Download
| Alert*
|
CCE-50242-7
This control ensures that system and security updates are installed after they are available from Apple. Staying up to date on patches is necessary to reduce the risk of vulnerabilities being exploited. Fix: defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true de ... CCE-50280-7 The owner of csh init files must be root. Fix: chown 0: /etc/csh.cshrc /etc/csh.login /etc/csh.logout CCE-50287-2 The group of the /etc/syslog.conf file must be wheel. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifie ... CCE-50249-2 Apple's File Sharing feature uses a combination of SMB (Windows sharing) and AFP (Mac sharing). According to the benchmark (macOS), by disabling file sharing, the risk of unauthorized access to files stored on the system can be reduced. Fix /bin/launchctl unload -w /System/Library/LaunchDaemons/com. ... CCE-50290-6 The default global umask setting must be set to '027' for user applications. The setting '027' ensures that user created files and directories will be readable, but not writable, by users that share the same group id. Users with a different group id will not be able to read or write those files. Thi ... CCE-50298-9 The group of bash init files must be wheel. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. Fix: chown :0 /etc/bashrc /etc/profile CCE-50311-0 Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes. This control is only checking the default configuration to ensure that unwanted access to audit r ... CCE-50236-9 Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time. If the screensaver is not set users may leave the computer available for an unauthorized person to access information. Fix: sudo defaults -currentH ... CCE-50262-5 ICMP redirects are broadcast in order to reshape network traffic. A malicious user could use the system to send fake redirect packets and try to force all network traffic to pass through a network sniffer. Disabling ICMP redirect broadcasts mitigates this risk. Fix: To configure the system to not s ... CCE-50293-0 The group of the /etc/services file must be wheel. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, aliases. Fix: c ... CCE-50315-1 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be det ... CCE-50266-6 The audit service must be configured to require that records are kept for 7 days or longer before deletion when there is no central audit record storage facility. When expire-after is set to 7d, the audit service will not delete audit logs until the log data is at least 7 days old. Fix: Edit the /e ... CCE-50321-9 Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical must be signed with a certificate that is reco ... CCE-50245-0 Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal. Enabling this feature can minimize the risk of a key logger identifying the keys entered into the Terminal. Fix: defaults write ~/Library/Preferences/com.apple.Te ... CCE-50300-3 The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activitity is no longer recorded and malicious activity could go undetected. Audit processing failures include: software/hardware errors; failures in the audit capturing ... CCE-50259-1 The sudo command lets the user run programs as the root user, granting them high levels of configurability within the system. The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leave ... CCE-50256-7 The root account should be disabled on all macOS systems, and a separate administrator 2252 account should be established for each person who will be performing regular administrative tasks. Fix: dscl . -create /Users/root UserShell /usr/bin/false CCE-50217-9 Remote login service _MUST_ be configured to display a policy banner at login. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable f ... CCE-50250-0 When Printer Sharing is enabled, the computer is established as a print server to accept print jobs from other computers. Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system. Using dedicated print servers or direct IP printing ... CCE-50212-0 If remote login through SSH is enabled, smartcard authentication _MUST_ be enforced for user login. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. NOTE: /etc/ssh/sshd_config will be automatically modified to its orig ... CCE-50306-0 To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating system ... CCE-50305-2 Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. If you are NOT using IPv6 disable it. Fix: networksetup -setv6off Ethernet networksetup -setv6off Wi-Fi CCE-50274-0 The group of csh init files must be wheel. Fix: chown :0 /etc/csh.cshrc /etc/csh.login /etc/csh.logout CCE-50297-1 The owner of bash init files must be root. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. Fix: chown 0: /etc/bashrc /etc/profile CCE-50203-9 The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. Fix: /bin/chmod ... CCE-50243-5 This setting allows macOS updates to be installed automatically once they are available from Apple. Because patches need to be applied as soon as possible, allowing for automatic updates ensures that the user's device is updated in a timely manner rather than be left vulnerable to additional securit ... CCE-50220-3 SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. Setting the Active Server Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state followin ... CCE-50310-2 Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred. Without log files system maintenance and security forensics cannot be properly performed. ... CCE-50318-5 The macOS system must enforce the limit of time for failed login reset after the account locked out by providing invalid logon attempts by the user. Fix: This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. CCE-50258-3 Allowing guests to connect to shared folders lets users access such folders from different computers on a network. Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and gaining unauthorized access to the system. Fix: defaults write / ... CCE-50246-8 The default global umask setting must be set to '027' for user applications. The setting '027' ensures that user created files and directories will be readable, but not writable, by users that share the same group id. Users with a different group id will not be able to read or write those files. Thi ... CCE-50285-6 The permissionbs of the /etc/services file must be 0644 or less. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, al ... CCE-50224-5 If the system does not require Trivial File Transfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized tran ... CCE-50216-1 Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and ... CCE-50302-9 When automatic logins are enabled, the default user account is automatically logged in at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer in order to log in. Disabling automatic logins mitigates this risk. ... CCE-50221-1 SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. Operating systems utilizing encryption _MUST_ use F ... CCE-50307-8 Bonjour is an auto-discovery mechanism for TCP/IP devices that enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled. Fix: defaults write /Library/Preferences/com.apple.mDNSResp ... CCE-50261-7 The sudo command must be configured to prompt for the administrator user's password at least once in each newly opened Terminal window or remote login session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned login session to bypass the normal password ... CCE-50200-5 The audit log files _MUST_ not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log files that are readable and writable only by system administrators in order to prevent normal users ... CCE-50272-4 The permissions of csh init files must be 644. Fix: chmod 644 /etc/csh.cshrc /etc/csh.login /etc/csh.logout CCE-50319-3 The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing me ... CCE-50308-6 It is important that a system has the newest updates downloaded so that they can be applied. Without updates available they may not be made in a timely manner and the system will be exposed to additional risk. Fix: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload ... CCE-50201-3 The audit log folder _MUST_ not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal use ... CCE-50247-6 Screen sharing is a feature that lets computers on the same network connect to one another and to display the same screen. While sharing screens, the user can control the actions on that computer. The macOS benchmark states that disabling screen sharing mitigates the risk of remote connections being ... CCE-50292-2 Hide or display the sleep, restart, and shutdown buttons, as a group, in the login window. Fix: defaults write /Library/Preferences/com.apple.screensaver PowerOffDisabled -bool True CCE-50265-8 Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store. Administator users will still have the option to override these settings on a per app basis. Gatekeeper is a security feature that ensures that applications must be digita ... CCE-50299-7 IP forwarding for IPv4 must not be enabled, unless the system is a router, as only authorized systems should be permitted to operate as routers. Fix: To configure the system to disable IP forwarding, add the following lines to /etc/sysctl.conf: net.inet.ip.forwarding=0 net.inet6.ip6.forwarding=0 CCE-50281-5 Remote access services, such as those providing remote access to network devices and information systems, increase risk and expose those systems to possible cyber attacks, so all remote access should be closely monitored and audited. Only authorized users should be permitted to remotely access DoD n ... CCE-50208-8 The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; t ... CCE-50312-8 The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the ca ... CCE-50313-6 Using tty tickets ensures that a user must enter the sudo password in each Terminal session. In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an ... CCE-50253-4 The wake for network access feature enables other users to access a computers shared resources even if the computer is in sleep mode. The macOS benchmark states disabling the "wake for network access" feature could mitigate the risk of an attacker remotely waking the system to gain access ... CCE-50230-2 The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could ... CCE-50279-9 The permissions of bash init files must be 444 or as appropriate. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. Fix: chmod 444 /etc/bashrc /etc/profile CCE-50316-9 Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable a ... CCE-50273-2 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that dete ... CCE-50211-2 The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. NOTE: /etc/pam.d/su will be automatically modified to its ... CCE-50234-4 Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements. Uses will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads. Fix: /usr/bin/defaults ... CCE-50268-2 ICMP Timestamp requests reveal information about the system and can be used to determine which operating system is installed. Precise time data can also be used to launch time based attacks against the system. Configuring the system to drop incoming ICMPv4 timestamp requests mitigates these risks. ... CCE-50252-6 DVD or CD sharing allows other users to remotely access the systems optical drive. Disabling this feature will minimize the risk of an attacker accessing the optical drive and using it as a vector to expose sensitive data. Fix /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgen ... CCE-50202-1 Audit log files _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and wr ... CCE-50213-8 A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems p ... CCE-50314-4 Library Validation protects processes from loading arbitrary libraries, root from becoming more powerful (root may load arbitrary libraries into any process depending on SIP status). Running without Library Validation on a production system runs the risk of the modification of system binaries or c ... CCE-50291-4 The owner of the /etc/services file must be root. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, aliases. Fix: ch ... CCE-50271-6 An attacker might attempt to log in as an authorized user, through stolen credentials, unpatched exploits, or brute force attempts to guess a valid username and password. If a user is attempting to log in to a system at an unusual time, or if there are many failed attempts, there is a possibility th ... CCE-50282-3 The owner of the audit logs must be root. Fix: chown -R 0: /var/audit CCE-50267-4 ICMP redirects are broadcast in order to reshape network traffic. A malicious user could craft fake redirect packets and try to force all network traffic to pass through a network sniffer. If the system is not configured to ignore these packets, it could be suspectible to this kind of attack. Fix: ... CCE-50278-1 The setting controls whether local user accounts are visible in the login window. Fix: defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers -bool True CCE-50205-4 The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enfor ... CCE-50237-7 Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. Fix: /bin/launchctl enable system/com.openssh.sshd CCE-50240-1 Use "stealth mode" to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac doesn't respond to either ping requests or connection attempts from a closed TCP or UDP network. Fix: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --set ... CCE-50277-3 If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and rep ... CCE-50254-2 A custom message that can be displayed at the lock screen and FileVault login screen. Often used to warn people of permitted system actions and possible legal consequences of misuse. The benchmark (macOS) states that displaying an access warning may reduce an attackers tendency to access the system, ... CCE-50239-3 SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. Operating systems utilizing encryption _MUST_ use F ... CCE-50255-9 A policy banner is an additional window that is displayed during the login process. It requires users to acknowledge the contents of the banner by clicking an "Accept" button before proceeding to log in. Often used to supplement the lock screen message text, and to warn people of permitted ... CCE-50303-7 Bluetooth sharing allows users to wirelessly transmit files between Mac OS X and Bluetooth-enabled devices, including personally owned cell phones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files. Disabling Bluetooth Sharing mitigates this r ... CCE-50228-6 Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not eve ... CCE-50257-5 The Guest account, a special managed account, is considered a security vulnerability in most situations because it has no password associated with it. Once an attacker has gained guest-level access, the attacker can try to elevate privileges to further exploit a system. We recommend that the Guest a ... CCE-50320-1 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional at ... CCE-50283-1 The group of the audit logs must be root. Fix: chown -R :0 /var/audit CCE-50309-4 Enabling Show Bluetooth status in menu bar is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, Discoverable, what paired devices exist and are currently active. Bluetooth is a useful wireless tool that has been widely exploited when c ... CCE-50263-3 A source-routed packet attempts to specify the network path that the system should take. If the system is not configured to block the sending of source-routed packets, an attacker can redirect the system's network traffic. Fix: To configure the system to not forward source-routed packets, add the f ... CCE-50231-0 Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system. Fix: $ sudo -u <username> defaults read com.apple.dock wvous-tl-corner $ sudo -u <username> defaults rea ... CCE-50301-1 Firewall logging must be enabled. This ensures that malicious network activity will be logged to the system. This requirement is NA if HBSS is used. Fix: To enable the firewall logging, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on CCE-50226-0 The macOS _MUST_ be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. Fix: sudo pwpolicy setglobalpolicy 'maxMinutesOfNonUse=50400' Note: 35 Days = 50400 minutes ... CCE-50241-9 Automatically checking for updates makes it easier for the user to know when updates are available. It is important that a system has the newest updates applied to prevent unauthorized persons from exploiting identified vulnerabilities. Fix: defaults write /Library/Preferences/com.apple.SoftwareUpda ... CCE-50210-4 The system _MUST_ be configured to enforce multifactor authentication. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. NOTE: /etc/pam.d/login will be automatically modified to its original state following any update o ... CCE-50294-8 Infrared [IR] kernel support must be disabled to prevent users from controlling the system with IR devices. By default, if IR is enabled, the system will accept IR control from any remote. Fix: To disable IR, run the following command: sudo defaults write /Library/Preferences/com.apple.driver.Appl ... CCE-50232-8 Disabling Internet Sharing reduces the remote attack surface of the system. Internet sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices. ... CCE-50209-6 The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a ... CCE-50260-9 A filename extension is a suffix added to a base filename that indicates the base filenames file format. Visible filename extensions allow for the user to identify file types and the applications that files are associated with. It would help in identifying malicious files. Fix: defaults write /User ... CCE-50275-7 Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to chan ... CCE-50251-8 NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the users computer. File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer. Fix nfsd disable CCE-50322-7 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long ... CCE-50227-8 The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer. The account lockout feature mitigates brute-force password attacks on the system. The numb ... CCE-50238-5 If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. ... CCE-50229-4 The macOS _MUST_ be configured to require at least one lower-case character an one upper-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. Fix: To set the password policy, run ... CCE-50235-1 If the system does not require Remote Apple Events, support for Apple Remote Events is non-essential and _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the un ... CCE-50269-0 A source-routed packet attempts to specify the network path the packet should take. If the system is not configured to block the incoming source-routed packets, an attacker can redirect the system's network traffic. Configuring the system to drop incoming source-routed IPv4 packets mitigates this ri ... CCE-50219-5 SSH _MUST_ be configured with an Active Server Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unatte ... CCE-50317-7 Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authentic ... CCE-50222-9 If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. ... CCE-50214-6 The system _MUST_ be configured to prevent access to other users home folders. The default behavior of macOS is to allow all valid users access to the the top level of every other users home folder while restricting access only to the Apple default folders within. Fix: IFS=$'\n' for userDirs in ... CCE-50323-5 External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed. Fix: Renaming or Removing /System/Library/Extensions/IOUSBMassStorag ... CCE-50248-4 Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. If the time on the Mac is off by more than 5 minutes, Apple's single sign-on feature and active directory logins may be affected. Fix: To set date and time automatically sy ... CCE-50288-0 The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to cr ... CCE-50276-5 By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation. Enforcement ... CCE-50264-1 The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When minfree is set to 25%, security personnel are notified immediately w ... CCE-50233-6 Location Services _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. Fix: /usr/bin/defaults wr ... CCE-50218-7 SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Ord ... CCE-50206-2 Audit log files _MUST_ have the group set to wheel. The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and wr ... CCE-50270-8 The Application Firewall is the built in firewall that comes with Mac OS X and must be enabled. Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. Fix: To ... CCE-50284-9 By default, Mac OS X obligingly displays the password hint for an account after three unsuccessful attempts at entering a password. Where security is an issue, this is like serving a hacker a piece of apple pie. Therefore, head to System Preferences, display the Accounts settings, click the Login Op ... CCE-50295-5 Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators should only run commands as root after first authenticating with their individual user names and p ... CCE-50225-2 macOS has a privilege that can be granted to any user that will allow that user to unlock active users sessions. Disabling the admins and/or users ability to log into another users active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal informatio ... CCE-50286-4 The owner of the /etc/syslog.conf file must be root. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies ... CCE-50204-7 Audit log files _MUST_ be owned by root. The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by sys ... CCE-50215-3 The built-in web server is a non-essential service built into macOS and _MUST_ be disabled. Fix: /bin/launchctl disable system/org.apache.httpd CCE-50244-3 By automatically installing app store updates in the background, the user safeguarded from potential vulnerabilities in the previous version of the App Store. Fix: defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool true CCE-50289-8 The kernel extension for Wi-Fi network devices such as Airport must be removed to ensure that users will not be able to reactivate wireless networking at a later time. System updates will sometimes replace deleted kernel extensions. Administrator users may need to periodically check to ensure that t ... CCE-50296-3 SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session ... CCE-50207-0 Audit log files _MUST_ be owned by root. The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by sys ... CCE-50406-8 The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more ... CCE-50385-4 Automatic logon must be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged ... CCE-50392-0 The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration. Audit: Verify the macOS system is configured to disable the Bluetooth system settings pane with the following command: /usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath ... CCE-50402-7 USB devices connected to a Mac must be authorized. NOTE: This feature is removed if a smart card is paired or smart card attribute mapping is configured. Audit: Verify the macOS system is configured to authorize USB devices before allowing connection with the following command: / ... CCE-50396-1 The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential, and therefore must be disabled to prevent against the risk of individuals electing to enable TouchID to override organizationwide settings. ... CCE-50384-7 The macOS system must be configured to disable Bluetooth unless an approved device is connected. NOTE: Information system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential ... CCE-50400-1 Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disabled to prevent passwords from being shared. Audit: Verify the macOS system is configured to d ... CCE-50386-2 TouchID enables the ability to unlock a macOS system with a user's fingerprint. TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID. The system must remain locked until the user establishes access using an authorized identification and a ... CCE-50371-4 The macOS built-in Mail.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization must be controlled by an organization approved service. ... CCE-50378-9 The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be control ... CCE-50366-4 The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smart card must meet the following criteria: its issuer has a system-trusted certificate, the certif ... CCE-50381-3 The System Settings pane for TouchID must be disabled. Disabling the System Settings pane prevents the users from configuring TouchID. Audit: Verify the macOS system is configured to disable the TouchID System Settings pane with the following command: /usr/bin/profiles show -output stdout ... CCE-50373-0 The macOS must be configured to disable the camera. Audit: Verify the macOS system is configured to disable the camera with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowCam ... CCE-50410-0 Time synchronization must be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Audit: Verify the macOS system is configured to enforce time synchronization with the fo ... CCE-50372-2 The macOS built-in Notes.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization must be controlled by an organization approved service. ... CCE-50405-0 The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication ... CCE-50368-0 The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization approved ser ... CCE-50374-8 The prompt for Apple ID setup during Setup Assistant must be disabled. macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first log on. ... CCE-50376-3 The prompt to set up iCloud storage services during Setup Assistant must be disabled. The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. Audit: Verif ... CCE-50379-7 The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization must be controlled by an organization app ... CCE-50412-6 Users must authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. Audit: Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the f ... CCE-50397-9 The prompt for Screen Time setup during Setup Assistant must be disabled. Audit: Verify the macOS system is configured to disable Screen Time prompt during Setup Assistant with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('c ... CCE-50377-1 The prompt for Siri during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings; this is not essential and, therefore, must be disabled to prevent a ... CCE-50388-8 Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled. Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. Audit: Verify the macOS system ... CCE-50401-9 Erase Content and Settings must be disabled. Audit: Verify the macOS system is configured to disable Erase Content and Settings with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey( ... CCE-50394-6 Smart card authentication must be allowed. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enabled, the smart card can be used for logon, authorization, and screen saver unlocking. Audit: Verify the macOS system is configured ... CCE-50382-1 The System Settings pane for Wallet and Apple Pay must be disabled. Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay. Audit: Verify the macOS system is con figured to disable the System Settings pane for Wallet and Apple Pay with the following com ... CCE-50370-6 The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization must be controlled by an organization approved ser ... CCE-50403-5 The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must be configured to mode 640 permissive or less; thereby preventing normal users from reading, modifying, or deleting audit logs. System logs frequently c ... CCE-50407-6 /etc/security/audit_control must not contain Access Control Lists (ACLs). /etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators in order to prevent no ... CCE-50398-7 The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. Aud ... CCE-50390-4 The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled. The information system must be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Appl ... CCE-50399-5 Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. Audit: Verify the macOS system is configured to disable handoff with the f ... CCE-50391-2 Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices. Audit: For Apple Silicon-based systems, this is not applicable. Verify the macOS system is configured to disable dictation with the following command: /usr/bin/os ... CCE-50387-0 The system must disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane. This prevents the addition of unauthorized accounts. NOTE: ... CCE-50393-8 Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the smart card must be used for logon, authorization, and unlocking the screensaver. CAUTION:enfor ... CCE-50389-6 Password Autofill must be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature must be disabled to prevent users from being prompted to save passwords in appli ... CCE-50369-8 The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization must be controlled by an organization approved s ... CCE-50395-3 The login window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their usernam ... CCE-50375-5 The prompt for Privacy Setup services during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings; this is not essential and, therefore, must b ... CCE-50408-4 Auto logout must be configured to automatically terminate a user session and log out the after 86400 seconds of inactivity. Note:The maximum that macOS can be configured for autologoff is 86400 seconds. NOTE: The automatic logout may cause disruptions to an organization's workflow and/or loss of d ... CCE-50411-8 Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. Audit: Verify the macOS system is configured to prevent Apple Watch from terminating ... CCE-50380-5 The macOS built-in Photos.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization must be controlled by an organization approved service. ... CCE-50365-6 The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed. Audit: Verify the macOS system is configured to prevent AdminHostInfo fr ... CCE-50404-3 The system log files must be owned by root. System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. Audit: Verify the macOS system is configured with system log files owned by ... CCE-50367-2 The system must not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different Unix systems as well as sending commands to be executed on another system, is not essential and must be disabled in order to prevent the unauthori ... CCE-50383-9 The System Settings pane for Siri must be hidden. Hiding the System Settings pane prevents the users from configuring Siri. Audit: Verify the macOS system is configured to disable the system settings pane for Siri with the following command: /usr/bin/profiles show -output stdout-xml | /us ... |
