diff --git a/sca/macos/cis_apple_macOS_10.11.yml b/sca/macos/cis_apple_macOS_10.11.yml index 13de469e7..750d8e7fb 100644 --- a/sca/macos/cis_apple_macOS_10.11.yml +++ b/sca/macos/cis_apple_macOS_10.11.yml @@ -29,7 +29,7 @@ requirements: checks: # 1.1 Verify all Apple provided software is current (Scored) - - id: XXXXX + - id: 11000 title: "Verify all Apple provided software is current (Scored)" description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." @@ -40,7 +40,7 @@ checks: rules: - 'c:softwareupdate -l -> !r:^\s*Now new software available;' # 1.2 Enable Auto Update (Scored) - - id: XXXXX + - id: 11001 title: "Enable Auto Update (Scored)" description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur." rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." 
@@ -54,7 +54,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> !r:^\s*1;' # 1.3 Enable app update installs (Scored) - - id: XXXXX + - id: 11002 title: "Enable app update installs (Scored)" description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" @@ -65,7 +65,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1;' # 1.4 Enable system data files and security update installs (Scored) - - id: XXXXX + - id: 11003 title: "Enable system data files and security update installs (Scored)" description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" 
@@ -80,7 +80,7 @@ checks: - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*ConfigDataInstall\s*= && !r\s*1;;' - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*CriticalUpdateInstall\s*= && !r\s*1;;' # 1.5 Enable OS X update installs (Scored) - - id: XXXXX + - id: 11004 title: "Enable OS X update installs (Scored)" description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" 
@@ -91,7 +91,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> !r:^\s*1;' # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored) - - id: XXXXX + - id: 11005 title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable." rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." @@ -102,7 +102,7 @@ checks: rules: - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> !r:^\s*[Dd]iscoverable:\s*Off;' # 2.2.1 Enable "Set time and date automatically" (Not Scored) - - id: XXXXX + - id: 11006 title: "Enable \"Set time and date automatically\" (Not Scored)" description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on \"Set time and date automatically\" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting." rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." 
@@ -113,7 +113,7 @@ checks: rules: - 'c:systemsetup -getusingnetworktime -> !r:^\s*Network Time:\s*On;' # 2.2.3 Restrict NTP server to loopback interface (Scored) - - id: XXXXX + - id: 11007 title: "Restrict NTP server to loopback interface (Scored)" description: "The Apple System Preference setting to \"Set date and time automatically\" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted. Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access." rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." @@ -124,7 +124,7 @@ checks: rules: - 'f:/etc/ntp-restrict.conf -> !r:restrict lo;' # 2.4.1 Disable Remote Apple Events (Scored) - - id: XXXXX + - id: 11008 title: "Disable Remote Apple Events (Scored)" description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer." rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." 
@@ -135,7 +135,7 @@ checks: rules: - 'c:systemsetup -getremoteappleevents -> !r:^Remote Apple Events:\s*Off;' # 2.4.4 Disable Printer Sharing (Scored) - - id: XXXXX + - id: 11009 title: "Disable Printer Sharing (Scored)" description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." @@ -146,7 +146,7 @@ checks: rules: - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*Yes;' # 2.4.5 Disable Remote Login (Scored) - - id: XXXXX + - id: 11010 title: "Disable Remote Login (Scored)" description: "Remote Login allows an interactive terminal connection to a computer." rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers." @@ -157,7 +157,7 @@ checks: rules: - 'c:systemsetup -getremotelogin -> !r:^Remote Login:\s*Off;' # 2.4.8 Disable File Sharing (Scored) - - id: XXXXX + - id: 11011 title: "Disable File Sharing (Scored)" description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." 
@@ -169,7 +169,7 @@ checks: - 'c:launchctl list -> r:AppleFileServer;' - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:[Aa][Rr][Rr][Aa][Yy];' # 2.5.1 Disable "Wake for network access" (Scored) - - id: XXXXX + - id: 11012 title: "Disable \"Wake for network access\" (Scored)" description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode" rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." @@ -181,7 +181,7 @@ checks: - 'c:pmset -c -g -> !r:^\s*womp\s+0;' - 'c:pmset -b -g -> !r:^\s*womp\s+0;' # 2.6.1 Enable FileVault (Scored) - - id: XXXXX + - id: 11013 title: "Enable FileVault (Scored)" description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." @@ -193,7 +193,7 @@ checks: - 'c:diskutil cs list -> r:[Ee]ncryption [Ss]tatus: -> !r:[Uu]nlocked;' - 'c:diskutil cs list -> !r:[Ee]ncryption [Tt]ype:;' # 2.6.2 Enable Gatekeeper (Scored) - - id: XXXXX + - id: 11014 title: "Enable Gatekeeper (Scored)" description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." 
@@ -204,7 +204,7 @@ checks: rules: - 'c:spctl --status -> !r:^assessments enabled;' # 2.6.3 Enable Firewall (Scored) - - id: XXXXX + - id: 11015 title: "Enable Firewall (Scored)" description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." @@ -218,7 +218,7 @@ checks: - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*1;' - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*2;' # 2.6.4 Enable Firewall Stealth Mode (Scored) - - id: XXXXX + - id: 11016 title: "Enable Firewall Stealth Mode (Scored)" description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic." rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." @@ -231,7 +231,7 @@ checks: rules: - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - - id: XXXXX + - id: 11017 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal." rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." 
@@ -242,7 +242,7 @@ checks: rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> !r:^\s*1;' # 2.11 Java 6 is not the default Java runtime (Scored) - - id: XXXXX + - id: 11018 title: "Java 6 is not the default Java runtime (Scored)" description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System" rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path." @@ -254,7 +254,7 @@ checks: - 'c:java -version -> r:version.*1.6.0;' - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' # 3.2 Enable security auditing (Scored) - - id: XXXXX + - id: 11019 title: "Enable security auditing (Scored)" description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log." rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." 
@@ -265,7 +265,7 @@ checks: rules: - 'c:launchctl list -> !r:com\.apple\.auditd;' # 3.3 Configure Security Auditing Flags (Scored) - - id: XXXXX + - id: 11020 title: "Configure Security Auditing Flags (Scored)" description: "Auditing is the capture and maintenance of information about security-related events." rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." @@ -280,7 +280,7 @@ checks: - 'f:/etc/security/audit_control -> r:^flags && !r:fm;' - 'f:/etc/security/audit_control -> r:^flags && !r:-all;' # 4.1 Disable Bonjour advertising service (Scored) - - id: XXXXX + - id: 11021 title: "Disable Bonjour advertising service (Scored)" description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled." rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed." 
@@ -291,7 +291,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> !r:^\s*1;' # 4.4 Ensure http server is not running (Scored) - - id: XXXXX + - id: 11022 title: "Ensure http server is not running (Scored)" description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services." rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." 
@@ -302,7 +302,7 @@ checks: rules: - 'p:httpd;' # 4.5 Ensure ftp server is not running (Scored) - - id: XXXXX + - id: 11023 title: "Ensure ftp server is not running (Scored)" description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered" rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." @@ -313,7 +313,7 @@ checks: rules: - 'c:launchctl list -> r:ftp;' # 4.6 Ensure nfs server is not running (Scored) - - id: XXXXX + - id: 11024 title: "Ensure nfs server is not running (Scored)" description: "Mac OS X can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer." rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." 
@@ -325,7 +325,7 @@ checks: - 'p:nfsd;' - 'c:cat /etc/exports -> !r:No such file or directory;' # 5.7 Do not enable the "root" account (Scored) - - id: XXXXX + - id: 11025 title: "Do not enable the \"root\" account (Scored)" description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions." rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." @@ -336,7 +336,7 @@ checks: rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' # 5.8 Disable automatic login (Scored) - - id: XXXXX + - id: 11026 title: "Disable automatic login (Scored)" description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." 
@@ -347,7 +347,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' # 5.9 Require a password to wake the computer from sleep or screen saver (Scored) - - id: XXXXX + - id: 11027 title: "Require a password to wake the computer from sleep or screen saver (Scored)" description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use." rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence." @@ -358,7 +358,7 @@ checks: rules: - 'c:defaults read com.apple.screensaver askForPassword -> !r:^\s*1;' # 5.11 Disable ability to login to another user's active and locked session (Scored) - - id: XXXXX + - id: 11028 title: "Disable ability to login to another user's active and locked session (Scored)" description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions." rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information." 
@@ -369,7 +369,7 @@ checks: rules: - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe;' # 5.18 System Integrity Protection status (Scored) - - id: XXXXX + - id: 11029 title: "System Integrity Protection status (Scored)" description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." @@ -380,7 +380,7 @@ checks: rules: - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' # 6.1.3 Disable guest account login (Scored) - - id: XXXXX + - id: 11030 title: "Disable guest account login (Scored)" description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." 
@@ -391,7 +391,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0;' # 6.1.5 Remove Guest home folder (Scored) - - id: XXXXX + - id: 11031 title: "Remove Guest home folder (Scored)" description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." @@ -402,7 +402,7 @@ checks: rules: - 'd:/Users/Guest;' # 6.2 Turn on filename extensions (Scored) - - id: XXXXX + - id: 11032 title: "Turn on filename extensions (Scored)" description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." 
@@ -413,7 +413,7 @@ checks: rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;' # 6.3 Disable the automatic run of safe files in Safari (Scored) - - id: XXXXX + - id: 11033 title: "Disable the automatic run of safe files in Safari (Scored)" description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." diff --git a/sca/macos/cis_apple_macOS_10.12.yml b/sca/macos/cis_apple_macOS_10.12.yml index e60d7ce89..3b8886c50 100644 --- a/sca/macos/cis_apple_macOS_10.12.yml +++ b/sca/macos/cis_apple_macOS_10.12.yml @@ -218,7 +218,7 @@ checks: rules: - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - - id: XXXXX + - id: 10516 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal." rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." 
@@ -229,7 +229,7 @@ checks: rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> !r:^\s*1;' # 2.11 Java 6 is not the default Java runtime (Scored) - - id: 10516 + - id: 10517 title: "Java 6 is not the default Java runtime (Scored)" description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System" rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path." @@ -241,7 +241,7 @@ checks: - 'c:java -version -> r:version.*1.6.0;' - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' # 3.1 Enable security auditing (Scored) - - id: 10517 + - id: 10518 title: "Enable security auditing (Scored)" description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log." rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." 
@@ -252,7 +252,7 @@ checks: rules: - 'c:launchctl list -> !r:com\.apple\.auditd;' # 3.2 Configure Security Auditing Flags (Scored) - - id: 10518 + - id: 10519 title: "Configure Security Auditing Flags (Scored)" description: "Auditing is the capture and maintenance of information about security-related events." rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." @@ -267,7 +267,7 @@ checks: - 'f:/etc/security/audit_control -> r:^flags && !r:fm;' - 'f:/etc/security/audit_control -> r:^flags && !r:-all;' # 4.1 Disable Bonjour advertising service (Scored) - - id: 10519 + - id: 10520 title: "Disable Bonjour advertising service (Scored)" description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled." rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." 
@@ -278,7 +278,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> !r:^\s*1;' # 4.4 Ensure http server is not running (Scored) - - id: 10520 + - id: 10521 title: "Ensure http server is not running (Scored)" description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services." rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." 
@@ -289,7 +289,7 @@ checks: rules: - 'p:httpd;' # 4.5 Ensure FTP server is not running (Scored) - - id: 10521 + - id: 10522 title: "Ensure FTP server is not running (Scored)" description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered" rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." @@ -300,7 +300,7 @@ checks: rules: - 'c:launchctl list -> r:ftp;' # 4.6 Ensure nfs server is not running (Scored) - - id: 10522 + - id: 10523 title: "Ensure nfs server is not running (Scored)" description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer." rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." 
@@ -312,7 +312,7 @@ checks: - 'p:nfsd;' - 'c:cat /etc/exports -> !r:No such file or directory;' # 5.8 Do not enable the "root" account (Scored) - - id: 10523 + - id: 10524 title: "Do not enable the \"root\" account (Scored)" description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions." rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." @@ -323,7 +323,7 @@ checks: rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' # 5.9 Disable automatic login (Scored) - - id: 10524 + - id: 10525 title: "Disable automatic login (Scored)" description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." 
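Review bot: `c:cat /etc/exports -> !r:No such file or directory;` in the leading context of the 5.8 hunk (the 4.6 nfs check's second rule) infers that a file exists from an error string: the message goes to stderr, so the rule only works if the command runner captures stderr, and an existing but empty /etc/exports produces no output at all, leaving the negated regex to evaluate against nothing. The property being tested is just "the file exists"; the file rule `f:/etc/exports;` states that directly and does not depend on output capture. Also, the 5.8 description reads "the system administrator may commonly uses the root account"; drop "may" or change to "commonly uses".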
@@ -334,7 +334,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' # 5.20 System Integrity Protection status (Scored) - - id: 10525 + - id: 10526 title: "System Integrity Protection status (Scored)" description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." @@ -345,7 +345,7 @@ checks: rules: - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' # 6.1.3 Disable guest account login (Scored) - - id: 10526 + - id: 10527 title: "Disable guest account login (Scored)" description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." 
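Review bot: the 5.20 rule in the leading context of the 6.1.3 hunk, `c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;`, also accepts the line `System Integrity Protection status: enabled (Custom Configuration).` that csrutil prints when individual protections (kext signing, filesystem, debugging) have been switched off, so a partially disabled SIP is reported compliant. Tighten the match to the fully enabled line, e.g. `enabled\.$`, or add a second rule that rejects `Custom Configuration`.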
@@ -356,7 +356,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0;' # 6.1.5 Remove Guest home folder (Scored) - - id: 10527 + - id: 10528 title: "Remove Guest home folder (Scored)" description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." @@ -367,7 +367,7 @@ checks: rules: - 'd:/Users/Guest;' # 6.2 Turn on filename extensions (Scored) - - id: 10528 + - id: 10529 title: "Turn on filename extensions (Scored)" description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." 
@@ -378,7 +378,7 @@ checks: rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;' # 6.3 Disable the automatic run of safe files in Safari (Scored) - - id: 10529 + - id: 10530 title: "Disable the automatic run of safe files in Safari (Scored)" description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." diff --git a/sca/macos/cis_apple_macOS_10.13.yml b/sca/macos/cis_apple_macOS_10.13.yml index 1edf8bc93..2c8cd2c6c 100644 --- a/sca/macos/cis_apple_macOS_10.13.yml +++ b/sca/macos/cis_apple_macOS_10.13.yml @@ -207,7 +207,7 @@ checks: rules: - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - - id: XXXXX + - id: 10015 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal." rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." 
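Review bot: `c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;` in the leading context of the 6.3 hunk (the 6.2 check's rule) reads the global domain of whichever account runs the agent, root for a system-wide scan, not the preferences of the logged-in users whose Finder is in question, so a user who has hidden extensions passes as long as root's defaults look right. Either iterate over each user's `~/Library/Preferences/.GlobalPreferences.plist` or document that the check only reflects the scanning account.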
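Review bot: in the 2.10 hunk of cis_apple_macOS_10.13.yml, replacing `id: XXXXX` with 10015 and then bumping 10015 to 10016, 10016 to 10017 and so on through 6.3 renumbers every existing control behind the new check, which breaks continuity of stored results and of any rule or exception keyed on the old ids. Assign the new check the next unused id at the end of the file's range instead, so the existing ids stay stable.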
@@ -218,7 +218,7 @@ checks: rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> !r:^\s*1;' # 2.11 Java 6 is not the default Java runtime (Scored) - - id: 10015 + - id: 10016 title: "Java 6 is not the default Java runtime (Scored)" description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System" rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path." @@ -230,7 +230,7 @@ checks: - 'c:java -version -> r:version.*1.6.0;' - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' # 2.13 Ensure EFI version is valid and being regularly checked (Scored) - - id: 10016 + - id: 10017 title: "Ensure EFI version is valid and being regularly checked (Scored)" description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days." rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either." 
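Review bot: the leading context of the 2.11 hunk, `c:defaults read -app Terminal SecureKeyboardEntry -> !r:^\s*1;`, is a per-user preference read under the scanning account (root), so it does not tell you whether the users who actually type in Terminal have Secure Keyboard Entry on; read each user's Terminal defaults or state that limitation in the check's description.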
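Review bot: `c:java -version -> r:version.*1.6.0;` and its companion rule in the leading context of the 2.13 hunk depend on `java -version` output, which the JVM writes to stderr rather than stdout; confirm the SCA command runner captures stderr, otherwise the pattern never matches and a Java 6 default goes unnoticed. On a 10.13 system with no JRE, /usr/bin/java is Apple's stub that prints "No Java runtime present" (and may raise an install prompt in a GUI session), so the rule should tolerate that case as well.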
@@ -242,7 +242,7 @@ checks: - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> !r:Primary allowlist version match found\. No changes detected in primary hashes\.;' - 'c:launchctl list -> !r:-\s*0\s*com\.apple\.driver\.eficheck;' # 3.1 Enable security auditing (Scored) - - id: 10017 + - id: 10018 title: "Enable security auditing (Scored)" description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log." rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." @@ -253,7 +253,7 @@ checks: rules: - 'c:launchctl list -> !r:com\.apple\.auditd;' # 3.2 Configure Security Auditing Flags (Scored) - - id: 10018 + - id: 10019 title: "Configure Security Auditing Flags (Scored)" description: "Auditing is the capture and maintenance of information about security-related events." rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." 
@@ -268,7 +268,7 @@ checks: - 'f:/etc/security/audit_control -> r:^flags && !r:fm;' - 'f:/etc/security/audit_control -> r:^flags && !r:-all;' # 4.1 Disable Bonjour advertising service (Scored) - - id: 10019 + - id: 10020 title: "Disable Bonjour advertising service (Scored)" description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled." rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." 
@@ -279,7 +279,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> !r:^\s*1;' # 4.4 Ensure http server is not running (Scored) - - id: 10020 + - id: 10021 title: "Ensure http server is not running (Scored)" description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services." rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." @@ -290,7 +290,7 @@ checks: rules: - 'p:httpd;' # 4.5 Ensure nfs server is not running (Scored) - - id: 10021 + - id: 10022 title: "Ensure nfs server is not running (Scored)" description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer." rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." 
@@ -302,7 +302,7 @@ checks: - 'p:nfsd;' - 'c:cat /etc/exports -> !r:No such file or directory;' # 5.11 Do not enable the "root" account (Scored) - - id: 10022 + - id: 10023 title: "Do not enable the \"root\" account (Scored)" description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions." rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." @@ -313,7 +313,7 @@ checks: rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' # 5.12 Disable automatic login (Scored) - - id: 10023 + - id: 10024 title: "Disable automatic login (Scored)" description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." 
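Review bot: the 5.11 hunk's leading context carries `c:cat /etc/exports -> !r:No such file or directory;` for the 4.5 nfs check, which infers file presence from a stderr error string and has nothing to match when /etc/exports exists but is empty; `f:/etc/exports;` tests existence directly. The 5.11 description also has the "may commonly uses the root account" slip; change to "commonly uses".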
@@ -324,7 +324,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' # 5.23 System Integrity Protection status (Scored) - - id: 10024 + - id: 10025 title: "System Integrity Protection status (Scored)" description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." @@ -335,7 +335,7 @@ checks: rules: - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' # 6.1.3 Disable guest account login (Scored) - - id: 10025 + - id: 10026 title: "Disable guest account login (Scored)" description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." 
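Review bot: the 5.23 rule in the leading context of the 6.1.3 hunk, `c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;`, matches the `enabled (Custom Configuration).` output that csrutil prints when some protections are disabled, so a partially disabled SIP passes; anchor on the fully enabled line (`enabled\.$`) or add a rule rejecting `Custom Configuration`.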
@@ -346,7 +346,7 @@ checks: rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0;' # 6.1.5 Remove Guest home folder (Scored) - - id: 10026 + - id: 10027 title: "Remove Guest home folder (Scored)" description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." @@ -357,7 +357,7 @@ checks: rules: - 'd:/Users/Guest;' # 6.2 Turn on filename extensions (Scored) - - id: 10027 + - id: 10028 title: "Turn on filename extensions (Scored)" description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." 
@@ -368,7 +368,7 @@ checks: rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;' # 6.3 Disable the automatic run of safe files in Safari (Scored) - - id: 10028 + - id: 10029 title: "Disable the automatic run of safe files in Safari (Scored)" description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
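Review bot: `c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;` in the leading context of the 6.3 hunk reads the scanning account's global domain, not each logged-in user's `~/Library/Preferences/.GlobalPreferences.plist`, so the 6.2 result says nothing about the users whose Finder settings matter; iterate over user home directories or document the limitation.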