#
# This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.0 $
# $Date: 2021/08/02 $
#
# description : This document implements the security configuration as recommended by the
# CIS Apple macOS 11 Benchmark v1.2.0
#
# CIS Apple macOS 11 v1.2.0 L1
#
# CIS
# Apple macOS 11 L1
# 1.2.0
# https://workbench.cisecurity.org/files/3425
#
# macosx,agent,unix
# LEVEL,CSCv6,CSCv7,CIS_Recommendation
#
# ACCESS_WARNING
# This system is reserved for authorized use only and may be monitored.
# Login Window Text
# An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored.
#

type : CMD_EXEC
description : "MacOS 12 is installed"
cmd : "/usr/bin/sw_vers | /usr/bin/grep 'ProductVersion'"
expect : "^ProductVersion[\\s]*:[\\s]*12\\."

description : "CIS_Apple_macOS_11_v1.2.0_L1.audit from CIS Apple macOS 11 Benchmark v1.2.0"
see_also : "https://workbench.cisecurity.org/files/3425"

type : CMD_EXEC
description : "1.1 Verify all Apple-provided software is current"
info : "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.

Software updates should be run at minimum every 30 days.
Run the following command to verify when software update was previously run:

$ sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep -e LastFullSuccessfulDate

The response should be in the last 30 days (Example):

LastFullSuccessfulDate = '2020-07-30 12:45:25 +0000';

Rationale: It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.

Impact: Missing patches can lead to more exploit opportunities."
solution : "Perform the following to install all available software updates:

Graphical Method:
Open System Preferences
Select Software Update
Select Show Updates
Select Update All

Terminal Method:
Run the following command to verify what packages need to be installed:

$ sudo softwareupdate -l

The output will include the following:
Software Update found the following new or updated software:

Run the following command to install all the packages that need to be updated:

$ sudo softwareupdate -i -a

Or run the following command to install individual packages:

$ sudo softwareupdate -i '<package name>'

example:
$ sudo softwareupdate -l
Software Update Tool
Finding available software
Software Update found the following new or updated software:
* iTunesX-12.8.2
iTunes (12.8.2), 273614K [recommended]

$ sudo softwareupdate -i 'iTunesX-12.8.2'
Software Update Tool
Downloaded iTunes
Installing iTunes
Done with iTunes
Done."
reference : "800-171|3.14.1,800-53|SI-2c.,CIS_Recommendation|1.1,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|AM38,NIAv2|AM39,NIAv2|SS14b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/softwareupdate -l 2>&1"
expect : "No new software available"

type : MACOSX_DEFAULTS_READ
description : "1.2 Enable Auto Update"
info : "Auto Update verifies that your system has the newest security patches and software updates. If 'Automatically check for updates' is not selected, background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.

http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/

Rationale: It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities.

Impact: Without automatic update, updates may not be made in a timely manner and the system will be exposed to additional risk."
solution : "Perform the following to enable the system to automatically check for updates:

Graphical Method:
Open System Preferences
Select Software Update
Select Advanced
Select Check for updates

Terminal Method:
Run the following command to enable auto update:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.2,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "AutomaticCheckEnabled"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.3 Enable Download new updates when available"
info : "In the GUI both 'Install macOS updates' and 'Install app updates from the App Store' are dependent on whether 'Download new updates when available' is selected.

Rationale: It is important that a system has the newest updates downloaded so that they can be applied.

Impact: If 'Download new updates when available' is not selected, updates may not be made in a timely manner and the system will be exposed to additional risk."
solution : "Perform the following to enable the system to automatically check for updates:

Graphical Method:
Open System Preferences
Select Software Update
Select Advanced
Select Download new updates when available

Terminal Method:
Run the following command to enable auto update:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.3,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "AutomaticDownload"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.4 Enable app update installs"
info : "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users.

Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.

Impact: Unpatched software may be exploited."
solution : "Perform the following to enable App Store updates to install automatically:

Graphical Method:
Open System Preferences
Select Software Updates
Select Advanced
Select Install app updates from the App Store

Terminal Method:
Run the following command to turn on App Store auto updating:

$ sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE

This remediation requires a log out and log in to show in the GUI."
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.4,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "AutoUpdate"
plist_name : "/Library/Preferences/com.apple.commerce"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.5 Enable system data files and security updates install - 'ConfigDataInstall'"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.

http://www.thesafemac.com/tag/xprotect/
https://support.apple.com/en-us/HT202491

Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.

Impact: Unpatched software may be exploited."
solution : "Perform the following to enable system data files and security updates to install automatically:

Graphical Method:
Open System Preferences
Select Software Updates
Select Advanced
Select Install system data files and security updates

Terminal Method:
Run the following commands to enable automatic checking of system data files and security updates:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.5,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "ConfigDataInstall"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.5 Enable system data files and security updates install - 'CriticalUpdateInstall'"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.

http://www.thesafemac.com/tag/xprotect/
https://support.apple.com/en-us/HT202491

Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.

Impact: Unpatched software may be exploited."
solution : "Perform the following to enable system data files and security updates to install automatically:

Graphical Method:
Open System Preferences
Select Software Updates
Select Advanced
Select Install system data files and security updates

Terminal Method:
Run the following commands to enable automatic checking of system data files and security updates:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true
$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.5,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "CriticalUpdateInstall"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.6 Enable macOS update installs"
info : "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.

Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.
Impact: Unpatched software may be exploited."
solution : "Perform the following to enable macOS updates to run automatically:

Graphical Method:
Open System Preferences
Select Software Updates
Select Advanced
Select Install macOS updates

Terminal Method:
Run the following command to enable automatic checking and installing of macOS updates:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|1.6,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "AutomaticallyInstallMacOSUpdates"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
regex : "0"
plist_item : "ControllerPowerState"
plist_name : "/Library/Preferences/com.apple.Bluetooth"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
info : "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure.

Rationale: Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access.

Impact: There have been many Bluetooth exploits.
While Bluetooth can be hardened, it does create a local wireless network that can be attacked to compromise both devices and information. Apple has emphasized the ease of use in Bluetooth devices so it is generally expected that Bluetooth will be used. Turning off Bluetooth with this control will also disable the Bluetooth sharing capability that is more strongly recommended against in control 2.4.7."
solution : "Perform the following to disable Bluetooth:

Graphical Method:
Open System Preferences
Select Bluetooth
Select Turn Bluetooth Off

Terminal Method:
Run the following commands to disable Bluetooth:

$ sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
$ sudo killall -HUP blued

Note: When using the terminal method to disable Bluetooth, the prescribed state will not be properly shown in the GUI. Use the terminal method of the audit to verify if Bluetooth is enabled/disabled."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.1.1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "ControllerPowerState"
plist_name : "/Library/Preferences/com.apple.Bluetooth"
plist_option : CANNOT_BE_NULL

type : CMD_EXEC
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
info : "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure.
Rationale: Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access.

Impact: There have been many Bluetooth exploits. While Bluetooth can be hardened, it does create a local wireless network that can be attacked to compromise both devices and information. Apple has emphasized the ease of use in Bluetooth devices so it is generally expected that Bluetooth will be used. Turning off Bluetooth with this control will also disable the Bluetooth sharing capability that is more strongly recommended against in control 2.4.7."
solution : "Perform the following to disable Bluetooth:

Graphical Method:
Open System Preferences
Select Bluetooth
Select Turn Bluetooth Off

Terminal Method:
Run the following commands to disable Bluetooth:

$ sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
$ sudo killall -HUP blued

Note: When using the terminal method to disable Bluetooth, the prescribed state will not be properly shown in the GUI. Use the terminal method of the audit to verify if Bluetooth is enabled/disabled."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|2.1.1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/system_profiler SPBluetoothDataType | /usr/bin/grep \"Bluetooth:\" -A 20 | /usr/bin/grep Connectable"
expect : "Connectable: Yes"

type : MACOSX_DEFAULTS_READ
description : "2.1.2 Show Bluetooth status in menu bar"
info : "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar.
This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off.

Rationale: Enabling 'Show Bluetooth status in menu bar' is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.

Impact: Bluetooth is a useful wireless tool that has been widely exploited when configured improperly. The user should have insight into the Bluetooth status."
solution : "Perform the following to enable Bluetooth status in the menu bar:

Graphical Method:
Open System Preferences
Select Bluetooth
Select Show Bluetooth in menu bar

Terminal Method:
For each user, run the following command to enable Bluetooth status in the menu bar:

$ sudo -u <username> defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18

example:
$ sudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.1.2,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "18"
byhost : YES
plist_item : "Bluetooth"
plist_name : "com.apple.controlcenter"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "2.2.1 Enable 'Set time and date automatically' - Set time and date automatically"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.

Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space.

Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.
This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features.

Impact: Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on 'Set time and date automatically' allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting. Current testing shows scanners can easily determine the MAC address and the OS vendor. More extensive OS fingerprinting may be possible."
solution : "Perform the following to enable the date and time to be set automatically:

Graphical Method:
Open System Preferences
Select Date & Time
Verify that Set date and time automatically is selected

Terminal Method:
Run the following commands to enable the date and time setting automatically:

$ sudo systemsetup -setnetworktimeserver <your time server>
setNetworkTimeServer: <your time server>
$ sudo systemsetup -setusingnetworktime on
setUsingNetworkTime: On

example:
$ sudo systemsetup -setnetworktimeserver time.apple.com
setNetworkTimeServer: time.apple.com
$ sudo systemsetup -setusingnetworktime on
setUsingNetworkTime: On

Run the following commands if you have not set, or need to set, a new time zone:

$ sudo systemsetup -listtimezones
$ sudo systemsetup -settimezone <time zone>

example:
$ sudo systemsetup -listtimezones
Time Zones:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...
Pacific/Wake
Pacific/Wallis
$ sudo systemsetup -settimezone America/New_York
Set TimeZone: America/New_York"
reference : "800-171|3.3.7,800-53|AU-8(1),CIS_Recommendation|2.2.1,CN-L3|8.1.4.3(b),CSCv6|6.1,CSCv7|6.1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.4,ITSG-33|AU-8(1),LEVEL|1A,NESA|T3.6.7,NIAv2|NS44,NIAv2|NS45,NIAv2|NS46,NIAv2|NS47,PCI-DSSv3.1|10.4,PCI-DSSv3.2|10.4,QCSC-v1|8.2.1,QCSC-v1|13.2,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/systemsetup -getusingnetworktime"
expect : "Network Time:[\\s]*On"

type : CMD_EXEC
description : "2.2.2 Ensure time set is within appropriate limits"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed.

Note: ntpdate has been deprecated with 10.14. sntp replaces that command.

Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.

Impact: Accurate time is required for many computer functions."
solution : "Run the following commands to ensure your time is set within an appropriate limit:

$ sudo systemsetup -getnetworktimeserver

The output will include Network Time Server: and the name of your time server

example: Network Time Server: time.apple.com.
$ sudo touch /var/db/ntp-kod
$ sudo chown root:wheel /var/db/ntp-kod
$ sudo sntp -sS <your time server>

example:
$ sudo systemsetup -getnetworktimeserver
Network Time Server: time.apple.com
$ sudo touch /var/db/ntp-kod
$ sudo chown root:wheel /var/db/ntp-kod
$ sudo sntp -sS time.apple.com

Additional Information:
The associated check will fail if no network connection is available."
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.2.2,CN-L3|8.1.10.6(d),CSCv7|6.1,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "sntp `/usr/sbin/systemsetup -getnetworktimeserver | cut -d ' ' -f 4` | grep '+/-' | cut -d ' ' -f 4,5,6"
expect : "^[\\-\\+]?([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-6][0-9]|270)\\.([\\d]{1,6})[\\s]+\\+\\/\\-[\\s]+([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-6][0-9]|270)\\.([\\d]{1,6})[\\s]*$"

type : MACOSX_DEFAULTS_READ
description : "2.3.1 Set an inactivity interval of 15 minutes or less for the screen saver"
info : "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screensaver starts after a value is selected in the drop down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale: Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact: If the screensaver is not set users may leave the computer available for an unauthorized person to access information."
solution : "Perform the following to set the screen saver to activate in 20 minutes or less:

Graphical Method:
Open System Preferences
Select Desktop & Screen Saver
Select Screen Saver
Select an option for Start after that is 20 minutes or less (<=1200)

Terminal Method:
Run the following command to set the idle time of the screen saver to 15 minutes or less (<=900):

$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <seconds>

example:
$ sudo defaults -currentHost write com.apple.screensaver idleTime -int 900

If there are multiple users out of compliance with the prescribed setting, run this command for each user to set their idle time:

$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <seconds>

example:
$ sudo -u seconduser defaults -currentHost write com.apple.screensaver idleTime -int 900
$ sudo -u seconduser defaults -currentHost read com.apple.screensaver idleTime
600

Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues."
reference : "800-171|3.1.10,800-53|AC-11.,CIS_Recommendation|2.3.1,CN-L3|8.1.4.1(b),CSCv6|16.5,CSCv7|16.11,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : ".* = ([1-9]|[1-8][0-9]|9[0-9]|[1-8][0-9]{2}|900)$"
byhost : YES
plist_item : "idleTime"
plist_name : "com.apple.screensaver"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver"
info : "In 10.13 Apple added a 'Lock Screen' option to the Apple Menu. Prior to this the best quick lock options were to use either a lock screen option with the screen saver or the lock screen option from Keychain Access if status was made available in the menu bar. With 10.13 the menu bar option is no longer available.
The intent of this control is to resemble control-alt-delete on Windows Systems as a means of quickly locking the screen. If the user of the system is stepping away from the computer the best practice is to lock the screen, and setting a hot corner is an appropriate method.

Rationale: Ensuring the user has a quick method to lock their screen may reduce the opportunity for individuals in close physical proximity of the device to see screen contents."
solution : "Perform the following to set a Hot Corner to either Start Screen Saver or Put Display to Sleep:

Graphical Method:
Open System Preferences
Select Desktop & Screen Saver
Select Screen Saver
Select Hot Corners... and turn on either/both Start Screen Saver or Put Display to Sleep

Terminal Method:
For all users, run the following command to set Start Screen Saver (5) or Put Display to Sleep (10) as a Hot Corner, where <corner> is the corner key (tl and bl are shown in the example):

$ sudo -u <username> defaults write com.apple.dock wvous-<corner>-corner -int <5 or 10>

example:
$ sudo -u seconduser defaults write com.apple.dock wvous-tl-corner -int 10
$ sudo -u seconduser defaults read com.apple.dock wvous-tl-corner
10
$ sudo -u seconduser defaults write com.apple.dock wvous-bl-corner -int 5
$ sudo -u seconduser defaults read com.apple.dock wvous-bl-corner
10"
reference : "800-171|3.1.10,800-53|AC-11a.,CIS_Recommendation|2.3.3,CN-L3|8.1.4.1(b),CSCv7|16.11,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11a.,LEVEL|1M,NESA|T2.3.8,NESA|T2.3.9,NIAv2|AM23a,NIAv2|AM23b"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read ~/Library/Preferences/com.apple.dock | /usr/bin/grep -i corner"
expect : "\".*-corner\"[\\s]*=[\\s]*(5|10);$"

type : CMD_EXEC
description : "2.4.1 Disable Remote Apple Events"
info : "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.

Rationale: Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system.
Impact: With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer."
solution : "Perform the following to disable Remote Apple Events:

Graphical Method:
Open System Preferences
Select Sharing
Verify that Remote Apple Events is not set

Terminal Method:
Run the following command to set Remote Apple Events to Off:

$ sudo systemsetup -setremoteappleevents off
setremoteappleevents: Off"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|2.4.1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/systemsetup -getremoteappleevents"
expect : "^Remote Apple Events:[\\s]*Off"

type : CMD_EXEC
description : "2.4.2 Disable Internet Sharing"
info : "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.

Rationale: Disabling Internet Sharing reduces the remote attack surface of the system.

Impact: Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices."
solution : "Perform the following to disable Internet Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Internet Sharing

Terminal Method:
Run the following command to turn off Internet Sharing:

$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0

Note: Using the Terminal Method will not uncheck the setting in System Preferences>Sharing but will disable the underlying service."
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.4.2,CN-L3|8.1.10.6(d),CSCv6|3.1,CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | /usr/bin/grep -i Enabled | /usr/bin/grep -v 0 | /usr/bin/awk '{print} END {if (NR == 0) print\"pass\"}'"
expect : "pass"

type : CMD_EXEC
description : "2.4.3 Disable Screen Sharing"
info : "Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.

Rationale: Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
solution : "Perform the following to disable Screen Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Screen Sharing

Terminal Method:
Run the following command to turn off Screen Sharing:
$ sudo launchctl disable system/com.apple.screensharing"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.4.3,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.screensharing\" => true'"
expect : "1"
type : CMD_EXEC
description : "2.4.4 Disable Printer Sharing"
info : "By enabling Printer Sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.

Rationale: Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
solution : "Perform the following to disable Printer Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Printer Sharing

Terminal Method:
Run the following command to disable Printer Sharing:
$ sudo cupsctl --no-share-printers"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.4.4,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/cupsctl | /usr/bin/grep _share_printers"
expect : "_share_printers=0"
type : CMD_EXEC
description : "2.4.5 Disable Remote Login"
info : "Remote Login allows an interactive terminal connection to a computer.

Rationale: Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to POSIX servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP-based firewall available (pf; ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built in and does not have strong brute-force password guessing mitigations, or frequent patching of OpenSSH by Apple. Since most macOS computers are mobile workstations, managing IP-based firewall rules on mobile devices can be very resource-intensive. All of these factors can be parts of running a hardened SSH server.

Impact: The SSH server built into macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications including email, web browser and productivity tools should not use the same device as a server. There are enterprise management tool-sets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate admin service accounts. For macOS computers that are being used for specialized functions there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered:

Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account they are not optimal. If authorization happens after authentication, directory accounts for users that don't even use the system can be locked out.

Do not use SSH key pairs when there is no insight into the security of the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key they may not need a password or a key logger to access the SSH server.

Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks but it is beyond the scope of this benchmark."
solution : "Perform the following to disable Remote Login:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Remote Login

Terminal Method:
Run the following command to disable Remote Login:
$ sudo systemsetup -setremotelogin off
Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)?
Entering yes will disable remote login.

Additional Information:
man sshd_config"
reference : "800-171|3.1.1,800-171|3.1.2,800-53|AC-17.,CIP|005-5-R2,CIS_Recommendation|2.4.5,CN-L3|8.1.4.4(c),CN-L3|8.1.10.6(i),CSCv7|9.2,CSF|PR.AC-3,CSF|PR.PT-4,ISO/IEC-27001|A.6.2.2,ITSG-33|AC-17,LEVEL|1A,NESA|T5.4.5,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.6"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/systemsetup -getremotelogin"
expect : "^Remote[\\s]*Login:[\\s]*Off$"
type : CMD_EXEC
description : "2.4.6 Disable DVD or CD Sharing"
info : "DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing, the sharing of an external optical drive persists when a drive is reconnected.

Rationale: Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data.

Impact: Many Apple devices are now sold without optical drives and drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long term storage. To store necessary data from an optical drive it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in its original form on another form of external storage."
solution : "Perform the following to disable DVD or CD Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck DVD or CD sharing

Terminal Method:
Run the following command to disable DVD or CD Sharing:
$ sudo launchctl disable system/com.apple.ODSAgent

Note: If using the Terminal method, the GUI will still show the service checked until after a reboot."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.4.6,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.ODSAgent\" => true'"
expect : "1"
type : MACOSX_DEFAULTS_READ
description : "2.4.7 Disable Bluetooth Sharing"
info : "Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.

Rationale: Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system.

Impact: Control 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem. It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must be enabled if sharing is an acceptable use case."
solution : "Perform the following to disable Bluetooth Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Bluetooth Sharing

Terminal Method:
Run the following command to disable Bluetooth Sharing:
$ sudo -u <username> defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
example:
$ sudo -u firstuser defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
byhost : YES
not_regex : "1"
plist_item : "PrefKeyServicesEnabled"
plist_name : "com.apple.Bluetooth"
plist_option : CAN_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.4.8 Disable File Sharing - AppleFileServer"
info : "Server Message Block (SMB), Common Internet File System (CIFS)

When Windows (or possibly Linux) computers need to access files shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.

Rationale: By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.

Impact: File Sharing can be used to share documents with other users but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily."
solution : "Perform the following to disable File Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck File Sharing

Terminal Method:
Run the following command to disable SMB file sharing:
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|2.4.8,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl list | /usr/bin/grep AppleFileServer | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : CMD_EXEC
description : "2.4.8 Disable File Sharing - SMB"
info : "Server Message Block (SMB), Common Internet File System (CIFS)

When Windows (or possibly Linux) computers need to access files shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.

Rationale: By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.

Impact: File Sharing can be used to share documents with other users but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily."
solution : "Perform the following to disable File Sharing:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck File Sharing

Terminal Method:
Run the following command to disable SMB file sharing:
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.4.8,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.smbd\" => true'"
expect : "1"
type : CMD_EXEC
description : "2.4.9 Disable Remote Management"
info : "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regarding screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems.

Rationale: Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.

Impact: Many organizations utilize ARD for client management."
solution : "Perform the following to disable Remote Management:

Graphical Method:
Open System Preferences
Select Sharing
Uncheck Remote Management

Terminal Method:
Run the following command to disable Remote Management:
$ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
Starting...
Removed preference to start ARD after reboot.
Done.

Additional Information:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|2.4.9,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSCv7|4.3,CSCv7|9.2,CSCv7|14.3,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/ps -ef | /usr/bin/egrep ARDAgent | /usr/bin/grep -v egrep | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
type : MACOSX_DEFAULTS_READ
description : "2.4.12 Ensure AirDrop Is Disabled"
info : "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other. In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be restricted so that only people already trusted and added to contacts can interact with you. While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.

Rationale: AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area.

Impact: Disabling AirDrop can limit the ability to move files quickly over the network without using file shares."
solution : "Perform the following to disable AirDrop:

Graphical Method:
Open Finder
Select Go
Select AirDrop
Set Allow me to be discovered by: No One

Terminal Method:
Run the following commands to disable AirDrop:
$ sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
example:
$ sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.4.12,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|13,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "DisableAirDrop"
plist_name : "com.apple.NetworkBrowser"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.5.1.1 Enable FileVault"
info : "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. FileVault may also be enabled from the command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details:
https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/

Rationale: Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.

Impact: Mounting a FileVaulted volume from an alternate boot source will require a valid password to decrypt it."
solution : "Perform the following to enable FileVault:

Graphical Method:
Open System Preferences
Select Security & Privacy
Select FileVault
Select Turn on FileVault

Additional Information:
FileVault may not be desirable on a virtual OS. As long as the hypervisor and file storage are encrypted the virtual OS does not need to be. Rather than checking if the OS is virtual and passing the control regardless of the encryption of the host system, the normal check will be run. Security officials can evaluate the comprehensive controls outside of the OS being tested."
reference : "800-171|3.13.16,800-53|SC-28(1),CIS_Recommendation|2.5.1.1,CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv6|13.2,CSCv7|13.6,CSCv7|14.8,CSF|PR.DS-1,ITSG-33|SC-28(1),LEVEL|1A,QCSC-v1|5.2.2,QCSC-v1|6.2,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/fdesetup status"
expect : "FileVault[\\s]+is[\\s]+On."
type : CMD_EXEC
description : "2.5.1.2 Ensure all user storage APFS volumes are encrypted"
info : "Apple developed a new file system that was first made available in 10.12 and then became the default in 10.13. The file system is optimized for Flash and Solid State storage and encryption.
https://en.wikipedia.org/wiki/Apple_File_System

macOS computers generally have several volumes created as part of APFS formatting including Preboot, Recovery and Virtual Memory (VM) as well as traditional user disks. All APFS volumes that do not have specific roles that do not require encryption should be encrypted. 'Role' disks include Preboot, Recovery and VM. User disks are labelled with '(No specific role)' by default.

Rationale: In order to protect user data from loss or tampering, volumes carrying data should be encrypted.

Impact: While FileVault protects the boot volume, data may be copied to other attached storage and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted to protect data."
solution : "Use Disk Utility to erase a user disk and format as APFS (Encrypted).

Note: APFS Encrypted disks will be described as 'FileVault' whether they are the boot volume or not in the ap list."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.5.1.2,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|13.6,CSCv7|14.8,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1M,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/diskutil ap list"
expect : "FileVault[\\s]*:[\\s]*Yes"
type : CMD_EXEC
description : "2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted"
info : "Apple introduced CoreStorage with 10.7. It is used as the default for formatting on macOS volumes prior to 10.13. All HFS and CoreStorage volumes should be encrypted.

Rationale: In order to protect user data from loss or tampering, volumes carrying data should be encrypted.

Impact: While FileVault protects the boot volume, data may be copied to other attached storage and reduce the protection afforded by FileVault. Ensure all user volumes are encrypted to protect data."
solution : "Use Disk Utility to erase a disk and format as macOS Extended (Journaled, Encrypted)"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.5.1.3,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|13.6,CSCv7|14.8,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1M,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/diskutil cs list"
expect : "Encryption[\\s]+Type[\\s]*:[\\s]*AES-XTS"
type : CMD_EXEC
description : "2.5.2.1 Enable Gatekeeper"
info : "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.

Rationale: Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
solution : "Perform the following to implement the prescribed state:

Graphical Method:
Open System Preferences
Select Security & Privacy
Select General
Set Allow apps downloaded from to App Store and identified developers

Terminal Method:
Run the following command to enable Gatekeeper to allow applications from App Store and identified developers:
$ sudo spctl --master-enable"
reference : "800-171|3.4.8,800-53|CM-7(4),CIS_Recommendation|2.5.2.1,CSCv7|2.6,CSCv7|2.7,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS13a,QCSC-v1|3.2,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/sbin/spctl --status"
expect : "assessments[\\s]*enabled"
type : MACOSX_DEFAULTS_READ
description : "2.5.2.2 Enable Firewall"
info : "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
http://support.apple.com/en-us/HT201642

Rationale: A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet.

Impact: The firewall may block legitimate traffic. Applications that are unsigned will require special handling."
solution : "Perform the following to turn the firewall on:

Graphical Method:
Open System Preferences
Select Security & Privacy
Select Firewall
Select Turn On Firewall

Terminal Method:
Run the following command to enable the firewall:
$ sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
For the <value>, use either 1, specific services, or 2, essential services only."
reference : "800-171|3.13.1,800-53|SC-7(12),CIS_Recommendation|2.5.2.2,CN-L3|8.1.10.6(j),CSCv6|9.2,CSCv7|9.4,CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "[12]"
plist_item : "globalstate"
plist_name : "/Library/Preferences/com.apple.alf"
plist_option : CANNOT_BE_NULL
type : CMD_EXEC
description : "2.5.2.3 Enable Firewall Stealth Mode"
info : "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.
http://support.apple.com/en-us/HT201642

Rationale: Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.

Impact: Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected. This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses stealth mode may not be desirable."
solution : "Perform the following to enable stealth mode:

Graphical Method:
Open System Preferences
Select Security & Privacy
Select Firewall Options
Turn on Enable stealth mode

Terminal Method:
Run the following command to enable stealth mode:
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth mode enabled

Additional Information:
http://docs.info.apple.com/article.html?artnum=306938"
reference : "800-171|3.13.1,800-53|SC-7(12),CIS_Recommendation|2.5.2.3,CN-L3|8.1.10.6(j),CSCv6|9.2,CSCv7|9.4,CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode"
expect : "Stealth mode enabled"
type : MACOSX_DEFAULTS_READ
description : "2.5.6 Limit Ad tracking and personalized Ads"
info : "Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer that when they see advertising it is relevant to them and their interests, the detailed information that data mining collects, correlates, and makes available to advertisers in repositories is often disconcerting. This information is valuable to both advertisers and attackers and has been used with other metadata to reveal users' identities. Organizations should manage advertising settings on computers rather than allow users to configure the settings.

Apple Information
Ad tracking should be limited on 10.15 and prior.

Rationale: Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.

Impact: Users will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads."
solution : "Perform the following to set limited ad tracking:

Graphical Method:
Open System Preferences
Select Security & Privacy
Select Privacy
Select Advertising
Set Limit Ad Tracking

Terminal Method:
For each needed user, run the following command to enable limited ad tracking:
$ sudo -u <username> defaults -currentHost write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
example:
$ sudo -u seconduser defaults -currentHost write /Users/seconduser/Library/Preferences/com.apple.Adlib.plist forceLimitAdTracking -bool true"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|2.5.6,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|13,CSCv7|3,CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "allowApplePersonalizedAdvertising"
plist_name : "com.apple.AdLib.plist"
plist_option : CANNOT_BE_NULL
plist_user : "all"
type : CMD_EXEC
description : "2.7.2 Time Machine Volumes Are Encrypted"
info : "One of the most important security tools for data protection on macOS is FileVault. With encryption in place it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use. While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes.

Rationale: Backup volumes need to be encrypted."
solution : "Perform the following to enable encryption on the Time Machine drive:

Graphical Method:
Open System Preferences
Select Time Machine
Select Backup Disk...
Select the existing Time Machine backup drive from the Available Drive list
Set Encrypt backups
Select Use Disk

Note: You can set encryption through Disk Utility or diskutil in terminal."
reference : "800-171|3.13.16,800-53|SC-28(1),CIS_Recommendation|2.7.2,CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|10.4,CSF|PR.DS-1,ITSG-33|SC-28(1),LEVEL|1A,QCSC-v1|5.2.2,QCSC-v1|6.2,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.TimeMachine.plist | /usr/bin/grep LastKnownEncryptionState"
expect : "LastKnownEncryptionState[\\s]*=[\\s]*Encrypted"
type : CMD_EXEC
description : "2.8 Disable Wake for network access"
info : "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals.

Rationale: Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.

Impact: Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
solution : "Perform the following to disable Wake for network access or Power Nap:

Graphical Method:
Open System Preferences
Select Energy Saver
Uncheck Wake for network access

Terminal Method:
Run the following command to disable Wake for network access:
$ sudo pmset -a womp 0

Additional Information:
man pmset"
reference : "800-171|3.1.10,800-53|AC-11.,CIS_Recommendation|2.8,CN-L3|8.1.4.1(b),CSCv6|3.1,CSCv7|9.2,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pmset -g | /usr/bin/grep womp"
expect : "^[\\s]*womp[\\s]*0$"
type : CMD_EXEC
description : "2.9 Disable Power Nap"
info : "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.

Rationale: Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.

Impact: Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled the computer will not wake and reconnect to known wireless SSIDs intermittently when slept."
solution : "Perform the following to disable Wake for network access or Power Nap:
Graphical Method:
Open System Preferences
Select Energy Saver
Uncheck Enable Power Nap
Terminal Method:
Run the following command to disable Power Nap:
$ sudo pmset -a powernap 0
Additional Information: man pmset"
reference : "800-171|3.1.10,800-53|AC-11a.,CIS_Recommendation|2.9,CN-L3|8.1.4.1(b),CSCv7|9.2,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11a.,LEVEL|1A,NESA|T2.3.8,NESA|T2.3.9,NIAv2|AM23a,NIAv2|AM23b"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pmset -g everything | /usr/bin/grep -c 'powernap 1'"
expect : "0"

type : MACOSX_DEFAULTS_READ
description : "2.10 Enable Secure Keyboard Entry in terminal.app"
info : "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal.
Rationale: Enabling Secure Keyboard Entry minimizes the risk of a key logger detecting what is entered in Terminal."
solution : "Perform the following to enable secure keyboard entries in Terminal:
Graphical Method:
Open Terminal
Select Terminal
Select Secure Keyboard Entry
Terminal Method:
$ sudo -u defaults write -app Terminal SecureKeyboardEntry -bool true
example:
$ sudo -u firstuser defaults write -app Terminal SecureKeyboardEntry -bool true"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.10,CN-L3|8.1.10.6(d),CSCv7|9.2,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "SecureKeyboardEntry"
plist_name : "com.apple.Terminal"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "Check to see if there's an Apple T2 Security Chip on the system"
cmd : "system_profiler SPiBridgeDataType | awk -F: '/Model Name/ {print $NF}' | sed 's/^ *//'"
expect : "Apple T2 Security Chip"

description : "2.11 Ensure EFI version is valid and being regularly checked - integrity-check"
info : "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
Rationale: If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted either."
solution : "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
reference : "800-53|SI-7(9),CIS_Recommendation|2.11,CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|2.2,CSF|PR.DS-6,ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,QCSC-v1|3.2"
see_also : "https://workbench.cisecurity.org/files/3425"

type : CMD_EXEC
description : "2.11 Ensure EFI version is valid and being regularly checked - integrity-check"
info : "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
Rationale: If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted either."
solution : "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
reference : "800-53|SI-7(9),CIS_Recommendation|2.11,CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|2.2,CSF|PR.DS-6,ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,QCSC-v1|3.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check"
expect : "No[\\s]+changes[\\s]+detected[\\s]+in[\\s]+primary[\\s]+hashes"

type : CMD_EXEC
description : "2.11 Ensure EFI version is valid and being regularly checked - daemon"
info : "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
Rationale: If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted either."
solution : "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
reference : "800-53|SI-7(9),CIS_Recommendation|2.11,CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|2.2,CSF|PR.DS-6,ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,QCSC-v1|3.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl list | /usr/bin/grep com.apple.driver.eficheck"
expect : "com.apple.driver.eficheck"

type : CMD_EXEC
description : "2.12 Automatic Actions for Optical Media"
info : "Managing automatic actions, while useful in very few situations, is unlikely to increase security on the computer and does complicate the user experience and add additional complexity to the configuration. These settings are user controlled and can be changed without Administrator privileges unless controlled through MCX settings or Parental Controls. Unlike Windows, auto-run for optical media is handled through Operating System applications. Those same applications can open and access the media directly.
If optical media is not allowed in the environment the optical media drive should be disabled in hardware and software.
Rationale: Setting automatic actions for optical media can mitigate malicious code from running automatically when optical media is inserted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Perform the following to set the optical media action setting:
Graphical Method:
Open System Preferences
Select CDs & DVDs
Set each option to meet your organization's requirements
Terminal Method:
Run the following command to set the optical media action:
$ sudo -u defaults write /Users//Library/Preferences/com.apple.digihub -dict action
example:
$ sudo -u seconduser defaults write /Users/seconduser/Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
The five media types are com.apple.digihub.blank.cd.appeared (blank cd), com.apple.digihub.blank.dvd.appeared (blank dvd), com.apple.digihub.cd.music.appeared (music cd), com.apple.digihub.cd.picture.appeared (picture cd), and com.apple.digihub.dvd.video.appeared (DVD movie)."
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.12,CN-L3|8.1.10.6(d),CSCv7|8,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1M,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read com.apple.digihub"
expect : "Manual Review Required"
severity : MEDIUM

type : CMD_EXEC
description : "2.13 Review Siri Settings"
info : "With macOS 10.12 Sierra Apple has introduced Siri from iOS to macOS. While there are data spillage concerns with the use of data gathering personal assistant software, the risk here does not seem greater in sending queries to Apple through Siri than in sending search terms in a browser to Google or Microsoft.
While it is possible that Siri will be used for local actions rather than Internet searches, Siri could, in theory, tell Apple about confidential Programs and Projects that should not be revealed. This appears to be a usage edge case. In cases where sensitive and protected data is processed and Siri could help a user navigate their machine and expose that information, it should be disabled. Siri does need to phone home to Apple, so it should not be available from air-gapped networks as part of its requirements. Most of the use case data published has shown that Siri is a tremendous time saver on iOS where multiple screens and menus need to be navigated through. Information like sports scores, weather, movie times and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be more risky than already approved activity. For information on Apple's privacy policy for Siri, click here.
Rationale: Where 'normal' user activity is already limited, Siri use should be controlled as well.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Perform the following to set Siri to your organization's parameters:
Graphical Method:
Open System Preferences
Select Siri
Select the settings that are within your organization's requirements
Terminal Method:
Run the following commands to enable or disable Siri settings:
$ sudo -u defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool
$ sudo -u defaults write com.apple.Siri.plist LockscreenEnabled -bool
$ sudo -u defaults write com.apple.Siri.plist StatusMenuVisible -bool
$ sudo -u defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool
After running the default writes, the Windows Server needs to be restarted and the caches cleared.
Run the following commands to perform that action:
$ sudo killall -HUP cfprefsd
$ sudo killall SystemUIServer
example:
$ sudo -u firstuser defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool true
$ sudo -u firstuser defaults write com.apple.Siri.plist StatusMenuVisible -bool true
$ sudo -u firstuser defaults write com.apple.Siri.plist LockscreenEnabled -bool false
$ sudo killall -HUP cfprefsd
$ sudo killall SystemUIServer
$ sudo -u seconduser defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool false
$ sudo killall -HUP cfprefsd
$ sudo killall SystemUIServer
$ sudo -u thirduser defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false
$ sudo killall -HUP cfprefsd
$ sudo killall SystemUIServer"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|2.13,CN-L3|8.1.10.6(d),CSCv7|5,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1M,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read com.apple.assistant.support.plist | grep -i 'Assistant Enabled'; /usr/bin/defaults read com.apple.Siri.plist | egrep -i '(StatusMenuVisible|VoiceTriggerUserEnabled)'"
expect : "Manual Review Required"
severity : MEDIUM

description : "2.14 Review Sidecar Settings"
info : "Apple introduced a technology called Sidecar with the release of macOS 10.15 'Catalina' that allows the use of an Apple iPad as an additional screen. There are no known security issues with the use of Sidecar at the time of the publication of this Benchmark. There are security concerns with some of the underlying technology that allows this feature to work. The Apple support article below has the additional requirements that are reproduced below. So while Sidecar may not have an explicit security concern, some organizations may have requirements that block the use of the features required to allow Sidecar to work.
https://support.apple.com/en-afri/HT210380
Additional requirements
Both devices must be signed in to iCloud with the same Apple ID using two-factor authentication.
To use Sidecar wirelessly, both devices must be within 10 meters (30 feet) of each other and have Bluetooth, Wi-Fi, and Handoff turned on. Also make sure that the iPad is not sharing its cellular connection and the Mac is not sharing its Internet connection.
To use Sidecar over USB, make sure that your iPad is set to trust your Mac.
Organizations that do not allow the use of iCloud and more specifically Handoff will not be able to use Sidecar. Some organizations may not allow the use of mixed ownership for P2P wireless or USB connections, so that unless the organization controls both the Mac and the iPad, connections may not be approved, and the use of a single Apple ID for distinctly managed devices may be prohibited.
Rationale: Organizations need to have an understanding of integration of organizational and personal inventory in the work environment.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Perform the following to set Sidecar to your organization's parameters:
Graphical Method:
Open System Preferences
Select Sidecar
Select the settings that are within your organization's parameters
Terminal Method:
Run the following to enable or disable Sidecar settings:
$ sudo defaults write com.apple.sidecar.display AllowAllDevices
$ sudo defaults write com.apple.sidecar.display hasShownPref
Note: Using the Terminal Method will not display in System Preferences, but will disable the underlying service."
reference : "800-53|CM-10,CIS_Recommendation|2.14,CSCv7|15,CSCv8|16,LEVEL|1M"
see_also : "https://workbench.cisecurity.org/files/3425"

type : CMD_EXEC
description : "3.1 Enable security auditing"
info : "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made.
These notifications are captured and written to an audit log.
Rationale: Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
solution : "Perform the following to enable security auditing:
Run the following command to load auditd:
$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|3.1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|6.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1A,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl list | /usr/bin/grep -i auditd"
expect : "com.apple.auditd"

type : CMD_EXEC
description : "3.3 Retain install.log for 365 or more days with no maximum size - ttl"
info : "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an 'all_max' file limitation, no reference to a minimum retention and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries.
The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information.
man asl.conf
The maximum file size limitation string should be removed 'all_max='
An organization appropriate retention should be added 'ttl='
The rotation should be set with timestamps 'rotate=utc' or 'rotate=local'
Rationale: Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
Impact: Without log files system maintenance and security forensics cannot be properly performed."
solution : "Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
reference : "800-53|AU-11.,CIP|007-6-R4.3,CIS_Recommendation|3.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-11,LEVEL|1A,NESA|M5.2.3,NESA|T3.6.2,NIAv2|SM7,PCI-DSSv3.1|10.7,PCI-DSSv3.2|10.7,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/grep -i install\\.log /etc/asl/com.apple.install | /usr/bin/grep -i ttl"
expect : "[Tt][Tt][Ll]=(36[5-9]|3[7-9][0-9]|[4-9]\d{2,}|[1-9]\d{3,})"

type : CMD_EXEC
description : "3.3 Retain install.log for 365 or more days with no maximum size - all_max"
info : "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file.
The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an 'all_max' file limitation, no reference to a minimum retention and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information.
man asl.conf
The maximum file size limitation string should be removed 'all_max='
An organization appropriate retention should be added 'ttl='
The rotation should be set with timestamps 'rotate=utc' or 'rotate=local'
Rationale: Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
Impact: Without log files system maintenance and security forensics cannot be properly performed."
solution : "Perform the following to ensure that install logs are retained for at least 365 days:
Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
reference : "800-53|AU-11.,CIS_Recommendation|3.3,CSCv7|6.4,CSF|PR.PT-1,ITSG-33|AU-11,LEVEL|1A,NESA|M5.2.3,NESA|T3.6.2,NIAv2|SM7,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/grep -i install\\.log /etc/asl/com.apple.install | /usr/bin/grep -i all_max | /usr/bin/awk '{print} END {if (NR == 0) print \"pass - all_max value not found\"; else print \"fail\"}'"
expect : "^pass - all_max value not found$"

type : FILE_CONTENT_CHECK
description : "3.4 Ensure security auditing retention"
info : "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records. Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use the following:
expire-after:60d OR 1G
More info in the man page
man audit_control
Rationale: The audit records need to be retained long enough to be reviewed as necessary.
Impact: The recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data."
solution : "Perform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 1G"
reference : "800-53|AU-4.,CIS_Recommendation|3.4,CSCv6|6.3,CSCv7|6.4,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|1A,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
file : "/etc/security/audit_control"
regex : "^expire-after:"
expect : "^expire-after:(([6-9][0-9]|[1-9][0-9]{2,})D|[1-9][0-9]{0,}G)"

type : FILE_CHECK
description : "3.5 Control access to audit records - /etc/security/audit_control"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale: Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes.
Impact: This control is only checking the default configuration to ensure that unwanted access to audit records is not available."
solution : "Run the following commands to set the audit records to the root user and wheel group:
$ sudo chown -R root:wheel /etc/security/audit_control
$ sudo chmod -R -o-rw /etc/security/audit_control
$ sudo chown -R root:wheel /var/audit/
$ sudo chmod -R -o-rw /var/audit/
Note: It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent.
Check for signs of file tampering as well as unapproved OS changes.
Additional Information: From ls man page
-e Print the Access Control List (ACL) associated with the file, if present, in long (-l) output.
More info:
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|3.5,CN-L3|8.1.10.6(d),CSCv6|3.1,CSCv7|14.6,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
file : "/etc/security/audit_control"
owner : "root"
mask : "337"
group : "wheel" || "root"

type : FILE_CHECK
description : "3.5 Control access to audit records - /var/audit"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale: Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes.
Impact: This control is only checking the default configuration to ensure that unwanted access to audit records is not available."
solution : "Run the following commands to set the audit records to the root user and wheel group:
$ sudo chown -R root:wheel /etc/security/audit_control
$ sudo chmod -R -o-rw /etc/security/audit_control
$ sudo chown -R root:wheel /var/audit/
$ sudo chmod -R -o-rw /var/audit/
Note: It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.
Additional Information: From ls man page
-e Print the Access Control List (ACL) associated with the file, if present, in long (-l) output.
More info:
https://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-acls/
http://ahaack.net/technology/OS-X-Access-Control-Lists-ACL.html"
reference : "800-171|3.3.8,800-53|AU-9.,CIS_Recommendation|3.5,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSCv6|3.1,CSCv7|14.6,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,LEVEL|1A,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
file : "/var/audit"
owner : "root"
mask : "337"
group : "wheel" || "root"

type : CMD_EXEC
description : "3.6 Ensure Firewall is configured to log"
info : "The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled.
Rationale: In order to troubleshoot the successes and failures of a firewall, logging should be enabled.
Impact: Detailed logging may result in excessive storage."
solution : "Run the following command to enable logging of the firewall:
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
Additional Information: More info http://krypted.com/tag/socketfilterfw/"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|3.6,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv7|6.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1A,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep on | /usr/bin/awk \'{print} END {if (NR == 0) print \"fail\"}\'"
expect : "Log mode is on"

type : CMD_EXEC
description : "Check to see if there's a wireless adapter on the system"
cmd : "/usr/sbin/networksetup -listallhardwareports | /usr/bin/grep 'Hardware Port: Wi-fi'"
expect : "Hardware Port: Wi-fi"

type : MACOSX_DEFAULTS_READ
description : "4.2 Enable 'Show Wi-Fi status in menu bar' - Show Wi-Fi status in menu bar"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
Rationale: Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
Impact: The user of the system should have a quick check on their wireless network status available."
solution : "Perform the following to enable Wi-Fi status in the menu bar:
Graphical Method:
Open System Preferences
Select Network
Select Wi-Fi
Set Show Wi-Fi status in menu bar
Terminal Method:
For each user, run the following to turn the Wi-Fi status on in the menu bar:
$ sudo -u defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
example:
$ sudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
Additional Information: AirPort is Apple's marketing name for its 802.11b, g, and n wireless interfaces."
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|4.2,CN-L3|8.1.10.6(d),CSCv7|15.4,CSCv7|15.5,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "18"
byhost : YES
plist_item : "WiFi"
plist_name : "com.apple.controlcenter"
plist_option : CANNOT_BE_NULL
plist_user : "all"

description : "4.2 Enable 'Show Wi-Fi status in menu bar' - Show Wi-Fi status in menu bar"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
Rationale: Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
Impact: The user of the system should have a quick check on their wireless network status available."
solution : "Perform the following to enable Wi-Fi status in the menu bar:
Graphical Method:
Open System Preferences
Select Network
Select Wi-Fi
Set Show Wi-Fi status in menu bar
Terminal Method:
For each user, run the following to turn the Wi-Fi status on in the menu bar:
$ sudo -u defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
example:
$ sudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
Additional Information: AirPort is Apple's marketing name for its 802.11b, g, and n wireless interfaces."
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|4.2,CN-L3|8.1.10.6(d),CSCv7|15.4,CSCv7|15.5,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"

type : CMD_EXEC
description : "4.4 Ensure http server is not running"
info : "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
Rationale: Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer.
Impact: The web server is both a point of attack for the system and a means for unauthorized file transfers."
solution : "Run the following command to disable the http server services:
$ sudo launchctl disable system/org.apache.httpd"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|4.4,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl print-disabled system | /usr/bin/grep -c '\"org.apache.httpd\" => true'"
expect : "1"

type : CMD_EXEC
description : "4.5 Ensure nfs server is not running."
info : "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.
Rationale: File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer.
Impact: The nfs server is both a point of attack for the system and a means for unauthorized file transfers."
solution : "Run the following command to disable the nfsd fileserver services:
$ sudo launchctl disable system/com.apple.nfsd
Remove the exported Directory listing.
$ sudo rm /etc/exports"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIS_Recommendation|4.5,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv7|9.2,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/launchctl print-disabled system | /usr/bin/grep -c '\"com.apple.nfsd\" => true'"
expect : "1"

type : CMD_EXEC
description : "5.1.1 Secure Home Folders"
info : "By default, macOS allows all valid users into the top level of every other user's home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a 'Documents' folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system. The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions. Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
Rationale: Allowing all users to view the top level of all networked users' home folders may not be desirable since it may lead to the revelation of sensitive information.
Impact: If implemented, users will not be able to use the 'Public' folders in other users' home folders. 'Public' folders with appropriate permissions would need to be set up in the /Shared folder."
solution : "For each user, run the following command to secure all home folders:
$ sudo chmod -R og-rwx /Users/<username>/
Alternately, run the following command if there needs to be executable access for a home folder:
$ sudo chmod -R og-rw /Users/<username>/
example:
$ sudo chmod -R og-rw /Users/thirduser/
$ sudo chmod -R og-rwx /Users/fourthuser/
# ls -l /Users/
total 0
drwxr-xr-x+ 12 Guest      _guest  384 24 Jul 13:42 Guest
drwxrwxrwt   4 root       wheel   128 22 Jul 11:00 Shared
drwx--x--x+ 18 firstuser  staff   576 10 Aug 14:36 firstuser
drwx--x--x+ 15 seconduser staff   480 10 Aug 09:16 seconduser
drwx--x--x+ 11 thirduser  staff   352 10 Aug 14:53 thirduser
drwx------+ 11 fourthuser staff   352 10 Aug 14:53 fourthuser"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|5.1.1,CN-L3|8.1.10.6(d),CSCv6|3.1,CSCv7|14.6,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/find /Users -type d ! -perm -1000 -maxdepth 1 -a -perm +0066 | /usr/bin/egrep -v '^/Users$' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.1.2 Check System Wide Applications for appropriate permissions"
info : "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions.
Rationale: Unauthorized modifications of applications could lead to the execution of malicious code.
Impact: Applications changed will no longer be world-writable."
solution : "Run the following command to change the permissions for each application that does not meet the requirements:
$ sudo chmod -R o-w /Applications/<application>.app/
example:
$ sudo chmod -R o-w /Applications/Google\ Chrome.app/
$ sudo find /Applications -iname '*.app' -type d -perm -2 -ls
922602 0 drwxr-xrwx 3 seconduser admin 96 8 Aug 04:32 /Applications/Google Chrome copy.app"
reference : "800-171|3.1.5,800-53|AC-6(7)(b),CIS_Recommendation|5.1.2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|14.6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.5,ITSG-33|AC-6,LEVEL|1A,NESA|M1.1.3,NESA|T5.1.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/find /Applications -iname '*\.app' -type d -perm -2 -ls | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.1.3 Check System folder for world writable files"
info : "Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.
Rationale: Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the 'Drop Box' folder that is part of Apple's default user template."
solution : "Run the following command to set permissions so that folders are not world-writable in the /System folder:
$ sudo chmod -R o-w /Path/
example:
$ sudo chmod -R o-w /System/Volumes/Data/System/Library/baddir"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.1.3,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|14.6,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/find /System/Volumes/Data/System -type d -perm -2 -ls | /usr/bin/grep -v 'Public/Drop Box' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.2.1 Configure account lockout threshold"
info : "The account lockout threshold specifies the number of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer.
Rationale: The account lockout feature mitigates brute-force password attacks on the system.
Impact: The number of incorrect logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon. The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered."
solution : "Run the following command to set the maximum number of failed login attempts to less than or equal to 3:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=<value>'
example:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'maxFailedLoginAttempts=3'"
reference : "800-171|3.1.8,800-53|AC-7a.,CIS_Recommendation|5.2.1,CN-L3|8.1.4.1(b),CSCv7|16.7,ITSG-33|AC-7a.,LEVEL|1A,NESA|T5.5.1,NIAv2|AM24,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A 1 'policyAttributeMaximumFailedAuthentications' | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1"
expect : "^[1-3]$"

type : CMD_EXEC
description : "5.2.2 Set a minimum password length"
info : "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements. Ensure that a minimum of a 14-character password is part of the password policy on the computer. Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.
Rationale: Information systems that are not protected with strong password schemes, including passwords of minimum length, provide a greater opportunity for attackers to crack the password and gain access to the system.
Impact: Short passwords can be easily attacked."
solution : "Run the following command to set the password length to greater than or equal to 14:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'minChars=<value>'
example:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'minChars=14'"
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIS_Recommendation|5.2.2,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv7|4.4,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1A,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -e 'Must be a minimum of' -e 'Contain at least'"
expect : "(Must[\\s]+be[\\s]+a[\\s]+minimum[\\s]+of[\\s]+(1[4-9]|2[0-9])[\\s]+characters|Contain[\\s]+at[\\s]+least[\\s]+(1[4-9]|2[0-9])[\\s]+characters)"

type : CMD_EXEC
description : "5.2.7 Password Age"
info : "Over time passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
Rationale: Passwords should be changed periodically to reduce exposure.
Impact: Required password changes will lead to some locked computers requiring admin assistance."
solution : "Run the following command to require that passwords expire after at most 90 days:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=<value>'
example:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'maxMinutesUntilChangePassword=129600'"
reference : "800-171|3.5.2,800-53|IA-5(1)(d),CIS_Recommendation|5.2.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSCv7|16.9,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(d),LEVEL|1A,NESA|T5.2.3,NIAv2|AM20,NIAv2|AM21,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep policyAttributeExpiresEveryNDays -A1"
# The alternation must be grouped: an ungrouped '[1-8][0-9]' would also match a value such as 365.
expect : "<integer>([1-9]|[1-8][0-9]|90)</integer>"

type : CMD_EXEC
description : "5.2.8 Password History"
info : "Over time passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15. The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns, and substantially different patterns should be used in case of a leak.
Rationale: Old passwords should not be reused.
Impact: Required password changes will lead to some locked computers requiring admin assistance."
solution : "Run the following command to require that the password must be different from at least the last 24 passwords:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'usingHistory=<value>'
example:
$ sudo pwpolicy -n /Local/Default -setglobalpolicy 'usingHistory=24'"
reference : "800-171|3.5.2,800-53|IA-5f.,CIS_Recommendation|5.2.8,CN-L3|8.1.4.1(a),CSCv7|4.4,CSF|PR.AC-1,ITSG-33|IA-5f.,LEVEL|1A,NESA|T5.5.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep -A 1 'policyAttributePasswordHistoryDepth'"
expect : "(2[4-9]|[3-9][0-9])"

type : FILE_CONTENT_CHECK
description : "5.3 Reduce the sudo timeout period"
info : "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process or attacker could utilize legitimate credentials that are valid for longer than required.
Rationale: The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user.
Impact: This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period.
In some ways the use of sudo -s, which is undesirable, is better than a long grace period, since that use does change the shell prompt (the # hash) to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password."
solution : "Run the following command to edit the sudo settings:
$ sudo visudo
Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section.
Additional Information:
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
##
# Override built-in defaults
##
Defaults env_reset
Defaults env_keep += 'BLOCKSIZE'
Defaults env_keep += 'COLORFGBG COLORTERM'
Defaults env_keep += '__CF_USER_TEXT_ENCODING'
Defaults env_keep += 'CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE'
Defaults env_keep += 'LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME'
Defaults env_keep += 'LINES COLUMNS'
Defaults env_keep += 'LSCOLORS'
Defaults env_keep += 'SSH_AUTH_SOCK'
Defaults env_keep += 'TZ'
Defaults env_keep += 'DISPLAY XAUTHORIZATION XAUTHORITY'
Defaults env_keep += 'EDITOR VISUAL'
Defaults env_keep += 'HOME MAIL'
Defaults lecture_file = '/etc/sudo_lecture'
Defaults timestamp_timeout=0
##
# User alias specification
##
# User_Alias FULLTIMERS = millert, mikef, dowdy
##
# Runas alias specification
##
# Runas_Alias OP = root, operator
##
# Host alias specification
##
# Host_Alias CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
# Host_Alias SERVERS = master, mail, www, ns
# Host_Alias CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
# Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d"
reference : "800-171|3.1.1,800-53|AC-3(7),CIS_Recommendation|5.3,CN-L3|7.1.2.2(g),CN-L3|7.1.3.2(c),CSCv7|16.11,CSF|PR.AC-4,CSF|PR.PT-3,HIPAA|164.310(a)(2)(iii),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/3425"
file : "/etc/sudoers"
regex : "^[\\s]*Defaults[\\s]*timestamp_timeout[\\s]*=[\\s]*0"
expect : "^[\\s]*Defaults[\\s]*timestamp_timeout[\\s]*=[\\s]*0"

type : FILE_CONTENT_CHECK_NOT
description : "5.5 Use a separate timestamp for each user/tty combo"
info : "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS.
Rationale: In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes.
Impact: This control should have no user impact. Developers or installers may have issues if background processes are spawned with different interfaces than where sudo was executed."
solution : "Edit the /etc/sudoers file with visudo and remove !tty_tickets from any Defaults line.
If there is a Default line of timestamp_type= with a value other than tty, change the value to tty.
If there is a file in the /etc/sudoers.d/ folder that contains Defaults !tty_tickets, edit the file and remove !tty_tickets from any Defaults line.
If there is a file in the /etc/sudoers.d/ folder that contains a Default line of timestamp_type= with a value other than tty, change the value to tty.
Default Value: If no value is set, the default value of tty_tickets enabled will be used.
Additional Information: https://github.com/jorangreef/sudo-prompt/issues/33"
reference : "800-171|3.1.1,800-53|AC-3(7),CIS_Recommendation|5.5,CN-L3|7.1.2.2(g),CN-L3|7.1.3.2(c),CSCv7|16.11,CSF|PR.AC-4,CSF|PR.PT-3,HIPAA|164.310(a)(2)(iii),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/3425"
file : "/etc/sudoers"
regex : "^[\\s]*Defaults[\\s]+!tty_tickets"
expect : "^[\\s]*Defaults[\\s]+!tty_tickets"

type : CMD_EXEC
description : "5.7 Do not enable the 'root' account - root account"
info : "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions.
Rationale: Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell).
Impact: Some legacy POSIX software might expect an available root account."
solution : "Perform the following to ensure that the root user is disabled:
Graphical Method:
Open /System/Library/CoreServices/Applications/Directory Utility
Click the lock icon to unlock the service
Click Edit
Click Disable Root User
Terminal Method:
Run the following command to disable the root user:
$ sudo dsenableroot -d
username = root
user password:"
reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|5.7,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/dscl . -read /Users/root AuthenticationAuthority"
expect : "(No such key: AuthenticationAuthority|Disabled)"

type : CMD_EXEC
description : "5.8 Disable automatic login"
info : "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen.
Rationale: Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.
Impact: If automatic login is not disabled an unauthorized user could gain access to the system without supplying any credentials."
solution : "Perform the following to set automatic login to off:
Graphical Method:
Open System Preferences
Select Users & Groups
Click the lock to authenticate
Select Login Options
Select Automatic login and set it to Off
Terminal Method:
Run the following command to disable automatic login:
$ sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
reference : "800-53|AC-14a.,CIS_Recommendation|5.8,CSCv7|4.2,ITSG-33|AC-14a.,LEVEL|1A,NESA|T5.6.1,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

description : "5.9 Require a password to wake the computer from sleep or screen saver"
info : "Sleep and screensaver modes are low power modes that reduce electrical consumption while the system is not in use.
Rationale: Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.
Impact: Without a screenlock in place anyone with physical access to the computer would be logged in and able to use the active user's session.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Perform the following to enable a password for unlock after a screen saver begins:
Open System Preferences
Select Security & Privacy
Select General
Set Require password after sleep or screensaver begins with a time of <=5 minutes (immediately or 5 seconds is recommended)
Note: The command line check in previous versions of the Benchmark does not work as expected here. The use of a profile is recommended for both implementation and auditing on a 10.13 system.
Issue: https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2
Profile to control screensaver: https://github.com/rtrouton/profiles/blob/master/SetDefaultScreensaver/SetDefaultScreensaver.mobileconfig
Additional Information: This only protects the system when the screen saver is running."
reference : "800-53|IA-5e.,CIS_Recommendation|5.9,CSCv7|4.2,CSCv8|4.7,LEVEL|1M"
see_also : "https://workbench.cisecurity.org/files/3425"

type : CMD_EXEC
description : "5.11 Require an administrator password to access system-wide preferences"
info : "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer.
Rationale: By requiring a password to unlock system-wide System Preferences, the risk of a user changing configurations that affect the entire system is mitigated, and an admin user must re-authenticate to make changes.
Impact: If Automatic login is not disabled an unauthorized user could login without supplying a user password or credential."
solution : "Perform the following to verify that an administrator password is required to access system-wide preferences:
Graphical Method:
Open System Preferences
Select Security & Privacy
Select General
Select Advanced...
Set Require an administrator password to access system-wide preferences
Terminal Method:
The authorizationdb settings cannot be written to directly, so the plist must be exported out to a temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings.
Run the following commands to require that an administrator password is needed to access system-wide preferences:
$ sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist
YES (0)
$ sudo defaults write /tmp/system.preferences.plist shared -bool false
$ sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist
YES (0)"
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|5.11,CN-L3|8.1.10.6(d),CSCv6|3.1,CSCv7|5.1,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/security authorizationdb read system.preferences | /usr/bin/grep 'shared' -A1"
# An empty expect matches any output; the line following the 'shared' key must be the plist false value.
expect : "<false/>"

type : CMD_EXEC
description : "5.12 Ensure an administrator account cannot login to another user's active and locked session"
info : "macOS has a privilege that can be granted to any user that will allow that user to unlock other users' active sessions.
Rationale: Disabling the admin's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
Impact: While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows."
solution : "Run the following command to disable a user logging into another user's active and/or locked session:
$ sudo security authorizationdb write system.login.screensaver use-login-window-ui
YES (0)"
reference : "800-53|AC-10.,CIS_Recommendation|5.12,CSCv7|16.11,ITSG-33|AC-10,LEVEL|1A,NESA|T5.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c use-login-window-ui"
expect : "1"

type : MACOSX_DEFAULTS_READ
description : "5.13 Create a custom message for the Login Screen"
info : "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored.
Rationale: An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements.
Impact: If users are not informed of their responsibilities, unapproved activities may occur. Users that are not approved for access may take the lack of a warning banner as implied consent to access."
solution : "Run the following command to enable a custom login screen message:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText '<message>'
example:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText 'Center for Internet Security Test Message'"
reference : "800-171|3.1.9,800-53|AC-8a.,CIS_Recommendation|5.13,CSCv7|5.1,ITSG-33|AC-8a.,LEVEL|1A,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/3425"
# Note: Variable @ACCESS_WARNING@ replaced with "This system is reserved for authorized use only and may be monitored." in field "regex".
regex : "This system is reserved for authorized use only and may be monitored."
plist_item : "LoginwindowText"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CANNOT_BE_NULL

type : CMD_EXEC
description : "5.15 Do not enter a password-related hint"
info : "Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.
Rationale: Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks."
solution : "Perform the following to remove a user's password hint:
Graphical Method:
Open System Preferences
Select Users & Groups
Select the Current User
Select Change Password
Change the password and ensure that no text is entered in the Password hint box
Terminal Method:
Run the following command to remove a user's password hint:
$ sudo dscl . -delete /Users/<username> hint
example:
$ sudo dscl . -delete /Users/firstuser hint
$ sudo dscl . -delete /Users/seconduser hint
Additional Information:
Organizations might consider entering an organizational help desk phone number or other text (such as a warning to the user). A help desk number is only appropriate for organizations with trained help desk personnel that are validating user identities for password resets."
reference : "800-171|3.5.11,800-53|IA-6.,CIS_Recommendation|5.15,CSCv7|4.4,ITSG-33|IA-6,ITSG-33|IA-6a.,LEVEL|1A,NESA|T5.5.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ if ($2) print $0\" - fail\" }' | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\";}'"
expect : "^pass$"

type : CMD_EXEC
description : "5.18 System Integrity Protection status"
info : "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.
Rationale: Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP.
Impact: System binaries and processes could become compromised."
solution : "Perform the following to enable System Integrity Protection:
Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R)
Select Utilities
Select Terminal
Run the following command:
$ sudo /usr/bin/csrutil enable
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
Reboot the computer
Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition, the output will give the error: csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS."
reference : "800-53|SI-7(1),CIS_Recommendation|5.18,CN-L3|7.1.3.5(b),CSCv7|2.6,CSF|PR.DS-6,ITSG-33|SI-7(1),LEVEL|1A,NESA|T7.3.3,QCSC-v1|3.2,SWIFT-CSCv1|6.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/usr/bin/csrutil status"
expect : "System Integrity Protection status: enabled"

type : CMD_EXEC
description : "5.19 Enable Sealed System Volume (SSV)"
info : "Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur. During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree, which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume. The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system. During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree.
Rationale: Running without Sealed System Volume on a production system could run the risk of Apple software, that integrates directly with macOS, being modified.
Impact: Apple Software that integrates with the operating system could become compromised."
solution : "Perform the following to enable Sealed System Volume (authenticated root):
Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R)
Select an administrator's account and enter that account's password
Select Utilities
Select Terminal
Run the following command:
$ sudo /usr/bin/csrutil enable authenticated-root
Successfully enabled System authenticated root. Restart the machine for the changes to take effect.
Reboot the computer
Note: You cannot enable Sealed System Volume from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition, the output will give the error: csrutil: This tool needs to be executed from Recovery OS."
reference : "800-53|SI-7(9),CIS_Recommendation|5.19,CN-L3|8.1.2.3,CN-L3|8.1.4.6,CSCv7|13.6,CSCv7|14.8,CSF|PR.DS-6,ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,QCSC-v1|3.2" see_also : "https://workbench.cisecurity.org/files/3425" cmd : "/usr/bin/csrutil authenticated-root status" expect : "Authenticated Root status: enabled" type : MACOSX_DEFAULTS_READ description : "5.20 Enable Library Validation" info : "Library Validation is a security feature introduced in macOS 10.10 Yosemite. Library Validation protects processes from loading arbitrary libraries. This stops root from loading arbitrary libraries into any process (depending on SIP status),and keeps root from becoming more powerful. Security is strengthened, because some user processes can no longer be fooled to run additional code without root's explicit request, which may grant access to daemons that depend on Library Validation for secure validation of code identity. Rationale: Running without Library Validation on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by Library Validation. Impact: System binaries and processes could load arbitrary libraries." 
solution : "Run the following command to set Library Validation:
$ sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool false"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7a.,CIS_Recommendation|5.20,CN-L3|7.1.3.5(c),CN-L3|8.1.4.4(a),CSCv7|2.6,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS15a,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "DisableLibraryValidation"
plist_name : "/Library/Preferences/com.apple.security.libraryvalidation"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.1 Display login window as name and password"
info : "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system.

Rationale: Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
solution : "Perform the following to ensure the login window displays name and password:
Graphical Method:
Open System Preferences
Select Users and Groups
Select Login Options
Set Name and Password
Terminal Method:
Run the following command to enable the login window to display name and password:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

Note: The GUI will not display the updated setting until the current user(s) logs out."
reference : "800-171|3.1.7,800-53|AC-6(10),CIS_Recommendation|6.1.1,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|5.1,CSF|PR.AC-4,ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "SHOWFULLNAME"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.2 Disable 'Show password hints' - Show password hints"
info : "Password hints are user-created text displayed when an incorrect password is used for an account.

Rationale: Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user.

Impact: The user can set the hint to any value, including the password itself or clues that allow trivial social engineering attacks."
solution : "Perform the following to disable password hints from being shown:
Graphical Method:
Open System Preferences
Select Users & Groups
Select Login Options
Uncheck Show password hints
Terminal Method:
Run the following command to disable password hints:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
reference : "800-171|3.5.11,800-53|IA-6.,CIS_Recommendation|6.1.2,CSCv7|5.1,ITSG-33|IA-6,ITSG-33|IA-6a.,LEVEL|1A,NESA|T5.5.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "RetriesUntilHint"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CAN_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.3 Disable guest account login"
info : "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely log in to the system. All files, caches, and passwords created by the guest user are deleted upon logging out.

Rationale: Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.

Impact: A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access."
solution : "Perform the following to disable guest account availability:
Graphical Method:
Open System Preferences
Select Users & Groups
Select Guest User
Uncheck Allow guests to log in to this computer
Terminal Method:
Run the following command to disable the guest account:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false

Additional Information: By default, the guest account is enabled for access to sharing services but is not allowed to log in to the computer. The guest account does not need a password when it is enabled to log in to the computer."
reference : "800-171|3.1.1,800-53|AC-3.,CIS_Recommendation|6.1.3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4.4,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "GuestEnabled"
plist_name : "/Library/Preferences/com.apple.loginwindow.plist"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.4 Disable 'Allow guests to connect to shared folders' - AFP Sharing"
info : "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.

Rationale: Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.

Impact: Unauthorized users could access shared files on the system."
solution : "Perform the following to no longer allow guest user access to shared folders:
Graphical Method:
Open System Preferences
Select Users & Groups
Select Guest User
Uncheck Allow guests to connect to shared folders
Terminal Method:
Run the following commands to disable guest access to shared folders:
$ sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false"
reference : "800-171|3.1.1,800-53|AC-2.,CIS_Recommendation|6.1.4,CN-L3|7.1.3.2(d),CSCv7|14.6,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "guestAccess"
plist_name : "/Library/Preferences/com.apple.AppleFileServer"
plist_option : CAN_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.4 Disable 'Allow guests to connect to shared folders' - SMB Sharing"
info : "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.

Rationale: Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.

Impact: Unauthorized users could access shared files on the system."
solution : "Perform the following to no longer allow guest user access to shared folders:
Graphical Method:
Open System Preferences
Select Users & Groups
Select Guest User
Uncheck Allow guests to connect to shared folders
Terminal Method:
Run the following commands to disable guest access to shared folders:
$ sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false"
reference : "800-171|3.1.1,800-53|AC-2.,CIS_Recommendation|6.1.4,CN-L3|7.1.3.2(d),CSCv7|14.6,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
plist_item : "AllowGuestAccess"
plist_name : "/Library/Preferences/SystemConfiguration/com.apple.smb.server"
plist_option : CAN_BE_NULL

type : CMD_EXEC
description : "6.1.5 Remove Guest home folder"
info : "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed, you have the option to archive the home folder, leave it in place, or delete it. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed, it will be re-created. The presence of the Guest home folder can also cause automated audits to fail when looking for compliant settings within all User folders. Rather than ignoring the folder's continued existence, it is best removed.

Rationale: The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately.

Impact: The Guest account should not be necessary after it is disabled, and it will be automatically re-created if the Guest account is re-enabled."
solution : "Run the following command in Terminal to remove the Guest user home folder:
$ sudo rm -R /Users/Guest"
reference : "800-171|3.1.1,800-53|AC-2.,CIS_Recommendation|6.1.5,CN-L3|7.1.3.2(d),CSCv7|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/3425"
cmd : "/bin/ls /Users/ | /usr/bin/grep Guest | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : MACOSX_DEFAULTS_READ
description : "6.2 Turn on filename extensions"
info : "A filename extension is a suffix added to a base filename that indicates the base filename's file format.

Rationale: Visible filename extensions allow the user to identify the file type and the application it is associated with, which leads to quick identification of misrepresented malicious files.

Impact: The user of the system can open files of unknown or unexpected filetypes if the extension is not visible."
solution : "Perform the following to ensure file extensions are shown:
Graphical Method:
Open Finder
Select Finder in the Menu Bar
Select Preferences
Select Advanced
Set Show all filename extensions
Terminal Method:
Run the following command to enable displaying of file extensions:
$ sudo -u defaults write /Users//Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true
example:
$ sudo -u seconduser defaults write /Users/secondname/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true"
reference : "800-171|3.14.1,800-53|SI-2(5),CIS_Recommendation|6.2,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|2.6,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1A,NESA|T7.6.2,NESA|T7.7.1,NIAv2|NS26b,QCSC-v1|11.2,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "1"
plist_item : "AppleShowAllExtensions"
plist_name : ".GlobalPreferences"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : MACOSX_DEFAULTS_READ
description : "6.3 Disable the automatic run of safe files in Safari"
info : "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari determines file safety using a list of filetypes maintained by Apple. The list of files includes text, image, video and archive formats that would be run in the context of the OS rather than the browser.

Rationale: Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list and that will download and execute without user input.

Impact: Apple considers many files that the operating system itself auto-executes as 'safe files.' Many of these files could be malicious and could execute locally without the user even knowing that a file of a specific type had been downloaded."
solution : "Perform the following to set safe files to not open after downloading in Safari:
Graphical Method:
Open Safari
Select Safari from the menu bar
Select Preferences
Select General
Uncheck Open 'safe' files after downloading
Terminal Method:
Run the following command to stop safe files from opening automatically in Safari:
$ sudo -u defaults write /Users//Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
example:
$ sudo -u firstuser defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false

Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences."
reference : "800-171|3.13.13,800-53|SC-18(4),CIS_Recommendation|6.3,CSCv7|8.5,CSF|DE.CM-5,ITSG-33|SC-18(4),LEVEL|1A,NIAv2|SU3,QCSC-v1|3.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/3425"
regex : "0"
managed_path : "/Library/Containers"
plist_item : "AutoOpenSafeDownloads"
plist_name : "com.apple.Safari/Data/Library/Preferences/com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"

description : "7.4 Apple Watch features with macOS"
info : "With the release of macOS 10.12 Apple introduced a feature where the owner of an Apple Watch can lock and unlock their screen simply by being within range of a 10.12 computer when both devices are using the same AppleID with iCloud active. The benefit of not leaving the computer unlocked while the user is out of sight, and of readying the computer to resume work when the user returns without having to type in a password or insert a smartcard, does seem attractive to people who have the Apple Watch. It is a continuation of other features like Handoff and Continuity for users of multiple Apple products who have grown to expect their devices to work together.

For the screen unlock capability in particular, it may not be attractive to organizations that are managing Apple devices and credentials. The capability allows a user to unlock a computer tied to an Enterprise account with a personal token that is not managed or controlled by the Enterprise. If the user loses their watch, revoking the credential that can unlock the screen might be problematic. Apple Watches should not be used for screen unlocks unless Enterprise control of the watch as a token tied to a user identity can be achieved. The risk of an auto-lock based on the user being out of proximity may still be acceptable if it is possible to enable locking only.

This functionality does require the computer to be logged in to iCloud. If iCloud is disabled, the Apple Watch lock and unlock will not be possible. A profile may be used to control unlock functionality.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : ""
reference : "800-53|CM-6b.,CIS_Recommendation|7.4,CSCv7|16,CSCv8|2,LEVEL|1M"
see_also : "https://workbench.cisecurity.org/files/3425"

description : "7.6 Touch ID"
info : "Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot or where it has been more than 48 hours since the device was last unlocked.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : ""
reference : "800-53|AC-3,CIS_Recommendation|7.6,CSCv7|13,CSCv8|6,LEVEL|1M"
see_also : "https://workbench.cisecurity.org/files/3425"

description : "CIS_Apple_macOS_11_v1.2.0_L1.audit from CIS Apple macOS 11 Benchmark v1.2.0"
info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/files/3425"
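The CMD_EXEC items above (5.18, 5.19, 6.1.5) pass when the command output matches `expect`, and the MACOSX_DEFAULTS_READ items (5.20 through 6.1.4) pass when the plist value matches `regex`, with `plist_option` deciding what a missing key means. The following POSIX shell script is an added example that reproduces those evaluation rules; it is not Tenable's audit engine or a CIS script, the function names (`eval_cmd`, `eval_defaults`, `run_defaults`, `run_cmd`, `audit_all`) are my own, and the live checks assume they run on macOS with the paths given in the items above.

```shell
#!/bin/sh
# Added example (not Tenable's engine or a CIS script): evaluation rules for
# the CMD_EXEC and MACOSX_DEFAULTS_READ items above, with a live runner.

# eval_cmd OUTPUT EXPECT -> prints pass|fail
# CMD_EXEC: output must match the 'expect' regex (unanchored, as in the audit).
eval_cmd() {
  printf '%s\n' "$1" | grep -Eq -- "$2" && echo pass || echo fail
}

# eval_defaults VALUE EXIT_CODE REGEX PLIST_OPTION -> prints pass|fail
# MACOSX_DEFAULTS_READ: EXIT_CODE is the status of `defaults read DOMAIN KEY`.
# Non-zero means the key is absent, which passes only under CAN_BE_NULL;
# CANNOT_BE_NULL treats an absent key as a failure. The audit's bare "0"/"1"
# regexes are anchored here because `defaults read` prints a single value,
# so a stray "10" must not satisfy "0".
eval_defaults() {
  if [ "$2" -ne 0 ]; then
    [ "$4" = "CAN_BE_NULL" ] && echo pass || echo fail
    return 0
  fi
  printf '%s\n' "$1" | grep -Eq -- "^${3}\$" && echo pass || echo fail
}

# Live runners (macOS only): read the real value, then hand it to the evaluator.
run_defaults() {  # DESCRIPTION DOMAIN KEY REGEX PLIST_OPTION
  val=$(/usr/bin/defaults read "$2" "$3" 2>/dev/null); rc=$?
  printf '%-50s %s\n' "$1" "$(eval_defaults "$val" "$rc" "$4" "$5")"
}
run_cmd() {       # DESCRIPTION COMMAND EXPECT
  out=$(sh -c "$2" 2>/dev/null)
  printf '%-50s %s\n' "$1" "$(eval_cmd "$out" "$3")"
}

# The items above, with their regex/expect and plist_option values.
audit_all() {
  run_cmd "5.18 System Integrity Protection status" "/usr/bin/csrutil status" \
    "System Integrity Protection status: enabled"
  run_cmd "5.19 Enable Sealed System Volume (SSV)" \
    "/usr/bin/csrutil authenticated-root status" "Authenticated Root status: enabled"
  run_defaults "5.20 Enable Library Validation" \
    /Library/Preferences/com.apple.security.libraryvalidation DisableLibraryValidation 0 CANNOT_BE_NULL
  run_defaults "6.1.1 Display login window as name and password" \
    /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 1 CANNOT_BE_NULL
  run_defaults "6.1.2 Disable 'Show password hints'" \
    /Library/Preferences/com.apple.loginwindow RetriesUntilHint 0 CAN_BE_NULL
  run_defaults "6.1.3 Disable guest account login" \
    /Library/Preferences/com.apple.loginwindow GuestEnabled 0 CANNOT_BE_NULL
  run_defaults "6.1.4 AFP guest access" \
    /Library/Preferences/com.apple.AppleFileServer guestAccess 0 CAN_BE_NULL
  run_defaults "6.1.4 SMB guest access" \
    /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess 0 CAN_BE_NULL
  run_cmd "6.1.5 Remove Guest home folder" \
    "/bin/ls /Users/ | /usr/bin/grep Guest | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" none
}

# Run the live audit only on macOS; elsewhere the evaluators can still be fed
# captured output, which is how the constructed cases below exercise them.
if [ "$(uname -s)" = Darwin ]; then audit_all; fi
```

Note that 6.1.2 is CAN_BE_NULL in the audit, so a host that has never set RetriesUntilHint passes that item even though the solution text sets it explicitly; compare with 5.20, where an absent DisableLibraryValidation key fails.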