Merge final Catalina changes into main branch

usnistgov · Oct 6, 2020 · 27de863 · 27de863
2 parents 3a3a2fe + 1a0d0a8
commit 27de863
Show file tree

Hide file tree

Showing 286 changed files with 7,445 additions and 6,216 deletions.
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -2,11 +2,29 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
-== [0.9.0] - 2020-06-19
+== [Catalina, Revision 1] - 2020-10-06
 
-Initial Public release (PRE-RELEASE)
+* Rules
+** Added new rules
+** Better categorization
+** Added new supplementals 
 
+* Baselines
+** Added 800-171
 
+* Scripts
+** Added generate_guidance.py (consolidates older scripts)
+** Added generate_baseline.py
+** Added yaml-to-oval.py
+** Removed baseline_identify.py
+** Added debug support to generate_guidance.py
 
+* Miscellaneous
+** Additional customizations
+** Cleaned up rule language
+** Added SCAP artifacts
+** Added logo
 
+== [0.9.0] - 2020-06-19
 
+Initial Public release (PRE-RELEASE)
diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'asciidoctor'
+gem 'asciidoctor-pdf'
+gem 'rouge'
diff --git a/README.adoc b/README.adoc
@@ -1,4 +1,4 @@
-= macOS Security Compliance Project
+image::templates/images/macOSSCP_Banner_3100x500.png[]
 // settings:
 :idprefix:
 :idseparator: - 
@@ -21,7 +21,9 @@ image:https://badgen.net/badge/icon/apple?icon=apple&label, link=[https://www.ap
 image:https://badgen.net/badge/icon/10.15?icon=apple&label, link=[https://www.apple.com/macos]
 endif::[]
 
-The macOS Security Compliance Project is an link:LICENSE.md[open source] effort that can be used to create customized security baselines of technical security controls, which are mapped to various compliance frameworks such as: NIST 800-53, DISA STIG, FINRA, and HIPAA requirements. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
+The macOS Security Compliance Project is an link:LICENSE.md[open source] to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Recommended Security Controls for Federal Information Systems and Organizations_, Revision 4. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).
+
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 4). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.  
 
 To learn more about the project, please see the {uri-repo}/wiki[wiki].
 
@@ -47,6 +49,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
 |Blair Heiserman|National Institute of Standards and Technology
 |Joshua Glemza|National Aeronautics and Space Administration
 |Elyse Anderson|National Aeronautics and Space Administration
+|Gary Gapinski|National Aeronautics and Space Administration
 |Paige Ramsey|Los Alamos National Laboratory
 |===
 

diff --git a/VERSION.yaml b/VERSION.yaml
@@ -0,0 +1,2 @@
+version: "Catalina, Revision 1"
+date: "2020-10-06"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
@@ -0,0 +1,165 @@
+title: "macOS 10.15: Security Configuration - 800-171"
+description: |
+  This guide describes the actions to take when securing a macOS 10.15 system against the NIST SP 800-171.
+profile:
+  - section: "authentication"
+    rules:
+      - auth_pam_login_smartcard_enforce
+      - auth_pam_sudo_smartcard_enforce
+      - auth_ssh_smartcard_enforce
+      - auth_smartcard_enforce
+      - auth_pam_su_smartcard_enforce
+  - section: "auditing"
+    rules:
+      - audit_folder_group_configure
+      - audit_failure_halt
+      - audit_acls_folders_configure
+      - audit_flags_fm_configure
+      - audit_auditd_enabled
+      - audit_flags_ad_configure
+      - audit_flags_ex_configure
+      - audit_files_mode_configure
+      - audit_flags_aa_configure
+      - audit_files_owner_configure
+      - audit_flags_fr_configure
+      - audit_settings_failure_notify
+      - audit_folder_owner_configure
+      - audit_flags_lo_configure
+      - audit_flags_fw_configure
+      - audit_folders_mode_configure
+      - audit_files_group_configure
+      - audit_acls_files_configure
+  - section: "macos"
+    rules:
+      - os_firewall_default_deny_require
+      - os_ssh_client_alive_count_max_configure
+      - os_firmware_password_require
+      - os_gatekeeper_rearm
+      - os_root_disable
+      - os_guest_account_disable
+      - os_policy_banner_ssh_enforce
+      - os_password_proximity_disable
+      - os_mdm_require
+      - os_screensaver_loginwindow_enforce
+      - os_handoff_disable
+      - os_firewall_log_enable
+      - os_system_wide_preferences_configure
+      - os_tftpd_disable
+      - os_password_autofill_disable
+      - os_password_sharing_disable
+      - os_ssh_fips_140_ciphers
+      - os_ssh_login_grace_time_configure
+      - os_uucp_disable
+      - os_policy_banner_loginwindow_enforce
+      - os_touchid_prompt_disable
+      - os_filevault_autologin_disable
+      - os_messages_app_disable
+      - os_airdrop_disable
+      - os_parental_controls_enable
+      - os_nfsd_disable
+      - os_httpd_disable
+      - os_gatekeeper_enable
+      - os_sip_enable
+      - os_removable_media_disable
+      - os_guest_access_smb_disable
+      - os_policy_banner_ssh_configure
+      - os_time_server_enabled
+      - os_unlock_active_user_session_disable
+      - os_internet_accounts_prefpane_disable
+      - os_siri_prompt_disable
+      - os_appleid_prompt_disable
+      - os_ssh_fips_140_macs
+      - os_home_folders_secure
+      - os_facetime_app_disable
+      - os_guest_access_afp_disable
+      - os_icloud_storage_prompt_disable
+      - os_ir_support_disable
+      - os_mail_app_disable
+      - os_ssh_client_alive_interval_configure
+      - os_bonjour_disable
+      - os_calendar_app_disable
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_account_inactivity_enforce
+      - pwpolicy_history_enforce
+      - pwpolicy_account_lockout_enforce
+      - pwpolicy_simple_sequence_disable
+      - pwpolicy_lower_case_character_enforce
+      - pwpolicy_account_lockout_timeout_enforce
+      - pwpolicy_special_character_enforce
+      - pwpolicy_alpha_numeric_enforce
+      - pwpolicy_minimum_length_enforce
+      - pwpolicy_upper_case_character_enforce
+      - pwpolicy_60_day_enforce
+      - pwpolicy_minimum_lifetime_enforce
+  - section: "icloud"
+    rules:
+      - icloud_photos_disable
+      - icloud_reminders_disable
+      - icloud_sync_disable
+      - icloud_appleid_prefpane_disable
+      - icloud_keychain_disable
+      - icloud_notes_disable
+      - icloud_drive_disable
+      - icloud_bookmarks_disable
+      - icloud_mail_disable
+      - icloud_calendar_disable
+      - icloud_addressbook_disable
+  - section: "systempreferences"
+    rules:
+      - sysprefs_smbd_disable
+      - sysprefs_firewall_stealth_mode_enable
+      - sysprefs_ad_tracking_disable
+      - sysprefs_internet_sharing_disable
+      - sysprefs_rae_disable
+      - sysprefs_ssh_enable
+      - sysprefs_media_sharing_disabled
+      - sysprefs_screensaver_password_enforce
+      - sysprefs_gatekeeper_identified_developers_allowed
+      - sysprefs_gatekeeper_override_disallow
+      - sysprefs_screensaver_timeout_enforce
+      - sysprefs_firewall_enable
+      - sysprefs_find_my_disable
+      - sysprefs_afp_disable
+      - sysprefs_content_caching_disable
+      - sysprefs_location_services_disable
+      - sysprefs_time_server_configure
+      - sysprefs_diagnostics_reports_disable
+      - sysprefs_bluetooth_disable
+      - sysprefs_loginwindow_prompt_username_password_enforce
+      - sysprefs_power_nap_disable
+      - sysprefs_automatic_login_disable
+      - sysprefs_apple_watch_unlock_disable
+      - sysprefs_token_removal_enforce
+      - sysprefs_screensaver_ask_for_password_delay_enforce
+      - sysprefs_time_server_enforce
+      - sysprefs_touchid_unlock_disable
+      - sysprefs_screen_sharing_disable
+      - sysprefs_hot_corners_disable
+      - sysprefs_siri_disable
+      - sysprefs_filevault_enforce
+      - sysprefs_password_hints_disable
+      - sysprefs_bluetooth_sharing_disable
+      - sysprefs_improve_siri_dictation_disable
+      - sysprefs_enforce_auto_logout
+  - section: "Inherent"
+    rules:
+      - os_prevent_priv_functions
+      - os_logical_access
+      - os_implement_cryptography
+      - os_obscure_password
+      - os_store_encrypted_passwords
+      - os_prevent_unauthorized_disclosure
+      - pwpolicy_force_change_password_change
+  - section: "Permanent"
+    rules:
+      - pwpolicy_50_percent
+      - sysprefs_wifi_disable
+  - section: "Supplemental"
+    rules:
+      - supplemental_firewall_pf
+      - supplemental_filevault
+      - supplemental_password_policy
+      - supplemental_smartcard
+      - supplemental_controls
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		version: "Catalina, Revision 1"
		date: "2020-10-06"