| ID | | Title | Description |
|---|---|---|---|
| V-259438 | | The macOS system must limit SSHD to FIPS-compliant connections. | If SSHD is enabled, then it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAccepte... |
| V-259439 | | The macOS system must limit SSH to FIPS-compliant connections. | SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatur... |
| V-259477 | | The macOS system must disable password authentication for SSH. | If remote logon through SSH is enabled, password-based authentication must be disabled for user logon. All users must go through multifactor authenti... |
| V-259499 | | The macOS system must disable Trivial File Transfer Protocol service. | If the system does not require Trivial File Transfer Protocol (TFTP), support for it is nonessential and must be disabled. The information system must be... |
| V-259509 | | The macOS system must apply gatekeeper settings to block applications from unidentified developers. | The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured cor... |
| V-259510 | | The macOS system must disable Bluetooth when no approved device is connected. | The macOS system must be configured to disable Bluetooth unless an approved device is connected. IMPORTANT: Information system security officer... |
| V-259512 | | The macOS system must enable Gatekeeper. | Gatekeeper must be enabled. Gatekeeper is a security feature that ensures applications are digitally signed by an Apple-issued certificate before the... |
| V-259515 | | The macOS system must require administrator privileges to modify systemwide settings. | The system must be configured to require an administrator password in order to modify the systemwide preferences in System Settings. Some Preference ... |
| V-259560 | | The macOS system must ensure System Integrity Protection is enabled. | System Integrity Protection (SIP) must be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software... |
| V-259561 | | The macOS system must enforce FileVault. | FileVault must be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information st... |
| V-259418 | | The macOS system must prevent Apple Watch from terminating a session lock. | Disabling Apple Watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using a... |
| V-259419 | | The macOS system must enforce screen saver password. | Users must authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the c... |
| V-259420 | | The macOS system must enforce session lock no more than five seconds after screen saver is started. | A screen saver must be enabled and the system must be configured to require a password to unlock once the screensaver has been on for a maximum of fiv... |
| V-259421 | | The macOS system must configure user session lock when a smart token is removed. | The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions tak... |
| V-259422 | | The macOS system must disable hot corners. | Hot corners must be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly vi... |
| V-259423 | | The macOS system must prevent AdminHostInfo from being available at LoginWindow. | The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, ... |
| V-259424 | | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. | The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.... |
| V-259425 | | The macOS system must enforce time synchronization. | Time synchronization must be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple... |
| V-259428 | | The macOS system must limit consecutive failed log on attempts to three. | The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reache... |
| V-259429 | | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on. | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy an... |
| V-259430 | | The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner. | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy an... |
| V-259431 | | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy an... |
| V-259432 | | The macOS system must configure audit log files to not contain access control lists. | The audit log files must not contain access control lists (ACLs). This rule ensures that audit information and audit files are configured to be reada... |
| V-259433 | | The macOS system must configure audit log folders to not contain access control lists. | The audit log folder must not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures th... |
| V-259434 | | The macOS system must disable FileVault automatic log on. | If FileVault is enabled, automatic log on must be disabled, so that both FileVault and login window authentication are required. The default behavior... |
| V-259435 | | The macOS system must configure SSHD ClientAliveInterval to 900. | If SSHD is enabled, then it must be configured with the Client Alive Interval set to 900. Sets a timeout interval in seconds after which if no data h... |
| V-259436 | | The macOS system must configure SSHD ClientAliveCountMax to 1. | If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1. This will set the number of client alive messages which may be... |
| V-259437 | | The macOS system must set Login Grace Time to 30. | If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts. Note: /etc/ssh/sshd_config will be automatic... |
| V-259440 | | The macOS system must set account lockout time to 15 minutes. | The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. Thi... |
| V-259441 | | The macOS system must enforce screen saver timeout. | The screen saver timeout must be set to 900 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no mo... |
| V-259443 | | The macOS system must disable logon to other users' active and locked sessions. | The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will al... |
| V-259444 | | The macOS system must disable root logon. | To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must r... |
| V-259445 | | The macOS system must configure SSH ServerAliveInterval option set to 900. | SSH must be configured with an Active Server Alive Maximum Count set to 900. Setting the Active Server Alive Maximum Count to 900 will log users out ... |
| V-259446 | | The macOS system must configure SSHD Channel Timeout to 900. | If SSHD is enabled, it must be configured with session Channel Timeout set to 900. This will set the time out when the session is inactive. Note: /et... |
| V-259447 | | The macOS system must configure SSHD unused connection timeout to 900. | If SSHD is enabled, it must be configured with unused connection timeout set to 900. This will set the timeout when there are no open channels within... |
| V-259448 | | The macOS system must set SSH Active Server Alive Maximum to 0. | SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window o... |
| V-259449 | | The macOS system must enforce auto logout after 86400 seconds of inactivity. | Auto logout must be configured to automatically terminate a user session and log out the user after 86400 seconds of inactivity. Note: The maximum that ma... |
| V-259450 | | The macOS system must be configured to use an authorized time server. | Approved time servers must be the only servers configured for use. This rule ensures the uniformity of time stamps for information systems with multi... |
| V-259451 | | The macOS system must enable time synchronization daemon. | The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server. Note: The time synchroniz... |
| V-259452 | | The macOS system must be configured to audit all administrative action events. | Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include "ad" events... |
| V-259453 | | The macOS system must be configured to audit all log on and log out events. | The audit system must be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains acce... |
| V-259454 | | The macOS system must enable security auditing. | Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in th... |
| V-259455 | | The macOS system must configure system to shut down upon audit failure. | The audit service must be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system act... |
| V-259456 | | The macOS system must configure audit log files to be owned by root. | Audit log files must be owned by root. The audit service must be configured to create log files with the correct ownership to prevent normal users fr... |
| V-259457 | | The macOS system must configure audit log folders to be owned by root. | Audit log folders must be owned by root. The audit service must be configured to create log folders with the correct ownership to prevent normal user... |
| V-259458 | | The macOS system must configure audit log files group to wheel. | Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to preven... |
| V-259459 | | The macOS system must configure audit log folders group to wheel. | Audit log folders must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prev... |
| V-259460 | | The macOS system must configure audit log files to mode 440 or less permissive. | The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files mus... |
| V-259461 | | The macOS system must configure audit log folders to mode 700 or less permissive. | The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folde... |
| V-259462 | | The macOS system must be configured to audit all deletions of object attributes. | The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). Enforcement actions are the methods ... |
| V-259463 | | The macOS system must be configured to audit all changes of object attributes. | The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or ... |
| V-259464 | | The macOS system must be configured to audit all failed read actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement acti... |
| V-259465 | | The macOS system must be configured to audit all failed write actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement act... |
| V-259466 | | The macOS system must be configured to audit all failed program execution on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcemen... |
| V-259468 | | The macOS system must configure audit capacity warning. | The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined v... |
| V-259469 | | The macOS system must configure audit failure notification. | The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is... |
| V-259470 | | The macOS system must configure the system to audit all authorization and authentication events. | The auditing system must be configured to flag authorization and authentication (aa) events. Authentication events contain information about the iden... |
| V-259471 | | The macOS system must set smart card certificate trust to moderate. | The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use... |
| V-259472 | | The macOS system must disable root logon for SSH. | If SSH is enabled, to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled. The macOS system ... |
| V-259473 | | The macOS system must configure audit_control group to wheel. | /etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal... |
| V-259474 | | The macOS system must configure audit_control owner to root. | /etc/security/audit_control must have the owner set to root. The audit service must be configured with the correct ownership to prevent normal users ... |
| V-259475 | | The macOS system must configure audit_control to mode 440 or less permissive. | /etc/security/audit_control must be configured so that it is readable only by the root user and group wheel. Satisfies: SRG-OS-000057-GPOS-00027,SRG-... |
| V-259476 | | The macOS system must configure audit_control to not contain access control lists. | /etc/security/audit_control must not contain Access Control Lists (ACLs). /etc/security/audit_control contains sensitive configuration data about the... |
| V-259478 | | The macOS system must disable Server Message Block sharing. | Support for Server Message Block (SMB) file sharing is nonessential and must be disabled. The information system must be configured to provide only e... |
| V-259479 | | The macOS system must disable Network File System service. | Support for Network File System (NFS) services is nonessential and, therefore, must be disabled.... |
| V-259480 | | The macOS system must disable Location Services. | The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connectio... |
| V-259481 | | The macOS system must disable Bonjour multicast. | Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.... |
| V-259482 | | The macOS system must disable Unix-to-Unix Copy Protocol service. | The system must not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between diffe... |
| V-259483 | | The macOS system must disable Internet Sharing. | If the system does not require Internet Sharing, support for it is nonessential and must be disabled. The information system must be configured to pr... |
| V-259484 | | The macOS system must disable the built-in web server. | The built-in web server is a nonessential service built into macOS and must be disabled. Note: The built-in web server service is disabled at startup... |
| V-259485 | | The macOS system must disable AirDrop. | AirDrop must be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby ... |
| V-259486 | | The macOS system must disable FaceTime.app. | The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls ha... |
| V-259487 | | The macOS system must disable the iCloud Calendar services. | The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with e... |
| V-259488 | | The macOS system must disable iCloud Reminders. | The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with ... |
| V-259489 | | The macOS system must disable iCloud Address Book. | The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with e... |
| V-259490 | | The macOS system must disable iCloud Mail. | The macOS built-in Mail.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enoug... |
| V-259491 | | The macOS system must disable iCloud Notes. | The macOS built-in Notes.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enou... |
| V-259492 | | The macOS system must disable the camera. | macOS must be configured to disable the camera.... |
| V-259493 | | The macOS system must disable Siri. | Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities.... |
| V-259494 | | The macOS system must disable sending diagnostic and usage data to Apple. | The ability to submit diagnostic data to Apple must be disabled. The information system must be configured to provide only essential capabilities. Di... |
| V-259495 | | The macOS system must disable Remote Apple Events. | If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled. The information system must... |
| V-259496 | | The macOS system must disable Apple ID setup during Setup Assistant. | The prompt for Apple ID setup during Setup Assistant must be disabled. macOS will automatically prompt new users to set up an Apple ID while they are... |
| V-259497 | | The macOS system must disable Privacy Setup services during Setup Assistant. | The prompt for Privacy Setup services during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The ... |
| V-259498 | | The macOS system must disable iCloud Storage Setup during Setup Assistant. | The prompt to set up iCloud storage services during Setup Assistant must be disabled. The default behavior of macOS is to prompt new users to set up ... |
| V-259500 | | The macOS system must disable Siri Setup during Setup Assistant. | The prompt for Siri during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Siri Assista... |
| V-259501 | | The macOS system must disable iCloud Keychain synchronization. | The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled. Apple's iCloud service does not ... |
| V-259502 | | The macOS system must disable iCloud Document synchronization. | The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nona... |
| V-259503 | | The macOS system must disable iCloud Bookmarks. | The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled. Apple's iCloud service does not provide an organizati... |
| V-259504 | | The macOS system must disable iCloud Photo Library. | The macOS built-in Photos.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with eno... |
| V-259505 | | The macOS system must disable Screen Sharing and Apple Remote Desktop. | Support for both Screen Sharing and Apple Remote Desktop (ARD) is nonessential and must be disabled. The information system must be configured to pro... |
| V-259506 | | The macOS system must disable the TouchID System Settings pane. | The System Settings pane for TouchID must be disabled. Disabling the System Settings pane prevents the users from configuring TouchID.... |
| V-259507 | | The macOS system must disable the System Settings pane for Wallet and Apple Pay. | The System Settings pane for Wallet and Apple Pay must be disabled. Disabling the System Settings pane prevents the users from configuring Wallet and... |
| V-259508 | | The macOS system must disable the system settings pane for Siri. | The System Settings pane for Siri must be hidden. Hiding the System Settings pane prevents the users from configuring Siri.... |
| V-259511 | | The macOS system must disable the guest account. | Guest access must be disabled. Turning off guest access prevents anonymous users from accessing files.... |
| V-259513 | | The macOS system must disable unattended or automatic log on to the system. | Automatic logon must be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompti... |
| V-259514 | | The macOS system must secure users' home folders. | The system must be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the... |
| V-259516 | | The macOS system must disable Airplay Receiver. | Airplay Receiver allows users to send content from another Apple device to be displayed on the screen as it is being played from another device. Supp... |
| V-259517 | | The macOS system must disable TouchID for unlocking the device. | TouchID enables the ability to unlock a macOS system with a user's fingerprint. TouchID must be disabled for "Unlocking your Mac" on all macOS device... |
| V-259518 | | The macOS system must disable Media Sharing. | Media sharing must be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's... |
| V-259519 | | The macOS system must disable Bluetooth sharing. | Bluetooth Sharing must be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, incl... |
| V-259520 | | The macOS system must disable AppleID and Internet Account modifications. | The system must disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar... |
| V-259521 | | The macOS system must disable CD/DVD Sharing. | CD/DVD Sharing must be disabled.... |
| V-259522 | | The macOS system must disable content caching service. | Content caching must be disabled. Content caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac ... |
| V-259523 | | The macOS system must disable iCloud desktop and document folder synchronization. | The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive must be disabled. Apple's iCloud ... |
| V-259524 | | The macOS system must disable iCloud Game Center. | This works only with supervised devices (MDM) and allows Apple Game Center to be disabled. The rationale is Game Center is using Apple ID and will sha... |
| V-259525 | | The macOS system must disable iCloud Private Relay. | Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled. Network administrators ... |
| V-259526 | | The macOS system must disable Find My service. | The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple'... |
| V-259527 | | The macOS system must disable password autofill. | Password Autofill must be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To prot... |
| V-259528 | | The macOS system must disable personalized advertising. | Ad tracking and targeted ads must be disabled. The information system must be configured to provide only essential capabilities. Disabling ad trackin... |
| V-259529 | | The macOS system must disable sending Siri and Dictation information to Apple. | The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled. The information system must be configured to pro... |
| V-259530 | | The macOS system must enforce on device dictation. | Dictation must be restricted to on device only to prevent potential data exfiltration. The information system must be configured to provide only esse... |
| V-259531 | | The macOS system must disable dictation. | Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.... |
| V-259532 | | The macOS system must disable Printer Sharing. | Printer Sharing must be disabled.... |
| V-259533 | | The macOS system must disable Remote Management. | Remote Management must be disabled.... |
| V-259534 | | The macOS system must disable the Bluetooth system settings pane. | The Bluetooth System Settings pane must be disabled to prevent access to the Bluetooth configuration.... |
| V-259535 | | The macOS system must disable the iCloud Freeform services. | The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with e... |
| V-259536 | | The macOS system must issue or obtain public key certificates from an approved service provider. | The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors ar... |
| V-259537 | | The macOS system must require passwords contain a minimum of one numeric character. | The macOS must be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by ... |
| V-259538 | | The macOS system must restrict maximum password lifetime to 60 days. | The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change thei... |
| V-259540 | | The macOS system must require a minimum password length of 14 characters. | The macOS must be configured to require a minimum of 14 characters be used when a password is created. This rule enforces password complexity by requ... |
| V-259541 | | The macOS system must require passwords contain a minimum of one special character. | The macOS must be configured to require at least one special character be used when a password is created. Special characters are those characters th... |
| V-259542 | | The macOS system must disable password hints. | Password hints must be disabled. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.... |
| V-259543 | | The macOS system must enable firmware password. | A firmware password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by ... |
| V-259544 | | The macOS system must remove password hints from user accounts. | User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confi... |
| V-259545 | | The macOS system must enforce smart card authentication. | Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access... |
| V-259546 | | The macOS system must allow smart card authentication. | Smart card authentication must be allowed. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.... |
| V-259547 | | The macOS system must enforce multifactor authentication for logon. | The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated ... |
| V-259548 | | The macOS system must enforce multifactor authentication for the su command. | The system must be configured such that, when the su command is used, multifactor authentication is enforced. All users must go through multifactor a... |
| V-259549 | | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through mul... |
| V-259550 | | The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character. | The macOS must be configured to require at least one lowercase character and one uppercase character be used when a password is created. This rule enforce... |
| V-259551 | | The macOS system must set minimum password lifetime to 24 hours. | The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previou... |
| V-259552 | | The macOS system must disable accounts after 35 days of inactivity. | The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts t... |
| V-259553 | | The macOS system must configure Apple System Log files to be owned by root and group to wheel. | The Apple System Logs (ASL) must be owned by root. ASL logs contain sensitive data about the system and users. If ASL log files are set to only be re... |
| V-259554 | | The macOS system must configure Apple System Log files to mode 640 or less permissive. | The Apple System Logs (ASL) must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log fil... |
| V-259555 | | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. | The file /etc/sudoers must include a timestamp_timeout of 0. Without reauthentication, users may access resources or perform tasks for which they do n... |
| V-259556 | | The macOS system must configure system log files to be owned by root and group to wheel. | The system log files must be owned by root. System logs contain sensitive data about the system and users. If log files are set to only be readable a... |
| V-259557 | | The macOS system must configure system log files to mode 640 or less permissive. | The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must b... |
| V-259559 | | The macOS system must configure sudoers timestamp type. | The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty. This ... |
| V-259562 | | The macOS system must enable the application firewall. | The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Application Firewall is enabled... |
| V-259563 | | The macOS system must configure login window to prompt for username and password. | The login window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on ... |
| V-259564 | | The macOS system must disable TouchID prompt during Setup Assistant. | The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setup Assistant; this is not ... |
| V-259565 | | The macOS system must disable Screen Time prompt during Setup Assistant. | The prompt for Screen Time setup during Setup Assistant must be disabled.... |
| V-259566 | | The macOS system must disable Unlock with Apple Watch during Setup Assistant. | The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple Watches is a necessary step to ensuring that the inf... |
| V-259567 | | The macOS system must disable Handoff. | Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. ... |
| V-259568 | | The macOS system must disable proximity-based password sharing requests. | Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known dev... |
| V-259569 | | The macOS system must disable Erase Content and Settings. | Erase Content and Settings must be disabled.... |
| V-259570 | | The macOS system must enable Authenticated Root. | Authenticated Root must be enabled. |
When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected t... |
| V-259571 | | The macOS system must prohibit user installation of software into /users/. | Users must not be allowed to install software into /users/.
Allowing users who do not possess explicit privileges to install software presents the ri... |
| V-259572 | | The macOS system must authorize USB devices before allowing connection. | USB devices connected to a Mac must be authorized.
[IMPORTANT]
====
This feature is removed if a smart card is paired or smart card attribute mapping... |
| V-259573 | | The macOS system must ensure secure boot level set to full. | The Secure Boot security setting must be set to full.
Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is ... |
| V-259574 | | The macOS system must enforce enrollment in mobile device management. | Users must enroll their Mac in a Mobile Device Management (MDM) software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manag... |
| V-259575 | | The macOS system must enable recovery lock. | A recovery lock password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macO... |
| V-259576 | | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | Software Update must be configured to update XProtect Remediator and Gatekeeper automatically.
This setting enforces definition updates for XProtect ... |
| V-259467 | | The macOS system must configure audit retention to seven days. | The audit service must be configured to require records be kept for an organizational defined value before deletion, unless the system uses a central ... |
| V-259558 | | The macOS system must configure install.log retention to 365. | The install.log must be configured to require records be kept for an organizational-defined value before deletion, unless the system uses a central au... |