • V-277141 (MEDIUM) The macOS system must disable the iCloud Freeform services.
  • V-277142 (MEDIUM) The macOS system must disable iPhone Mirroring.
  • V-277143 (MEDIUM) The macOS system must issue or obtain public key certificates from an approved service provider.
  • V-277144 (MEDIUM) The macOS system must require that passwords contain a minimum of one numeric character.
  • V-277145 (MEDIUM) The macOS system must restrict maximum password lifetime to 60 days.
  • V-277146 (MEDIUM) The macOS system must require a minimum password length of 14 characters.
  • V-277147 (MEDIUM) The macOS system must require that passwords contain a minimum of one special character.
  • V-277148 (MEDIUM) The macOS system must disable password hints.
  • V-277149 (MEDIUM) The macOS system must remove password hints from user accounts.
  • V-277150 (MEDIUM) The macOS system must enforce smart card authentication.
  • V-277151 (MEDIUM) The macOS system must allow smart card authentication.
  • V-277152 (MEDIUM) The macOS system must enforce multifactor authentication for login.
  • V-277153 (MEDIUM) The macOS system must enforce multifactor authentication for the su command.
  • V-277154 (MEDIUM) The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
  • V-277155 (MEDIUM) The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character.
  • V-277156 (MEDIUM) The macOS system must set minimum password lifetime to 24 hours.
  • V-277157 (MEDIUM) The macOS system must disable accounts after 35 days of inactivity.
  • V-277158 (MEDIUM) The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.
  • V-277159 (MEDIUM) The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.
  • V-277160 (MEDIUM) The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
  • V-277161 (MEDIUM) The macOS system must configure system log files owned by root and group to wheel.
  • V-277162 (MEDIUM) The macOS system must configure system log files to mode 640 or less permissive.
  • V-277163 (LOW) The macOS system must configure install.log retention to 365.
  • V-277164 (MEDIUM) The macOS system must configure sudoers timestamp type.
  • V-277165 (HIGH) The macOS system must ensure System Integrity Protection (SIP) is enabled.
  • V-277166 (HIGH) The macOS system must enforce FileVault.
  • V-277167 (MEDIUM) The macOS system must enable macOS Application Firewall.
  • V-277168 (MEDIUM) The macOS system must configure the login window to prompt for username and password.
  • V-277169 (MEDIUM) The macOS system must disable the TouchID prompt during Setup Assistant.
  • V-277170 (MEDIUM) The macOS system must disable the Screen Time prompt during Setup Assistant.
  • V-277171 (MEDIUM) The macOS system must disable Unlock with Apple Watch during Setup Assistant.
  • V-277172 (MEDIUM) The macOS system must disable Handoff.
  • V-277173 (MEDIUM) The macOS system must disable proximity-based password sharing requests.
  • V-277174 (MEDIUM) The macOS system must disable Erase Content and Settings.
  • V-277175 (MEDIUM) The macOS system must enable Authenticated Root.
  • V-277176 (MEDIUM) The macOS system must prohibit user installation of software into /users/.
  • V-277177 (MEDIUM) The macOS system must authorize USB devices before allowing connection.
  • V-277178 (MEDIUM) The macOS system must ensure Secure Boot level is set to "full".
  • V-277179 (MEDIUM) The macOS system must enforce enrollment in Mobile Device Management (MDM).
  • V-277180 (MEDIUM) The macOS system must enable Recovery Lock.
  • V-277181 (MEDIUM) The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
  • V-277182 (MEDIUM) The macOS system must disable Genmoji AI Creation.
  • V-277183 (MEDIUM) The macOS system must disable Apple Intelligence Image Playground.
  • V-277184 (MEDIUM) The macOS system must disable Apple Intelligence Writing Tools.
  • V-277185 (HIGH) The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-279329 (MEDIUM) The macOS system must disable Apple Intelligence during Setup Assistant.
  • V-282964 (HIGH) The macOS system must be a version supported by the vendor.