diff --git a/sca/macos/cis_apple_macOS_10.13.yml b/sca/macos/cis_apple_macOS_10.13.yml
index 9228db370..422003dee 100644
--- a/sca/macos/cis_apple_macOS_10.13.yml
+++ b/sca/macos/cis_apple_macOS_10.13.yml
@@ -8,6 +8,7 @@
 # Foundation
 #
 # Based on:
+# Center for Internet Security Apple macOS 10.13 Benchmark v1.0.0 - 08-31-2018
 
 policy:
 id: "cis_apple_macos_10_13"
@@ -18,38 +19,988 @@ policy:
 - https://www.cisecurity.org/cis-benchmarks/
 requirements:
- title: "Check Debian version"
- description: "Requirements for running the SCA scan against Debian/Ubuntu."
- condition: "all required"
+ title: "Check MacOS version"
+ description: "Requirements for running the SCA scan against MacOS 10.13 (High Sierra)."
+ condition: "any required"
 rules:
- - 'f:/etc/debian_version;'
- - 'f:/proc/sys/kernel/ostype -> Linux;'
+ - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\.13;'
+ - 'c:sw_vers -> r:^ProductVersion: -> r:\s*10\.13;'
+ - 'c:system_profiler SPSoftwareDataType -> r:System Version: -> r:\s*10\.13;'
 checks:
- - id: YYYYY
- title: "Install Updates, Patches and Additional Security Software"
+# 1.1 Verify all Apple provided software is current (Scored)
+ - id: XXXXX
+ title: "Verify all Apple provided software is current (Scored)"
+ description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+ rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+ remediation: "In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+ compliance:
+ - cis: "1.1"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:softwareupdate -l -> !r:^\s*Now new software available;'
+# 1.2 Enable Auto Update (Scored)
+ - id: XXXXX
+ title: "Enable Auto Update (Scored)"
+ description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
+ rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+ compliance:
+ - cis: "1.2"
+ references:
+ - http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> !r:^\s*1;'
+# 1.3 Enable app update installs (Scored)
+ - id: XXXXX
+ title: "Enable app update installs (Scored)"
+ description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
+ compliance:
+ - cis: "1.3"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1;'
+# 1.4 Enable system data files and security update installs (Scored)
+ - id: XXXXX
+ title: "Enable system data files and security update installs (Scored)"
+ description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+ compliance:
+ - cis: "1.4"
+ references:
+ - http://www.thesafemac.com/tag/xprotect/
+ - https://support.apple.com/en-us/HT202491
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*ConfigDataInstall\s*= -> !r\s*1;;'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:^\s*CriticalUpdateInstall\s*= -> !r\s*1;;'
+# 1.5 Enable macOS update installs (Scored)
+ - id: XXXXX
+ title: "Enable macOS update installs (Scored)"
+ description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" + remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" + compliance: + - cis: "1.5" + references: + - ... + condition: any + rules: + - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> !r:^\s*1;' +# 2.1.1 Turn off Bluetooth, if no paired devices exist (Scored) + - id: XXXXX + title: "Turn off Bluetooth, if no paired devices exist (Scored)" description: "" rationale: "" remediation: "" + compliance: + - cis: "2.1.1" + references: + - ... condition: any rules: - - 'c:softwareupdate -l -> !r:^\s*Now new software available;' - - - id: YYYYY - title: "Enable Auto Update" + - '' +# 2.1.3 Show Bluetooth status in menu bar (Scored) + - id: XXXXX + title: "Show Bluetooth status in menu bar (Scored)" description: "" rationale: "" remediation: "" + compliance: + - cis: "2.1.3" + references: + - ... condition: any rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> !r:^\s*1;' - - - id: YYYYY - title: "Enable app update installs" + - '' +# 2.2.1 Enable "Set time and date automatically" (Scored) + - id: XXXXX + title: "Enable \"Set time and date automatically\" (Scored)" + description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries." + rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." + remediation: "un the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup –setusingnetworktime on" + compliance: + - cis: "2.2.1" + references: + - ... 
+ condition: any + rules: + - 'c:systemsetup -getusingnetworktime -> r:^\s*Network Time: -> !r:\s*On;' +# 2.2.2 Ensure time set is within appropriate limits (Scored) + - id: XXXXX + title: "Ensure time set is within appropriate limits (Scored)" description: "" rationale: "" remediation: "" + compliance: + - cis: "2.2.2" + references: + - ... condition: any rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1;' - + - '' +# 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Scored) + - id: XXXXX + title: "Set an inactivity interval of 20 minutes or less for the screen saver (Scored)" + description: "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts." + rationale: "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time." + remediation: "1. In Terminal, run one of the the following commands: defaults -currentHost write com.apple.screensaver idleTime -int 600 defaults -currentHost write com.apple.screensaver idleTime -int 1200" + compliance: + - cis: "2.3.1" + references: + - ... + condition: any + rules: + # TODO: Will this work? + # TODO 2: This only controls the configuration for the current user. 
+ - 'c:(( $(defaults -currentHost read com.apple.screensaver idleTime) <= 1200 )) && echo ok || echo ko -> r:ko;' +# 2.3.2 Secure screen saver corners (Scored) + - id: XXXXX + title: "Secure screen saver corners (Scored)" + description: "Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen." + rationale: "Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system." + remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Mission Control 3. Select Hot Corners 4. Remove any corners which are set to Disable Screen Saver" + compliance: + - cis: "2.3.2" + references: + - ... + condition: any + rules: + - 'defaults read ~/Library/Preferences/com.apple.dock | grep -i corner -> r:6;' +# 2.4.1 Disable Remote Apple Events (Scored) + - id: XXXXX + title: "Disable Remote Apple Events (Scored)" + description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer." + rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." + remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" + compliance: + - cis: "2.4.1" + references: + - ... + condition: any + rules: + - 'c:systemsetup -getremoteappleevents -> r:^Remote Apple Events: -> !r:\s*Off;' +# 2.4.2 Disable Internet Sharing (Scored) + - id: XXXXX + title: "Disable Internet Sharing (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.4.2" + references: + - ... 
+ condition: any + rules: + - '' +# 2.4.3 Disable Screen Sharing (Scored) + - id: XXXXX + title: "Disable Screen Sharing (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.4.3" + references: + - ... + condition: any + rules: + - '' +# 2.4.4 Disable Printer Sharing (Scored) + - id: XXXXX + title: "Disable Printer Sharing (Scored)" + description: "y enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." + rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." + remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" + compliance: + - cis: "2.4.4" + references: + - ... + condition: any + rules: + - 'c:system_profiler SPPrintersDataType -> r:Shared -> !r:Yes;' +# 2.4.5 Disable Remote Login (Scored) + - id: XXXXX + title: "Disable Remote Login (Scored)" + description: "Remote Login allows an interactive terminal connection to a computer." + rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers." + remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" + compliance: + - cis: "2.4.5" + references: + - ... + condition: any + rules: + - 'c:systemsetup -getremotelogin -> r:^Remote Login: -> !r:\s*Off;' +# 2.4.6 Disable DVD or CD Sharing (Scored) + - id: XXXXX + title: "Disable DVD or CD Sharing (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.4.6" + references: + - ... 
+ condition: any + rules: + - '' +# 2.4.7 Disable Bluetooth Sharing (Scored) + - id: XXXXX + title: "Disable Bluetooth Sharing (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.4.7" + references: + - ... + condition: any + rules: + - '' +# 2.4.8 Disable File Sharing (Scored) + - id: XXXXX + title: "Disable File Sharing (Scored)" + description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" + rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." + remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist  Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" + compliance: + - cis: "2.4.8" + references: + - ... + condition: any + rules: + - 'c:launchctl list -> r:AppleFileServer;' + - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:[Aa][Rr][Rr][Aa][Yy];' +# 2.4.9 Disable Remote Management (Scored) + - id: XXXXX + title: "Disable Remote Management (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.4.9" + references: + - ... + condition: any + rules: + - '' +# 2.5.1 Disable "Wake for network access" (Scored) + - id: XXXXX + title: "Disable \"Wake for network access\" (Scored)" + description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. 
Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals." + rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." + remediation: "Run the following command in Terminal: sudo pmset -a womp 0" + compliance: + - cis: "2.5.1" + references: + - ... + condition: any + rules: + - 'c:pmset -g -> r:^\s*womp -> !r:\s+0;' +# 2.6.1.1 Enable FileVault (Scored) + - id: XXXXX + title: "Enable FileVault (Scored)" + description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." + rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." + remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" + compliance: + - cis: "2.6.1.1" + references: + - ... + condition: any + rules: + - 'c:fdesetup status -> r:^FileVault is -> !r:\s*On\.;' +# 2.6.2 Enable Gatekeeper (Scored) + - id: XXXXX + title: "Enable Gatekeeper (Scored)" + description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." + rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." 
+ remediation: "Run the following command in Terminal: sudo spctl --master-enable" + compliance: + - cis: "2.6.2" + references: + - + condition: any + rules: + - 'c:spctl --status -> !r:^assessments enabled;' +# 2.6.3 Enable Firewall (Scored) + - id: XXXXX + title: "Enable Firewall (Scored)" + description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." + rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." + remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is:  1 = on for specific services  2 = on for essential services " + compliance: + - cis: "2.6.3" + references: + - https://support.apple.com/en-us/HT201642 + condition: any + rules: + - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*[12];' +# 2.6.4 Enable Firewall Stealth Mode (Scored) + - id: XXXXX + title: "Enable Firewall Stealth Mode (Scored)" + description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic." + rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." + remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" + compliance: + - cis: "2.6.4" + references: + - https://support.apple.com/en-us/HT201642 + condition: any + rules: + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' +# 2.6.5 Review Application Firewall Rules (Scored) + - id: XXXXX + title: "Review Application Firewall Rules (Scored)" + description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. 
Apple has posted general documentation about the application firewall. A computer should have a limited number of applications open to incoming connectivity. This rule will check for whether there are more than 10 rules for inbound connections." + rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet. Which applications are allowed access to accept incoming connections through the firewall is important to understand." + remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select Firewall Options 4. Select unneeded rules 5. Select the minus sign below to delete them Alternatively: Edit and run the following command in Terminal to remove specific applications: /usr/libexec/ApplicationFirewall/socketfilterfw --remove Where is the one to be removed" + compliance: + - cis: "2.6.5" + references: + - https://support.apple.com/en-us/HT201642 + condition: any + rules: + # TODO: Don't know what the output looks like... + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | wc -l -> !r:^\s*([0-9]|10)\s*$;' +# 2.6.8 Disable sending diagnostic and usage data to Apple (Scored) + - id: XXXXX + title: "Disable sending diagnostic and usage data to Apple (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.6.8" + references: + - ... + condition: any + rules: + #TODO: No way to audit this via command line? + - '' +# 2.7.4 iCloud Drive Document sync (Scored) + - id: XXXXX + title: "iCloud Drive Document sync (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.7.4" + references: + - ... + condition: any + rules: + - '' +# 2.7.5 iCloud Drive Desktop sync (Scored) + - id: XXXXX + title: "iCloud Drive Desktop sync (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.7.5" + references: + - ... 
+ condition: any + rules: + - '' +# 2.8.1 Time Machine Auto-Backup (Scored) + - id: XXXXX + title: "Time Machine Auto-Backup (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.8.1" + references: + - ... + condition: any + rules: + - '' +# 2.8.2 Time Machine Volumes Are Encrypted (Scored) + - id: XXXXX + title: "Time Machine Volumes Are Encrypted (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.8.2" + references: + - ... + condition: any + rules: + - '' +# 2.9 Pair the remote control infrared receiver if enabled (Scored) + - id: XXXXX + title: "Pair the remote control infrared receiver if enabled (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.9" + references: + - ... + condition: any + rules: + - '' +# 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) + - id: XXXXX + title: "Enable Secure Keyboard Entry in terminal.app (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.10" + references: + - ... + condition: any + rules: + - '' +# 2.11 Java 6 is not the default Java runtime (Scored) + - id: XXXXX + title: "Java 6 is not the default Java runtime (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.11" + references: + - ... + condition: any + rules: + - '' +# 2.13 Ensure EFI version is valid and being regularly checked (Scored) + - id: XXXXX + title: "Ensure EFI version is valid and being regularly checked (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "2.13" + references: + - ... + condition: any + rules: + - '' +# 3.1 Enable security auditing (Scored) + - id: XXXXX + title: "Enable security auditing (Scored)" + description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log." 
+ rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." + remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" + compliance: + - cis: "3.1" + references: + - ... + condition: any + rules: + - 'c:launchctl list | grep -i auditd -> !r:com.apple.auditd;' +# 3.2 Configure Security Auditing Flags (Scored) + - id: XXXXX + title: "Configure Security Auditing Flags (Scored)" + description: "Auditing is the capture and maintenance of information about security-related events." + rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." + remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." + compliance: + - cis: "3.2" + references: + - ... + condition: any + rules: + - 'f:/etc/security/audit_control -> r:^flags -> !r:lo;' + - 'f:/etc/security/audit_control -> r:^flags -> !r:ad;' + - 'f:/etc/security/audit_control -> r:^flags -> !r:fd;' + - 'f:/etc/security/audit_control -> r:^flags -> !r:fm;' + - 'f:/etc/security/audit_control -> r:^flags -> !r:-all;' +# 3.3 Ensure security auditing retention (Scored) + - id: XXXXX + title: "Ensure security auditing retention (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "3.3" + references: + - ... 
+ condition: any + rules: + - '' +# 3.4 Control access to audit records (Scored) + - id: XXXXX + title: "Control access to audit records (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "3.4" + references: + - ... + condition: any + rules: + - '' +# 3.5 Retain install.log for 365 or more days (Scored) + - id: XXXXX + title: "Retain install.log for 365 or more days (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "3.5" + references: + - ... + condition: any + rules: + - '' +# 3.6 Ensure Firewall is configured to log (Scored) + - id: XXXXX + title: "Ensure Firewall is configured to log (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "3.6" + references: + - ... + condition: any + rules: + - '' +# 4.1 Disable Bonjour advertising service (Scored) + - id: XXXXX + title: "Disable Bonjour advertising service (Scored)" + description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled." + rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." + remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" + compliance: + - cis: "4.1" + references: + - ... 
+ condition: any + rules: + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> !r:^\s*1;' +# 4.2 Enable "Show Wi-Fi status in menu bar" (Scored) + - id: XXXXX + title: "Enable \"Show Wi-Fi status in menu bar\" (Scored)" + description: "" + rationale: "" + remediation: "" + compliance: + - cis: "4.2" + references: + - ... + condition: any + rules: + - '' +# 4.4 Ensure http server is not running (Scored) + - id: XXXXX + title: "Ensure http server is not running (Scored)" + description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services." + rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." + remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" + compliance: + - cis: "4.4" + references: + - ... + condition: any + rules: + - 'c:ps -ef | grep -i httpd -> r:/usr/bin/httpd;' +# 4.5 Ensure nfs server is not running (Scored) + - id: XXXXX + title: "Ensure nfs server is not running (Scored)" + description: "macOS can act as an NFS fileserver. 
NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+ rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
+ remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
+ compliance:
+ - cis: "4.5"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:ps -ef | grep -i nfsd -> r:/sbin/nfsd;'
+ - 'c:cat /etc/exports -> !r:No such file or directory;'
+# 5.1.1 Secure Home Folders (Scored)
+ - id: XXXXX
+ title: "Secure Home Folders (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.1.1"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.1.2 Check System Wide Applications for appropriate permissions (Scored)
+ - id: XXXXX
+ title: "Check System Wide Applications for appropriate permissions (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.1.2"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.1.3 Check System folder for world writable files (Scored)
+ - id: XXXXX
+ title: "Check System folder for world writable files (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.1.3"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.1.4 Check Library folder for world writable files (Scored)
+ - id: XXXXX
+ title: "Check Library folder for world writable files (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.1.4"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.2.1 Configure account lockout threshold (Scored)
+ - id: XXXXX
+ title: "Configure account lockout threshold (Scored)"
+ description: "The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer"
+ rationale: "The account lockout feature mitigates brute-force password attacks on the system."
+ remediation: "Run the following command in Terminal: pwpolicy -setaccountpolicies"
+ compliance:
+ - cis: "5.2.1"
+ references:
+ - pwpolicy man page
+ condition: any
+ rules:
+ # TODO: this command may return nothing
+ - 'c:pwpolicy -getaccountpolicies | grep -A 1 ''policyAttributeMaximumFailedAuthentications'' | tail -1 | cut -d''>'' -f2 | cut -d ''<'' -f1 -> !r:[1-5];'
+# 5.2.2 Set a minimum password length (Scored)
+ - id: XXXXX
+ title: "Set a minimum password length (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.2.2"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.2.7 Password Age (Scored)
+ - id: XXXXX
+ title: "Password Age (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.2.7"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.2.8 Password History (Scored)
+ - id: XXXXX
+ title: "Password History (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.2.8"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.3 Reduce the sudo timeout period (Scored)
+ - id: XXXXX
+ title: "Reduce the sudo timeout period (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.3"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.4 Use a separate timestamp for each user/tty combo (Scored)
+ - id: XXXXX
+ title: "Use a separate timestamp for each user/tty combo (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.4"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.7 Automatically lock the login keychain for inactivity (Scored)
+ - id: XXXXX
+ title: "Automatically lock the login keychain for inactivity (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.7"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.8 Ensure login keychain is locked when the computer sleeps (Scored)
+ - id: XXXXX
+ title: "Ensure login keychain is locked when the computer sleeps (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.8"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.9 Enable OCSP and CRL certificate checking (Scored)
+ - id: XXXXX
+ title: "Enable OCSP and CRL certificate checking (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.9"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.11 Do not enable the "root" account (Scored)
+ - id: XXXXX
+ title: "Do not enable the \"root\" account (Scored)"
+ description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+ rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. 
An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+ remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+ compliance:
+ - cis: "5.11"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;'
+# 5.12 Disable automatic login (Scored)
+ - id: XXXXX
+ title: "Disable automatic login (Scored)"
+ description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+ rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+ remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+ compliance:
+ - cis: "5.12"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;'
+# 5.13 Require a password to wake the computer from sleep or screen saver (Scored)
+ - id: XXXXX
+ title: "Require a password to wake the computer from sleep or screen saver (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.13"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.14 Ensure system is set to hibernate (Scored)
+ - id: XXXXX
+ title: "Ensure system is set to hibernate (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.14"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.15 Require an administrator password to access system-wide preferences (Scored)
+ - id: XXXXX
+ title: "Require an administrator password to access system-wide preferences (Scored)"
+ description: "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer."
+ rationale: "By requiring a password to unlock System-wide System Preferences the risk is mitigated of a user changing configurations that affect the entire system and requires an admin user to re-authenticate to make changes"
+ remediation: "In System Preferences: Security, General tab under Advanced, check \"Require an administrator password to access system-wide preferences\""
+ compliance:
+ - cis: "5.15"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E ''(true|false)'' -> !r:false;'
+# 5.16 Disable ability to login to another user's active and locked session (Scored)
+ - id: XXXXX
+ title: "Disable ability to login to another user's active and locked session (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.16"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.17 Create a custom message for the Login Screen (Scored)
+ - id: XXXXX
+ title: "Create a custom message for the Login Screen (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.17"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.18 Create a Login window banner (Scored)
+ - id: XXXXX
+ title: "Create a Login window banner (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "5.18"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 5.23 System Integrity Protection status (Scored)
+ - id: XXXXX
+ title: "System Integrity Protection status (Scored)"
+ description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+ rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+ remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
+ compliance:
+ - cis: "5.23"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;'
+# 6.1.1 Display login window as name and password (Scored)
+ - id: XXXXX
+ title: "Display login window as name and password (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "6.1.1"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 6.1.2 Disable "Show password hints" (Scored)
+ - id: XXXXX
+ title: "Disable \"Show password hints\" (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "6.1.2"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 6.1.3 Disable guest account login (Scored)
+ - id: XXXXX
+ title: "Disable guest account login (Scored)"
+ description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+ rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+ remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+ compliance:
+ - cis: "6.1.3"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0;'
+# 6.1.4 Disable "Allow guests to connect to shared folders" (Scored)
+ - id: XXXXX
+ title: "Disable \"Allow guests to connect to shared folders\" (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "6.1.4"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 6.1.5 Remove Guest home folder (Scored)
+ - id: XXXXX
+ title: "Remove Guest home folder (Scored)"
+ description: ""
+ rationale: ""
+ remediation: ""
+ compliance:
+ - cis: "6.1.5"
+ references:
+ - ...
+ condition: any
+ rules:
+ - ''
+# 6.2 Turn on filename extensions (Scored)
+ - id: XXXXX
+ title: "Turn on filename extensions (Scored)"
+ description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+ rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+ remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. 
Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+ compliance:
+ - cis: "6.2"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1;'
+# 6.3 Disable the automatic run of safe files in Safari (Scored)
+ - id: XXXXX
+ title: "Disable the automatic run of safe files in Safari (Scored)"
+ description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+ rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
+ compliance:
+ - cis: "6.3"
+ references:
+ - ...
+ condition: any
+ rules:
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> !r:^0;'