#
# This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.1 $
# $Date: 2019/02/07 $
#
# description : This document implements the security configuration as recommended by the
# CIS Apple macOS 10.13 Benchmark v1.0.0
#
# https://workbench.cisecurity.org/files/2105
#
#CIS Apple macOS 10.13 L1 v1.0.0
#
# CIS
# Apple macOS 10.13 L1
# 1.0.0
# https://workbench.cisecurity.org/files/2105
#
#unix,cis,macosx,macosx_10,macosx_10.13
#LEVEL
#
#
# ACCESS_WARNING
# This system is reserved for authorized use only and may be monitored.
# Login Window Text
# An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored.
#
#
#

type : CMD_EXEC
description : "MacOS 10.13 is installed"
cmd : "/usr/bin/sw_vers | /usr/bin/grep 'ProductVersion'"
expect : "^ProductVersion[\\s]*:[\\s]*10\.13"

description : "CIS_Apple_macOS_10.13_v1.0.0_Level_1.audit from CIS Apple macOS 10.13 Benchmark v1.0.0"

type : CMD_EXEC
description : "1.1 Verify all Apple provided software is current"
info : "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.
Rationale: It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
solution : "Perform the following to ensure the system is configured as prescribed:
1. Choose Apple menu > App Store. If prompted, enter an admin name and password.
2. Install all available updates and software patches that are applicable.
Alternatively:
1. In Terminal, run the following: softwareupdate -l
2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,LEVEL|1S,NESA|T7.6.2,NESA|T7.7.1,NIAv2|AM38,NIAv2|AM39,NIAv2|PR9,NIAv2|SS14b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/softwareupdate -l 2>&1"
expect : "No new software available"

type : MACOSX_DEFAULTS_READ
description : "1.2 Enable Auto Update"
info : "Auto Update verifies that your system has the newest security patches and software updates. If 'Automatically check for updates' is not selected, background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.
http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
Rationale: It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
solution : "Perform the following to implement the prescribed state:
1.
Open a terminal session and enter the following command to enable the auto update feature:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S,NIAv2|NS26b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "AutomaticCheckEnabled"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.3 Enable app update installs"
info : "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users.
Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
solution : "Perform the following to implement the prescribed state:
1. Open a terminal session and enter the following command to enable the auto update feature:
sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
Please note that the remediation requires a log out and log in before the change shows in the GUI."
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S,NIAv2|NS26b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "AutoUpdate"
plist_name : "/Library/Preferences/com.apple.commerce"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.4 Enable system data files and security update installs - 'ConfigDataInstall'"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
http://www.thesafemac.com/tag/xprotect/
https://support.apple.com/en-us/HT202491
Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
solution : "Perform the following to implement the prescribed state:
1. Open a terminal session and enter the following command to enable installation of system data files and security updates:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S,NIAv2|NS26b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "ConfigDataInstall"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.4 Enable system data files and security update installs - 'CriticalUpdateInstall'"
info : "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
http://www.thesafemac.com/tag/xprotect/
https://support.apple.com/en-us/HT202491
Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
solution : "Perform the following to implement the prescribed state:
1.
Open a terminal session and enter the following command to enable installation of system data files and security updates:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S,NIAv2|NS26b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "CriticalUpdateInstall"
plist_name : "/Library/Preferences/com.apple.SoftwareUpdate"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "1.5 Enable macOS update installs"
info : "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.
Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
solution : "Perform the following to implement the prescribed state:
1.
Open a terminal session and enter the following command to enable installation of system data files and security updates:
sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
reference : "800-171|3.14.1,800-53|SI-2,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S,NIAv2|NS26b,SWIFT-CSCv1|2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "AutoUpdateRestartRequired"
plist_name : "/Library/Preferences/com.apple.commerce"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
regex : "0"
plist_item : "ControllerPowerState"
plist_name : "/Library/Preferences/com.apple.Bluetooth"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
info : "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure.
Rationale: Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
solution : "Perform the following to implement the prescribed state:
1.
In Terminal, run the following commands:
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "ControllerPowerState"
plist_name : "/Library/Preferences/com.apple.Bluetooth"
plist_option : CANNOT_BE_NULL

type : CMD_EXEC
description : "2.1.1 Turn off Bluetooth, if no paired devices exist"
info : "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure.
Rationale: Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
solution : "Perform the following to implement the prescribed state:
1. In Terminal, run the following commands:
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
sudo killall -HUP blued"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/system_profiler | /usr/bin/grep 'Bluetooth:' -A 20 | /usr/bin/grep Connectable"
expect : "Connectable: Yes"

type : CMD_EXEC
description : "2.1.2 Bluetooth 'Discoverable' is only available when Bluetooth preference pane is open"
info : "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device.
When a device is 'discoverable' it broadcasts information about itself and its location. Starting with OS X 10.9, Discoverable mode is enabled only while the Bluetooth System Preference is open and turned off once closed.
Rationale: When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device."
solution : "Quit System Preferences.
Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1NS,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/system_profiler SPBluetoothDataType | /usr/bin/grep -i discoverable"
expect : "Discoverable:[\\s]*Off"

type : CMD_EXEC
description : "2.1.3 Show Bluetooth status in menu bar"
info : "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off.
Rationale: Enabling 'Show Bluetooth status in menu bar' is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, Discoverable, what paired devices exist and are currently active."
solution : "In System Preferences: Bluetooth, turn Show Bluetooth Status In Menu Bar on.
Alternatively run the following in the command line:
defaults write com.apple.systemuiserver menuExtras -array-add '/System/Library/CoreServices/Menu Extras/Bluetooth.menu'
If the remediation is run multiple times, multiple instances of the Bluetooth status will appear after rebooting the system.
Command-click and drag the unwanted icons off the menu bar. http://osxdaily.com/2012/01/05/remove-icons-menu-bar-mac-os-x/"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read com.apple.systemuiserver menuExtras | /usr/bin/grep Bluetooth.menu"
expect : "/System/Library/CoreServices/Menu Extras/Bluetooth\\.menu"

type : CMD_EXEC
description : "2.2.1 Enable 'Set time and date automatically'"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.
Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required, use the Date & Time System Preference with each server separated by a space.
Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Date & Time
3.
Select Set date and time automatically
Alternatively run the following commands:
sudo systemsetup -setnetworktimeserver your.time.server
sudo systemsetup -setusingnetworktime on"
reference : "800-171|3.3.7,800-53|AU-8,CSCv6|6.1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.4,ITSG-33|AU-8,LEVEL|1S,NESA|T3.6.7,NIAv2|NS44,NIAv2|NS45,NIAv2|NS46,NIAv2|NS47,PCI-DSSv3.1|10.4,PCI-DSSv3.2|10.4"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/systemsetup -getusingnetworktime"
expect : "Network Time:[\\s]*On"

type : CMD_EXEC
description : "2.2.2 Ensure time set is within appropriate limits"
info : "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds; for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems, the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict; if that offset is too great for your organization, adjust to a smaller offset value as needed.
Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. The audit check is for more than 4 minutes and 30 seconds ahead or behind."
solution : "Perform the following to implement the prescribed state:
1. In Terminal, run the following command: sudo systemsetup -getnetworktimeserver
2.
Use the server reported after 'Network Time Server:' (your.time.server below) to capture the drift:
sudo ntpdate -sv your.time.server"
reference : "800-171|3.4.2,800-53|CM-6,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "ntpdate -svd `sudo /usr/sbin/systemsetup -getnetworktimeserver | cut -d ' ' -f 4` | egrep offset"
expect : "offset[\\s]+(-)?([0-9]{1,2}|1[0-9]{2}|2[0-6][0-9]|270)\\."

type : MACOSX_DEFAULTS_READ
description : "2.3.1 Set an inactivity interval of 15 minutes or less for the screen saver"
info : "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu; 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
Rationale: Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Desktop & Screen Saver
3. Select Screen Saver
4. Set Start after to 20 minutes or less
Alternatively:
1. In Terminal, run the following command:
defaults -currentHost write com.apple.screensaver idleTime -int 900
There are anomalies if the command line is used to make the setting something other than what is available in the GUI Menu.
Choose 15 minutes"
reference : "800-171|3.1.10,800-53|AC-11,CSCv6|16.5,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : ".* = ([1-9]|[1-8][0-9]|9[0-9]|[1-8][0-9]{2}|900)$"
byhost : YES
plist_item : "idleTime"
plist_name : "com.apple.screensaver"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver"
info : "In 10.13 Apple added a 'Lock Screen' option to the Apple Menu. Prior to this the best quick lock options were to use either a lock screen option with the screen saver or the lock screen option from Keychain Access if its status was made available in the menu bar. With 10.13 the menu bar option is no longer available. The intent of this control is to resemble control-alt-delete on Windows systems as a means of quickly locking the screen. If the user of the system is stepping away from the computer, the best practice is to lock the screen, and setting a hot corner is an appropriate method.
Rationale: Ensuring the user has a quick method to lock their screen may reduce the opportunity for individuals in close physical proximity of the device to see screen contents."
solution : "Ensure users know how to lock the screen using the Apple Menu 'Lock Screen' option when briefly stepping away from the computer.
Alternatively, in System Preferences: Desktop & Screen Saver: Screen Saver: Hot Corners, make sure at least one Active Screen Corner is set to Start Screen Saver. Make sure the user knows about this feature.
The screen corners can be set using the defaults command, but the permutations of combinations are many. The plist file to check is '~/Library/Preferences/com.apple.dock' and the keys are
wvous-bl-corner
wvous-br-corner
wvous-tl-corner
wvous-tr-corner
There are also modifier keys to check and various values for each of these keys. A value of '5' means the corner will start the screen saver.
The corresponding wvous-xx-modifier key should be set to '0'."
reference : "800-171|3.1.10,800-53|AC-11,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1NS,NESA|T2.3.8,NESA|T2.3.9,NIAv2|AM23a,NIAv2|AM23b"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read ~/Library/Preferences/com.apple.dock | /usr/bin/grep -i corner"
expect : "\".*-corner\"[\\s]*=[\\s]*5;$"

type : CMD_EXEC
description : "2.4.1 Disable Remote Apple Events"
info : "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.
Rationale: Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
solution : "Perform the following to implement the prescribed state:
1. Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/systemsetup -getremoteappleevents"
expect : "^Remote Apple Events:[\\s]*Off"

type : CMD_EXEC
description : "2.4.2 Disable Internet Sharing"
info : "Internet Sharing uses the open source 'natd' process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
Rationale: Disabling Internet Sharing reduces the remote attack surface of the system."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Sharing
3.
Uncheck Internet Sharing"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | /usr/bin/grep -i Enabled | /usr/bin/grep -v 0 | /usr/bin/awk '{print} END {if (NR == 0) print\"pass\"}'"
expect : "pass"

type : CMD_EXEC
description : "2.4.3 Disable Screen Sharing"
info : "Screen sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
Rationale: Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Sharing
3. Uncheck Screen Sharing"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist"
expect : "Service[\\s]+is[\\s]+disabled"

type : CMD_EXEC
description : "2.4.4 Disable Printer Sharing"
info : "By enabling Printer Sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
Rationale: Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Sharing
3. Uncheck Printer Sharing"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/system_profiler SPPrintersDataType"
expect : "(The[\\s]*printers[\\s]*list[\\s]*is[\\s]*empty|Shared:[\\s]+No)"

type : CMD_EXEC
description : "2.4.5 Disable Remote Login"
info : "Remote Login allows an interactive terminal connection to a computer.
Rationale: Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to POSIX servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP based firewall available (pf; ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong brute-force password guessing mitigations, or frequent patching of OpenSSH by Apple. Most macOS computers are mobile workstations; managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
solution : "Perform the following to implement the prescribed state:
1. Run the following command in Terminal: sudo systemsetup -setremotelogin off"
reference : "800-171|3.1.1,800-171|3.1.2,800-53|AC-17,CIP|005-5-R2,CSF|PR.AC-3,CSF|PR.PT-4,ITSG-33|AC-17,LEVEL|1S,NESA|T5.4.5,SWIFT-CSCv1|2.6"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/systemsetup -getremotelogin"
expect : "^Remote[\\s]*Login:[\\s]Off$"

type : CMD_EXEC
description : "2.4.6 Disable DVD or CD Sharing"
info : "DVD or CD Sharing allows users to remotely access the system's optical drive.
Rationale: Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Sharing
3. Uncheck DVD or CD Sharing"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl list | /usr/bin/egrep ODSAgent | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "2.4.7 Disable Bluetooth Sharing"
info : "Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices.
Rationale: Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Sharing
3. Uncheck Bluetooth Sharing"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "system_profiler SPBluetoothDataType | grep State | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "(none|State:[\\s]*Disabled)"

type : CMD_EXEC
description : "2.4.8 Disable File Sharing - AppleFileServer"
info : "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing). Two common ways to share files using File Sharing are:
1. Apple File Protocol (AFP)
AFP automatically uses encrypted logins, so this method of sharing files is fairly secure.
The entire hard disk is shared to administrator user accounts. Individual home folders are shared to their respective user accounts. Users' 'Public' folders (and the 'Drop Box' folder inside) are shared to any user account that has sharing access to the computer (i.e. anyone in the 'staff' group, including the guest account if it is enabled).
2. Server Message Block (SMB), Common Internet File System (CIFS)
When Windows (or possibly Linux) computers need to access files shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
Rationale: By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
solution : "Perform the following to implement the prescribed state:
- Run the following command in Terminal to turn off AFP from the command line:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
- Run the following command in Terminal to turn off SMB sharing from the CLI:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl list | /usr/bin/grep AppleFileServer | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "2.4.8 Disable File Sharing - SMB"
info : "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing). Two common ways to share files using File
Sharing are:
1. Apple File Protocol (AFP)
AFP automatically uses encrypted logins, so this method of sharing files is fairly secure. The entire hard disk is shared to administrator user accounts. Individual home folders are shared to their respective user accounts. Users' 'Public' folders (and the 'Drop Box' folder inside) are shared to any user account that has sharing access to the computer (i.e. anyone in the 'staff' group, including the guest account if it is enabled).
2. Server Message Block (SMB), Common Internet File System (CIFS)
When Windows (or possibly Linux) computers need to access files shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
Rationale: By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
solution : "Perform the following to implement the prescribed state:
- Run the following command in Terminal to turn off AFP from the command line:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
- Run the following command in Terminal to turn off SMB sharing from the CLI:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl list | /usr/bin/grep smbd | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "2.4.9 Disable Remote Management"
info : "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regarding screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS system and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems.
Rationale: Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
solution : "In System Preferences: Sharing, turn off Remote Management."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/ps -ef | /usr/bin/egrep ARDAgent | /usr/bin/grep -v egrep | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "2.5.1 Disable 'Wake for network access'"
info : "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network where only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged networks where untrusted devices could send wake signals.
Rationale: Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
solution : "Perform the following to implement the prescribed state:
1. Run the following command in Terminal:
sudo pmset -a womp 0"
reference : "800-171|3.1.10,800-53|AC-11,CSCv6|3.1,CSF|PR.IP-1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/pmset -g | /usr/bin/grep womp"
expect : "^[\\s]*womp[\\s]*0$"

type : CMD_EXEC
description : "2.6.1.1 Enable FileVault"
info : "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.
Rationale: Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Security & Privacy
3. Select FileVault
4. Select Turn on FileVault"
reference : "800-171|3.13.16,800-53|SC-28,CSF|PR.DS-1,ITSG-33|SC-28,LEVEL|1S,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/fdesetup status"
expect : "FileVault[\\s]+is[\\s]+On."

type : CMD_EXEC
description : "2.6.1.2 Ensure all user storage APFS volumes are encrypted"
info : "Apple developed a new file system that was first made available in 10.12 and then became the default in 10.13. The file system is optimized for Flash and Solid State storage and encryption. https://en.wikipedia.org/wiki/Apple_File_System macOS computers generally have several volumes created as part of APFS formatting including Preboot, Recovery and Virtual Memory (VM) as well as traditional user disks. All APFS volumes that do not have a specific role exempting them from encryption should be encrypted. 'Role' disks include Preboot, Recovery and VM. User disks are labelled with '(No specific role)' by default.
Rationale: In order to protect user data from loss or tampering, volumes carrying data should be encrypted."
solution : "Use Disk Utility to erase a user disk and format as APFS (Encrypted)
Note: APFS Encrypted disks will be described as 'FileVault' whether they are the boot volume or not in the ap list"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1NS,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/diskutil ap list"
expect : "FileVault[\\s]*:[\\s]*Yes"

type : CMD_EXEC
description : "2.6.1.3 Ensure all user storage CoreStorage volumes are encrypted"
info : "Apple introduced Core Storage with 10.7. It is used as the default for formatting on macOS volumes prior to 10.13.
All HFS and Core Storage Volumes should be encrypted.
Rationale: In order to protect user data from loss or tampering, volumes carrying data should be encrypted."
solution : "Use Disk Utility to erase a disk and format as macOS Extended (Journaled, Encrypted)"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1NS,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/diskutil cs list"
expect : "Encryption[\\s]+Type[\\s]*:[\\s]*AES-XTS"

type : CMD_EXEC
description : "2.6.2 Enable Gatekeeper"
info : "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.
Rationale: Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Security & Privacy
3. Select General
4. Select Allow applications downloaded from: Mac App Store and identified developers
Alternatively, perform the following to ensure the system is configured as prescribed:
1. Run the following command in Terminal:
sudo spctl --master-enable"
reference : "800-171|3.4.8,800-53|CM-7,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.6.2,LEVEL|1S,NIAv2|SS13a,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/sbin/spctl --status"
expect : "assessments[\\s]*enabled"

type : MACOSX_DEFAULTS_READ
description : "2.6.3 Enable Firewall"
info : "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
http://support.apple.com/en-us/HT201642
Rationale: A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Security & Privacy
3. Select Firewall
4. Select Turn On Firewall
Alternatively:
1. Run the following command in Terminal:
defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
2. Where <value> is:
- '1' = on for specific services
- '2' = on for essential services"
reference : "800-171|3.13.1,800-53|SC-7,CSCv6|9.2,ITSG-33|SC-7,LEVEL|1S,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "[12]"
plist_item : "globalstate"
plist_name : "/Library/Preferences/com.apple.alf"
plist_option : CANNOT_BE_NULL

type : CMD_EXEC
description : "2.6.4 Enable Firewall Stealth Mode"
info : "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic. http://support.apple.com/en-us/HT201642
Rationale: Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Security & Privacy
3. Select Firewall Options
4. Select Enable stealth mode
Alternatively:
1.
Run the following command in Terminal:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
reference : "800-171|3.13.1,800-53|SC-7,CSCv6|9.2,ITSG-33|SC-7,LEVEL|1S,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode"
expect : "Stealth mode enabled"

type : CMD_EXEC
description : "2.6.5 Review Application Firewall Rules"
info : "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall. http://support.apple.com/en-us/HT201642 A computer should have a limited number of applications open to incoming connectivity. This rule will check for whether there are more than 10 rules for inbound connections.
Rationale: A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet. Which applications are allowed to accept incoming connections through the firewall is important to understand."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Security & Privacy
3. Select Firewall Options
4. Select unneeded rules
5. Select the minus sign below to delete them
Alternatively:
1. Edit and run the following command in Terminal to remove specific applications:
/usr/libexec/ApplicationFirewall/socketfilterfw --remove <path to application>
2. Where <path to application> is the one to be removed"
reference : "800-171|3.13.1,800-53|SC-7,CSCv6|9.2,ITSG-33|SC-7,LEVEL|1S,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | /usr/bin/grep Allow | /usr/bin/wc -l"
expect : "^[\\s]*[0-9][\\s]*$"

type : CMD_EXEC
description : "2.8.2 Time Machine Volumes Are Encrypted"
info : "One of the most important security tools for data protection on macOS is FileVault. With encryption in place it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use. While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes.
Rationale: Backup volumes need to be encrypted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Ensure that backup volumes are encrypted using the Time Machine control or using Disk Utility"
reference : "800-171|3.13.16,800-53|SC-28,CSF|PR.DS-1,ITSG-33|SC-28,LEVEL|1S,TBA-FIISB|28.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/tmutil destinationinfo"
expect : ""
severity : MEDIUM

type : MACOSX_DEFAULTS_READ
description : "2.9 Pair the remote control infrared receiver if enabled"
regex : "0"
plist_item : "DeviceEnabled"
plist_name : "/Library/Preferences/com.apple.driver.AppleIRController"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "2.9 Pair the remote control infrared receiver if enabled"
info : "An infrared receiver is a piece of hardware that sends information from an infrared remote control to another device by receiving and decoding signals. If a remote is used with a computer, a specific remote, or 'pair', can be set up to work with the computer. This will allow only the paired remote to work on that computer. If a remote is needed the receiver should only be accessible by a paired device. Many models do not have infrared hardware. The audit check looks for the hardware first.
Rationale: An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information."
solution : "Perform one of the following to implement the prescribed state:
Disable the remote control infrared receiver:
1. Open System Preferences
2. Select Security & Privacy
3. Select the General tab
4. Select Advanced
5. Check Disable remote control infrared receiver
Pair a remote control infrared receiver
1. Holding the remote close to the computer, point the remote at the front of the computer.
2. Pair the Apple Remote.
- If you have an Apple Remote with seven buttons, press and hold both the Right and Menu buttons on the remote until the paired-remote icon appears on your screen
- If you have an Apple Remote with six buttons, press and hold both the Next and Menu buttons on the remote until the paired-remote icon appears on your screen"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "DeviceEnabled"
plist_name : "/Library/Preferences/com.apple.driver.AppleIRController"
plist_option : CANNOT_BE_NULL

type : CMD_EXEC
description : "2.9 Pair the remote control infrared receiver if enabled"
info : "An infrared receiver is a piece of hardware that sends information from an infrared remote control to another device by receiving and decoding signals. If a remote is used with a computer, a specific remote, or 'pair', can be set up to work with the computer. This will allow only the paired remote to work on that computer. If a remote is needed the receiver should only be accessible by a paired device. Many models do not have infrared hardware. The audit check looks for the hardware first.
Rationale: An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information."
solution : "Perform one of the following to implement the prescribed state:
Disable the remote control infrared receiver:
1. Open System Preferences
2. Select Security & Privacy
3. Select the General tab
4. Select Advanced
5. Check Disable remote control infrared receiver
Pair a remote control infrared receiver
1. Holding the remote close to the computer, point the remote at the front of the computer.
2. Pair the Apple Remote.
- If you have an Apple Remote with seven buttons, press and hold both the Right and Menu buttons on the remote until the paired-remote icon appears on your screen
- If you have an Apple Remote with six buttons, press and hold both the Next and Menu buttons on the remote until the paired-remote icon appears on your screen"
reference : "800-171|3.1.18,800-53|AC-19,CSF|PR.AC-3,ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController | /usr/bin/grep UIDFilter | /usr/bin/grep none | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "^[\\s]*none[\\s]*$"

type : MACOSX_DEFAULTS_READ
description : "2.10 Enable Secure Keyboard Entry in terminal.app"
info : "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal.
Rationale: Enabling Secure Keyboard Entry minimizes the risk of a key logger detecting what is entered in Terminal."
solution : "Perform the following to implement the prescribed state:
1. Open Terminal
2. Select Terminal
3. Select Secure Keyboard Entry"
reference : "800-171|3.4.2,800-53|CM-6,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "SecureKeyboardEntry"
plist_name : "com.apple.Terminal"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "2.13 Ensure EFI version is valid and being regularly checked - integrity-check"
info : "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
Rationale: If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
solution : "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
reference : "800-53|SI-7,CSF|PR.DS-6,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check"
expect : "No[\\s]+changes[\\s]+detected[\\s]+in[\\s]+primary[\\s]+hashes"

type : CMD_EXEC
description : "2.13 Ensure EFI version is valid and being regularly checked - daemon"
info : "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
Rationale: If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
solution : "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
reference : "800-53|SI-7,CSF|PR.DS-6,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl list | /usr/bin/grep com.apple.driver.eficheck"
expect : "com.apple.driver.eficheck"

type : CMD_EXEC
description : "3.1 Enable security auditing"
info : "macOS's audit facility, 'auditd', receives notifications from the kernel when certain system calls, such as 'open', 'fork', and 'exit', are made. These notifications are captured and written to an audit log.
Rationale: Logs generated by 'auditd' may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
solution : "Perform the following to implement the prescribed state:
1.
Run the following command in Terminal:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/launchctl list | /usr/bin/grep -i auditd"
expect : "com.apple.auditd"

type : FILE_CONTENT_CHECK
description : "3.3 Ensure security auditing retention"
info : "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records. Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use:
expire-after:60D OR 1G
More info in the man page: man audit_control
Rationale: The audit records need to be retained long enough to be reviewed as necessary."
solution : "Edit the /etc/security/audit_control file so that:
expire-after is at least 60D OR 1G"
reference : "800-53|AU-4,CSCv6|6.3,CSF|PR.DS-4,CSF|PR.PT-1,ITSG-33|AU-4,LEVEL|1S,NESA|T3.3.1,NESA|T3.6.2"
see_also : "https://workbench.cisecurity.org/files/2105"
file : "/etc/security/audit_control"
regex : "^expire-after:"
expect : "^expire-after:(([6-9][0-9]|[1-9][0-9]{2,})D|[1-9][0-9]{0,}G)"

type : FILE_CHECK
description : "3.4 Control access to audit records - /etc/security/audit_control"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded.
As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale: Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes."
solution : "If the system has different access controls on the audit logs and the changes cannot be traced a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes."
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
file : "/etc/security/audit_control"
owner : "root"
mask : "337"
group : "wheel"

type : FILE_CHECK
description : "3.4 Control access to audit records - /var/audit"
info : "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files.
Rationale: Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes."
solution : "If the system has different access controls on the audit logs and the changes cannot be traced a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes."
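The two audit-subsystem checks above (3.3 retention in /etc/security/audit_control, 3.4 ownership and mode of the audit_control file and /var/audit) can be reproduced outside Nessus. The script below is an added example written for this page, not part of the Tenable audit file or of Apple's tooling: it applies the same expire-after pattern the "expect" field uses, and it implements the FILE_CHECK "mask" semantics, where mask 337 names the permission bits that must be clear (group write and execute, everything for others, so at most 0440). The audit_control text it checks is a constructed sample, and it parses `ls -ld` instead of `stat` so it runs identically on macOS and Linux.

```shell
#!/bin/sh
# Added example, not part of the Tenable audit file: re-implements items 3.3
# and 3.4 with portable tools. On a real Mac the inputs would be
# /etc/security/audit_control and the files under /var/audit.

# Item 3.3: the pattern the audit's "expect" field applies to the expire-after
# line, i.e. at least 60 days or at least 1 GB of retention.
EXPIRE_RE='^expire-after:(([6-9][0-9]|[1-9][0-9]{2,})D|[1-9][0-9]{0,}G)'

# audit_control_retention_ok "<contents of audit_control>": prints PASS or FAIL.
audit_control_retention_ok() {
    printf '%s\n' "$1" | grep -Eq "$EXPIRE_RE" && echo PASS || echo FAIL
}

# mode_of PATH: octal permission bits parsed from the first field of `ls -ld`,
# which reads the same on macOS and Linux (a trailing @ or + marks xattrs/ACLs
# and is ignored). stat(1) is avoided because its flags differ between the two.
mode_of() {
    perms=$(ls -ld -- "$1" | awk '{print substr($1, 2, 9)}')
    mode=0
    for i in 1 2 3 4 5 6 7 8 9; do
        c=$(printf '%s' "$perms" | cut -c "$i")
        mode=$((mode * 2))
        case "$c" in
            r|w|x|s|t) mode=$((mode + 1)) ;;   # lowercase s/t imply the x bit
        esac
    done
    printf '%04o\n' "$mode"
}

# violates_mask MODE MASK: succeeds when MODE has any bit that MASK forbids.
# In a Nessus FILE_CHECK the "mask" lists bits that must be clear, so
# mask 337 (--- -wx rwx) allows at most 0440.
violates_mask() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# audit_path_ok PATH [OWNER] [GROUP] [MASK]: item 3.4 for one path; prints
# PASS, or FAIL followed by every attribute that is wrong.
audit_path_ok() {
    path=$1; want_owner=${2:-root}; want_group=${3:-wheel}; mask=${4:-337}
    set -- $(ls -ld -- "$path")
    owner=$3; group=$4
    mode=$(mode_of "$path")
    reasons=''
    [ "$owner" = "$want_owner" ] || reasons="$reasons owner=$owner"
    [ "$group" = "$want_group" ] || reasons="$reasons group=$group"
    if violates_mask "$mode" "$mask"; then reasons="$reasons mode=$mode"; fi
    [ -z "$reasons" ] && echo PASS || echo "FAIL$reasons"
}

# Constructed sample of an audit_control file with the recommended retention
# (not copied from any system).
SAMPLE_AUDIT_CONTROL='# constructed sample, not a real system file
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:60D OR 1G'

# Stand-alone run: check the sample text, then a scratch file with a
# compliant (0440) and a non-compliant (0644) mode, owned by the caller.
if [ "${1:-}" = "--demo" ]; then
    echo "audit_control retention: $(audit_control_retention_ok "$SAMPLE_AUDIT_CONTROL")"
    tmp=$(mktemp)
    chmod 0440 "$tmp"; echo "0440: $(audit_path_ok "$tmp" "$(id -un)" "$(id -gn)")"
    chmod 0644 "$tmp"; echo "0644: $(audit_path_ok "$tmp" "$(id -un)" "$(id -gn)")"
    rm -f "$tmp"
fi
```

Run it with `sh script.sh --demo`. On the Mac itself the calls would be `audit_path_ok /etc/security/audit_control` and one `audit_path_ok` per file in /var/audit; the owner and group default to root and wheel as the audit items require. Note that the 3.3 pattern is anchored at the start of the line, so a commented-out or indented expire-after line does not satisfy it, which matches the audit's behaviour.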
reference : "800-171|3.3.8,800-53|AU-9,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSCv6|3.1,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,LEVEL|1S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/2105"
file : "/var/audit"
owner : "root"
mask : "337"
group : "wheel"

type : CMD_EXEC
description : "3.5 Retain install.log for 365 or more days"
info : "macOS writes information pertaining to system-related events to the file '/var/log/install.log' and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an 'all_max' file limitation, no reference to a minimum retention and a less precise rotation argument.
- The maximum file size limitation string should be removed 'all_max='
- An organization appropriate retention should be added 'ttl='
- The rotation should be set with time stamps 'rotate=utc' or 'rotate=local'
Rationale: Archiving and retaining 'install.log' for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
solution : "Perform the following to implement the prescribed state:
1. Run the following command in Terminal:
sudo vim /etc/asl/com.apple.install
2.
Replace or edit the current setting with a compliant setting
* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=365"
reference : "800-53|AU-11,CIP|007-6-R4,CSF|PR.PT-1,ITSG-33|AU-11,LEVEL|1S,NESA|M5.2.3,NESA|T3.6.2,NIAv2|SM7,PCI-DSSv3.1|10.7,PCI-DSSv3.2|10.7"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/grep -i install\\.log /etc/asl/com.apple.install | /usr/bin/grep -i ttl"
expect : "ttl=(36[5-9]|3[7-9][0-9]|[4-9]\d{2,}|[1-9]\d{3,})"

type : CMD_EXEC
description : "3.6 Ensure Firewall is configured to log"
info : "The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied, logging must be enabled.
Rationale: In order to troubleshoot the successes and failures of a firewall, logging should be enabled."
solution : "Run /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep on | /usr/bin/awk \'{print} END {if (NR == 0) print \"fail\"}\'"
expect : "Log mode is on"

type : CMD_EXEC
description : "Check to see if there's a wireless adapter on the system"
cmd : "/usr/sbin/networksetup -listallhardwareports | /usr/bin/grep 'Hardware Port: Wi-fi'"
expect : "Hardware Port: Wi-fi"

type : CMD_EXEC
description : "4.2 Enable 'Show Wi-Fi status in menu bar'"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to.
At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
Rationale: Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Network
3. Check Show Wi-Fi status in menu bar
Alternatively run the following in the command line:
open '/System/Library/CoreServices/Menu Extras/AirPort.menu'"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read com.apple.systemuiserver menuExtras | /usr/bin/grep 'Air[Pp]ort\\.menu'"
expect : "/System/Library/CoreServices/Menu Extras/Air[Pp]ort\\.menu"

description : "4.2 Enable 'Show Wi-Fi status in menu bar'"
info : "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
Rationale: Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status."
solution : "Perform the following to implement the prescribed state:
1. Open System Preferences
2. Select Network
3.
Check Show Wi-Fi status in menu bar
Alternatively run the following in the command line:
open '/System/Library/CoreServices/Menu Extras/AirPort.menu'"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4"
see_also : "https://workbench.cisecurity.org/files/2105"

type : CMD_EXEC
description : "4.4 Ensure http server is not running"
info : "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
Rationale: Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
solution : "Ensure that the Web Server is not running and is not set to start at boot
Stop the Web Server:
sudo apachectl stop
Ensure that the web server will not auto-start at boot:
sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|3.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/ps -ef | /usr/bin/grep -i httpd | /usr/bin/grep -v grep | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'"
expect : "pass"
dont_echo_cmd : YES

type : CMD_EXEC
description : "4.5 Ensure nfs server is not running"
info : "macOS can act as an NFS fileserver.
NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer.
Rationale: File serving should not be done from a user desktop; dedicated servers should be used. Open ports make it easier to exploit the computer."
solution : "Ensure that the NFS Server is not running and is not set to start at boot
Stop the NFS Server:
sudo nfsd disable
Remove the exported Directory listing:
rm /etc/exports"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,CIP|007-6-R1,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,NIAv2|SS15a,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/ps -ef | /usr/bin/grep -i nfsd | /usr/bin/grep -v grep | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'"
expect : "pass"

type : CMD_EXEC
description : "5.1.1 Secure Home Folders"
info : "By default macOS allows all valid users into the top level of every other user's home folder, and restricts access to the Apple default folders within. Another user on the same system can see you have a 'Documents' folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system. The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures; in the parallel with macOS they can see into every new Directory that is created because of the default permissions. Home folders should be restricted to access only by the user.
Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
Rationale: Allowing all users to view the top level of all networked users' home folders may not be desirable since it may lead to the revelation of sensitive information."
solution : "Perform the following to implement the prescribed state:
1. Run one of the following commands in Terminal:
sudo chmod -R og-rwx /Users/<username>
sudo chmod -R og-rw /Users/<username>
2. Substitute user name.
3. This command has to be run for each user account with a local home folder."
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/find /Users -type d ! -perm -1000 -maxdepth 1 -a -perm +0066 | /usr/bin/egrep -v '^/Users$' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.1.2 Check System Wide Applications for appropriate permissions"
info : "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions.
Rationale: Unauthorized modifications of applications could lead to the execution of malicious code."
solution : "Change permissions so that 'Others' can only execute.
Example: sudo chmod -R o-w /Applications/Bad/Permissions.app/"
reference : "800-53|AC-6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.5,LEVEL|1S,NESA|M1.1.3,NESA|T5.1.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/find /Applications -iname '*\.app' -type d -perm -2 -ls | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.1.3 Check System folder for world writable files"
info : "Software sometimes insists on being installed in the /System directory and has inappropriate world-writable permissions. Rationale: Folders in /System should not be world writable. The audit check excludes the 'Drop Box' folder that is part of Apple's default user template."
solution : "Change permissions so that 'Others' can only execute. Example: sudo chmod -R o-w /Bad/Directory"
reference : "800-171|3.1.5,800-53|AC-6,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/find /System -type d -perm -2 -ls | /usr/bin/grep -v 'Public/Drop Box' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : CMD_EXEC
description : "5.2.1 Configure account lockout threshold"
info : "The account lockout threshold specifies the number of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer. Rationale: The account lockout feature mitigates brute-force password attacks on the system."
solution : "Perform the following to implement the prescribed state for all pwpolicy controls: 1.
Run the following command in Terminal: pwpolicy -setaccountpolicies (see the examples in the pwpolicy man page)"
reference : "800-171|3.1.8,800-53|AC-7,CSCv6|16.7,ITSG-33|AC-7,LEVEL|1S,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A 1 'policyAttributeMaximumFailedAuthentications' | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1"
expect : "^[1-5]$"

type : CMD_EXEC
description : "5.2.2 Set a minimum password length"
info : "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements. Ensure that a minimum 15 character password is part of the password policy on the computer. Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating. Rationale: Information systems that are not protected with strong password schemes, including passwords of minimum length, provide a greater opportunity for attackers to crack the password and gain access to the system."
solution : "Perform the following to implement the prescribed state for all pwpolicy controls: 1.
Run the following command in Terminal: pwpolicy -setaccountpolicies (see the examples in the pwpolicy man page)"
reference : "800-171|3.5.7,800-53|IA-5,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'Must be a minimum of'"
expect : "must[\\s]+be[\\s]+a[\\s]+minimum[\\s]+of[\\s]+(1[5-9]|2[0-9])[\\s]+characters"

type : CMD_EXEC
description : "5.2.7 Password Age"
info : "Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value; some organizations may be more or less restrictive. This control mainly exists to mitigate against reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts. Rationale: Passwords should be changed periodically to reduce exposure."
solution : "Perform the following to implement the prescribed state for all pwpolicy controls: 1.
Run the following command in Terminal: pwpolicy -setaccountpolicies (see the examples in the pwpolicy man page)"
reference : "800-53|IA-5,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,LEVEL|1S,NESA|T5.2.3,NIAv2|AM20,NIAv2|AM21,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.2"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep policyAttributeExpiresEveryNDays -A1"
# The alternatives must be grouped and bounded by the surrounding tags; an ungrouped
# "integer.*[1-9]|[1-8][0-9]|90" matches any value, including 365.
expect : "integer>([1-9]|[1-8][0-9]|90)<"

type : CMD_EXEC
description : "5.2.8 Password History"
info : "Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different from the previous 15. The latest NIST guidance, based on exploit research referenced in this section, details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns, and substantially different patterns should be used in case of a leak. Rationale: Old passwords should not be reused."
solution : "Perform the following to implement the prescribed state for all pwpolicy controls: 1.
Run the following command in Terminal: pwpolicy -setaccountpolicies (see the examples in the pwpolicy man page)"
reference : "800-171|3.5.8,800-53|IA-5,CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,LEVEL|1S,PCI-DSSv3.1|8.2.5,PCI-DSSv3.2|8.2.5,TBA-FIISB|26.2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep -A 1 'policyAttributePasswordHistoryDepth'"
expect : "(1[5-9]|[2-9][0-9])"

type : CMD_EXEC
description : "5.3 Reduce the sudo timeout period"
info : "The 'sudo' command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. Rationale: The 'sudo' command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since it would be able to make changes as the root user."
solution : "Perform the following to implement the prescribed state: 1. Run the following command in Terminal: sudo visudo 2. In the '# Override built-in defaults' section, add the line: Defaults timestamp_timeout=0"
reference : "800-171|3.1.1,800-53|AC-3,CN-L3|7.1.2.2(g),CN-L3|7.1.3.2(c),CSF|PR.AC-4,CSF|PR.PT-3,HIPAA|164.310(a)(2)(iii),LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/cat /etc/sudoers | /usr/bin/grep -v '#[\\s]*Defaults' | /usr/bin/grep timestamp"
expect : "Defaults[\\s]*timestamp_timeout[\\s]*=[\\s]*0"

type : FILE_CONTENT_CHECK_NOT
description : "5.4 Use a separate timestamp for each user/tty combo"
info : "In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty.
With the sudo 1.8 included since 10.12 the default is to have tty tickets for each interface, so that root access is limited to a specific terminal. The default configuration can be overwritten, or not configured correctly on earlier versions of macOS. Rationale: Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
solution : "Remove 'Defaults !tty_tickets' from the /etc/sudoers file using visudo"
reference : "800-171|3.1.1,800-53|AC-3,CN-L3|7.1.2.2(g),CN-L3|7.1.3.2(c),CSF|PR.AC-4,CSF|PR.PT-3,HIPAA|164.310(a)(2)(iii),LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
file : "/etc/sudoers"
regex : "^[\\s]*Defaults[\\s]+!tty_tickets"
expect : "^[\\s]*Defaults[\\s]+!tty_tickets"

type : CMD_EXEC
description : "5.11 Do not enable the 'root' account"
info : "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions. Rationale: Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the 'sudo' command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the 'sudo' command (use '-s' or '-i' to get a root shell)."
solution : "Open System Preferences, Users & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
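Items 5.3 and 5.4 above both reduce to a sudoers text check, and the audit expressions are easy to get subtly wrong (a commented-out Defaults line must not count as a pass). The functions below are an added example, not part of the Tenable audit file or the CIS benchmark; they run the same two checks against constructed sample sudoers files so the logic can be exercised on any POSIX system without reading the live /etc/sudoers. Unlike the 5.4 regex on the page, the tty_tickets check here also skips comment lines.

```shell
# Added example (not the Tenable audit's own code): audit a sudoers file for
# the two settings behind CIS 5.3 (timestamp_timeout=0) and 5.4 (no
# "Defaults !tty_tickets"). Sample files are constructed below.

# 5.3: an active (non-comment) "Defaults timestamp_timeout=0" line must exist.
# Exit status 0 means pass.
sudo_timeout_is_zero() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*Defaults[[:space:]]+timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'
}

# 5.4: no active "Defaults !tty_tickets" line may exist. macOS sudo already
# defaults to per-tty tickets, so only the explicit override weakens it.
tty_tickets_not_disabled() {
    ! grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*Defaults[[:space:]]+!tty_tickets'
}

# Combined verdict for one sudoers file: prints "pass" or the failing item ids.
audit_sudoers() {
    fails=""
    sudo_timeout_is_zero "$1" || fails="$fails 5.3"
    tty_tickets_not_disabled "$1" || fails="$fails 5.4"
    if [ -z "$fails" ]; then echo pass; else echo "${fails# }"; fi
}

# Constructed samples: $1 is the file to write, $2 is "hardened" or "weak".
# The weak file has the timeout only in a comment, disables tty tickets, and
# sets a 10 minute timeout, so both checks must fail on it.
write_sample_sudoers() {
    case $2 in
    hardened)
        cat > "$1" <<'EOF'
# Override built-in defaults
Defaults env_reset
Defaults timestamp_timeout=0
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
        ;;
    weak)
        cat > "$1" <<'EOF'
# Override built-in defaults
# Defaults timestamp_timeout=0
Defaults !tty_tickets
Defaults timestamp_timeout=10
root ALL=(ALL) ALL
EOF
        ;;
    esac
}
```

On a real host the same functions take /etc/sudoers as their argument; sudo also honours files under /etc/sudoers.d when an #includedir directive is present, so a complete audit should walk those too.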
reference : "800-171|3.1.5,800-53|AC-6,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/dscl . -read /Users/root AuthenticationAuthority"
expect : "(No such key: AuthenticationAuthority|Disabled)"

type : CMD_EXEC
description : "5.12 Disable automatic login"
info : "The automatic login feature saves a user's system access credentials and bypasses the login screen; instead the system automatically loads the user's desktop. Rationale: Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
solution : "Perform the following to implement the prescribed state: 1. Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
reference : "800-53|AC-14,ITSG-33|AC-14,LEVEL|1S,NESA|T5.6.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | /usr/bin/grep autoLoginUser | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : MACOSX_DEFAULTS_READ
description : "5.13 Require a password to wake the computer from sleep or screen saver"
info : "Sleep and screensaver modes are low power modes that reduce electrical consumption while the system is not in use. Rationale: Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
solution : "Perform the following to implement the prescribed state: - Open System Preferences - Select Security & Privacy - Select General - Check that 'Require password after sleep or screen saver begins' is checked. The grace period should be no longer than 5 minutes; 5 seconds is recommended. The command line check in previous versions of the Benchmark does not work as expected here. The use of a profile is recommended for both implementation and auditing on a 10.13 system. Issue: https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2 Profile to control the screensaver: https://github.com/rtrouton/profiles/blob/master/SetDefaultScreensaver/SetDefaultScreensaver.mobileconfig"
reference : "800-171|3.1.10,800-53|AC-11,CSCv6|16.5,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "askForPassword"
plist_name : "com.apple.screensaver"
plist_option : CANNOT_BE_NULL
plist_user : "all"

type : CMD_EXEC
description : "5.15 Require an administrator password to access system-wide preferences"
info : "System Preferences controls system and user settings on a macOS computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer.
Rationale: By requiring a password to unlock system-wide System Preferences, the risk of a user changing configurations that affect the entire system is mitigated, and an admin user must re-authenticate to make changes."
solution : "In System Preferences: Security, General tab under Advanced, check 'Require an administrator password to access system-wide preferences'"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/security authorizationdb read system.preferences | /usr/bin/grep 'shared' -A1"
expect : ""

type : CMD_EXEC
description : "5.16 Disable ability to login to another user's active and locked session"
info : "macOS has a privilege that can be granted to any user that will allow that user to unlock other users' active sessions. Rationale: Disabling the admin's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
solution : "Edit the Authorization Database 'authorizationdb' by replacing 'authenticate-session-owner-or-admin' with 'use-login-window-ui'. References: https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/ https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver"
reference : "800-53|AC-10,ITSG-33|AC-10,LEVEL|1S,NESA|T5.5.1"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/grep -i 'group=admin,wheel fail_safe' /etc/pam.d/screensaver | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"

type : MACOSX_DEFAULTS_READ
description : "5.17 Create a custom message for the Login Screen"
info : "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored. Rationale: An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
solution : "Perform the following to implement the prescribed state: 1. To add text with elevated privileges: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText 'your text here' 2. To remove the text with elevated privileges: sudo defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText"
reference : "800-171|3.1.9,800-53|AC-8,ITSG-33|AC-8,LEVEL|1S,NESA|M1.3.6,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e"
see_also : "https://workbench.cisecurity.org/files/2105"
# Note: Variable @ACCESS_WARNING@ replaced with "This system is reserved for authorized use only and may be monitored." in field "regex".
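Several of the loginwindow items (5.12 autoLoginUser, 5.17 LoginwindowText, 5.19/6.1.2 RetriesUntilHint, 6.1.1 SHOWFULLNAME, 6.1.3 GuestEnabled) are MACOSX_DEFAULTS_READ checks whose meaning depends on the plist_option: CANNOT_BE_NULL means the key must exist and match, CAN_BE_NULL means an absent key also passes, and 5.12 requires the key to be absent altogether. The script below is an added example, not part of the Tenable audit or the CIS benchmark; it evaluates those rules against an XML copy of the plist so the logic runs on any POSIX system. On a real Mac that copy comes from plutil -convert xml1 -o - /Library/Preferences/com.apple.loginwindow.plist; here two constructed plists stand in for it, and the "alice" user name in the weak sample is made up.

```shell
# Added example (not the Tenable audit's own code): evaluate the loginwindow
# keys from items 5.12, 5.17, 5.19/6.1.2, 6.1.1 and 6.1.3 against an XML plist.

# Print the value stored under key $2 in XML plist $1. Booleans become 1/0 so
# they compare like the audit's regex "1"/"0"; other scalars lose their tags.
# Prints nothing when the key is absent.
plist_value() {
    awk -v key="$2" '
        found && NF {                       # first non-empty line after the key
            v = $0; sub(/^[[:space:]]+/, "", v)
            if (v == "<true/>") print 1
            else if (v == "<false/>") print 0
            else { gsub(/<[^>]*>/, "", v); print v }
            exit
        }
        index($0, "<key>" key "</key>") { found = 1 }
    ' "$1"
}

# Apply the per-key rules; prints the failing key names, or "pass".
audit_loginwindow() {
    f=$1; fails=""
    # 5.12: automatic login must not be configured at all.
    [ -z "$(plist_value "$f" autoLoginUser)" ] || fails="$fails autoLoginUser"
    # 5.17: a banner must exist and carry the access warning (CANNOT_BE_NULL).
    printf '%s\n' "$(plist_value "$f" LoginwindowText)" \
        | grep -q 'reserved for authorized use only' || fails="$fails LoginwindowText"
    # 5.19/6.1.2: the hint counter may be unset (CAN_BE_NULL) but if set must be 0.
    r=$(plist_value "$f" RetriesUntilHint)
    [ -z "$r" ] || [ "$r" = 0 ] || fails="$fails RetriesUntilHint"
    # 6.1.1: name-and-password login window must be on (CANNOT_BE_NULL).
    [ "$(plist_value "$f" SHOWFULLNAME)" = 1 ] || fails="$fails SHOWFULLNAME"
    # 6.1.3: guest login must be explicitly off (CANNOT_BE_NULL).
    [ "$(plist_value "$f" GuestEnabled)" = 0 ] || fails="$fails GuestEnabled"
    if [ -z "$fails" ]; then echo pass; else echo "${fails# }"; fi
}

# Constructed sample plists: $1 is the output path, $2 is "hardened" or "weak".
write_sample_loginwindow() {
    case $2 in
    hardened)
        cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>GuestEnabled</key>
    <false/>
    <key>LoginwindowText</key>
    <string>This system is reserved for authorized use only and may be monitored.</string>
    <key>RetriesUntilHint</key>
    <integer>0</integer>
    <key>SHOWFULLNAME</key>
    <true/>
</dict>
</plist>
EOF
        ;;
    weak)
        cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>GuestEnabled</key>
    <true/>
    <key>autoLoginUser</key>
    <string>alice</string>
    <key>SHOWFULLNAME</key>
    <false/>
</dict>
</plist>
EOF
        ;;
    esac
}
```

The weak sample omits RetriesUntilHint on purpose: under CAN_BE_NULL that is still compliant, so it is the one key that does not appear in the failure list.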
regex : "This system is reserved for authorized use only and may be monitored."
plist_item : "LoginwindowText"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "5.19 Do not enter a password-related hint"
info : "Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password. Rationale: Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks."
solution : "1. Open 'System Preferences' 2. Select 'Users & Groups' 3. Highlight the user 4. Select 'Change Password' 5. Verify that no text is entered in the 'Password hint' box"
reference : "800-171|3.5.11,800-53|IA-6,ITSG-33|IA-6,LEVEL|1NS,NESA|T5.5.1"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "RetriesUntilHint"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CAN_BE_NULL

type : CMD_EXEC
description : "5.23 System Integrity Protection status"
info : "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID. Rationale: Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection into system processes that would otherwise be protected by SIP."
solution : "Perform the following while booted into the macOS Recovery Partition: 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: 'Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.' 4. Reboot. If a change to the status is attempted from the booted Operating System rather than the recovery partition, an error will be generated: 'csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.'"
reference : "800-53|SI-7,CN-L3|7.1.3.5(b),CSF|PR.DS-6,ITSG-33|SI-7,LEVEL|1S,NESA|T7.3.3,SWIFT-CSCv1|6.2"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/csrutil status"
expect : "System Integrity Protection status: enabled"

type : MACOSX_DEFAULTS_READ
description : "6.1.1 Display login window as name and password"
info : "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system. Rationale: Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users and Groups 3. Select Login Options 4. Select Name and Password Alternatively: 1.
Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes"
reference : "800-171|3.1.7,800-53|AC-6,CSF|PR.AC-4,LEVEL|1S"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "1"
plist_item : "SHOWFULLNAME"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.2 Disable 'Show password hints'"
info : "Password hints are user created text displayed when an incorrect password is used for an account. Rationale: Password hints make it easier for unauthorized persons to gain access to systems by providing to anyone the information the user supplied to help remember the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Login Options 4. Uncheck Show password hints Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
reference : "800-171|3.5.11,800-53|IA-6,ITSG-33|IA-6,LEVEL|1S,NESA|T5.5.1"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "RetriesUntilHint"
plist_name : "/Library/Preferences/com.apple.loginwindow"
plist_option : CAN_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.3 Disable guest account login"
info : "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system, and all created files, caches, and passwords are deleted upon logging out. Rationale: Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Guest User 4. Uncheck Allow guests to log in to this computer Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO"
reference : "800-171|3.1.1,800-53|AC-3,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1S,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "GuestEnabled"
plist_name : "/Library/Preferences/com.apple.loginwindow.plist"
plist_option : CANNOT_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.4 Disable 'Allow guests to connect to shared folders' - AFP Sharing"
info : "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network. Rationale: Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Guest User 4. Uncheck Allow guests to connect to shared folders Alternatively: For AFP sharing: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no For SMB sharing: 1.
Run the following command in Terminal: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no"
reference : "800-171|3.1.1,800-53|AC-2,CN-L3|7.1.3.2(d),CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ITSG-33|AC-2,LEVEL|1S,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "guestAccess"
plist_name : "/Library/Preferences/com.apple.AppleFileServer"
plist_option : CAN_BE_NULL

type : MACOSX_DEFAULTS_READ
description : "6.1.4 Disable 'Allow guests to connect to shared folders' - SMB Sharing"
info : "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network. Rationale: Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Guest User 4. Uncheck Allow guests to connect to shared folders Alternatively: For AFP sharing: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no For SMB sharing: 1.
Run the following command in Terminal: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no"
reference : "800-171|3.1.1,800-53|AC-2,CN-L3|7.1.3.2(d),CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ITSG-33|AC-2,LEVEL|1S,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "AllowGuestAccess"
plist_name : "/Library/Preferences/SystemConfiguration/com.apple.smb.server"
plist_option : CAN_BE_NULL

type : CMD_EXEC
description : "6.1.5 Remove Guest home folder"
info : "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive the home folder, leave it in place, or delete it. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can also cause automated audits to fail when looking for compliant settings within all User folders. Rather than ignoring the folder's continued existence, it is best removed. Rationale: The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
solution : "Perform the following to implement the prescribed state: 1. Run the following command in Terminal: rm -R /Users/Guest 2.
Make sure there is no output"
reference : "800-171|3.1.1,800-53|AC-2,CN-L3|7.1.3.2(d),CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ITSG-33|AC-2,LEVEL|1S,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/bin/ls /Users/ | /usr/bin/grep Guest"
expect : ""

type : CMD_EXEC
description : "6.2 Turn on filename extensions"
info : "A filename extension is a suffix added to a base filename that indicates the base filename's file format. Rationale: Visible filename extensions allow the user to identify the file type and the application it is associated with, which leads to quick identification of misrepresented malicious files."
solution : "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/2105"
cmd : "/usr/bin/defaults read NSGlobalDomain AppleShowAllExtensions"
expect : "^1$"

type : MACOSX_DEFAULTS_READ
description : "6.3 Disable the automatic run of safe files in Safari"
info : "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety on a list of filetypes maintained by Apple. The list of files includes text, image, video and archive formats that would be run in the context of the OS rather than the browser. Rationale: Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner.
An attacker can create a malicious file that falls within Safari's safe file list and that will download and execute without user input."
solution : "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open 'safe' files after downloading Alternatively, run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
reference : "800-171|3.13.13,800-53|SC-18,CSF|DE.CM-5,ITSG-33|SC-18,LEVEL|1S,NIAv2|NS26f"
see_also : "https://workbench.cisecurity.org/files/2105"
regex : "0"
plist_item : "AutoOpenSafeDownloads"
plist_name : "com.apple.Safari"
plist_option : CANNOT_BE_NULL
plist_user : "all"

description : "7.6 Automatic Actions for Optical Media"
info : "Managing automatic actions, while useful in very few situations, is unlikely to increase security on the computer and does complicate the user's experience and add additional complexity to the configuration. These settings are user controlled and can be changed without Administrator privileges unless controlled through MCX settings or Parental Controls. Unlike Windows Auto-run, the optical media is accessed through Operating System applications; those same applications can open and access the media directly. If optical media is not allowed in the environment the optical media drive should be disabled in hardware and software. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
reference : "LEVEL|1NS"
see_also : "https://workbench.cisecurity.org/files/2105"

description : "7.10 Repairing permissions is no longer needed"
info : "With the introduction of System Integrity Protection (SIP) Apple has removed the necessity of repairing permissions.
In earlier versions of the Operating System, repair permissions checked the receipt files of installed software and ensured that the existing permissions in the file system matched what the receipts said they should be. System Integrity Protection manages and blocks permission to certain directories continuously. http://www.macissues.com/2015/10/02/about-os-x-10-11-el-capitan-and-permissions-fixes/ https://en.wikipedia.org/wiki/System_Integrity_Protection http://www.infoworld.com/article/2988096/mac-os-x/sorry-unix-fans-os-x-el-capitan-kills-root.html NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
reference : "LEVEL|1NS"
see_also : "https://workbench.cisecurity.org/files/2105"

description : "7.12 Siri on MacOS"
info : "With macOS 10.12 Sierra Apple has introduced Siri from iOS to macOS. While there are data spillage concerns with the use of data-gathering personal assistant software, the risk here does not seem greater in sending queries to Apple through Siri than in sending search terms in a browser to Google or Microsoft. While it is possible that Siri will be used for local actions rather than Internet searches, which could, in theory, tell Apple about confidential Programs and Projects that should not be revealed, this appears to be an edge use case. In cases where sensitive and protected data is processed and Siri could help a user navigate their machine and expose that information, it should be disabled. Siri does need to phone home to Apple, so it should not be available from air-gapped networks as part of its requirements. Most of the use case data published has shown that Siri is a tremendous time saver on iOS, where multiple screens and menus need to be navigated through.
Information like sports scores, weather, movie times and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be more risky than already approved activity. Where 'normal' user activity is already limited Siri use should be controlled as well. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." reference : "LEVEL|1NS" see_also : "https://workbench.cisecurity.org/files/2105" description : "7.13 Apple Watch features with MacOS" info : "With the release of macOS 10.12 Apple introduced a feature where the owner of an Apple Watch can lock and unlock their screen simply by being within range of a 10.12 computer when both devices are using the same AppleID with iCloud active. The benefit of not leaving the computer unlocked while the user is out of sight and readying the computer to resume work when the user returns without having to type in a password or insert a smartcard does seem attractive to people who have the Apple Watch. It is a continuation of other features like hand-off and continuity for the multiple Apple products users who have grown to expect their devices to work together. For the screen unlock capability in particular it may not be attractive to organizations that are managing Apple devices and credentials. The capability allows a user to unlock their computer tied to an Enterprise account with a personal token that is not managed or controlled by the Enterprise. If the user loses their watch revoking the credential that can unlock the screen might be problematic. Unless Enterprise control of the watch as a token tied to a user identity can be achieved Apple Watches should not be used for screen unlocks. The risk of an auto-lock based on the user being out of proximity may still be acceptable if possible to do lock only. This functionality does require the computer to be logged in to iCloud. 
If iCloud is disabled the Apple watch lock and unlock will not be possible. A profile may be used to control unlock functionality. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." reference : "LEVEL|1NS" see_also : "https://workbench.cisecurity.org/files/2105" description : "7.15 Unified logging" info : "Starting with macOS 10.12 Apple introduced unified logging. This capability replaces the previous logging methodology with centralized system wide common controls. A full explanation of macOS logging behavior is beyond the scope of this Benchmark. These changes impact previous logging controls from macOS Benchmarks. At this point many of the syslog controls have been or are being removed since the old logging methods have been deprecated. Controls that still appear useful will be retained. Some legacy controls have been removed for this release. More info https://developer.apple.com/documentation/os/logging https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/ NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." reference : "LEVEL|1NS" see_also : "https://workbench.cisecurity.org/files/2105" description : "7.16 AirDrop security considerations" info : "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other. In many ways this technology is far superior to the alternatives. 
The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you. Even with all of these positives some environments may wish to disable AirDrop. Organizations where Bluetooth and Wireless are not used will disable AirDrop by blocking it's necessary interfaces. Organizations that have disabled USB and other pluggable storage mechanisms and have blocked all unmanaged cloud and transfer solutions for DLP may want to disable AirDrop as well. AirDrop should be used with Contacts only to limit attacks. More info https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure https://en.wikipedia.org/wiki/AirDrop NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." reference : "LEVEL|1NS" see_also : "https://workbench.cisecurity.org/files/2105" description : "CIS_Apple_macOS_10.13_v1.0.0_Level_1.audit from CIS Apple macOS 10.13 Benchmark v1.0.0" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."