@NAshwini
Created July 10, 2020 10:00
mac_1015_traslatedcontrol
#encoding: UTF-8
# control "xccdf_org.cisecurity.benchmarks_rule_1.1_Verify_all_Apple_provided_software_is_current" do
# title "Verify all Apple provided software is current"
# desc "
# Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update.
# [https://support.apple.com/en-us/HT201541](https://support.apple.com/en-us/HT201541)
# Rationale: It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Ensure Software is up to date\n# \n\noutput=$(\nsoftwareupdate -l\n)\n\n# If softwareupdate lists new or updated software fail, otherwise pass.\n# A case pattern is used because [ ... == *...* ] is a plain string\n# comparison and never matches, which made the check pass unconditionally.\ncase \"$output\" in\n *\"Software Update found the following new or updated software:\"*)\n # print the pending updates that cause the failure\n echo \"$output\"\n exit 1 ;;\n *)\n echo \"$output\"\n exit 0 ;;\nesac\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_1.2_Enable_Auto_Update" do
# title "Enable Auto Update"
# desc "
# Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.
# http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
# https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
# Rationale: It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.SoftwareUpdate.plist', xpath: '/plist/dict/key[text()=\'AutomaticCheckEnabled\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_1.3_Enable_Download_new_updates_when_available" do
# title "Enable Download new updates when available"
# desc "
# In the GUI both \"Install macOS updates\" and \"Install app updates from the App Store\" are dependent on whether \"Download new updates when available\" is selected
# Rationale: It is important that a system has the newest updates downloaded so that they can be applied.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_1.4_Enable_app_update_installs" do
# title "Enable app update installs"
# desc "
# Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users.
# Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.commerce.plist', xpath: '/plist/dict/key[text()=\'AutoUpdate\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_1.5_Enable_system_data_files_and_security_update_installs" do
# title "Enable system data files and security update installs"
# desc "
# Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights.
# [https://www.thesafemac.com/apple-cracks-down-on-adware/#more-1824](https://www.thesafemac.com/apple-cracks-down-on-adware/#more-1824)
# [https://support.apple.com/en-us/HT202491](https://support.apple.com/en-us/HT202491)
# Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.SoftwareUpdate.plist', xpath: '/plist/dict/key[text()=\'ConfigDataInstall\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# describe plist('/Library/Preferences/com.apple.SoftwareUpdate.plist', xpath: '/plist/dict/key[text()=\'CriticalUpdateInstall\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_1.6_Enable_macOS_update_installs" do
# title "Enable macOS update installs"
# desc "
# Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.
# **Additional Information**
# [https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/](https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/)
# Rationale: Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.commerce.plist', xpath: '/plist/dict/key[text()=\'AutoUpdateRestartRequired\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
control "xccdf_org.cisecurity.benchmarks_rule_2.1.1_Turn_off_Bluetooth_if_no_paired_devices_exist" do
title "Turn off Bluetooth, if no paired devices exist"
desc "
Bluetooth connectivity is central to Apple products and is prevalent in the use of peripherals connecting to Apple devices. If the user or policy prevents the use of Bluetooth it should be turned off. If Bluetooth is required it should be used with paired devices to reduce risk. This check ensures that paired device records are found to document that Bluetooth is required.
Rationale: Pairing is part of Bluetooth security
[https://duo.com/decipher/understanding-bluetooth-security](https://duo.com/decipher/understanding-bluetooth-security)
"
impact 1.0
if command('defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState').stdout.strip.match("1")
describe command('system_profiler SPBluetoothDataType | grep "Paired: Yes"') do
# describe command('echo "2020-07-08 13:32:56.230 system_profiler[1977:69830] SystemInfo-AccessoryFW - BT4200: no firmware version info available
# Paired: Yes
# Paired: Yes"') do
its("exit_status") { should cmp 0 }
its("stdout") { should match(/Paired: Yes/) }
end
else
describe.one do
describe plist('/Library/Preferences/com.apple.Bluetooth.plist', xpath: '/plist/dict/key[text()=\'ControllerPowerState\']/following-sibling::*[1]/text()') do
it { should exist }
its("xpath_value") { should cmp "0" }
end
describe plist('/Library/Preferences/com.apple.Bluetooth.plist', xpath: 'name(/plist/dict/key[text()=\'ControllerPowerState\']/following-sibling::*[1])') do
it { should exist }
its("xpath_value") { should cmp "false" }
end
end
end
end
# control "xccdf_org.cisecurity.benchmarks_rule_2.1.2_Bluetooth_Discoverable_is_only_available_when_Bluetooth_preference_pane_is_open" do
# title "Bluetooth \"Discoverable\" is only available when Bluetooth preference pane is open"
# desc "
# When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled only while the Bluetooth System Preference is open and turned off once closed.
# Rationale: When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.1.3_Show_Bluetooth_status_in_menu_bar" do
# title "Show Bluetooth status in menu bar"
# desc "
# By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off.
# Rationale: Enabling \"Show Bluetooth status in menu bar\" is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, Discoverable, what paired devices exist and are currently active.
# "
# impact 1.0
# describe plist('$HOME/Library/Preferences/com.apple.systemuiserver.plist', xpath: '/plist/dict/key[.=\'menuExtras\']/following-sibling::*[1]/string[.=\'/System/Library/CoreServices/Menu Extras/Bluetooth.menu\']/text()') do
# it { should exist }
# its("xpath_value") { should cmp "/System/Library/CoreServices/Menu Extras/Bluetooth.menu" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.2.1_Enable_Set_time_and_date_automatically" do
# title "Enable \"Set time and date automatically\""
# desc "
# Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.
# Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date Time System Preference with each server separated by a space.
# Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features.
# "
# impact 1.0
# describe command('systemsetup -getusingnetworktime') do
# its("exit_status") { should cmp 0 }
# #its("stdout") { should match(/On$/) }
# its("stdout") { should match(/Network Time: On/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_time_set_is_within_appropriate_limits" do
# title "Ensure time set is within appropriate limits"
# desc "
# Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed.
# Rationale: Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind.
# "
# impact 1.0
# describe command('systemsetup -getusingnetworktime') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/Network Time: On/) }
# end
# describe command("systemsetup -getnetworktimeserver | awk '{print $4}' | xargs -I{} /usr/bin/sntp -K /dev/null {} 2>/dev/null | /usr/bin/awk 'END{ print $4 }' | tr -d '\n' ;").stdout.to_f do
# it { should cmp <= 270 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.3.1_Set_an_inactivity_interval_of_20_minutes_or_less_for_the_screen_saver" do
# title "Set an inactivity interval of 20 minutes or less for the screen saver"
# desc "
# A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
# Rationale: Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Eric 04/23/20 Retain install.log for 365 or more days\n# \n\npassing=\"\"\noutput=$(defaults -currentHost read com.apple.screensaver idleTime)\ndefaults -currentHost read com.apple.screensaver idleTime | grep -Eq '^\\s*(1200|1[0-1][0-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]|[1-9])\\s*$' && passing=true\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = \"true\" ] ; then\n\techo \"Passed, Screen Saver Idle Time is: \\\"$output\\\" seconds\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Failed, Screen Saver Idle Time is: \\\"$output\\\" seconds\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.3.2_Secure_screen_saver_corners" do
# title "Secure screen saver corners"
# desc "
# Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen.
# Rationale: Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system.
# "
# impact 1.0
# describe plist('$HOME/Library/Preferences/com.apple.dock.plist', xpath: '/plist/dict/key[contains(text(), \'corner\')]/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should_not cmp 6 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.3.3_Familiarize_users_with_screen_lock_tools_or_corner_to_Start_Screen_Saver" do
# title "Familiarize users with screen lock tools or corner to Start Screen Saver"
# desc "
# In 10.13 Apple added a \"Lock Screen\" option to the Apple Menu. Prior to this the best quick lock options were to use either a lock screen option with the screen saver or the lock screen option from Keychain Access if status was made available in the menu bar. As of 10.13 the menu bar option is no longer available.
# The intent of this control is to resemble control-alt-delete on Windows Systems as a means of quickly locking the screen. If the user of the system is stepping away from the computer the best practice is to lock the screen and setting a hot corner is an appropriate method.
# Rationale: Ensuring the user has a quick method to lock their screen may reduce opportunity for individuals in close physical proximity of the device to see screen contents.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.1_Disable_Remote_Apple_Events" do
# title "Disable Remote Apple Events"
# desc "
# Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.
# Rationale: Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system.
# "
# impact 1.0
# describe command('systemsetup -getremoteappleevents') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/Off$/) }
# end
# end
control "xccdf_org.cisecurity.benchmarks_rule_2.4.2_Disable_Internet_Sharing" do
title "Disable Internet Sharing"
desc "
Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
Rationale: Disabling Internet Sharing reduces the remote attack surface of the system.
"
impact 1.0
describe.one do
describe plist('/Library/Preferences/SystemConfiguration/com.apple.nat.plist', xpath: '/plist/dict/key/following-sibling::*[1]/key[text()=\'Enabled\']/following-sibling::*[1]/text()') do
it { should exist }
its("xpath_value") { should cmp 0 }
end
describe file("/Library/Preferences/SystemConfiguration/com.apple.nat.plist") do
it { should_not exist }
end
end
end
control "xccdf_org.cisecurity.benchmarks_rule_2.4.3_Disable_Screen_Sharing" do
title "Disable Screen Sharing"
desc "
Screen sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
Rationale: Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer.
"
impact 1.0
describe plist('/System/Library/LaunchDaemons/com.apple.screensharing.plist', xpath: '/plist/dict/key[text()=\'Disabled\']/following-sibling::*[1]/name()') do
it { should exist }
its("xpath_value") { should cmp "true" }
end
end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.4_Disable_Printer_Sharing" do
# title "Disable Printer Sharing"
# desc "
# By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
# Rationale: Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system.
# "
# impact 1.0
# describe command('system_profiler SPPrintersDataType -xml | xpath "/plist/array[1]/dict[1]/key[.=\'_items\']/following-sibling::array[1]/dict/key[.=\'shared\']/following-sibling::*[1]"') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/<string>no<\/string>/) }
# end
# end
control "xccdf_org.cisecurity.benchmarks_rule_2.4.5_Disable_Remote_Login" do
title "Disable Remote Login"
desc "
Remote Login allows an interactive terminal connection to a computer.
Rationale: Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to POSIX servers, the scope of the benchmark is for Apple macOS clients, not servers.
macOS does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most macOS computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server.
"
impact 1.0
describe command('systemsetup -getremotelogin') do
its("exit_status") { should cmp 0 }
its("stdout") { should match(/Off$/) }
end
end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.6_Disable_DVD_or_CD_Sharing" do
# title "Disable DVD or CD Sharing"
# desc "
# DVD or CD Sharing allows users to remotely access the system's optical drive.
# Rationale: Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data.
# "
# impact 1.0
# describe plist('/System/Library/LaunchDaemons/com.apple.ODSAgent.plist', xpath: '/plist/dict/key[text()=\'Disabled\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.7_Disable_Bluetooth_Sharing" do
# title "Disable Bluetooth Sharing"
# desc "
# Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices.
# Rationale: Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system.
# "
# impact 1.0
# describe command('system_profiler SPBluetoothDataType -xml | xpath "/plist/array[1]/dict[1]/key[.=\'_items\']/following-sibling::*[1]/dict/key[.=\'services_title\']/following-sibling::*[1]/dict/key/following-sibling::*[1]/key[.=\'service_state\']/following-sibling::*[1]"') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/<string>attrib_disabled<\/string>/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.8_Disable_File_Sharing" do
# title "Disable File Sharing"
# desc "
# Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)
# Two common ways to share files using File Sharing are:
# * Apple File Protocol (AFP) AFP automatically uses encrypted logins, so this method of sharing files is fairly secure. The entire hard disk is shared to administrator user accounts. Individual home folders are shared to their respective user accounts. Users' \"Public\" folders (and the \"Drop Box\" folder inside) are shared to any user account that has sharing access to the computer (i.e. anyone in the \"staff\" group, including the guest account if it is enabled).
# * Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
# Rationale: By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.
# "
# impact 1.0
# describe plist('/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist', xpath: '/plist/dict/key[text()=\'Disabled\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# describe plist('/System/Library/LaunchDaemons/com.apple.smbd.plist', xpath: '/plist/dict/key[text()=\'Disabled\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.9_Disable_Remote_Management" do
# title "Disable Remote Management"
# desc "
# Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current Screen, install software, report on, and generally manage client Macs.
# The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above for issues regarding screen sharing.
# Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems.
# Rationale: Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Disable Remote Management\n# \n\noutput=$(\nps -ef | egrep ARDAgent\n)\n\n# If an ARDAgent process is listed fail, otherwise pass.\n# A case pattern is used because [ ... == *...* ] is a plain string\n# comparison and never matches, which made the check pass unconditionally.\ncase \"$output\" in\n *\"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents\"*)\n echo \"$output\"\n exit 1 ;;\n *)\n # passing\n echo \"$output\"\n exit 0 ;;\nesac\n") do
# its("exit_status") { should eq 0 }
# end
# end
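# Added example, written for this page and not taken from the gist or from
# CIS-CAT: the check-engine scripts distributed for controls 1.1 and 2.4.9
# test for a substring with [ "$output" == *"..."* ], which `[` cannot do,
# so as distributed they exit 0 on every host. The shell below reproduces
# that on constructed sample output and shows the POSIX `case` form that
# detects the condition; sample outputs and function names are illustrative.

```sh
#!/usr/bin/env sh
# Added example (not from the gist, not from CIS-CAT). Demonstrates why the
# distributed check-engine scripts for controls 1.1 and 2.4.9 can never fail,
# using constructed sample output, and a POSIX substring test that works.
#
# The distributed scripts test for a substring with
#     [ "$output" == *"needle"* ]
# `[` only compares strings; the unquoted *"needle"* is a filename glob that,
# when nothing in the current directory matches, stays the literal text
# "*needle*". The comparison is therefore "is $output exactly *needle*?",
# never true, so every run takes the else branch and exits 0: the control
# passes whether or not updates are pending or ARDAgent is running.

# --- Constructed sample outputs (illustrative, not captured from a host) ---
UPDATES_PENDING='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: ExampleUpdate-1.0
    Title: Example Update, Version: 1.0, Size: 1K, Recommended: YES,'

NO_UPDATES='Software Update Tool

Finding available software
No new software available.'

ARD_RUNNING='  UID   PID  PPID   C STIME   TTY     TIME CMD
  501   412     1   0  9:01AM ??     0:00.23 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
  501   913   880   0  9:05AM ttys000  0:00.00 egrep ARDAgent'

NEEDLE_UPDATES='Software Update found the following new or updated software:'
NEEDLE_ARD='/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents'

# The defective test, reproduced to show its behaviour (uses `=`, which every
# POSIX `[` accepts; bash also accepts the `==` of the original). `set -f` in a
# subshell turns off filename globbing so the asterisks stay literal, which is
# what happens on a host where no file name matches the pattern.
broken_contains() {
  ( set -f; [ "$1" = *"$2"* ] )
}

# Correct form: `case` performs pattern matching, and quoting "$2" inside the
# pattern keeps any glob characters in the needle literal.
contains() {
  case "$1" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Control 1.1: pass (0) only when softwareupdate -l lists nothing new.
check_software_current() {
  if contains "$1" "$NEEDLE_UPDATES"; then
    return 1
  fi
  return 0
}

# Control 2.4.9: pass (0) only when no ARDAgent process is in the listing.
check_remote_management_disabled() {
  if contains "$1" "$NEEDLE_ARD"; then
    return 1
  fi
  return 0
}

# Walk-through when run directly.
if broken_contains "$UPDATES_PENDING" "$NEEDLE_UPDATES"; then
  echo "original test: detected pending updates"
else
  echo "original test: missed pending updates (control 1.1 would pass)"
fi
if check_software_current "$UPDATES_PENDING"; then
  echo "case-based 1.1: pass"
else
  echo "case-based 1.1: fail (updates pending)"
fi
if check_remote_management_disabled "$ARD_RUNNING"; then
  echo "case-based 2.4.9: pass"
else
  echo "case-based 2.4.9: fail (ARDAgent running)"
fi
```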
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.10_Disable_Content_Caching" do
# title "Disable Content Caching"
# desc "
# Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy changes from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream.
# This capability requires the use of macOS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth, user endpoints should not store content and act as a cluster to provision data.
# [https://support.apple.com/en-us/HT204675](https://support.apple.com/en-us/HT204675)
# Rationale: The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk, they add to the management complexity, since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.4.11_Disable_Media_Sharing" do
# title "Disable Media Sharing"
# desc "
# Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs.
# With this capability guest users can also use media downloaded on the computer.
# Best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices.
# [https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac](https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac)
# Rationale: Disabling Media Sharing reduces the remote attack surface of the system.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.1.1_Enable_FileVault" do
# title "Enable FileVault"
# desc "
# FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.
# Rationale: Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\noutput=$(\nfdesetup status\n)\n\n# If result returns it is enabled pass, otherwise fail.\nif [ \"$output\" == \"FileVault is On.\" ] ; then\n\techo \"$output\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"$output\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.1.2_Ensure_all_user_storage_APFS_volumes_are_encrypted" do
# title "Ensure all user storage APFS volumes are encrypted"
# desc "
# Apple developed a new file system that was first made available in 10.12 and then became the default in 10.13. The file system is optimized for Flash and Solid State storage and encryption.
# https://en.wikipedia.org/wiki/Apple_File_System
# macOS computers generally have several volumes created as part of APFS formatting including Preboot, Recovery and Virtual Memory (VM) as well as traditional user disks.
# All APFS volumes that do not have specific roles that do not require encryption should be encrypted. \"Role\" disks include Preboot, Recovery and VM. User disks are labelled with \"(No specific role)\" by default.
# Rationale: In order to protect user data from loss or tampering volumes carrying data should be encrypted
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.1.3_Ensure_all_user_storage_CoreStorage_volumes_are_encrypted" do
# title "Ensure all user storage CoreStorage volumes are encrypted"
# desc "
# Apple introduced Core Storage with 10.7. It is used as the default for formatting on macOS volumes prior to 10.13.
# All HFS and Core Storage Volumes should be encrypted
# Rationale: In order to protect user data from loss or tampering volumes carrying data should be encrypted
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.2_Enable_Gatekeeper" do
# title "Enable Gatekeeper"
# desc "
# Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.
# Rationale: Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system.
# "
# impact 1.0
# describe command('spctl --status') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/assessments enabled/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.3_Enable_Firewall" do
# title "Enable Firewall"
# desc "
# A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
# [http://support.apple.com/en-us/HT201642](http://support.apple.com/en-us/HT201642)
# Rationale: A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.alf.plist', xpath: '/plist/dict/key[text()=\'globalstate\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should cmp >= 1 }
# end
# describe plist('/Library/Preferences/com.apple.alf.plist', xpath: '/plist/dict/key[text()=\'globalstate\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should cmp <= 2 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.4_Enable_Firewall_Stealth_Mode" do
# title "Enable Firewall Stealth Mode"
# desc "
# While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.
# [http://support.apple.com/en-us/HT201642](http://support.apple.com/en-us/HT201642)
# Rationale: Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.alf.plist', xpath: '/plist/dict/key[text()=\'stealthenabled\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should cmp 1 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.5_Review_Application_Firewall_Rules" do
# title "Review Application Firewall Rules"
# desc "
# A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
# [http://support.apple.com/en-us/HT201642](http://support.apple.com/en-us/HT201642)
# A computer should have a limited number of applications open to incoming connectivity.
# Rationale: A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet. Which applications are allowed access to accept incoming connections through the firewall is important to understand.
# No applications will be listed if \"Block all incoming connections\" (2) is selected.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.6_Enable_Location_Services" do
# title "Enable Location Services"
# desc "
# macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. Users do not need to change the time or the time zone; the computer will do it for them. They do not need to specify their location for weather or travel times, and they can even get alerts on travel times to meetings and appointments where location information is supplied.
# For the purposes of asset management and of time and log management with mobile computers, location services simplify some processes.
# There are some use cases where it is important that the computer not be able to report its exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge.
# [https://support.apple.com/en-us/HT204690](https://support.apple.com/en-us/HT204690)
# Rationale: Location services are helpful in most use cases and can simplify log and time management where computers change time zones.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.7_Monitor_Location_Services_Access" do
# title "Monitor Location Services Access"
# desc "
# macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. While location services may be very useful, it may not be desirable to allow every application that can use location services to send your location with Internet queries in order to receive content tailored to your current location.
# Ensure that the applications that can use Location Services are authorized to use that information, since they may also pass data back to the software vendor and to affiliates chosen by the vendor that the user does not trust. Where user data is the product, vendors the user trusts may allow data-mining companies the user does not trust to access user and machine data. Apple provides feedback within System Preferences and can be set to show an indicator in the menu bar when Location Services are used.
# Safari can deny access from websites or prompt for access.
# Applications that support Location Services can be individually controlled in the Privacy tab of Security & Privacy under System Preferences.
# Access should be evaluated to ensure that privacy controls are as expected.
# Rationale: Privacy controls should be monitored for appropriate settings.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.8_Disable_Analytics__Improvements_sharing_with_Apple" do
# title "Disable Analytics sharing with Apple"
# desc "
# Apple provides a mechanism to send diagnostic and analytics data back to Apple to help them improve the platform. Information sent to Apple may contain internal organizational information that should be controlled and not available for processing by Apple.
# Turn off all Analytics and Improvements sharing.
# Share Mac Analytics (Share with App Developers dependent on Mac Analytic sharing)
# * Includes diagnostics, usage and location data
# Improve Siri Dictation
# * Includes audio recordings sent to Apple
# Share iCloud Analytics
# * Includes iCloud data and usage information
# [https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990/10.15/mac/10.15](https://support.apple.com/guide/mac-help/share-analytics-information-mac-apple-mh27990/10.15/mac/10.15)
# [https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings](https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings)
# [https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings](https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings)
# Rationale: Organizations should know what is shared with the vendor; these settings forward information to Apple automatically.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.5.9_Review_Advertising_settings" do
# title "Review Advertising settings"
# desc "
# Apple operates an ad platform that allows advertisers to target Apple users, and lets end users set how much is shared with advertisers and how much targeting they will accept. While many people prefer to see advertising that is relevant to them and their interests, the detailed profiles that data mining builds from collected information and makes available to advertisers are often disconcerting.
# Organizations may prefer to manage advertising settings on managed computers rather than allow users to configure the settings.
# [https://support.apple.com/en-us/HT205223](https://support.apple.com/en-us/HT205223)
# On macOS one suggested control is to limit ad tracking.
# Rationale: Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.6.1_iCloud_configuration" do
# title "iCloud configuration"
# desc "
# Apple's iCloud is a consumer oriented service that allows a user to store data as well as find, control and back up devices that are associated with their Apple ID (Apple account). The use of iCloud on Enterprise devices should align with the acceptable use policy for devices that are managed as well as confidentiality requirements for data handled by the user. If iCloud is allowed, the data that is copied to Apple servers will likely be duplicated on both personal as well as Enterprise devices.
# For many users the Enterprise email system may replace many of the available features in iCloud. If using either an Exchange or Google environment email, calendars, notes and contacts can sync to the official Enterprise repository and be available through multiple devices.
# Depending on workplace requirements it may not be appropriate to intermingle Enterprise and personal bookmarks, photos and documents. Since the service allows every device associated with the user's ID to synchronize and have access to the cloud storage the concern is not just about having sensitive data on Apple's servers but having that same data on the phone of the teenage son or daughter of an employee. The use of family sharing options can reduce the risk.
# Apple's iCloud is just one of many cloud based solutions being used for data synchronization across multiple platforms and it should be controlled consistently with other cloud services in your environment. Work with your employees and configure the access to best enable data protection for your mission.
# Rationale: Organizations must make a risk decision on how their computers will interact with public cloud services.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.6.2_iCloud_keychain" do
# title "iCloud keychain"
# desc "
# The iCloud keychain is Apple's password manager that works with macOS and iOS. The capability allows users to store passwords in either iOS or macOS for use in Safari on both platforms and other iOS integrated applications. The most pervasive use is driven by iOS use rather than macOS. The passwords stored in a macOS keychain on an Enterprise managed computer could be stored in Apple's cloud and then be available on a personal computer using the same account. The stored passwords could be for organizational as well as for personal accounts.
# If passwords are no longer being used as organizational tokens they are not in scope for iCloud keychain storage.
# Rationale: Ensure that the iCloud keychain is used consistently with organizational requirements
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.6.3_iCloud_Drive" do
# title "iCloud Drive"
# desc "
# iCloud Drive is Apple's storage solution for applications on both macOS and iOS to use the same files that are resident in Apple's cloud storage. The iCloud Drive folder is available much like Dropbox, Microsoft OneDrive or Google Drive.
# One of the concerns in public cloud storage is that proprietary data may be inappropriately stored in an end user's personal repository. Organizations that need specific controls on information should ensure that this service is turned off or the user knows what information must be stored on services that are approved for storage of controlled information.
# Rationale: Organizations should review third party storage solutions pertaining to existing data confidentiality and integrity requirements.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.6.4_iCloud_Drive_Document_sync" do
# title "iCloud Drive Document sync"
# desc "
# With macOS 10.12 Apple introduced the capability to have a user's Documents folder automatically synchronize to the user's iCloud Drive, provided they have enough room purchased through Apple on their iCloud Drive. This capability mirrors what Microsoft is doing with OneDrive and Office 365. There are concerns with using this capability.
# The storage space that Apple provides for free is shared with iCloud mail, the user's entire Photo Library created with ever larger multi-megapixel iPhone cameras, and all of the iOS backups. Adding synchronization for users who have files going back a decade or more means storage may be tight without paying Apple much more than the free 5GB allows. Users with multiple computers running 10.12 and above with unique content on each will have issues as well.
# Enterprise users may not be allowed to store Enterprise information in a third party public cloud. In previous implementations of iCloud Drive, or even Dropbox, the user selected which files were synchronized even if there were no other controls. The new feature synchronizes all files in a folder widely used for working files.
# The automatic synchronization of all files in a user's Documents folder should be disabled.
# [https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-macos-sierra-the-good-the-bad-and-the-ugly/](https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-macos-sierra-the-good-the-bad-and-the-ugly/)
# Rationale: Automated Document synchronization should be planned and controlled to approved storage.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.6.5_iCloud_Drive_Desktop_sync" do
# title "iCloud Drive Desktop sync"
# desc "
# With macOS 10.12 Apple introduced the capability to have a user's Desktop folder automatically synchronize to the user's iCloud Drive, provided they have enough room purchased through Apple on their iCloud Drive. This capability mirrors what Microsoft is doing with OneDrive and Office 365. There are concerns with using this capability.
# The storage space that Apple provides for free is shared with iCloud mail, the user's entire Photo Library created with ever larger multi-megapixel iPhone cameras, and all of the iOS backups. Adding synchronization for users who have files going back a decade or more means storage may be tight without paying Apple much more than the free 5GB allows. Users with multiple computers running 10.12 and above with unique content on each will have issues as well.
# Enterprise users may not be allowed to store Enterprise information in a third party public cloud. In previous implementations of iCloud Drive, or even Dropbox, the user selected which files were synchronized even if there were no other controls. The new feature synchronizes all files in a folder widely used for working files.
# The automatic synchronization of all files in a user's Desktop folder should be disabled.
# [https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-macos-sierra-the-good-the-bad-and-the-ugly/](https://derflounder.wordpress.com/2016/09/23/icloud-desktop-and-documents-in-macos-sierra-the-good-the-bad-and-the-ugly/)
# Rationale: Automated Desktop synchronization should be planned and controlled to approved storage.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.7.1_Time_Machine_Auto-Backup" do
# title "Time Machine Auto-Backup"
# desc "
# Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur, Time Machine should be on and set to Back Up Automatically whenever the target volume is available.
# Operational staff should ensure that backups complete on a regular basis and that the backups are tested to ensure that file restoration from backup is possible when needed.
# Backup dates are available in the Time Machine plist even when the target volume is not available:
# SnapshotDates = (
# \"2012-08-20 12:10:22 +0000\",
# \"2013-02-03 23:43:22 +0000\",
# \"2014-02-19 21:37:21 +0000\",
# \"2015-02-22 13:07:25 +0000\",
# \"2016-08-20 14:07:14 +0000\"
# );
# When the backup volume is connected to the computer, more extensive information is available through tmutil. See man tmutil.
# Rationale: Backups should automatically run whenever the backup drive is available
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Time Machine Auto-Backup\n# Eric Pinnell 04/23/20 Corrected test error\n# \n\n# AutoBackup is a boolean: defaults prints 1 when it is on. If the key is missing\n# (Time Machine never configured) defaults errors out and output stays empty, which fails.\noutput=$(defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup 2>/dev/null)\n\n# Pass only when the value is exactly 1, otherwise fail.\nif [ \"$output\" = \"1\" ] ; then\n\techo \"Passed, AutoBackup is set to: \\\"$output\\\"\"\n\texit 0\nelse\n\t# print the reason why we are failing\n\techo \"Failed, AutoBackup is set to: \\\"$output\\\"\"\n\texit 1\nfi") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.7.2_Time_Machine_Volumes_Are_Encrypted" do
# title "Time Machine Volumes Are Encrypted"
# desc "
# One of the most important security tools for data protection on macOS is FileVault. With encryption in place it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting-up a time machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use.
# While some portable drives may contain non-sensitive data, and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes.
# Rationale: Backup volumes need to be encrypted
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Ensure Time Machine Volumes Are Encrypted\n# Eric Pinnell 04/23/20 Correct test error\n# \n\npassing=\"\"\n# One LastKnownEncryptionState entry is recorded per configured destination.\noutput=$(defaults read /Library/Preferences/com.apple.TimeMachine.plist 2>/dev/null | grep LastKnownEncryptionState)\n\n# Pass only when at least one destination is configured and none of them is NotEncrypted;\n# an unencrypted destination next to an encrypted one must still fail.\nif [ -n \"$output\" ] && ! printf '%s\\n' \"$output\" | grep -q NotEncrypted ; then\n\tpassing=true\nfi\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = true ] ; then\n\techo \"Passed: \\\"$output\\\"\"\n\texit 0\nelse\n\t# print the reason why we are failing\n\techo \"Failed: \\\"$output\\\"\"\n\texit 1\nfi") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.8_Pair_the_remote_control_infrared_receiver_if_enabled" do
# title "Pair the remote control infrared receiver if enabled"
# desc "
# An infrared receiver is a piece of hardware that sends information from an infrared remote control to another device by receiving and decoding signals. If a remote is used with a computer, a specific remote can be paired with the computer so that only that remote will work on it. If a remote is needed, the receiver should only be accessible by a paired device. Many models do not have infrared hardware. The audit check looks for the hardware first.
# Rationale: An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information.
# While Apple hardware that still supports infrared is uncommon and has not been manufactured in years it still does exist. This control checks first for the presence of an IR receiver so systems that do not have IR will quickly pass this control check.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.9_Enable_Secure_Keyboard_Entry_in_terminal.app" do
# title "Enable Secure Keyboard Entry in terminal.app"
# desc "
# Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal.
# Rationale: Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal.
# "
# impact 1.0
# # InSpec does not expand shell variables such as $HOME in a path. This is a per-user setting,
# # so the path is built from the home directory of the user running the profile.
# describe plist("#{ENV['HOME']}/Library/Preferences/com.apple.Terminal.plist", xpath: '/plist/dict/key[text()=\'SecureKeyboardEntry\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.10_Securely_delete_files_as_needed" do
# title "Securely delete files as needed"
# desc "
# In previous versions of macOS Apple included a capability to securely empty the trash that included overwrites of the existing data. With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives the requirements have changed and the \"Secure Empty Trash\" capability has been removed from the GUI. For systems that are not using encryption and continue to use platter-based hard drives there is residual risk that deleted files can still be recovered from the file system.
# In previous versions of the Benchmark srm was mentioned as an alternative to the removal of \"Secure Empty Trash.\" With the release of macOS 10.12 srm has been removed. There is still an option to erase free space from the command line, but Apple has warned that encryption is a better solution.
# From the manual entry for diskutil:
# NOTE: This kind of secure erase is no longer considered safe. Modern devices have wear-leveling, block-sparing, and possibly-persistent cache hardware, which cannot be completely erased by these commands. The modern solution for quickly and securely erasing your data is encryption. Strongly-encrypted data can be instantly \"erased\" by destroying (or losing) the key (password), because this renders your data irretrievable in practical terms. Consider using APFS encryption (File-Vault).
# diskutil secureErase freespace 0 /
# Rationale: Securely removing files mitigates the risk of an admin user on the system recovering sensitive files that the user has deleted. It is possible for anyone with physical access to the device to get access if FileVault is not used, or to recover deleted data if the FileVault volume is already mounted. Users and admins of computers containing sensitive information should be screened appropriately or additional security controls should be in place to prevent unauthorized access to sensitive information.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.11_Ensure_EFI_version_is_valid_and_being_regularly_checked" do
# title "Ensure EFI version is valid and being regularly checked"
# desc "
# In order to mitigate firmware attacks Apple has created an automated firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.
# Rationale: If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Ensure EFI version is valid and being regularly checked\n# Eric Pinnell 04/22/20 Update to exclude systems where no check is required\n# \n\npassing=\"\"\n\n# Macs with an Apple T2 chip have their firmware validated by the T2, so the eficheck branch is not needed there.\nif [ -n \"$(system_profiler SPiBridgeDataType)\" ] ; then\n\toutput=$(system_profiler SPiBridgeDataType | awk -F: '/Model Name/ {print $NF}' | sed 's/^ *//')\n\tsystem_profiler SPiBridgeDataType | grep -q 'Apple T2 Security Chip' && passing=true\nelif command -v /usr/libexec/firmwarecheckers/eficheck/eficheck >/dev/null 2>&1 ; then\n\toutput=$(/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | awk 'NR==2')\n\t/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check | grep -q 'No changes detected in primary hashes' && passing=true\nelse\n\toutput=\"Command not found or efi check failed\"\nfi\n\n# Pass if the T2 chip was found or the integrity check reported no changes, otherwise fail.\nif [ \"$passing\" = true ] ; then\n\techo \"Passed: \\\"$output\\\"\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Failed: \\\"$output\\\"\"\n exit 1\nfi") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_2.12_Disable_Wake_for_network_access_and_Power_Nap" do
# title "Disable \"Wake for network access\" and \"Power Nap\""
# desc "
# These two features allow the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and able to attempt to reconnect to known networks, including any wireless SSIDs with cached credentials. These macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls.
# **Wake for network access** This feature allows other users to be able to access your computer&#x2019;s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on networks where the managed state is unknown, and where untrusted devices could send wake signals.
# **Power Nap** Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously joined networks with stored credentials so that user applications can phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.
# Rationale: Disabling these features mitigates the risk of an attacker remotely waking the system and gaining access.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_3.1_Enable_security_auditing" do
# title "Enable security auditing"
# desc "
# macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
# Rationale: Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor.
# "
# impact 1.0
# tag cis_issue_ref: "https://workbench.cisecurity.org/benchmarks/806/tickets/9023"
# # This only confirms that the auditd LaunchDaemon definition is present; it does not confirm that the daemon is loaded.
# describe plist('/System/Library/LaunchDaemons/com.apple.auditd.plist', xpath: '/plist/dict/key[text()=\'Label\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should cmp "com.apple.auditd" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_3.2_Configure_Security_Auditing_Flags_per_local_organizational_requirements" do
# title "Configure Security Auditing Flags per local organizational requirements"
# desc "
# Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements.
# Rationale: Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.
# Depending on the governing authority organizations can have vastly different auditing requirements. In order to make a specific decision on which flags to check for a single standard on flags would have to exist for the uses of this Benchmark. At this point I don't see one. Some have suggested the use of an \"any\" flag, which would have to be an alternate check. It appears that many or statements would have to be used to make this a successfully scored control, and even then some will be dissatisfied. URL references to audit flag discussions are under references. Please follow best practices and organizational compliance requirements.
# **Additional Information**
# /usr/bin/grep :lo$ /private/etc/security/audit_event | /usr/bin/awk -F \":\" '{ print $2 }'
# sudo cat /etc/security/audit_class
# "
# impact 0.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Configure Security Auditing Flags\n# \n\noutput=$(\nsudo egrep \"^flags:\" /etc/security/audit_control\n)\n\n# If results returns pass, otherwise fail.\nif [ \"$output\" == \"flags:lo,aa,fd,fm,-all\" ] ; then\n\techo \"$output\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"$output\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_3.3_Ensure_security_auditing_retention" do
# title "Ensure security auditing retention"
# desc "
# The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
# Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use:
# expire-after:60d OR 1G
# More information is in the man page:
# man audit_control
# Rationale: The audit records need to be retained long enough to be reviewed as necessary.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Ensure security auditing retention\n# Eric Pinnell 04/22/20 Modified to include regex for ge and case insensitive\n# \n\noutput=$(\ngrep expire-after /etc/security/audit_control\n)\n\npassing=\"\"\n\n# Pass when an active (uncommented) expire-after line keeps at least 60 days, or at least 1G (1024M), of audit trails.\ngrep -Eiq '^\\s*expire-after:([6-9][0-9]|[1-9][0-9]{2,})D\\b' /etc/security/audit_control && passing=true\ngrep -Eiq '^\\s*expire-after:([1-9]|[1-9][0-9]+)G\\b' /etc/security/audit_control && passing=true\ngrep -Eiq '^\\s*expire-after:(102[4-9]|10[3-9][0-9]|1[1-9][0-9]{2}|[2-9][0-9]{3}|[1-9][0-9]{4,})M\\b' /etc/security/audit_control && passing=true\n\n# If either result returns pass, otherwise fail.\nif [ \"$passing\" = true ] ; then\n\techo \"Passed: \\\"$output\\\"\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Failed: \\\"$output\\\"\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
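# The grep patterns in the check above test the expire-after value in place, and only the first clause after the colon; a value written as 2048M, for instance, is not covered by the megabyte alternative unless its four-digit branches are spelled out exactly. As an added example (not part of the benchmark or of this profile), the POSIX sh function below parses the line instead: it splits the value on AND/OR, breaks each clause into number and unit, and passes when any clause retains at least 60 days or at least 1G (1024M), the same threshold the benchmark uses. It recognises only the units the benchmark itself uses (d, M, G); any other unit, a commented-out line, or a missing line fails closed. That unit set is an assumption of this example, not the full audit_control(5) grammar, and the sample configurations are constructed rather than captured from a real host.

```shell
#!/bin/sh
# audit_retention_ok: evaluate the expire-after setting in audit_control(5) text.
# Usage: audit_retention_ok "$(cat /etc/security/audit_control)"
# Returns 0 when at least one clause keeps >= 60 days or >= 1G (1024M) of trails,
# 1 otherwise. Units recognised: d (days), M (megabytes), G (gigabytes); this is an
# assumption of the example, and any other unit fails closed.
audit_retention_ok() {
    printf '%s\n' "$1" | awk '
        BEGIN { ok = 0 }
        # Only an uncommented expire-after line at the start of a line counts.
        /^[ \t]*expire-after:/ {
            sub(/^[ \t]*expire-after:[ \t]*/, "")   # drop the key
            sub(/#.*$/, "")                         # drop a trailing comment
            n = split($0, part, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                p = part[i]
                if (p == "" || p == "AND" || p == "OR") continue
                num = p; unit = p
                sub(/[A-Za-z]+$/, "", num)           # numeric prefix
                sub(/^[0-9]+/, "", unit)             # unit suffix
                if (num !~ /^[0-9]+$/) continue     # not a <number><unit> token
                if ((unit == "d" || unit == "D") && num + 0 >= 60)   ok = 1
                if (unit == "M"                  && num + 0 >= 1024) ok = 1
                if ((unit == "G" || unit == "g") && num + 0 >= 1)    ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample configurations (not taken from a real host).
SAMPLE_OK_TIME='dir:/var/audit
flags:lo,aa,fd,fm,-all
expire-after:60d OR 1G'
SAMPLE_OK_SIZE='expire-after:2048M'
SAMPLE_TOO_SHORT='expire-after:30d'
SAMPLE_COMMENTED='#expire-after:60d'

for sample in "$SAMPLE_OK_TIME" "$SAMPLE_OK_SIZE" "$SAMPLE_TOO_SHORT" "$SAMPLE_COMMENTED"; do
    if audit_retention_ok "$sample"; then
        echo "PASS: $(printf '%s\n' "$sample" | grep expire-after)"
    else
        echo "FAIL: $(printf '%s\n' "$sample" | grep expire-after)"
    fi
done
```

# Note that with OR the trails expire as soon as either condition is met, so 60d OR 1G keeps at most 60 days and at most 1G; the function deliberately mirrors the benchmark script, which accepts either clause on its own.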
# control "xccdf_org.cisecurity.benchmarks_rule_3.4_Control_access_to_audit_records" do
# title "Control access to audit records"
# desc "
# The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files.
# Rationale: Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes.
# "
# impact 1.0
# # /etc/security/audit_control should be root:wheel, mode 440: readable by owner and group only,
# # writable and executable by nobody. The resource takes a literal path, not a pattern.
# describe file("/etc/security/audit_control") do
# it { should exist }
# it { should_not be_executable.by "owner" }
# it { should_not be_writable.by "owner" }
# it { should_not be_executable.by "group" }
# it { should_not be_writable.by "group" }
# it { should_not be_readable.by "other" }
# it { should_not be_writable.by "other" }
# it { should_not be_executable.by "other" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_3.5_Retain_install.log_for_365_or_more_days" do
# title "Retain install.log for 365 or more days"
# desc "
# macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.
# The default value has an \"all_max\" file limitation, no reference to a minimum retention and a less precise rotation argument.
# * The maximum file size limitation string should be removed \"all_max=\"
# * An organization appropriate retention should be added \"ttl=\"
# * The rotation should be set with time stamps \"rotate=utc\" or \"rotate=local\"
# Rationale: Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Retain install.log for 365 or more days\n# Eric Pinnell 04/23/20 Corrected test\n# \n\npassing=\"\"\noutput=$(grep -i ttl /etc/asl/com.apple.install)\n# ttl on the install.log line must be 365 or more; other options may precede it.\ngrep -Eq '^\\s*\\*\\s+file\\s+\\/var\\/log\\/install.log\\s+([^#]+\\s+)*ttl=(36[5-9]|3[7-9][0-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})\\b(\\s*\\S+\\s*)*(\\s+#.*)?$' /etc/asl/com.apple.install && passing=true\n\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = \"true\" ] ; then\n\techo \"Passed: \\\"$output\\\"\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Failed: \\\"$output\\\"\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
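# Added example, not code from the gist or from CIS-CAT: the retention checks of
# control 3.3 (audit_control expire-after) and control 3.5 (the install.log line
# in /etc/asl/com.apple.install) as shell functions that parse the config text
# passed to them instead of matching a single regex, so they can be exercised
# off-box. They also handle the "60d AND 1G" / "60d OR 1G" combined form that
# audit_control(5) allows, and the all_max/rotate requirements listed in the
# 3.5 text. Function names and the sample configs are this example's own.

```sh
#!/bin/sh
# Added example, not code from the gist or CIS-CAT. Evaluates the retention
# settings of controls 3.3 and 3.5 on config text passed as $1. Sample configs
# at the bottom are constructed for the demo.

# Value after "expire-after:" on the first uncommented line, comment stripped.
audit_expire_value() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*expire-after:' | head -n 1 \
    | sed 's/^[[:space:]]*expire-after://; s/#.*$//; s/[[:space:]]*$//'
}

# Return 0 when retention is at least 60 days or at least 1 GiB, using the
# CIS-CAT thresholds (suffix D = days, G = GiB, M = MiB, case-insensitive as
# CIS-CAT treats them). With "AND" a trail is removed only when both conditions
# hold, so one component meeting its threshold is enough; with "OR" it is
# removed when either holds, so every component must meet its threshold.
audit_expire_ok() {
  value=$(audit_expire_value "$1")
  [ -n "$value" ] || return 1
  mode=any
  printf '%s' "$value" | grep -Eqi '(^|[[:space:]])OR([[:space:]]|$)' && mode=all
  hits=0
  checks=0
  for tok in $value; do
    num=$(printf '%s' "$tok" | sed -n 's/^\([0-9][0-9]*\)[DdGgMm]$/\1/p')
    [ -n "$num" ] || continue            # AND / OR keywords and unknown units
    checks=$((checks + 1))
    case "$tok" in
      *[Dd]) if [ "$num" -ge 60 ];   then hits=$((hits + 1)); fi ;;
      *[Gg]) if [ "$num" -ge 1 ];    then hits=$((hits + 1)); fi ;;
      *[Mm]) if [ "$num" -ge 1024 ]; then hits=$((hits + 1)); fi ;;
    esac
  done
  [ "$checks" -gt 0 ] || return 1
  if [ "$mode" = all ]; then [ "$hits" -eq "$checks" ]; else [ "$hits" -gt 0 ]; fi
}

# Option list of the "* file /var/log/install.log ..." line, comment stripped.
install_log_options() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*\*[[:space:]]+file[[:space:]]+/var/log/install\.log([[:space:]]|$)' \
    | head -n 1 | sed 's/#.*$//' \
    | sed -E 's/^[[:space:]]*\*[[:space:]]+file[[:space:]]+\/var\/log\/install\.log//'
}

# Return 0 when all three changes control 3.5 asks for are present: ttl of at
# least $2 days (default 365), no all_max= cap, and rotate=utc or rotate=local.
install_log_ok() {
  days=${2:-365}
  opts=$(install_log_options "$1")
  [ -n "$opts" ] || return 1
  ttl=""; rotate=""; all_max=""
  for tok in $opts; do
    case "$tok" in
      ttl=*)     ttl=${tok#ttl=} ;;
      rotate=*)  rotate=${tok#rotate=} ;;
      all_max=*) all_max=1 ;;
    esac
  done
  [ -z "$all_max" ] || return 1
  case "$rotate" in utc|local) ;; *) return 1 ;; esac
  printf '%s' "$ttl" | grep -Eq '^[0-9]+$' || return 1
  [ "$ttl" -ge "$days" ]
}

# Constructed samples (not copied from any system).
AUDIT_GOOD='#
# constructed /etc/security/audit_control
dir:/var/audit
flags:lo,aa
minfree:5
expire-after:10M AND 60d   # AND: trails survive 60 days even when small
'
AUDIT_BAD='dir:/var/audit
# expire-after:60d     (commented out, must not count)
expire-after:30d OR 2G
'
INSTALL_GOOD='* file /var/log/install.log format=bsd rotate=utc compress file_max=5M ttl=365'
INSTALL_BAD='* file /var/log/install.log format=bsd rotate=seq compress file_max=5M all_max=50M'

# Stand-alone demo.
report() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report audit_expire_ok "$AUDIT_GOOD"
report audit_expire_ok "$AUDIT_BAD"
report install_log_ok "$INSTALL_GOOD"
report install_log_ok "$INSTALL_BAD"
```

# On a Mac the same functions take the real files: audit_expire_ok "$(cat
# /etc/security/audit_control)" and install_log_ok "$(cat /etc/asl/com.apple.install)".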
# control "xccdf_org.cisecurity.benchmarks_rule_3.6_Ensure_Firewall_is_configured_to_log" do
# title "Ensure Firewall is configured to log"
# desc "
# The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled.
# Rationale: In order to troubleshoot the successes and failures of a firewall logging should be enabled.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.alf.plist', xpath: '/plist/dict/key[text()=\'loggingenabled\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should cmp 1 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_4.1_Disable_Bonjour_advertising_service" do
# title "Disable Bonjour advertising service"
# desc "
# Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.
# Rationale: Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly-configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.mDNSResponder.plist', xpath: '/plist/dict/key[text()=\'NoMulticastAdvertisements\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_4.2_Enable_Show_Wi-Fi_status_in_menu_bar" do
# title "Enable \"Show Wi-Fi status in menu bar\""
# desc "
# The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This control only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
# Rationale: Enabling \"Show Wi-Fi status in menu bar\" is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.
# "
# impact 1.0
# # The plist resource does not expand $HOME; resolve it on the target and run as the user being audited.
# describe plist("#{os_env('HOME').content}/Library/Preferences/com.apple.systemuiserver.plist", xpath: "/plist/dict/key[.='menuExtras']/following-sibling::*[1]/string[.='/System/Library/CoreServices/Menu Extras/AirPort.menu']/text()") do
# it { should exist }
# its("xpath_value") { should cmp "/System/Library/CoreServices/Menu Extras/AirPort.menu" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_4.3_Create_network_specific_locations" do
# title "Create network specific locations"
# desc "
# The network location feature of the Mac is a very powerful tool to manage network security. By creating different network locations, a user can easily (and without administrative privileges) change the network settings on the Mac. By only using the network interfaces needed at any specific time, exposure to network attacks is limited.
# A little understanding of how the Network System Preferences pane works is required.
# Rationale: Network locations allow the computer to have specific configurations ready for network access when required. Locations can be used to manage which network interfaces are available for specialized network access.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_http_server_is_not_running" do
# title "Ensure http server is not running"
# desc "
# macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
# Rationale: Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Eric Pinnell 04/23/20\tCheck if a process is running\n# \n\n# Process name from the benchmark audit; the XCCDF_VALUE_REGEX variable is undefined outside CIS-CAT.\nprocess=\"httpd\"\npassing=\"\"\n[ -z \"$(pgrep \"$process\")\" ] && passing=true\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = \"true\" ] ; then\n\techo \"Process \\\"$process\\\" is not running\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Process \\\"$process\\\" is running\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_4.5_Ensure_nfs_server_is_not_running" do
# title "Ensure nfs server is not running"
# desc "
# macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer.
# Rationale: File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Eric Pinnell 04/23/20\tCheck if a process is running\n# \n\n# Process name from the benchmark audit; the XCCDF_VALUE_REGEX variable is undefined outside CIS-CAT.\nprocess=\"nfsd\"\npassing=\"\"\n[ -z \"$(pgrep \"$process\")\" ] && passing=true\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = \"true\" ] ; then\n\techo \"Process \\\"$process\\\" is not running\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Process \\\"$process\\\" is running\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.1.1_Secure_Home_Folders" do
# title "Secure Home Folders"
# desc "
# By default macOS allows all valid users into the top level of every other user's home folder, and restricts access to the Apple default folders within. Another user on the same system can see you have a \"Documents\" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system.
# The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can't see your pictures; in the parallel with macOS they can see into every new directory that is created because of the default permissions.
# Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.
# Rationale: Allowing all users to view the top level of all networked user's home folder may not be desirable since it may lead to the revelation of sensitive information.
# "
# impact 1.0
# # The file resource takes no wildcard; enumerate the home folders and skip
# # /Users/Shared, which is world writable by design (assumed out of scope).
# command("find /Users -mindepth 1 -maxdepth 1 -type d -not -name Shared").stdout.split("\n").each do |home|
# describe file(home) do
# it { should exist }
# it { should_not be_readable.by "group" }
# it { should_not be_writable.by "group" }
# it { should_not be_readable.by "other" }
# it { should_not be_writable.by "other" }
# it { should be_executable.by "owner" }
# it { should be_readable.by "owner" }
# it { should be_writable.by "owner" }
# end
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.1.2_Check_System_Wide_Applications_for_appropriate_permissions" do
# title "Check System Wide Applications for appropriate permissions"
# desc "
# Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions
# Rationale: Unauthorized modifications of applications could lead to the execution of malicious code.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Eric Pinnell 04/23/20 Test Systemwide Applications for other write\n# \n\n# List application bundles whose top-level directory has the other-write bit\n# (-perm -2), as the benchmark audit does. A for loop over ls -l output\n# word-splits each line, so the mode field can never be matched that way.\noutput=$(find /Applications -iname '*.app' -type d -perm -2 -ls)\n\nif [ -z \"$output\" ] ; then\n\techo \"Passed: Other does not have write permissions on *.app in /Applications\"\n exit 0\nelse\n # print the offending bundles\n echo \"Failed: Other has write permissions on *.app in /Applications\"\n echo \"$output\"\n exit 1\nfi") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.1.3_Check_System_folder_for_world_writable_files" do
# title "Check System folder for world writable files"
# desc "
# Software sometimes insists on being installed in the /System Directory and have inappropriate world writable permissions.
# Rationale: Folders in /System should not be world writable. The audit check excludes the \"Drop Box\" folder that is part of Apple's default user template.
# "
# impact 1.0
# # World-writable directories under /System, minus the Drop Box exclusion; a clean system prints nothing.
# describe command("find /System -xdev -type d -perm -2 -ls | grep -v 'Public/Drop Box'") do
# its("stdout") { should be_empty }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.1.4_Check_Library_folder_for_world_writable_files" do
# title "Check Library folder for world writable files"
# desc "
# Software sometimes insists on being installed in the /Library Directory and have inappropriate world writable permissions.
# Rationale: Folders in /Library should not be world writable. The audit check excludes the /Library/Caches folder where the sticky bit is set.
# "
# impact 1.0
# # World-writable directories under /Library, minus the Caches exclusion; a clean system prints nothing.
# describe command("find /Library -xdev -type d -perm -2 -ls | grep -v Caches") do
# its("stdout") { should be_empty }
# end
# end
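# Added example, not code from the gist or from CIS-CAT: the world-writable
# checks of controls 5.1.2 to 5.1.4 written as find invocations that carry the
# exclusion themselves (-prune on the path) instead of filtering afterwards
# with grep -v, run against a throwaway directory tree built to mimic the
# cases the control text names. The tree layout, names and modes are this
# example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the gist or CIS-CAT. The constructed tree stands
# in for /System, /Library and /Applications.

# World-writable directories under $1, skipping any directory whose path ends
# in $2 (e.g. "Public/Drop Box" or "Caches") together with its contents.
# -perm -2 tests the other-write bit, the same test the CIS audit uses.
world_writable_dirs() {
  find "$1" -xdev -type d -path "*/$2" -prune -o -type d -perm -2 -print
}

# Application bundles under $1 whose top-level directory is world writable
# (control 5.1.2). Drop -iname to also report writable directories inside bundles.
world_writable_apps() {
  find "$1" -xdev -type d -iname '*.app' -perm -2 -print
}

# Build a constructed tree: one clean and one offending case per control, plus
# the two excluded locations. Prints the root; the caller removes it.
make_sample_tree() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/System/Library/Good" \
           "$t/System/Users/bob/Public/Drop Box" \
           "$t/Library/Caches/com.example" \
           "$t/Library/Sloppy" \
           "$t/Applications/Fine.app/Contents" \
           "$t/Applications/Sloppy.app"
  find "$t" -type d -exec chmod 755 {} +            # baseline independent of umask
  chmod 733  "$t/System/Users/bob/Public/Drop Box"  # drop boxes are world writable by design
  chmod 1777 "$t/Library/Caches/com.example"        # sticky and world writable, as the control notes
  chmod 777  "$t/Library/Sloppy" "$t/Applications/Sloppy.app"
  printf '%s\n' "$t"
}

# Stand-alone demo: expect nothing for System, Sloppy for Library, Sloppy.app for Applications.
T=$(make_sample_tree)
echo "System offenders:";       world_writable_dirs "$T/System" "Public/Drop Box"
echo "Library offenders:";      world_writable_dirs "$T/Library" "Caches"
echo "Applications offenders:"; world_writable_apps "$T/Applications"
rm -rf "$T"
```

# Pruning in find matters on a real system: grep -v drops any line that merely
# contains the excluded name, whereas -prune skips exactly the named directory
# and its subtree and keeps reporting everything else.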
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.1_Configure_account_lockout_threshold" do
# title "Configure account lockout threshold"
# desc "
# The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur.
# Ensure that a lockout threshold is part of the password policy on the computer
# Rationale: The account lockout feature mitigates brute-force password attacks on the system.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.2_Set_a_minimum_password_length" do
# title "Set a minimum password length"
# desc "
# A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.
# Ensure that a minimum of a 15 character password is part of the password policy on the computer.
# Where the confidentiality of encrypted information in FileVault is more of a concern requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.
# Rationale: Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.3_Complex_passwords_must_contain_an_Alphabetic_Character" do
# title "Complex passwords must contain an Alphabetic Character"
# desc "
# Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters.
# Ensure that an Alphabetic character is part of the password policy on the computer
# Rationale: The more complex a password the more resistant it will be against persons seeking unauthorized access to a system.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.4_Complex_passwords_must_contain_a_Numeric_Character" do
# title "Complex passwords must contain a Numeric Character"
# desc "
# Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters.
# Ensure that a number or numeric value is part of the password policy on the computer.
# Rationale: The more complex a password the more resistant it will be against persons seeking unauthorized access to a system.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.5_Complex_passwords_must_contain_a_Special_Character" do
# title "Complex passwords must contain a Special Character"
# desc "
# Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a special character is part of the password policy on the computer
# Rationale: The more complex a password the more resistant it will be against persons seeking unauthorized access to a system.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.6_Complex_passwords_must_contain_uppercase_and_lowercase_letters" do
# title "Complex passwords must contain uppercase and lowercase letters"
# desc "
# Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters.
# Ensure that both uppercase and lowercase letters are part of the password policy on the computer
# Rationale: The more complex a password the more resistant it will be against persons seeking unauthorized access to a system.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.7_Password_Age" do
# title "Password Age"
# desc "
# Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically.
# This control uses 365 days as the acceptable value, some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
# Rationale: Passwords should be changed periodically to reduce exposure
# "
# impact 1.0
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.2.8_Password_History" do
# title "Password History"
# desc "
# Over time passwords can be captured by third parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15.
# The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.
# Rationale: Old passwords should not be reused
# "
# impact 1.0
# end
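# Added example, not code from the gist or from CIS-CAT: controls 5.2.1, 5.2.2,
# 5.2.7 and 5.2.8 above ship without a test. This evaluates their four
# thresholds (lockout at most 5 failures, minimum length 15, expiry within
# 365 days, history depth at least 15) from the plist that
# "pwpolicy -getaccountpolicies" prints, passed in as text. The sample is
# constructed in the shape of the CIS remediation plist and uses its parameter
# names; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the gist or CIS-CAT. Parses pwpolicy output
# passed as text; the sample policy below is constructed.

# Print the <integer> that directly follows <key>$1</key> in plist text on stdin.
plist_int() {
  awk -v key="$1" '
    index($0, "<key>" key "</key>") { want = 1; next }
    want {
      if (match($0, /<integer>[0-9]+<\/integer>/)) {
        print substr($0, RSTART + 9, RLENGTH - 19); exit
      }
      want = 0
    }'
}

# Minimum length N from a policyContent of the form "policyAttributePassword matches '.{N,}+'".
plist_min_length() {
  sed -n "s/.*policyAttributePassword matches '\.{\([0-9][0-9]*\),}.*/\1/p" | head -n 1
}

# Return 0 when all four thresholds hold. A parameter that is absent means the
# policy is not set at all and fails.
password_policy_ok() {
  lock=$(printf '%s\n' "$1" | plist_int policyAttributeMaximumFailedAuthentications)
  minlen=$(printf '%s\n' "$1" | plist_min_length)
  expire=$(printf '%s\n' "$1" | plist_int policyAttributeExpiresEveryNDays)
  hist=$(printf '%s\n' "$1" | plist_int policyAttributePasswordHistoryDepth)
  for v in "$lock" "$minlen" "$expire" "$hist"; do
    printf '%s' "$v" | grep -Eq '^[0-9]+$' || return 1
  done
  [ "$lock" -le 5 ] && [ "$minlen" -ge 15 ] && [ "$expire" -le 365 ] && [ "$hist" -ge 15 ]
}

# Constructed sample in the shape pwpolicy prints (header line, then a plist).
POLICY_GOOD=$(cat <<'EOF'
Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>policyCategoryAuthentication</key>
<array><dict>
<key>policyContent</key>
<string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
<key>policyIdentifier</key>
<string>Authentication Lockout</string>
<key>policyParameters</key>
<dict>
<key>autoEnableInSeconds</key>
<integer>900</integer>
<key>policyAttributeMaximumFailedAuthentications</key>
<integer>5</integer>
</dict>
</dict></array>
<key>policyCategoryPasswordChange</key>
<array><dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Password Age</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>365</integer>
</dict>
</dict></array>
<key>policyCategoryPasswordContent</key>
<array><dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.{15,}+'</string>
<key>policyIdentifier</key>
<string>Minimum Length</string>
</dict><dict>
<key>policyContent</key>
<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
<key>policyIdentifier</key>
<string>Password History</string>
<key>policyParameters</key>
<dict>
<key>policyAttributePasswordHistoryDepth</key>
<integer>15</integer>
</dict>
</dict></array>
</dict>
</plist>
EOF
)
# Same policy with the lockout threshold loosened to 10 failures.
POLICY_WEAK=$(printf '%s\n' "$POLICY_GOOD" | sed 's#<integer>5</integer>#<integer>10</integer>#')

# Stand-alone demo.
if password_policy_ok "$POLICY_GOOD"; then echo "POLICY_GOOD: PASS"; else echo "POLICY_GOOD: FAIL"; fi
if password_policy_ok "$POLICY_WEAK"; then echo "POLICY_WEAK: PASS"; else echo "POLICY_WEAK: FAIL"; fi
```

# On a Mac feed the live policy in with password_policy_ok "$(pwpolicy
# -getaccountpolicies 2>&1)"; a system with no policy set fails the check.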
# control "xccdf_org.cisecurity.benchmarks_rule_5.3_Reduce_the_sudo_timeout_period" do
# title "Reduce the sudo timeout period"
# desc "
# The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of change and control permissions for the system.
# Rationale: The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Reduce the sudo timeout period\n# Eric Pinnell 04/23/20 Fixed Test\n\npassing=\"\"\noutput=$(grep timestamp /etc/sudoers)\n# Anchor to the line start so a commented-out setting cannot pass, and allow the\n# option to follow others in a comma-separated Defaults list.\ngrep -Eq '^\\s*Defaults\\s+([^#]*,)?\\s*timestamp_timeout\\s*=\\s*0\\b' /etc/sudoers && passing=true\n\n# If results returns pass, otherwise fail.\nif [ \"$passing\" = \"true\" ] ; then\n\techo \"PASSED, \\\"$output\\\"\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"Failed: \\\"$output\\\"\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.4_Use_a_separate_timestamp_for_each_usertty_combo" do
# title "Use a separate timestamp for each user/tty combo"
# desc "
# In combination with removing the sudo timeout grace period a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. With the included sudo 1.8 introduced in 10.12 the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS.
# Rationale: Additional mitigation should be in place to reduce the risk of privilege escalation of background processes.
# "
# impact 1.0
# describe file("/etc/sudoers") do
# # Only an explicit negation on an uncommented Defaults line fails; the option may follow others in the list.
# its("content") { should_not match(/^\s*Defaults\b[^#\n]*!tty_tickets\b/) }
# end
# end
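# Added example, not code from the gist or from CIS-CAT: the two sudoers
# settings of controls 5.3 (timestamp_timeout) and 5.4 (tty_tickets) evaluated
# on sudoers text. A single grep misses three things handled here: commented
# lines, comma-separated Defaults lists, and a later line overriding an earlier
# one (sudo applies the last setting). The samples are constructed; qualified
# forms such as "Defaults:user" and files under /etc/sudoers.d are assumed out
# of scope. Function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the gist or CIS-CAT. Evaluates sudoers text
# passed as $1; samples are constructed.

# Every option from plain "Defaults" lines, one per line, in file order, with
# trailing comments removed and "opt = val" normalised to "opt=val".
sudoers_defaults() {
  printf '%s\n' "$1" \
    | sed 's/#.*$//' \
    | grep -E '^[[:space:]]*Defaults[[:space:]]' \
    | sed -E 's/^[[:space:]]*Defaults[[:space:]]+//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]*=[[:space:]]*/=/' \
    | grep -v '^$'
}

# Effective value of option $2: "on", "off" (written as !opt) or the text after
# "=". The last occurrence wins. Prints nothing when the option never appears.
sudoers_option() {
  sudoers_defaults "$1" | awk -v opt="$2" '
    $0 == opt                 { val = "on" }
    $0 == ("!" opt)           { val = "off" }
    index($0, opt "=") == 1   { val = substr($0, length(opt) + 2) }
    END { if (val != "") print val }'
}

# Control 5.3: the grace period must be explicitly set to 0 minutes.
sudo_timeout_ok() {
  [ "$(sudoers_option "$1" timestamp_timeout)" = "0" ]
}

# Control 5.4: sudo 1.8 enables tty_tickets by default, so only an explicit
# "!tty_tickets" fails; an absent option keeps the default and passes.
sudo_tty_tickets_ok() {
  [ "$(sudoers_option "$1" tty_tickets)" != "off" ]
}

# Constructed samples.
SUDOERS_GOOD='# Defaults timestamp_timeout=5   (commented out: must be ignored)
Defaults env_reset
Defaults        timestamp_timeout = 0, tty_tickets
root    ALL = (ALL) ALL
%admin  ALL = (ALL) ALL
'
SUDOERS_BAD='Defaults env_reset,timestamp_timeout=0,!tty_tickets
Defaults timestamp_timeout=15     # the later line is the one sudo applies
'

# Stand-alone demo.
for name in SUDOERS_GOOD SUDOERS_BAD; do
  eval "text=\$$name"
  printf '%s: timestamp_timeout=%s tty_tickets=%s\n' "$name" \
    "$(sudoers_option "$text" timestamp_timeout)" "$(sudoers_option "$text" tty_tickets)"
done
```

# On a Mac read the file with sudo_timeout_ok "$(sudo cat /etc/sudoers)"; the
# InSpec regexes above express the same two rules, but this form also surfaces
# the value actually in force when it is wrong.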
# control "xccdf_org.cisecurity.benchmarks_rule_5.5_Automatically_lock_the_login_keychain_for_inactivity" do
# title "Automatically lock the login keychain for inactivity"
# desc "
# The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. Application access to the login keychain does not keep it unlocked. If you set Apple Mail to check for email every 10 minutes using the keychain for credentials and the keychain to lock every 15 minutes if inactive it will still cause the keychain to lock. The approach recommended here is that the login keychain be set to periodically lock when inactive to reduce the risk of password exposure or unauthorized use of credentials by a third party. The time period that an organization uses will depend on how great the use is of keychain aware applications. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organizations using keychain aware applications extensively.
# Rationale: While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user. Timing out the keychain can reduce the exploitation window.
# "
# impact 1.0
# tag cis_issue_ref: "https://workbench.cisecurity.org/benchmarks/577/tickets/8995"
# # This control concerns the user's login keychain, not System.keychain; run as
# # the user being audited so $HOME resolves to their home directory.
# timeout = command("security show-keychain-info #{os_env('HOME').content}/Library/Keychains/login.keychain-db").stderr.scan(/timeout=([0-9]+)s/).flatten.first
# describe timeout do
# it { should_not be_nil }
# it { should cmp <= 21600 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_login_keychain_is_locked_when_the_computer_sleeps" do
# title "Ensure login keychain is locked when the computer sleeps"
# desc "
# The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organizations using keychain aware applications extensively.
# Rationale: While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user.
# "
# impact 1.0
# # The login keychain, not System.keychain; run as the user being audited.
# describe command("security show-keychain-info #{os_env('HOME').content}/Library/Keychains/login.keychain-db") do
# its("exit_status") { should cmp 0 }
# its("stderr") { should match(/lock-on-sleep/) }
# end
# end
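# Added example, not code from the gist or from CIS-CAT: "security
# show-keychain-info" reports the keychain's settings on stderr as a single
# line, either "... lock-on-sleep timeout=<N>s" or ending in "no-timeout" when
# no inactivity lock is set. These functions evaluate that line for controls
# 5.5 and 5.6, including the no-timeout case, which must fail 5.5 rather than
# be read as zero. The sample lines are constructed in that shape.

```sh
#!/bin/sh
# Added example, not code from the gist or CIS-CAT. Evaluates one
# show-keychain-info line passed as $1; samples are constructed.

# Inactivity timeout in seconds, "none" for no-timeout, empty if unrecognised.
keychain_timeout() {
  case "$1" in
    *no-timeout*) printf 'none' ;;
    *) printf '%s' "$1" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p' ;;
  esac
}

# Control 5.5: a timeout must be set and be at most $2 seconds (default 21600,
# the six hours the profile above accepts). "none" and unparsable lines fail.
keychain_timeout_ok() {
  t=$(keychain_timeout "$1")
  printf '%s' "$t" | grep -Eq '^[0-9]+$' || return 1
  [ "$t" -le "${2:-21600}" ]
}

# Control 5.6: the lock-on-sleep flag must be present.
keychain_lock_on_sleep_ok() {
  case "$1" in *lock-on-sleep*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample lines.
INFO_GOOD='Keychain "<NULL>" lock-on-sleep timeout=300s'
INFO_LONG='Keychain "<NULL>" timeout=86400s'
INFO_NONE='Keychain "<NULL>" no-timeout'

# Stand-alone demo.
for line in "$INFO_GOOD" "$INFO_LONG" "$INFO_NONE"; do
  if keychain_timeout_ok "$line"; then t=ok; else t=fail; fi
  if keychain_lock_on_sleep_ok "$line"; then s=ok; else s=fail; fi
  printf '%-50s timeout:%s lock-on-sleep:%s\n' "$line" "$t" "$s"
done
```

# On a Mac the line comes from: security show-keychain-info
# ~/Library/Keychains/login.keychain-db 2>&1 (it is written to stderr).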
# control "xccdf_org.cisecurity.benchmarks_rule_5.7_Do_not_enable_the_root_account" do
# title "Do not enable the \"root\" account"
# desc "
# The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions.
# Rationale: Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell).
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Do not enable the \"root\" account\n# \n\noutput=$(\ndscl . -read /Users/root AuthenticationAuthority 2>&1\n)\n\n# A disabled root account has no AuthenticationAuthority key; any other output means it has been enabled.\nif [ \"$output\" = \"No such key: AuthenticationAuthority\" ] ; then\n\techo \"$output\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"$output\"\n exit 1\nfi\n") do
# its("exit_status") { should eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.8_Disable_automatic_login" do
# title "Disable automatic login"
# desc "
# The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen.
# Rationale: Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.
# "
# impact 1.0
# # The key must be absent; "defaults read" exits non-zero when it is not set.
# describe command("defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser") do
# its("exit_status") { should_not eq 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.9_Require_a_password_to_wake_the_computer_from_sleep_or_screen_saver" do
# title "Require a password to wake the computer from sleep or screen saver"
# desc "
# Sleep and screensaver modes are low power modes that reduce electrical consumption while the system is not in use.
# Rationale: Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.
# "
# impact 1.0
# # The plist resource does not expand $HOME; resolve it on the target and run as the user being audited.
# describe plist("#{os_env('HOME').content}/Library/Preferences/com.apple.screensaver.plist", xpath: "/plist/dict/key[text()='askForPassword']/following-sibling::*[1]/name()") do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.10_Ensure_system_is_set_to_hibernate_and_Destroy_FileVault_key" do
# title "Ensure system is set to hibernate and Destroy FileVault key"
# desc "
# In order to use a computer with Full Disk Encryption (FDE) macOS must keep encryption keys in memory to allow the use of the disk that has been FileVault protected. The storage volume has been unlocked and acts as if it was not encrypted. When the system is not in use the volume is protected through encryption. When the system is sleeping and available to quickly resume the encryption keys remain in memory.
# If an unauthorized party has possession of the computer and the computer is only slept there are known attack vectors that can be attempted against the RAM that has the encryption keys or the running operating system that is protected by a login screen. Network attacks if network interfaces are on as well as USB or other open device ports are possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all the other controls function as intended.
# There is little impact on hibernating the system rather than sleeping after an appropriate time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk and requires FileVault to be unlocked prior to the OS being available. In the case of unauthorized personnel with access to the computer encryption would have to be broken prior to attacking the operating system in order to recover data from the system.
# [https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/](https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/)
# Apple has provided settings for standby delay as well as a \"highstandbythreshold\" setting.
# From man pmset
# standbydelayhigh and standbydelaylow specify the delay, in seconds, before writing the hibernation image to disk and powering off memory for Standby. standbydelayhigh is used when the remaining battery capacity is above highstandbythreshold, and standbydelaylow is used when the remaining battery capacity is below highstandbythreshold
# Apple has also provided a setting so that the FileVault key is destroyed on hibernate.
# destroyfvkeyonstandby - Destroy File Vault Key when going to standby mode. By default File vault keys are retained even when system goes to standby. If the keys are destroyed, user will be prompted to enter the password while coming out of standby mode
# Rationale: To mitigate the risk of data loss the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate after 10 minutes or less after sleeping and the FileVault key should be destroyed. Users will be prompted to decrypt before use.
# "
# impact 1.0
# describe bash("#!/usr/bin/env sh\n\n#\n# CIS-CAT Script Check Engine\n# \n# Name Date Description\n# -------------------------------------------------------------------\n# Sara Lynn Archacki 04/02/19 Ensure system is set to hibernate\n# \n\nstandbydelaylow=$(\npmset -g | egrep standbydelaylow | awk '{print $2}'\n)\n\nstandbydelayhigh=$(\npmset -g | egrep standbydelayhigh | awk '{print $2}'\n)\n\nif [ $standbydelaylow -le 900 ] && [ $standbydelayhigh -le 900 ] ; then\n output=True\nelse\n output=False\nfi\n\n# If result returns 900 pass, otherwise fail.\nif [ \"$output\" == True ] ; then\n\techo \"$output\"\n exit 0\nelse\n # print the reason why we are failing\n echo \"$output\"\n exit 1\nfi\n\n") do
# its("exit_status") { should eq 0 }
# end
# end
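# The hibernation check above, as an added example that is not CIS-CAT's script or this gist's own code: a POSIX sh audit that parses 'pmset -g' output with the same 900-second bound for standbydelaylow/standbydelayhigh, additionally requires DestroyFVKeyOnStandby to be 1 as the rationale describes, and reports a missing key as a failure instead of tripping over an empty variable. The two pmset outputs are constructed sample data.

```shell
#!/bin/sh
# Added example (not CIS-CAT's script or the gist's own code): evaluate the
# hibernation settings described in the control from 'pmset -g' output.
# Same 900-second bound as the gist's check; also requires
# DestroyFVKeyOnStandby=1; a missing key is a failure, not a shell error.

# Constructed 'pmset -g' output for a compliant laptop (sample data, not
# captured from a real machine).
SAMPLE_COMPLIANT='Battery Power:
 lidwake              1
 standbydelaylow      600
 standbydelayhigh     900
 standby              1
 highstandbythreshold 50
 DestroyFVKeyOnStandby 1
 hibernatemode        3
 sleep                10'

# Constructed output for a non-compliant laptop: long default delays and the
# FileVault key retained in RAM during standby.
SAMPLE_NONCOMPLIANT='Battery Power:
 lidwake              1
 standbydelaylow      10800
 standbydelayhigh     86400
 standby              1
 highstandbythreshold 50
 DestroyFVKeyOnStandby 0
 hibernatemode        3
 sleep                10'

# pmset_value KEY OUTPUT: print the value of KEY from OUTPUT, matching the key
# case-insensitively as a whole token so that 'standby' does not match
# 'standbydelaylow'. Prints nothing when the key is absent.
pmset_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        tolower($1) == tolower(key) { print $2; exit }'
}

# check_hibernation OUTPUT: return 0 when both standby delays are present and
# at most 900 seconds and DestroyFVKeyOnStandby is 1; otherwise print each
# finding on its own line and return 1.
check_hibernation() {
    status=0
    for name in standbydelaylow standbydelayhigh; do
        val=$(pmset_value "$name" "$1")
        case "$val" in
            '' | *[!0-9]*)
                echo "FAIL: $name missing from pmset output"
                status=1 ;;
            *)
                if [ "$val" -gt 900 ]; then
                    echo "FAIL: $name=$val exceeds 900 seconds"
                    status=1
                fi ;;
        esac
    done
    fv=$(pmset_value destroyfvkeyonstandby "$1")
    if [ "$fv" != 1 ]; then
        echo "FAIL: DestroyFVKeyOnStandby=${fv:-missing} (expected 1)"
        status=1
    fi
    return "$status"
}

# Stand-alone run: audit the live system when pmset exists, else the samples.
if command -v pmset >/dev/null 2>&1; then
    check_hibernation "$(pmset -g)" && echo "PASS"
else
    check_hibernation "$SAMPLE_COMPLIANT" && echo "PASS (compliant sample)"
    check_hibernation "$SAMPLE_NONCOMPLIANT" || echo "non-compliant sample failed as expected"
fi
```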
# control "xccdf_org.cisecurity.benchmarks_rule_5.11_Require_an_administrator_password_to_access_system-wide_preferences" do
# title "Require an administrator password to access system-wide preferences"
# desc "
# System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer.
# Rationale: Requiring a password to unlock system-wide System Preferences mitigates the risk of a user changing configurations that affect the entire system, since an admin user must re-authenticate to make changes.
# "
# impact 1.0
# describe command('security authorizationdb read system.preferences | xpath "/plist/dict/key[text()=\'shared\']/following-sibling::*[1]"') do
# its("stdout") { should include "false" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.12_Disable_ability_to_login_to_another_users_active_and_locked_session" do
# title "Disable ability to login to another user's active and locked session"
# desc "
# macOS has a privilege that can be granted to any user that will allow that user to unlock other users' active sessions.
# Rationale: Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
# "
# impact 1.0
# describe command('security authorizationdb read system.login.screensaver | xpath "/plist/dict/array/child::*[1]"') do
# its("stdout") { should include "use-login-window-ui" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.13_Create_a_custom_message_for_the_Login_Screen" do
# title "Create a custom message for the Login Screen"
# desc "
# An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored.
# Rationale: An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by establishing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.loginwindow.plist', xpath: '/plist/dict/key[text()=\'LoginwindowText\']/following-sibling::*[1]') do
# it { should exist }
# its("xpath_value") { should match(/^.+$/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.14_Create_a_Login_window_banner" do
# title "Create a Login window banner"
# desc "
# A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner, if required.
# Rationale: An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by establishing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.loginwindow.plist', xpath: '/plist/dict/key[text()=\'LoginwindowText\']/following-sibling::*[1]/text()') do
# it { should exist }
# its("xpath_value") { should match(/^.+/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.15_Do_not_enter_a_password-related_hint" do
# title "Do not enter a password-related hint"
# desc "
# Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password.
# Rationale: Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.16_Disable_Fast_User_Switching" do
# title "Disable Fast User Switching"
# desc "
# Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access, many valid users can log in to other users' assigned computers.
# Rationale: Fast user switching allows multiple users to run applications simultaneously at the console. Information can be disclosed about processes running under a different user. Without a specific configuration to save data and log out, users can have unsaved data running in a background session that is not obvious.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.17_Secure_individual_keychains_and_items" do
# title "Secure individual keychains and items"
# desc "
# By default, the keychain for an account, especially a local account, has the same password as the account's logon password. It is possible to change the passwords on keychains to something different than the login password, and doing so would keep that keychain locked until needed after login. This is especially important when a smartcard is being used for console login. Keychains need to be protected by more than a PIN in order to be secured, and the default behavior with a smartcard will result in a PIN for the login password. Individual keychain entries can have special ACLs to increase security as well.
# Rationale: Each keychain entry can have different access controls. It's possible to set the keychain item to require a keychain password every time an item is accessed, even if the keychain is unlocked. This level of security could be useful for bank passwords or other passwords that need extra security.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.18_Create_specialized_keychains_for_different_purposes" do
# title "Create specialized keychains for different purposes"
# desc "
# The keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Users can create more than one keychain to protect various passwords separately.
# Rationale: If the user can logically split password and other entries into different keychains with different passwords, a compromise of one password will have limited effect.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_5.19_System_Integrity_Protection_status" do
# title "System Integrity Protection status"
# desc "
# System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID.
# The full list of applications and top level directories protected by SIP is listed in the rootless.conf file:
# cat /System/Library/Sandbox/rootless.conf
# More information available here:
# [https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/)
# Rationale: Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP.
# "
# impact 1.0
# describe command('system_profiler SPSoftwareDataType -xml | xpath "/plist/array/dict/array/dict/key[.=\'system_integrity\']/following-sibling::*[1]"') do
# its("exit_status") { should cmp 0 }
# its("stdout") { should match(/<string>integrity_enabled<\/string>/) }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.1.1_Display_login_window_as_name_and_password" do
# title "Display login window as name and password"
# desc "
# The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system.
# Rationale: Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.loginwindow.plist', xpath: '/plist/dict/key[text()=\'SHOWFULLNAME\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.1.2_Disable_Show_password_hints" do
# title "Disable \"Show password hints\""
# desc "
# Password hints are user created text displayed when an incorrect password is used for an account.
# Rationale: Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.loginwindow.plist', xpath: '/plist/dict/key[text()=\'RetriesUntilHint\']/following-sibling::*[1]') do
# it { should exist }
# its("xpath_value") { should cmp 0 }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.1.3_Disable_guest_account_login" do
# title "Disable guest account login"
# desc "
# The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely log in to the system, and all created files, caches, and passwords are deleted upon logging out.
# Rationale: Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.loginwindow.plist', xpath: '/plist/dict/key[text()=\'GuestEnabled\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "false" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.1.4_Disable_Allow_guests_to_connect_to_shared_folders" do
# title "Disable \"Allow guests to connect to shared folders\""
# desc "
# Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.
# Rationale: Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.
# "
# impact 1.0
# describe plist('/Library/Preferences/com.apple.AppleFileServer.plist', xpath: '/plist/dict/key[text()=\'guestAccess\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "false" }
# end
# describe plist('/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist', xpath: '/plist/dict/key[text()=\'AllowGuestAccess\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "false" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.1.5_Remove_Guest_home_folder" do
# title "Remove Guest home folder"
# desc "
# In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive the home folder, leave it in place or delete it. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folder's continued existence, it is best removed.
# Rationale: The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately.
# "
# impact 1.0
# describe file("/Users/Guest") do
# it { should_not exist }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.2_Turn_on_filename_extensions" do
# title "Turn on filename extensions"
# desc "
# A filename extension is a suffix added to a base filename that indicates the base filename's file format.
# Rationale: Visible filename extensions allow the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files.
# "
# impact 1.0
# describe plist('$HOME/Library/Preferences/.GlobalPreferences.plist', xpath: '/plist/dict/key[text()=\'AppleShowAllExtensions\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "true" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_6.3_Disable_the_automatic_run_of_safe_files_in_Safari" do
# title "Disable the automatic run of safe files in Safari"
# desc "
# Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari determines whether a file is safe using a list of file types maintained by Apple. The list includes text, image, video and archive formats that would be run in the context of the OS rather than the browser.
# Rationale: Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input.
# "
# impact 1.0
# describe plist('$HOME/Library/Preferences/com.apple.Safari.plist', xpath: '/plist/dict/key[text()=\'AutoOpenSafeDownloads\']/following-sibling::*[1]/name()') do
# it { should exist }
# its("xpath_value") { should cmp "false" }
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.1_Wireless_technology_on_macOS" do
# title "Wireless technology on macOS"
# desc "
# Some organizations have comprehensive rules that cover the use of wireless technologies in order to implement operational security. There are specific policies governing the use of both Bluetooth and Wi-Fi (802.11) that often include disabling the wireless capability in either software or hardware or both.
# Wireless access is part of the feature set required for mobile computers and is considered essential for most users. The general use case for macOS is to use wireless connectivity; Apple provides a wireless network card and Bluetooth capability in almost every product it makes. Bluetooth keyboards are now the default selection where a keyboard is not already integrated into the device.
# There are instructions on how to remove parts of the operating system in order to remediate wireless connectivity, but they are not recommended within the scope of this Benchmark.
# [https://apple.stackexchange.com/questions/99686/how-to-easily-and-completely-disable-enable-wlan-so-it-cannot-be-turned-on-agai](https://apple.stackexchange.com/questions/99686/how-to-easily-and-completely-disable-enable-wlan-so-it-cannot-be-turned-on-agai)
# [https://apple.stackexchange.com/questions/123326/disable-bluetooth-permanently](https://apple.stackexchange.com/questions/123326/disable-bluetooth-permanently)
# * macOS computers will not allow this if System Integrity Protection is enabled.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.2_iSight_Camera_Privacy_and_Confidentiality_Concerns" do
# title "iSight Camera Privacy and Confidentiality Concerns"
# desc "
# If the computer is present in an area where there are privacy concerns or sensitive images or actions are taking place the camera should be covered at those times. A permanent cover or alteration may be required when the computer is always located in a confidential area.
# Malware is continuously discovered that circumvents the privacy controls of the built-in camera. No computer has perfect security and it seems likely that even if all the drivers are disabled or removed that working drivers can be re-introduced by a determined attacker.
# At this point video chatting and other uses of the built-in camera are standard uses for a computer. It is contrary to a standard use case to permanently remove the camera. In cases where the camera is not allowed to be used at all, or when the computer is located in private areas, additional precautions are warranted. The general rule should be that if the camera can capture images that could cause embarrassment or an adverse impact, the camera should be covered until it is appropriate to use.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.3_Computer_Name_Considerations" do
# title "Computer Name Considerations"
# desc "
# If the computer is used in an organization that assigns host names, it is a good idea to change the computer name to the host name. This is more of a best practice than a security measure. If the host name and the computer name are the same, computer support may be able to track problems down more easily.
# With mobile devices using DHCP, IP tracking has serious drawbacks; hostname or computer name tracking makes much more sense for those organizations that can implement it. If the computer is using different names for the \"Computer Name\", DNS and Directory environments, it can be difficult to manage Macs in an Enterprise asset inventory.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.4_Software_Inventory_Considerations" do
# title "Software Inventory Considerations"
# desc "
# With the introduction of Mac OS X 10.6.6, Apple added a new application, App Store, which resides in the Applications directory. This application allows a user with admin privileges and an Apple ID to browse Apple's online App Store, purchase (including no cost purchases), and install new applications, bypassing Enterprise software inventory controls. Any admin user can install software in the /Applications directory whether from internet downloads, thumb drives, optical media, cloud storage or even binaries through email. Even standard users can run executables if permitted. The source of the software is not nearly as important as a consistent audit of all installed software for patch compliance and appropriateness.
# A single user desktop where the user, administrator and the person approving software are all the same person probably does not need to audit software inventory to this extent. It is helpful in the case of stability problems or malware however.
# Scan systems on a monthly basis and determine the number of unauthorized pieces of software that are installed. Verify that if an unauthorized piece of software is found one month, it is removed from the system the next.
# Export System Information through the built-in System Information Application or other third party tools on an organizationally defined timetable.
# System Information is available through the GUI and the command line:
# Apple icon menu > About this Mac > System Report > File > Save, or Applications > Utilities > System Information
# In the CLI: system_profiler (see man system_profiler)
# [https://support.apple.com/en-us/HT203001](https://support.apple.com/en-us/HT203001)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.5_Firewall_Consideration" do
# title "Firewall Consideration"
# desc "
# In addition to the Application Layer Firewall (alf) mentioned in the benchmark, macOS also ships with a packet filter, pf. Leveraging pf is beyond the scope of this Benchmark. For more information, please see:
# [https://blog.neilsabol.site/post/quickly-easily-adding-pf-packet-filter-firewall-rules-macos-osx/](https://blog.neilsabol.site/post/quickly-easily-adding-pf-packet-filter-firewall-rules-macos-osx/)
# [http://marckerr.com/a-simple-guild-to-the-mac-pf-firewall/](http://marckerr.com/a-simple-guild-to-the-mac-pf-firewall/)
# [https://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/](https://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.6_Automatic_Actions_for_Optical_Media" do
# title "Automatic Actions for Optical Media"
# desc "
# Managing automatic actions, while useful in very few situations, is unlikely to increase security on the computer, and it complicates the user's experience and adds complexity to the configuration. These settings are user controlled and can be changed without Administrator privileges unless controlled through MCX settings or Parental Controls. Unlike Windows Auto-run, the optical media is accessed through operating system applications, and those same applications can open and access the media directly. If optical media is not allowed in the environment, the optical media drive should be disabled in hardware and software.
# [https://support.apple.com/guide/mac-help/choose-actions-for-blank-discs-on-mac-mchlp2712/mac](https://support.apple.com/guide/mac-help/choose-actions-for-blank-discs-on-mac-mchlp2712/mac)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.7_App_Store_Automatically_download_apps_purchased_on_other_Macs_Considerations" do
# title "App Store Automatically download apps purchased on other Macs Considerations"
# desc "
# With 10.9 Apple expanded the capability of the App Store to automatically download macOS applications that were purchased in the App Store on another Mac. This feature can be very desirable for personal Macs or in a small business setting so that all purchased software through Apple's App Store is provisioned on all macOS Computers, just like iOS. This feature may not be desirable in Enterprise environments where the expectations of handling software licenses, tracking software inventory and personal software are different.
# Please evaluate your organization's expectations about the use of personal software and software license tracking to align with this setting.
# For those organizations that are using Enterprise Apple IDs for their employees the reverse is true. If the user has the username and password for their Apple ID and software is being purchased on that account the user could download the software on other computers they have access to.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.8_Extensible_Firmware_Interface_EFI_password" do
# title "Extensible Firmware Interface (EFI) password"
# desc "
# EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from; it also determines whether the user can enter single-user mode. The main reasons to set a firmware password have been protection against an alternative boot disk, protection against a passwordless root shell through single user mode and protection against FireWire DMA attacks. In the past it was not difficult to reset the firmware password by removing RAM, but it did make tampering slightly harder, and having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.
# Apple patched OS X in 10.7 to mitigate the DMA attacks and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses Single User Mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.
# Starting in Late 2010 with the MacBook Air Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.
# Setting the firmware password may be good practice in some environments. We cannot recommend it as a standard security practice at this time.
# [http://support.apple.com/kb/ts3554](http://support.apple.com/kb/ts3554)
# [https://docs.jamf.com/10.1.0/jamf-pro/administrator-guide/Administering_Open_Firmware_EFI_Passwords.html](https://docs.jamf.com/10.1.0/jamf-pro/administrator-guide/Administering_Open_Firmware_EFI_Passwords.html)
# [http://derflounder.wordpress.com/2012/02/05/protecting-yourself-against-firewire-dma-attacks-on-10-7-x/](http://derflounder.wordpress.com/2012/02/05/protecting-yourself-against-firewire-dma-attacks-on-10-7-x/)
# [http://derflounder.wordpress.com/2013/04/26/booting-into-single-user-mode-on-a-filevault-2-encrypted-mac/](http://derflounder.wordpress.com/2013/04/26/booting-into-single-user-mode-on-a-filevault-2-encrypted-mac/)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.9_FileVault_and_Local_Account_Password_Reset_using_AppleID" do
# title "FileVault and Local Account Password Reset using AppleID"
# desc "
# Apple has provided services for several years that allowed a user to reset a local account password on a computer using their Apple ID and a service to store the FileVault Master Password with Apple that would be controlled by access to an Apple ID. These distinct services have been more cleanly integrated starting in 10.12.
# This integrated service for password and decryption is a concern in Enterprise environments. Normal Enterprise management controls mitigate the risk of external control of organizational systems. The user of the system already has the ability to unlock the disk in order to login and use it and some form of password recovery function is likely already in place for any approved accounts. In addition:
# * You cannot reset anything but a local account
# * You need physical access to the computer on a network that can phone home to Apple
# * Enterprise FileVault management precludes the use of Apple's personal encryption recovery tied to a User's Apple ID
# * The current login keychain will have to be discarded unless the user remembers the old password
# This service allows for organizational computer users to utilize AppleIDs for encryption key escrow and user account management. The use of Apple's services rather than Enterprise services may be considered inappropriate.
# [https://support.apple.com/en-us/HT204837](https://support.apple.com/en-us/HT204837)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.10_Repairing_permissions_is_no_longer_needed" do
# title "Repairing permissions is no longer needed"
# desc "
# With the introduction of System Integrity Protection (SIP) Apple has removed the necessity of repairing permissions. In earlier versions of the Operating System, repair permissions checked the receipt files of installed software and ensured that the existing permissions in the file system matched what the receipts said they should be. System Integrity Protection manages and blocks permission to certain directories continuously.
# [http://www.macissues.com/2015/10/02/about-os-x-10-11-el-capitan-and-permissions-fixes/](http://www.macissues.com/2015/10/02/about-os-x-10-11-el-capitan-and-permissions-fixes/)
# [https://en.wikipedia.org/wiki/System_Integrity_Protection](https://en.wikipedia.org/wiki/System_Integrity_Protection)
# [http://www.infoworld.com/article/2988096/mac-os-x/sorry-unix-fans-os-x-el-capitan-kills-root.html](http://www.infoworld.com/article/2988096/mac-os-x/sorry-unix-fans-os-x-el-capitan-kills-root.html)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.11_App_Store_Password_Settings" do
# title "App Store Password Settings"
# desc "
# With OS X 10.11 Apple added settings for password storage for the App Store in macOS. These settings parallel the settings in iOS. As with iOS the choices are a requirement to provide a password after every purchase or to have a 15 minute grace period, and whether to require a password for free purchases. The response to this setting is stored in a cookie and processed by iCloud.
# There is plenty of risk information on the wisdom of this setting for parents with children buying games on iPhones and iPads. The most relevant information here is the likelihood that users who are not authorized to download software may have physical access to an unlocked computer where someone who is authorized recently made a purchase. If that is a concern, a password should be required at all times for App Store access in the Password Settings controls.
# In macOS 10.15 purchase controls have been moved to:
# * System Preferences
# * Apple ID
# * Media Purchases
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.12_Siri_on_macOS" do
# title "Siri on macOS"
# desc "
# With macOS 10.12 Sierra Apple has introduced Siri from iOS to macOS. While there are data spillage concerns with the use of data-gathering personal assistant software, the risk in sending queries to Apple through Siri does not seem greater than in sending search terms in a browser to Google or Microsoft. While it is possible that Siri will be used for local actions rather than Internet searches, which could, in theory, tell Apple about confidential Programs and Projects that should not be revealed, this appears to be an edge use case.
# In cases where sensitive and protected data is processed and Siri could help a user navigate their machine and expose that information, it should be disabled. Siri needs to phone home to Apple as part of its requirements, so it should not be available from air-gapped networks.
# Most of the use case data published has shown that Siri is a tremendous time saver on iOS where multiple screens and menus need to be navigated through. Information like sports scores, weather, movie times and simple to-do items on existing calendars can be easily found with Siri. None of the standard use cases should be riskier than already approved activity. Where \"normal\" user activity is already limited Siri use should be controlled as well.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.13_Apple_Watch_features_with_macOS" do
# title "Apple Watch features with macOS"
# desc "
# With the release of macOS 10.12 Apple introduced a feature where the owner of an Apple Watch can lock and unlock their screen simply by being within range of a 10.12 computer when both devices are using the same Apple ID with iCloud active. The benefit of not leaving the computer unlocked while the user is out of sight, and of readying the computer to resume work when the user returns without having to type in a password or insert a smartcard, does seem attractive to people who have the Apple Watch. It is a continuation of other features like Handoff and Continuity for the multiple-Apple-product users who have grown to expect their devices to work together.
# For the screen unlock capability in particular, it may not be attractive to organizations that are managing Apple devices and credentials. The capability allows a user to unlock a computer tied to an Enterprise account with a personal token that is not managed or controlled by the Enterprise. If the user loses their watch, revoking the credential that can unlock the screen might be problematic.
# Unless Enterprise control of the watch as a token tied to a user identity can be achieved, Apple Watches should not be used for screen unlocks. The risk of an auto-lock based on the user being out of proximity may still be acceptable if it is possible to configure lock only.
# This functionality does require the computer to be logged in to iCloud. If iCloud is disabled, the Apple Watch lock and unlock will not be possible.
# A profile may be used to control unlock functionality.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.14_Touch_ID" do
# title "Touch ID"
# desc "
# Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password, and the password must be entered after every reboot or when it has been more than 48 hours since the device was last unlocked.
# Touch ID is integrated with Apple Pay, Safari AutoFill and all Apple store payment options.
# Touch ID may be managed by profiles to exclude unacceptable activities depending on the environment. There should be few organizations that cannot utilize some of the Touch ID functionality.
# [https://support.apple.com/en-us/HT204587](https://support.apple.com/en-us/HT204587)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.15_System_information_backup_to_remote_computers" do
# title "System information backup to remote computers"
# desc "
# It is best practice to ensure that local computers are not a single point of failure for logging and auditing records about activity on the computer itself. Whether for end user activity or system process information, a mechanism should be in place to transfer the logs to another system that is hardened to receive them. A hardened log host reduces the risk of failure or compromise, particularly with user end points. From an enterprise management standpoint those records should be reviewed to ensure that there is not a common exploitable vulnerability, system bug or even hardware issue that can affect other devices in the environment.
# With changes in Apple's logging methods in the last few years, third party tools appear to be preferred to ensure logs and records are obtained appropriately. Aggressive retention likely requires more space than is available on built-in SSDs, even if offline Time Machine backups are large and pristine.
# Please ensure that solutions to capture and retain log and audit records are in place.
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.16_Unified_logging" do
# title "Unified logging"
# desc "
# Starting with macOS 10.12 Apple introduced unified logging. This capability replaces the previous logging methodology with centralized system wide common controls. A full explanation of macOS logging behavior is beyond the scope of this Benchmark. These changes impact previous logging controls from macOS Benchmarks. At this point many of the syslog controls have been or are being removed since the old logging methods have been deprecated. Controls that still appear useful will be retained. Some legacy controls have been removed for this release.
# More info
# [https://developer.apple.com/documentation/os/logging](https://developer.apple.com/documentation/os/logging)
# [https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/](https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
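Controls 7.15 and 7.16 above say that audit records should leave the endpoint for a hardened log host and that unified logging replaced the old syslog files, but the profile carries no test for either. The script below is an added example, not part of this profile or of the CIS Benchmark: it parses records in the shape `log show --style ndjson` prints, keeps the Error and Fault entries, rewrites them as RFC 5424 syslog lines and sends them to a TLS collector with RFC 6587 octet-counting framing. The sample records are constructed, the JSON field names are the ones `log` prints on 10.15 as I recall them, and the collector host, port and CA bundle path are placeholders.

```ruby
# Added example (not from the CIS profile above): ship unified-log records
# (7.16) to a hardened log host (7.15) as RFC 5424 syslog over TLS.
# Real input: `log show --style ndjson --last 1h` or `log stream --style ndjson`.
require 'json'
require 'time'
require 'socket'
require 'openssl'

# messageType -> RFC 5424 severity (lower is more severe). Unknown types are
# treated as Informational so a new type never gets dropped silently.
SEVERITY = { 'Fault' => 2, 'Error' => 3, 'Default' => 5, 'Info' => 6, 'Debug' => 7 }.freeze
FACILITY = 4 # security/authorization messages (RFC 5424, Table 1)

# Constructed sample: three records in the shape `log show --style ndjson`
# emits (field names as I recall them on 10.15; the messages are made up).
SAMPLE_NDJSON = <<~'NDJSON'
  {"eventType":"logEvent","timestamp":"2020-07-10 10:00:01.000000+0000","messageType":"Error","subsystem":"com.apple.opendirectoryd","category":"auth","processImagePath":"/usr/libexec/opendirectoryd","processID":101,"eventMessage":"Authentication failed for user alice"}
  {"eventType":"logEvent","timestamp":"2020-07-10 10:00:02.500000+0000","messageType":"Default","subsystem":"com.apple.loginwindow","category":"unlock","processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","processID":142,"eventMessage":"Screen unlocked by alice"}
  {"eventType":"logEvent","timestamp":"2020-07-10 10:00:03.000000+0000","messageType":"Fault","subsystem":"com.apple.securityd","category":"keychain","processImagePath":"/usr/sbin/securityd","processID":88,"eventMessage":"Keychain unlock failed: invalid credentials"}
NDJSON

# One JSON object per line; blank lines (trailing newline) are skipped.
def parse_records(ndjson)
  ndjson.each_line.reject { |l| l.strip.empty? }.map { |l| JSON.parse(l) }
end

# One RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# The subsystem goes into MSGID so the collector can route on it without
# parsing the free-text message.
def to_syslog(rec, hostname: 'mac-endpoint')
  sev   = SEVERITY.fetch(rec['messageType'], 6)
  pri   = FACILITY * 8 + sev
  ts    = Time.parse(rec['timestamp']).utc.iso8601(6)
  app   = File.basename(rec['processImagePath'].to_s)
  app   = '-' if app.empty?
  msgid = rec['subsystem'].to_s.empty? ? '-' : rec['subsystem']
  "<#{pri}>1 #{ts} #{hostname} #{app} #{rec['processID'] || '-'} #{msgid} - #{rec['eventMessage']}"
end

# Keep only records at or above a severity so the shipped volume stays
# manageable; Error and Fault by default (max_severity 3).
def forward_lines(ndjson, max_severity: 3, hostname: 'mac-endpoint')
  parse_records(ndjson)
    .select { |r| SEVERITY.fetch(r['messageType'], 6) <= max_severity }
    .map { |r| to_syslog(r, hostname: hostname) }
end

# Send lines to a TLS syslog collector with RFC 6587 octet-counting framing.
# Peer verification is pinned to our own CA bundle; host, port and the CA
# path are placeholders for the example.
def ship(lines, host:, ca_file:, port: 6514)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ca_file = ca_file
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.hostname = host # SNI, and the name checked below
  ssl.connect
  ssl.post_connection_check(host)
  lines.each { |l| ssl.write("#{l.bytesize} #{l}") }
  ssl.close
end

if __FILE__ == $PROGRAM_NAME
  lines = forward_lines(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NDJSON)
  puts lines
  # ship(lines, host: 'loghost.example.net', ca_file: '/etc/ssl/loghost-ca.pem')
end
```

On a real Mac, feed it the output of `log show --last 1h --style ndjson`, or run it from a LaunchDaemon reading `log stream --style ndjson`. The default threshold keeps Fault and Error only; raise `max_severity` to 7 when building a detection baseline. `log show` can only reach back as far as the local store's retention, which is exactly why 7.15 wants the records off the box.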
# control "xccdf_org.cisecurity.benchmarks_rule_7.17_AirDrop_security_considerations" do
# title "AirDrop security considerations"
# desc "
# AirDrop is Apple's built-in on-demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery, which limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone, or only Contacts, to share files when they are nearby to each other.
# In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any of the open ports that are usually required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be restricted so that only people already trusted and added to Contacts can interact with you.
# Even with all of these positives some environments may wish to disable AirDrop. Organizations where Bluetooth and Wireless are not used will disable AirDrop by blocking its necessary interfaces. Organizations that have disabled USB and other pluggable storage mechanisms and have blocked all unmanaged cloud and transfer solutions for DLP may want to disable AirDrop as well.
# AirDrop should be set to Contacts Only to limit attacks.
# More info
# [https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure](https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure)
# [https://en.wikipedia.org/wiki/AirDrop](https://en.wikipedia.org/wiki/AirDrop)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
# control "xccdf_org.cisecurity.benchmarks_rule_7.18_Sidecar" do
# title "Sidecar"
# desc "
# Apple introduced a technology called Sidecar with the release of macOS 10.15 \"Catalina\" that allows the use of an Apple iPad as an additional screen. There are no known security issues with the use of Sidecar at the time of the publication of this Benchmark.
# There are security concerns with some of the underlying technology that allows this feature to work. The Apple support article below has the additional requirements that are reproduced below. So while Sidecar may not have an explicit security concern, some organizations may have requirements that block the use of the features required to allow Sidecar to work.
# [https://support.apple.com/en-afri/HT210380](https://support.apple.com/en-afri/HT210380)
# Additional requirements
# * Both devices must be signed in to iCloud with the same Apple ID using two-factor authentication.
# * To use Sidecar wirelessly, both devices must be within 10 meters (30 feet) of each other and have Bluetooth, Wi-Fi, and Handoff turned on. Also make sure that the iPad is not sharing its cellular connection and the Mac is not sharing its Internet connection.
# * To use Sidecar over USB, make sure that your iPad is set to trust your Mac.
# Organizations that do not allow the use of iCloud, and more specifically Handoff, will not be able to use Sidecar.
# Some organizations may not allow mixed ownership for P2P wireless or USB connections, so unless the organization controls both the Mac and the iPad the connections may not be approved, and the use of a single Apple ID for distinctly managed devices may be prohibited.
# **Additional Info**
# [https://www.apple.com/macos/catalina/docs/Sidecar_Tech_Brief_Oct_2019.pdf](https://www.apple.com/macos/catalina/docs/Sidecar_Tech_Brief_Oct_2019.pdf)
# [https://www.pocket-lint.com/laptops/news/apple/148262-apple-sidecar-macos-ipados-features-explained](https://www.pocket-lint.com/laptops/news/apple/148262-apple-sidecar-macos-ipados-features-explained)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end
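Several of the controls above (7.12 Siri, 7.13 Apple Watch unlock, 7.14 Touch ID, 7.17 AirDrop and 7.18 Handoff, which Sidecar needs) note that a configuration profile can switch the feature off, yet none of them defines a test. The script below is an added example, not part of this profile or of the CIS Benchmark: it reads a .mobileconfig, flattens its payloads and reports every one of those keys that is missing or set to the permissive value, which is the mistake a pre-deployment review usually catches. The payload types and key names are as I understand Apple's Restrictions payload and the domains MDM products push for Siri and AirDrop; confirm them against Apple's current MDM reference before relying on this. The sample profile is constructed.

```ruby
# Added example (not from the CIS profile above): audit a .mobileconfig
# against the section 7 considerations that say "a profile may be used".
# Payload types and key names are assumptions to verify against Apple's MDM
# reference; the sample profile and its identifiers are constructed.
require 'rexml/document'

# Keys to check, grouped by PayloadType. The value is the setting that
# disables the feature ("false" for allow* keys, "true" for Disable* keys).
EXPECTED = {
  'com.apple.applicationaccess' => {
    'allowAutoUnlock'           => false, # 7.13 unlock with Apple Watch
    'allowFingerprintForUnlock' => false, # 7.14 Touch ID for login/unlock
    'allowActivityContinuation' => false  # 7.18 Handoff, required by Sidecar
  },
  'com.apple.ironwood.support' => {
    'Ironwood Allowed'          => false  # 7.12 Siri
  },
  'com.apple.NetworkBrowser' => {
    'DisableAirDrop'            => true   # 7.17 AirDrop
  }
}.freeze

# Constructed sample: Watch unlock, Handoff and AirDrop are locked down,
# Touch ID unlock is still allowed, and there is no Siri payload at all.
SAMPLE_PROFILE = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadType</key><string>com.apple.applicationaccess</string>
        <key>PayloadIdentifier</key><string>example.restrictions</string>
        <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
        <key>PayloadVersion</key><integer>1</integer>
        <key>allowAutoUnlock</key><false/>
        <key>allowFingerprintForUnlock</key><true/>
        <key>allowActivityContinuation</key><false/>
      </dict>
      <dict>
        <key>PayloadType</key><string>com.apple.NetworkBrowser</string>
        <key>PayloadIdentifier</key><string>example.airdrop</string>
        <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
        <key>PayloadVersion</key><integer>1</integer>
        <key>DisableAirDrop</key><true/>
      </dict>
    </array>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadIdentifier</key><string>example.section7</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>PayloadVersion</key><integer>1</integer>
  </dict>
  </plist>
XML

# Convert a plist element into Ruby objects. Only the node types a
# Restrictions profile uses are handled; anything else raises rather than
# being skipped, so a key we cannot read is never reported as compliant.
def plist_value(el)
  case el.name
  when 'dict'
    el.elements.to_a.each_slice(2).to_h { |k, v| [k.text.strip, plist_value(v)] }
  when 'array'   then el.elements.to_a.map { |e| plist_value(e) }
  when 'string'  then el.text.to_s
  when 'integer' then el.text.to_i
  when 'true'    then true
  when 'false'   then false
  else raise ArgumentError, "unsupported plist node <#{el.name}>"
  end
end

# Return { payload_type => settings } for every payload in the profile, with
# the Payload* bookkeeping keys dropped. Payloads of one type are merged in
# document order.
def payloads(mobileconfig_xml)
  doc  = REXML::Document.new(mobileconfig_xml)
  root = plist_value(doc.root.elements['dict'])
  Array(root['PayloadContent']).each_with_object({}) do |payload, acc|
    type = payload['PayloadType'] or next
    (acc[type] ||= {}).merge!(payload.reject { |k, _| k.start_with?('Payload') })
  end
end

# Compare the profile with EXPECTED. Each finding is
# [payload_type, key, expected, actual]; a key the profile never sets has
# actual nil, which matters because an unset allow* key means "allowed".
def audit(mobileconfig_xml)
  present = payloads(mobileconfig_xml)
  EXPECTED.each_with_object([]) do |(type, keys), findings|
    keys.each do |key, want|
      got = present.dig(type, key)
      findings << [type, key, want, got] unless got == want
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PROFILE
  audit(xml).each do |type, key, want, got|
    puts "FAIL #{type} #{key}: expected #{want.inspect}, profile has #{got.inspect}"
  end
end
```

Run it against the profile your MDM exports (`ruby audit_profile.rb restrictions.mobileconfig`). The nil finding is the one to watch: an allow* key that no installed profile sets leaves the feature enabled, which is exactly the state the 7.13 and 7.14 text warns about. To audit what is already installed rather than a file, `sudo profiles show -output stdout-xml` (as I recall the flag) emits a plist that the same `plist_value` helper can walk.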
# control "xccdf_org.cisecurity.benchmarks_rule_7.19_Screen_Time" do
# title "Screen Time"
# desc "
# Screen Time is Apple's technology monitoring application for the entire family and for educational markets. It replaces Parental Controls and allows an administrator to manage usage patterns and access across macOS and iOS based on Apple IDs. While this is far more useful for parents managing multi-device use across Apple platforms, it is not designed as a macOS management platform that could replace profile management on Enterprise controlled Macs.
# While there are many interesting statistics that even users might want to monitor for usage patterns, they are mainly interesting for data mining HR departments, especially residential home HR departments where the employees are under age, rather than for enterprise device security.
# [https://www.imore.com/parental-controls-mac-ultimate-guide](https://www.imore.com/parental-controls-mac-ultimate-guide)
# [https://thecybersafetylady.com.au/2019/10/new-parental-controls-for-apple-mac-p-cs-catalina/](https://thecybersafetylady.com.au/2019/10/new-parental-controls-for-apple-mac-p-cs-catalina/)
# "
# impact 0.0
# describe "No tests defined for this control" do
# skip "No tests defined for this control"
# end
# end