diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
index aee5e1378..372e6b9b3 100644
--- a/baselines/cis_lvl1.yaml
+++ b/baselines/cis_lvl1.yaml
@@ -34,11 +34,13 @@ profile:
 - os_anti_virus_installed
 - os_authenticated_root_enable
 - os_config_data_install_enforce
+ - os_external_apfs_hfs_volumes_encrypted
 - os_gatekeeper_enable
 - os_guest_folder_removed
 - os_home_folders_secure
 - os_httpd_disable
 - os_install_log_retention_configure
+ - os_internal_apfs_volumes_encrypted
 - os_mail_summary_disable
 - os_mobile_file_integrity_enable
 - os_nfsd_disable
@@ -87,6 +89,7 @@ profile:
 - system_settings_firewall_stealth_mode_enable
 - system_settings_guest_access_smb_disable
 - system_settings_guest_account_disable
+ - system_settings_hot_corners_secure
 - system_settings_improve_assistive_voice_disable
 - system_settings_improve_search_disable
 - system_settings_improve_siri_dictation_disable
diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
index fd167b2d0..1546d518e 100644
--- a/baselines/cis_lvl2.yaml
+++ b/baselines/cis_lvl2.yaml
@@ -45,11 +45,13 @@ profile:
 - os_authenticated_root_enable
 - os_bonjour_disable
 - os_config_data_install_enforce
+ - os_external_apfs_hfs_volumes_encrypted
 - os_gatekeeper_enable
 - os_guest_folder_removed
 - os_home_folders_secure
 - os_httpd_disable
 - os_install_log_retention_configure
+ - os_internal_apfs_volumes_encrypted
 - os_mail_summary_disable
 - os_mobile_file_integrity_enable
 - os_nfsd_disable
diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
index 62b3fa977..01924f552 100644
--- a/baselines/cisv8.yaml
+++ b/baselines/cisv8.yaml
@@ -74,6 +74,7 @@ profile:
 - os_dictation_disable
 - os_directory_services_configured
 - os_ess_installed
+ - os_external_apfs_hfs_volumes_encrypted
 - os_filevault_autologin_disable
 - os_gatekeeper_enable
 - os_handoff_disable
@@ -81,6 +82,7 @@ profile:
 - os_httpd_disable
 - os_icloud_storage_prompt_disable
 - os_install_log_retention_configure
+ - os_internal_apfs_volumes_encrypted
 - os_iphone_mirroring_disable
 - os_ir_support_disable
 - os_library_validation_enabled
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
index 53686bdae..9f098c9b3 100644
--- a/includes/mscp-data.yaml
+++ b/includes/mscp-data.yaml
@@ -97,8 +97,8 @@ titles:
 800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
 800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
 800-171: NIST 800-171 Rev 3
- cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)
- cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)
+ cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 1)
+ cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 2)
 cmmc_lvl1: US CMMC 2.0 Level 1
 cmmc_lvl2: US CMMC 2.0 Level 2
 cisv8: CIS Controls Version 8
diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
index d23829d89..a148adaa1 100644
--- a/rules/audit/audit_retention_configure.yaml
+++ b/rules/audit/audit_retention_configure.yaml
@@ -45,8 +45,8 @@ macOS:
 odv:
 hint: See man audit_control for possible values.
 recommended: 7d
- cis_lvl1: 60d OR 5G
- cis_lvl2: 60d OR 5G
+ cis_lvl1: 30d
+ cis_lvl2: 30d
 stig: 7d
 nlmapgov_base: 180d
 nlmapgov_plus: 180d
diff --git a/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml
new file mode 100644
index 000000000..e1ca14943
--- /dev/null
+++ b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml
@@ -0,0 +1,56 @@
+id: os_external_apfs_hfs_volumes_encrypted
+title: Ensure All APFS and HFS+ External User Storage Volumes Are Encrypted
+discussion: |
+ All APFS and HFS+ external user storage volumes _MUST_ be encrypted.
+
+ While FileVault protects the boot volume, data may be copied to attached external storage and reduce the protection afforded by FileVault. All external user data volumes (APFS or HFS+) _MUST_ be encrypted to protect user data from loss or tampering. CoreStorage has been deprecated and replaced with APFS for volume encryption.
+check: |
+ fail=$(/usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk '
+ /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)}
+ /FileVault:/{
+ if ($2=="No") {
+ if (list=="") list=name; else list=list ", " name
+ }
+ }
+ END{print list}')
+ if [ -z "$fail" ]; then
+ /bin/echo "Yes"
+ else
+ /bin/echo "Unencrypted external volumes: $fail"
+ fi
+result:
+ string: "Yes"
+fix: |
+ Use Disk Utility to erase a user disk and format as APFS (Encrypted).
+
+ NOTE: It is recommended using APFS over HFS+ where possible. If you do need to use an HFS+/CoreStorage external drive for compatibility reasons, you need to format the drive to MacOS Extended (Journaled) (or MacOS Extended (Case-Sensitive, Journaled) if Case-Sensitive is required).
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 5.3.2 (level 1)
+ controls v8:
+ - 3.6
+ - 3.11
+ - 13.6
+ - 14.8
+macOS:
+ - '26.0'
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+severity: medium
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_internal_apfs_volumes_encrypted.yaml b/rules/os/os_internal_apfs_volumes_encrypted.yaml
new file mode 100644
index 000000000..3f767075d
--- /dev/null
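Review bot: The awk in `check` only records a volume when it sees a `FileVault:` line, so a volume that reports no such line is never added to `fail` and the check prints `Yes`; as far as I know `diskutil info` prints `FileVault:` only for APFS volumes, which means the plain HFS+ partitions this rule's title covers pass unconditionally — the check fails open for exactly the non-APFS case. `name` is also carried over from the previous record when a volume has no `Volume Name:` line, so a finding can be reported under the wrong label. A fail-closed shape starts each record at the `Device Identifier:` line, defaults the label to that identifier, and reports every record that ends without `FileVault: Yes`; encrypted CoreStorage drives would then appear as findings, which is consistent with the fix text's advice to move them to APFS (Encrypted), but confirm the behaviour on a CoreStorage volume before merging. The `if [ -z "$fail" ]` branches, `result` and the rest of the file are unchanged.
```yaml
check: |
  fail=$(/usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk '
    function add(n){ if (list=="") list=n; else list=list ", " n }
    function finish(){ if (name!="" && !enc) add(name); name=""; enc=0 }
    /Device Identifier:/{finish(); name=$NF}
    /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)}
    /FileVault:/{ if ($2=="Yes") enc=1 }
    END{finish(); print list}')
# … unchanged: echo "Yes" / "Unencrypted external volumes: $fail", result, fix, references …
```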
+++ b/rules/os/os_internal_apfs_volumes_encrypted.yaml
@@ -0,0 +1,56 @@
+id: os_internal_apfs_volumes_encrypted
+title: Ensure All Internal User Storage APFS Volumes Are Encrypted
+discussion: |
+ All internal user storage APFS volumes _MUST_ be encrypted.
+
+ While FileVault protects the boot volume, data may be copied to other attached internal storage and reduce the protection afforded by FileVault. All internal APFS volumes that carry user data and do not have a specific role (Preboot, Recovery, VM) _MUST_ be encrypted to protect user data from loss or tampering.
+check: |
+ fail=$(/usr/sbin/diskutil list internal | /usr/bin/grep "APFS Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk '
+ /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)}
+ /FileVault:/{
+ if ($2=="No" && name !~ /^(Preboot|Recovery|VM)$/) {
+ if (list=="") list=name; else list=list ", " name
+ }
+ }
+ END{print list}')
+ if [ -z "$fail" ]; then
+ /bin/echo "Yes"
+ else
+ /bin/echo "Unencrypted internal user APFS volumes: $fail"
+ fi
+result:
+ string: "Yes"
+fix: |
+ Use Disk Utility to erase a user disk and format as APFS (Encrypted).
+
+ NOTE: APFS Encrypted disks will be described as "FileVault" whether they are the boot volume or not.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ cis:
+ benchmark:
+ - 5.3.1 (level 1)
+ controls v8:
+ - 3.6
+ - 3.11
+ - 13.6
+ - 14.8
+macOS:
+ - '26.0'
+tags:
+ - cis_lvl1
+ - cis_lvl2
+ - cisv8
+severity: medium
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
index 9e6975a61..dc6a823f3 100644
--- a/rules/os/os_world_writable_library_folder_configure.yaml
+++ b/rules/os/os_world_writable_library_folder_configure.yaml
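Review bot: The exclusion `name !~ /^(Preboot|Recovery|VM)$/` in `check` filters system volumes by name, and the list looks short: the `Update` volume in the system container and, on Apple silicon, the `iSCPreboot`, `xART` and `Hardware` volumes of the boot container are also internal APFS volumes, and if they report `FileVault: No`, as I believe they do, every Mac fails this rule regardless of how its user data volumes are configured. Name matching is also weak in both directions — a data volume that happens to be named `VM` is skipped, while a system volume with a renamed label is flagged — so filtering on the volume role that `diskutil apfs list` reports would be more robust, though that needs a different parse than this one-pass awk. As a minimal change, extend the regex to `name !~ /^(Preboot|Recovery|VM|Update|iSCPreboot|xART|Hardware)$/` and verify the result against `diskutil list internal` on both an Apple silicon and an Intel Mac. The `discussion` text should then list the same volumes the check excludes.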
@@ -5,7 +5,7 @@ discussion: |
 NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment.
 check: |
- /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/wc -l | /usr/bin/xargs
+ /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/grep -vE "/Library/AppStore" | /usr/bin/wc -l | /usr/bin/xargs
 result:
 integer: 0
 fix: |
diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
index a008640b3..e8b1d02cd 100644
--- a/rules/supplemental/supplemental_cis_manual.yaml
+++ b/rules/supplemental/supplemental_cis_manual.yaml
@@ -60,8 +60,7 @@ discussion: |
 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +
 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +
 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
- 5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
- 5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
+ 5.3.3 Audit Connected FAT32 and ExFAT Drives
 |===
 [cols="15%h, 85%a"]
diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
index 37b722a7f..ca4fc05be 100644
--- a/rules/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
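Review bot: The new exclusion `/usr/bin/grep -vE "/Library/AppStore"` on the `check` line is unanchored, so it drops every path that merely contains that substring — a `/Library/AppStoreSomething` folder, or any nested `…/Library/AppStore/…` under a third-party tree — rather than only Apple's `/Library/AppStore` directory; anchor it as `/usr/bin/grep -vE "^/Library/AppStore(/|$)"`. The `fix` block that starts on the hunk's last line is outside this hunk and presumably runs the same `find` with a `chmod`; since the NOTE in `discussion` says exclusions must be kept in step between check and fix, the same anchored exclusion should be added there as well.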
@@ -5,9 +5,9 @@ discussion: |
 Turning off guest access prevents anonymous users from accessing files shared via SMB.
 check: |
- /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
+ /usr/sbin/sysadminctl -smbGuestAccess status 2>&1 | /usr/bin/grep -c "SMB guest access disabled"
 result:
- boolean: 0
+ integer: 1
 fix: |
 [source,bash]
 ----
diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
index c8f55b168..a50824517 100644
--- a/rules/system_settings/system_settings_hot_corners_secure.yaml
+++ b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -49,7 +49,7 @@ references:
 - 03.01.10
 cis:
 benchmark:
- - 2.7.1 (level 2)
+ - 2.7.1 (level 1)
 controls v8:
 - 4.3
 cmmc:
@@ -57,6 +57,7 @@ references:
 macOS:
 - '26.0'
 tags:
+ - cis_lvl1
 - cis_lvl2
 - cisv8
 - cnssi-1253_low
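Review bot: The new `check` pins an exact human-readable string, `"SMB guest access disabled"`, and any change in `sysadminctl`'s wording or a failed invocation (the `2>&1` suggests it reports on stderr) produces `0` and a failed check — that fails closed, which is the right default, but it deserves a comment so a future wording change is recognised as a check artefact rather than a finding: `# sysadminctl prints its status to stderr; any output change yields 0 and fails the check`. The `fix` that begins on the hunk's last line is outside this hunk; it should set the state through the same interface the check now reads, `/usr/sbin/sysadminctl -smbGuestAccess off`, rather than the `defaults write` path the removed check implied, otherwise check and fix can disagree about the same setting.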