Sequoia Release 1.1 (#457)
* refactor[rules] STIG IDs

Initial STIG-IDs added to rule files.

* refactor[rules] CCIs added

New CCIs added to rules

* refactor[rules] SRGs added

New SRGs added to stig rules

* refactor[rule] pwpolicy_custom_regex_enforce

Remove unneeded SRG

* refactor[rules] Added, Removed, Updated rules

- os_authenticated_root_enable, updated check
- os_directory_services_configured, removed from stig
- os_ess_installed, removed from stig
- os_firewall_log_enable, removed from 15.x
- os_genmoji_disable, added 800-53 and stig
- os_image_generation_disable, added 800-53 and sti.yaml
- os_iphone_mirroring_disable
- os_password_autofill_disable, added 800-53 and stig
- os_ssh_fips_compliant, fixed check/fix
- os_ssh_server_alive_count_max_configure, fixed fix
- os_ssh_server_alive_interval_configure, fixed fix
- os_sshd_fips_compliant, fixed fix/check
- os_sudo_log_enforce, added 800-53 and stig
- os_writing_tools_disable, added 800-53 and stig
- pwpolicy_custom_regex_enforce, updated regex
- system_settings_ssh_enable, removed from stig

* refactor[rules] Removed from STIG

Removed CCI, SRG, STIG ID, and STIG tag

* refactor[rules] Added new STIG IDs

Added STIG ID to
- os_genmoji_disable
- os_image_generation_disable
- os_sudo_log_enforce
- os_writing_tools_disable

* Added new rule file

* Add APPL-15-002023

* added APPL-15-002024

* fix[rules] removed tags for rules removed

removed tags from rules removed from cis

* added os_time_server_enable back to cis

* Update Gitignore

* Updating CIS benchmark and tags in missed rules.

* refactor[rules] ssh fips and sshd fips

Updated check and fix for ssh and sshd for FIPS

* refactor[rules] ssh and sshd fips

added check into sshd to not fix if proper

* Fixed ODV regression for CIS

* added missing path to grep

* removed [ ]

* Fix to not print, and fix multiple entries in .ssh/config

* added dev null redirection, prevention of double entries

* Fixed bin to dev and case insensitive sed

* 800-171 Rev 2 to Rev 3

* Updated media sharing key

* Updated STIG ID

* merge from sequoia

* refactor[rules] ssh fixes

Updated ssh fixes to match os_ssh_fips_compliant

* slightly simpler fix. removed unneeded loop

* slightly simpler fix. removed unneeded loop

* Adjusting CIS numbering.

* fix[rule] fixed path

Fixed path in system_settings_system_wide_preferences_configure

* fix[rule] fixed path on line 63

fixed path in system_settings_system_wide_preferences_configure

* fix[rule] added reference

Added reference to os_sudo_log_enforce

* refactor[rules] Added, Modified and deleted rules

Added os_mail_summary_disable
Added os_photos_enhanced_search_disable
Removed system_settings_cd_dvd_sharing_disable
Modified system_settings_improve_search_disable - updated title
Modified system_settings_improve_siri_dictation_disable - updated title

* renamed .yml to .yaml

* changes for upcoming cis release

* refactor - DISA STIG

references updated to sequoia for DISA STIG
baseline file created for disa stig

* added os_sleep_and_display_sleep_apple_silicon_enable to all_rules

* refactor[rules] CNSSI tags added

Added CNSSI1253 low, moderate, high tags

* refactor[baselines] Updated baseline files

Updated cnssi1253 baseline files
Updated all_rules baseline file
Updated CIS baseline files

* updated baseline files

* [fix]system_settings_sleep_enforce sleep/displaysleep swap

* updated title

* fix[rule] remove cis tags and reference

remove cis ref & tag from system_settings_improve_search_disable

issue #443

* Adding arm64 tag to os_sleep_and_display_sleep_apple_silicon_enable

* Fixing Sleep/displaysleep numbers based on CIS changes.

* Fixing os_sleep_and_display_sleep_apple_silicon_enable

* Removing DRAFT status from CIS

* [fix]rule world writable library folder

os_world_writable_library_folder_configure

issue #445

* refactor[rules] Added missing CCEs

Replaced N/A CCEs for os_mail_summary_disable and os_photos_enhanced_search_disable

* fix[rule] updated odv hint

pwpolicy_custom_regex_enforce odv hint updated

* Update system_settings_improve_assistive_voice_disable

Issue #450

* refactor[rules] pwpolicy updates

Removed 800-53 and 800-171 tags

Updated discussion to reflect NIST SP 800-63 and Executive Order M-22-09

* refactor[rules] Added external intelligence rules

Added rules to disable external intelligence features for 15.2

* Issue #450

* updated pwpolicy

* Added CCEs

* Removed double stig tag

* updated baseline files

* updated changelog

* removed rules/system_settings/system_settings_cd_dvd_sharing_disable.yaml

* updated changelog

* update[supplemental]: added 800-63 guidance
fix[supplemental]: update note about filevault unlock

* refactor[rule] pwpolicy_special_character_enforce

Updated check to allow greater than ODV.

Issue #451

* refactor[rules] ssh rules discussion update

Added mention of /usr/libexec/reset-ssh-configuration.

* updated release date and version

* Added uniq to prevent false negatives

* updated authors

* updated release date

---------

Co-authored-by: Allen Golbig <[email protected]>
Co-authored-by: mahlmanj <[email protected]>
Co-authored-by: Dan Brodjieski <[email protected]>
4 people authored Dec 16, 2024
1 parent e22bb0b commit 30d4a1a
Showing 289 changed files with 1,415 additions and 782 deletions.
40 changes: 37 additions & 3 deletions CHANGELOG.adoc
Expand Up @@ -2,7 +2,41 @@

This document provides a high-level view of the changes to the macOS Security Compliance Project.

== [Sequoia, Revision 1.0] - 2024-XX-XX
== [Sequoia, Revision 1.1] - 2024-12-16]
* Rules
** Added Rules
*** os_iphone_mirroring_disable
*** os_mail_summary_disable
*** os_photos_enhanced_search_disable
*** system_settings_external_intelligence_disable
*** system_settings_external_intelligence_sign_in_disable
** Modified Rules
*** os_sleep_and_display_sleep_apple_silicon_enable
*** os_sudo_log_enforce
*** os_world_writable_library_folder_configure
*** os_password_autofill_disable
*** pwpolicy_alpha_numeric_enforce
*** pwpolicy_custom_regex_enforce
*** pwpolicy_lower_case_character_enforce.yaml
*** pwpolicy_max_lifetime_enforce
*** pwpolicy_minimum_lifetime_enforce
*** pwpolicy_history_enforce
*** pwpolicy_account_lockout_timeout_enforce
*** pwpolicy_account_lockout_enforce
*** pwpolicy_prevent_dictionary_words
*** pwpolicy_simple_sequence_disable
*** pwpolicy_special_character_enforce
*** pwpolicy_upper_case_character_enforce.yaml
*** system_settings_improve_assistive_voice_disable
** Removed Rules
*** system_settings_cd_dvd_sharing_disable
** Bug Fixes
* Baselines
** Added DISA STIG v1r1
** Added CIS Level (Draft -> Final)
** Updated CNSSI-1253

== [Sequoia, Revision 1.0] - 2024-09-12

* Rules
** Added Rules
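Review bot: the new heading `== [Sequoia, Revision 1.1] - 2024-12-16]` carries a stray trailing `]` that the Revision 1.0 heading just below it does not have; drop it. In the same hunk, `pwpolicy_lower_case_character_enforce.yaml` and `pwpolicy_upper_case_character_enforce.yaml` are the only entries listed with a file extension while every other rule is listed by name, and the `** Bug Fixes` subsection is added empty; either list the fixes the commit message records (ssh/sshd FIPS check and fix, the sleep/displaysleep swap, the world-writable library folder rule) or remove the heading.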
Expand Down Expand Up @@ -44,7 +78,7 @@ This document provides a high-level view of the changes to the macOS Security Co
**** pwpolicy_minimum_length_enforce
**** pwpolicy_simple_sequence_disable
**** pwpolicy_special_character_enforce
** Deleted Rules
** Removed Rules
*** os_firewall_log_enable
*** os_gatekeeper_rearm
*** os_safari_popups_disabled
Expand All @@ -59,4 +93,4 @@ This document provides a high-level view of the changes to the macOS Security Co
** generate_baseline
** generate_mappings
** generate_scap
*** Added support for severity
*** Added support for severity
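Review bot: both sides of this hunk read `*** Added support for severity`, so the change is whitespace only (most likely the newline at end of file); if that was not intended, revert it so the diff stays limited to content changes.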
1 change: 1 addition & 0 deletions README.adoc
Expand Up @@ -53,6 +53,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
|Dan Brodjieski|NASA
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Zentral Pro Services GmbH
|Marco A Piñeryo II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST
4 changes: 2 additions & 2 deletions VERSION.yaml
@@ -1,5 +1,5 @@
os: "15.0"
platform: macOS
version: "Sequoia Guidance, Revision 1.0"
version: "Sequoia Guidance, Revision 1.1"
cpe: o:apple:macos:15.0
date: "2024-09-12"
date: "2024-12-16"
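Review bot: `version` and `date` are bumped here, but `os` stays `"15.0"` and `cpe` stays `o:apple:macos:15.0`, while the commit message says this release adds rules for external intelligence features introduced in 15.2; confirm that leaving `os`/`cpe` at 15.0 is deliberate and that nothing consuming VERSION.yaml uses those fields to decide which rules apply.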
15 changes: 7 additions & 8 deletions baselines/800-171.yaml
@@ -1,6 +1,6 @@
title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 2"
title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 2 security baseline.
This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline.
Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
authors: |
Expand Down Expand Up @@ -79,14 +79,16 @@ profile:
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_summary_disable
- os_mdm_require
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
Expand Down Expand Up @@ -121,14 +123,9 @@ profile:
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- section: "systemsettings"
rules:
- system_settings_apple_watch_unlock_disable
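Review bot: this hunk drops five password-policy rules from the 800-171 baseline (`-121,14 +123,9`), in line with the commit message's "Removed 800-53 and 800-171 tags" and its reference to NIST SP 800-63 and M-22-09, but the CHANGELOG's `* Baselines` section in this same commit records only the DISA STIG, CIS and CNSSI-1253 changes; add an entry noting which pwpolicy rules were removed from the 800-171 and 800-53 baselines and why, since anyone diffing Revision 1.0 against 1.1 will otherwise see complexity rules vanish without explanation.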
Expand All @@ -138,6 +135,8 @@ profile:
- system_settings_bluetooth_sharing_disable
- system_settings_content_caching_disable
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable
12 changes: 5 additions & 7 deletions baselines/800-53r5_high.yaml
Expand Up @@ -86,16 +86,18 @@ profile:
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_summary_disable
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
Expand Down Expand Up @@ -133,14 +135,9 @@ profile:
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- section: "systemsettings"
rules:
Expand All @@ -151,10 +148,11 @@ profile:
- system_settings_bluetooth_disable
- system_settings_bluetooth_settings_disable
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable
12 changes: 5 additions & 7 deletions baselines/800-53r5_low.yaml
Expand Up @@ -77,13 +77,15 @@ profile:
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_mail_summary_disable
- os_mdm_require
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
Expand All @@ -107,25 +109,21 @@ profile:
rules:
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
- system_settings_automatic_login_disable
- system_settings_bluetooth_disable
- system_settings_bluetooth_settings_disable
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_find_my_disable
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
12 changes: 5 additions & 7 deletions baselines/800-53r5_moderate.yaml
Expand Up @@ -84,16 +84,18 @@ profile:
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_generation_disable
- os_iphone_mirroring_disable
- os_ir_support_disable
- os_loginwindow_adminhostinfo_undefined
- os_mail_summary_disable
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
Expand Down Expand Up @@ -130,14 +132,9 @@ profile:
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_history_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_simple_sequence_disable
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- section: "systemsettings"
rules:
Expand All @@ -148,10 +145,11 @@ profile:
- system_settings_bluetooth_disable
- system_settings_bluetooth_settings_disable
- system_settings_bluetooth_sharing_disable
- system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
- system_settings_external_intelligence_disable
- system_settings_external_intelligence_sign_in_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable