Align CIS baseline with CIS macOS 26 Tahoe v1.1.0 #688

Open
tonyyo11 wants to merge 3 commits into usnistgov:tahoe from tonyyo11:tahoe

Conversation

@tonyyo11

This PR brings the mSCP Tahoe Branch up to date in preparation for The Center for Internet Security Benchmark for macOS Tahoe v1.1.0 pending release. https://workbench.cisecurity.org/benchmarks/24637

CHANGES:

  • system_settings_hot_corners_secure: CIS 2.7.1 moved Level 2 -> Level 1; update benchmark ref and add cis_lvl1 tag; add rule to cis_lvl1 baseline
  • audit_retention_configure: CIS 3.4 lower retention ODV from '60d OR 5G' to '30d'
  • supplemental_cis_manual: track 5.3.1, 5.3.2, 5.3.3 as manual (CIS marks them Automated but provides no automatable remediation)
  • system_settings_guest_access_smb_disable: CIS 2.13.2 update check to 'sysadminctl -smbGuestAccess status' matching 'SMB guest access disabled'; fix unchanged
  • mscp-data: bump cis_lvl1/cis_lvl2 titles from v1.0.0 to v1.1.0

tonyyo11 added 2 commits May 21, 2026 21:25
- system_settings_hot_corners_secure: CIS 2.7.1 moved Level 2 -> Level 1; update benchmark ref and add cis_lvl1 tag; add rule to cis_lvl1 baseline
- audit_retention_configure: CIS 3.4 lower retention ODV from '60d OR 5G' to '30d'
- supplemental_cis_manual: track 5.3.1, 5.3.2, 5.3.3 as manual (CIS marks them Automated but provides no automatable remediation)
- system_settings_guest_access_smb_disable: CIS 2.13.2 update check to 'sysadminctl -smbGuestAccess status' matching 'SMB guest access disabled'; fix unchanged
- mscp-data: bump cis_lvl1/cis_lvl2 titles from v1.0.0 to v1.1.0
Introduce three new OS rules to enforce disk encryption and block insecure filesystems: os_internal_apfs_volumes_encrypted, os_external_apfs_hfs_volumes_encrypted, and os_fat_exfat_volumes_prohibit. Update CIS baselines (cis_lvl1, cis_lvl2, cisv8) to include the new checks where appropriate. Clean up the supplemental CIS manual entries to remove the now-redundant manual checklist lines. New rules include checks, fixes, CIS mappings, macOS 26.0 target, and medium severity metadata.
@tonyyo11 (Author)

UPDATE COMMIT & PR
This PR brings the mSCP Tahoe branch up to date in preparation for the Center for Internet Security Benchmark for macOS Tahoe v1.1.0 pending release. https://workbench.cisecurity.org/benchmarks/24637

CHANGES:

  • system_settings_hot_corners_secure (CIS 2.7.1): recommendation moved Level 2 -> Level 1. Updated the benchmark reference to 2.7.1 (level 1), added the cis_lvl1 tag, and added the rule to the cis_lvl1 baseline.
  • audit_retention_configure (CIS 3.4): lowered the retention ODV for cis_lvl1/cis_lvl2 from 60d OR 5G to 30d to match the revised recommendation ("Ensure Security Auditing Logs Are Retained for 30 Days").
  • New rules for CIS 5.3 (Disk Encryption): v1.1.0 marks these Automated, but the benchmark provides no scripted remediation, so each rule audits and reports compliance, with the CIS remediation steps listed in the fix (no enforcement/profile):
    • os_internal_apfs_volumes_encrypted — CIS 5.3.1 (Level 1)
    • os_external_apfs_hfs_volumes_encrypted — CIS 5.3.2 (Level 1)
    • os_fat_exfat_volumes_prohibit — CIS 5.3.3 (Level 2)
      Added to baselines: cis_lvl1 (5.3.1, 5.3.2), cis_lvl2 (5.3.1, 5.3.2, 5.3.3), and cisv8 (all three).
  • supplemental_cis_manual: removed the legacy 5.3.1 (APFS) and 5.3.2 (CoreStorage) manual entries, now superseded by the dedicated 5.3.x rules above.
  • system_settings_guest_access_smb_disable (CIS 2.13.2): updated the check to /usr/sbin/sysadminctl -smbGuestAccess status matching "SMB guest access disabled"; fix unchanged.
  • mscp-data: bumped the cis_lvl1/cis_lvl2 titles from v1.0.0 to v1.1.0.

NOTES:

  • The new 5.3.x rules currently populate only the CIS references (benchmark + controls v8: 3.6, 3.11, 13.6, 14.8); the remaining reference fields (CCE, 800-53, CCI, SRG, STIG) are left as N/A for maintainers to fill, per discussion.
  • v1.1.0 is still a draft on the CIS Workbench as of this PR

@brodjieski (Collaborator)

Hey @tonyyo11 .. CIS now published the benchmark for Tahoe. Before we pull this in, can you do a final once-over to make sure it's in sync with what was published? Thanks again for your assist on this one!

… CIS macOS Tahoe 26 Benchmark 1.1

Make external/internal APFS encryption checks more informative by listing unencrypted volume names and returning a string result ("Yes" when compliant) instead of an integer. Remove the deprecated os_fat_exfat_volumes_prohibit rule and drop it from cis_lvl2 and cisv8 baselines. Exclude /Library/AppStore from the world-writable library folder check to avoid false positives. Update supplemental documentation to note auditing of connected FAT32/ExFAT drives.
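The commit above describes reworking the 5.3.1/5.3.2 encryption checks so they list the names of unencrypted volumes and return the string "Yes" only when every volume is compliant. The shell below is an added illustration of that audit shape, not the mSCP project's own rule code: it parses the text layout of `diskutil apfs list` (an assumption about that command's output; the sample blocks are constructed to resemble it), skips the Preboot, Recovery, VM and Update system volumes that macOS does not FileVault-encrypt (an assumed scope for the check), and prints either the unencrypted volume names or "Yes".

```shell
#!/bin/sh
# Added example, not mSCP rule code. Audits APFS volume encryption in the
# "list offenders, or print Yes" style the PR describes for CIS 5.3.1/5.3.2.

# Constructed sample resembling `diskutil apfs list` output (assumed layout):
# one internal container with an encrypted System volume, an unencrypted
# Preboot volume (never FileVault-encrypted, so skipped) and an unencrypted
# Data volume, plus an external container with an unencrypted "Backup" volume.
SAMPLE_DISKUTIL_OUTPUT='APFS Container (2 found)
+-- Container disk3
    |
    +-> Volume disk3s1 11111111-2222-3333-4444-555555555555
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk3s2 11111111-2222-3333-4444-666666666666
    |   APFS Volume Disk (Role):   disk3s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               /System/Volumes/Preboot
    |   FileVault:                 No
    |
    +-> Volume disk3s5 11111111-2222-3333-4444-777777777777
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        FileVault:                 No
+-- Container disk5
    +-> Volume disk5s1 11111111-2222-3333-4444-888888888888
        APFS Volume Disk (Role):   disk5s1 (No specific role)
        Name:                      Backup (Case-insensitive)
        Mount Point:               /Volumes/Backup
        FileVault:                 No
'

# Constructed sample where the only audited volume is encrypted.
SAMPLE_ALL_ENCRYPTED='+-> Volume disk3s5 11111111-2222-3333-4444-999999999999
    |   APFS Volume Disk (Role):   disk3s5 (Data)
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
'

# Reads diskutil-style text on stdin and prints one line per volume whose
# FileVault status does not start with "Yes". System-role volumes that macOS
# never encrypts are excluded (assumed scope of the check).
unencrypted_apfs_volumes() {
    awk '
        BEGIN { skip["Preboot"] = 1; skip["Recovery"] = 1; skip["VM"] = 1; skip["Update"] = 1 }
        /APFS Volume Disk \(Role\):/ {
            # Role is the text inside the last pair of parentheses.
            n = split($0, parts, "[(]")
            role = parts[n]; sub(/\).*$/, "", role)
            name = ""
            next
        }
        /^[ |]*Name:/ {
            # Strip the label and the trailing "(Case-insensitive)" qualifier.
            name = $0; sub(/^.*Name: */, "", name); sub(/ \(Case-[^)]*\) *$/, "", name)
            next
        }
        /FileVault:/ {
            fv = $0; sub(/^.*FileVault: */, "", fv)
            if (!(role in skip) && fv !~ /^Yes/) print name
        }
    '
}

# Wraps the audit in the result shape the PR describes: the offending volume
# names when any exist, otherwise the single string "Yes".
apfs_encryption_result() {
    result="$(unencrypted_apfs_volumes)"
    if [ -z "$result" ]; then
        printf 'Yes\n'
    else
        printf '%s\n' "$result"
    fi
}

# Run against the constructed sample. On a Mac the live equivalent would be:
#   /usr/sbin/diskutil apfs list | apfs_encryption_result
printf '%s\n' "$SAMPLE_DISKUTIL_OUTPUT" | apfs_encryption_result
```

Keeping the parser and the result wrapper separate means the same offender list can feed a compliance report while the "Yes"/names string stays compatible with an expected-result comparison.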
tonyyo11 changed the title from "Align CIS baseline with CIS macOS 26 Tahoe v1.1.0 (draft)" to "Align CIS baseline with CIS macOS 26 Tahoe v1.1.0" on Jun 4, 2026
@tonyyo11 (Author)

tonyyo11 commented Jun 4, 2026

Rules have been updated based on changes between draft and publication. @brodjieski
