| V-268438 | | The macOS system must limit SSHD to FIPS-compliant connections. | If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlg... |
| V-268439 | | The macOS system must limit SSH to FIPS-compliant connections. | SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatur... |
| V-268477 | | The macOS system must disable password authentication for SSH. | If remote login through SSH is enabled, password-based authentication must be disabled for user login.
All users must go through multifactor authenti... |
| V-268499 | | The macOS system must disable Trivial File Transfer Protocol (TFTP) service. | If the system does not require TFTP support, it is nonessential and must be disabled.
The information system must be configured to provide only essen... |
| V-268508 | | The macOS system must apply gatekeeper settings to block applications from unidentified developers. | The information system implements cryptographic mechanisms to authenticate software prior to installation.
Gatekeeper settings must be configured cor... |
| V-268509 | | The macOS system must disable Bluetooth when no approved device is connected. | The macOS system must be configured to disable Bluetooth unless an approved device is connected.
[IMPORTANT]
====
Information system security officer... |
| V-268511 | | The macOS system must enable gatekeeper. | Gatekeeper must be enabled.
Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate befor... |
| V-268512 | | The macOS system must disable unattended or automatic login to the system. | Automatic login must be disabled.
When automatic logins are enabled, the default user account is automatically logged on at boot time without prompti... |
| V-268514 | | The macOS system must require an administrator password to modify systemwide preferences. | The system must be configured to require an administrator password to modify the systemwide preferences in System Settings.
Some Preference Panes in ... |
| V-268555 | | The macOS system must ensure System Integrity Protection is enabled. | System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized an... |
| V-268556 | | The macOS system must enforce FileVault. | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during ... |
| V-268420 | | The macOS system must prevent Apple Watch from terminating a session lock. | Apple Watches are not an approved authenticator and their use must be disabled.
Disabling Apple Watches is a necessary step to ensuring that the info... |
| V-268421 | | The macOS system must enforce screen saver password. | Users must authenticate when unlocking the screen saver.
The screen saver acts as a session lock and prevents unauthorized users from accessing the c... |
| V-268422 | | The macOS system must enforce session lock no more than five seconds after screen saver is started. | A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of fi... |
| V-268423 | | The macOS system must configure user session lock when a smart token is removed. | The screen lock must be configured to initiate automatically when the smart token is removed from the system.
Session locks are temporary actions tak... |
| V-268424 | | The macOS system must disable hot corners. | Hot corners must be disabled.
The information system conceals, via the session lock, information previously visible on the display with a publicly vi... |
| V-268425 | | The macOS system must prevent AdminHostInfo from being available at LoginWindow. | The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo, when configured, will allow the HostName... |
| V-268426 | | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. | The macOS system can be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.... |
| V-268427 | | The macOS system must enforce time synchronization. | Time synchronization must be enforced on all networked systems.
This rule ensures the uniformity of time stamps for information systems with multiple... |
| V-268428 | | The macOS system must limit consecutive failed login attempts to three. | The macOS must be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached... |
| V-268429 | | The macOS system must display a policy banner at remote login. | Remote login service must be configured to display a policy banner at login.
Displaying a standardized and approved use notification before granting ... |
| V-268431 | | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy an... |
| V-268432 | | The macOS system must configure audit log files to not contain access control lists (ACLs). | The audit log files must not contain ACLs.
This rule ensures that audit information and audit files are configured to be readable and writable only b... |
| V-268433 | | The macOS system must configure the audit log folder to not contain access control lists (ACLs). | The audit log folder must not contain ACLs.
Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is... |
| V-268434 | | The macOS system must disable FileVault automatic login. | If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required.
The default behavior o... |
| V-268435 | | The macOS system must configure SSHD ClientAliveInterval to 900. | If SSHD is enabled, it must be configured with the Client Alive Interval set to 900.
This sets a timeout interval in seconds, after which if no data ... |
| V-268436 | | The macOS system must configure SSHD ClientAliveCountMax to 1. | If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1.
This will set the number of client alive messages that may be... |
| V-268437 | | The macOS system must set login grace time to 30. | If SSHD is enabled, it must be configured to wait only 30 seconds before timing out login attempts.
NOTE: /etc/ssh/sshd_config will be automatically ... |
| V-268440 | | The macOS system must set account lockout time to 15 minutes. | The macOS system must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed login attempts is reache... |
| V-268441 | | The macOS system must enforce screen saver timeout. | The screen saver timeout must be set to 900 seconds or a shorter length of time.
This rule ensures that a full session lock is triggered within no mo... |
| V-268442 | | The macOS system must disable login to other users' active and locked sessions. | The ability to log in to another user's active or locked session must be disabled.
macOS has a privilege that can be granted to any user that will al... |
| V-268443 | | The macOS system must disable root login. | To assure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.
The macOS system must r... |
| V-268444 | | The macOS system must configure the SSH ServerAliveInterval to 900. | SSH must be configured with an Active Server Alive Maximum Count set to 900.
Setting the Active Server Alive Maximum Count to 900 will log users out ... |
| V-268445 | | The macOS system must configure SSHD channel timeout to 900. | If SSHD is enabled, it must be configured with session ChannelTimeout set to 900.
This will set the timeout when the session is inactive.
NOTE: /etc... |
| V-268446 | | The macOS system must configure SSHD unused connection timeout to 900. | If SSHD is enabled, it must be configured with unused connection timeout set to 900.
This will set the timeout when there are no open channels within... |
| V-268447 | | The macOS system must set SSH Active Server Alive Maximum to 0. | SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window o... |
| V-268448 | | The macOS system must enforce auto logout after 86400 seconds of inactivity. | Auto logout must be configured to automatically terminate a user session and log out after 86400 seconds of inactivity.
NOTE: The maximum that macOS ... |
| V-268449 | | The macOS system must be configured to use an authorized time server. | An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported.
This rule ensures the unifo... |
| V-268450 | | The macOS system must enable the time synchronization daemon. | The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server.
NOTE: The time synchroniz... |
| V-268451 | | The macOS system must configure sudo to log events. | Sudo must be configured to log privilege escalation.
Without logging privilege escalation, it is difficult to identify attempted attacks because no a... |
| V-268452 | | The macOS system must be configured to audit all administrative action events. | The auditing system must be configured to flag administrative action (ad) events.
Administrative action events include changes made to the system (e.... |
| V-268453 | | The macOS system must be configured to audit all login and logout events. | The audit system must be configured to record all attempts to log in and out of the system (lo).
Frequently, an attacker that successfully gains acce... |
| V-268454 | | The macOS system must enable security auditing. | The information system must be configured to generate audit records.
Audit records establish what types of events have occurred, when they occurred, ... |
| V-268455 | | The macOS system must be configured to shut down upon audit failure. | The audit service must be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system act... |
| V-268456 | | The macOS system must configure audit log files to be owned by root. | Audit log files must be owned by root.
The audit service must be configured to create log files with the correct ownership to prevent normal users fr... |
| V-268457 | | The macOS system must configure audit log folders to be owned by root. | Audit log folders must be owned by root.
The audit service must be configured to create log folders with the correct ownership to prevent normal user... |
| V-268458 | | The macOS system must configure the audit log files group to wheel. | Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to preven... |
| V-268459 | | The macOS system must configure the audit log folders group to wheel. | Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to preven... |
| V-268460 | | The macOS system must configure audit log files to mode 440 or less permissive. | The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files mus... |
| V-268461 | | The macOS system must configure audit log folders to mode 700 or less permissive. | The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folde... |
| V-268462 | | The macOS system must be configured to audit all deletions of object attributes. | The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods ... |
| V-268463 | | The macOS system must be configured to audit all changes of object attributes. | The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or ... |
| V-268464 | | The macOS system must be configured to audit all failed read actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.
Enforcement acti... |
| V-268465 | | The macOS system must be configured to audit all failed write actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.
Enforcement act... |
| V-268468 | | The macOS system must configure audit capacity warning. | The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization-defined v... |
| V-268469 | | The macOS system must configure audit failure notification. | The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.
It is... |
| V-268470 | | The macOS system must be configured to audit all authorization and authentication events. | The auditing system must be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the iden... |
| V-268471 | | The macOS system must set smart card certificate trust to moderate. | The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
To prevent the use... |
| V-268472 | | The macOS system must disable root login for SSH. | If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled.
The macOS system ... |
| V-268473 | | The macOS system must configure audit_control group to wheel. | /etc/security/audit_control must have the group set to wheel.
The audit service must be configured with the correct group ownership to prevent normal... |
| V-268474 | | The macOS system must configure audit_control owner to root. | /etc/security/audit_control must have the owner set to root.
The audit service must be configured with the correct ownership to prevent normal users ... |
| V-268475 | | The macOS system must configure audit_control owner to mode 440 or less permissive. | /etc/security/audit_control must be configured so that it is readable only by the root user and group wheel.
The audit service must be configured wit... |
| V-268478 | | The macOS system must disable Server Message Block (SMB) sharing. | Support for SMB file sharing is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. ... |
| V-268479 | | The macOS system must disable Network File System (NFS) service. | Support for NFS services is nonessential and, therefore, must be disabled. Enabling any service increases the attack surface for an intruder. By disab... |
| V-268480 | | The macOS system must disable Location Services. | Location Services must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Location Services hel... |
| V-268481 | | The macOS system must disable Bonjour multicast. | Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.... |
| V-268482 | | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. | The system must not have the UUCP service active.
UUCP, a set of programs that enables sending files between different Unix systems and sending comma... |
| V-268483 | | The macOS system must disable Internet Sharing. | If the system does not require Internet Sharing, support for it is nonessential and must be disabled.
The information system must be configured to pr... |
| V-268484 | | The macOS system must disable the built-in web server. | The built-in web server is a nonessential service built into macOS and must be disabled.
NOTE: The built-in web server is disabled at startup by defa... |
| V-268485 | | The macOS system must disable AirDrop. | AirDrop must be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby... |
| V-268486 | | The macOS system must disable FaceTime.app. | The macOS built-in FaceTime.app must be disabled.
The FaceTime.app establishes a connection to Apple's iCloud service even when security controls hav... |
| V-268487 | | The macOS system must disable the iCloud Calendar services. | The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with e... |
| V-268488 | | The macOS system must disable iCloud Reminders. | The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with ... |
| V-268489 | | The macOS system must disable iCloud Address Book. | The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with e... |
| V-268490 | | The macOS system must disable iCloud Mail. | The macOS built-in Mail.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enoug... |
| V-268491 | | The macOS system must disable iCloud Notes. | The macOS built-in Notes.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enou... |
| V-268492 | | The macOS system must disable the camera. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-268493 | | The macOS system must disable Siri. | Support for Siri is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Enabling any... |
| V-268494 | | The macOS system must disable sending diagnostic and usage data to Apple. | The ability to submit diagnostic data to Apple must be disabled.
The information system must be configured to provide only essential capabilities. Di... |
| V-268495 | | The macOS system must disable Remote Apple Events. | If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled.
The information system must... |
| V-268496 | | The macOS system must disable Apple ID setup during Setup Assistant. | The prompt for Apple ID setup during Setup Assistant must be disabled.
macOS will automatically prompt new users to set up an Apple ID while they are... |
| V-268497 | | The macOS system must disable Privacy Setup services during Setup Assistant. | The prompt for Privacy Setup services during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The ... |
| V-268498 | | The macOS system must disable iCloud storage setup during Setup Assistant. | The prompt to set up iCloud storage services during Setup Assistant must be disabled.
The default behavior of macOS is to prompt new users to set up ... |
| V-268500 | | The macOS system must disable Siri Setup during Setup Assistant. | The prompt for Siri during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The macOS Siri Assista... |
| V-268501 | | The macOS system must disable iCloud Keychain Sync. | The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled.
Apple's iCloud service does not ... |
| V-268502 | | The macOS system must disable iCloud Document Sync. | The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nona... |
| V-268503 | | The macOS system must disable iCloud Bookmarks. | The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled.
Apple's iCloud service does not provide an organizati... |
| V-268504 | | The macOS system must disable iCloud Photo Library. | The macOS built-in Photos.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with eno... |
| V-268505 | | The macOS system must disable Screen Sharing and Apple Remote Desktop. | Support for both Screen Sharing and Apple Remote Desktop is nonessential and must be disabled.
The information system must be configured to provide o... |
| V-268506 | | The macOS system must disable the System Settings pane for Wallet and Apple Pay. | The System Settings pane for Wallet and Apple Pay must be disabled.
Disabling the System Settings pane prevents the users from configuring Wallet and... |
| V-268507 | | The macOS system must disable the system settings pane for Siri. | The System Settings pane for Siri must be hidden.
Hiding the System Settings pane prevents users from configuring Siri. Enabling any service increase... |
| V-268510 | | The macOS system must disable the guest account. | Guest access must be disabled.
Turning off guest access prevents anonymous users from accessing files.... |
| V-268513 | | The macOS system must secure users' home folders. | The system must be configured to prevent access to other users' home folders.
The default behavior of macOS is to allow all valid users access to the... |
| V-268515 | | The macOS system must disable Airplay Receiver. | Airplay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device.
Support ... |
| V-268516 | | The macOS system must disable TouchID for unlocking the device. | TouchID enables the ability to unlock a Mac system with a user's fingerprint.
TouchID must be disabled for "Unlocking your Mac" on all macOS devices ... |
| V-268517 | | The macOS system must disable Media Sharing. | Media Sharing must be disabled.
When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's... |
| V-268518 | | The macOS system must disable Bluetooth Sharing. | Bluetooth Sharing must be disabled.
Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, incl... |
| V-268519 | | The macOS system must disable AppleID and internet Account Modification. | The system must disable Account Modification.
Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contac... |
| V-268520 | | The macOS system must disable CD/DVD Sharing. | CD/DVD Sharing must be disabled.... |
| V-268521 | | The macOS system must disable Content Caching service. | Content Caching must be disabled.
Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac ... |
| V-268522 | | The macOS system must disable iCloud Desktop and Document folder sync. | The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled.
Apple's iCloud ... |
| V-268523 | | The macOS system must disable iCloud Game Center. | This works only with supervised devices (mobile device management [MDM]) and allows to disable Apple Game Center. The rationale is that Game Center is... |
| V-268524 | | The macOS system must disable iCloud Private Relay. | Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.
Network administrators ... |
| V-268525 | | The macOS system must disable Find My service. | The Find My service must be disabled.
A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple'... |
| V-268526 | | The macOS system must disable Personalized Advertising. | Ad tracking and targeted ads must be disabled.
The information system must be configured to provide only essential capabilities. Disabling ad trackin... |
| V-268527 | | The macOS system must disable sending Siri and Dictation information to Apple. | The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled.
The information system must be configured to pro... |
| V-268528 | | The macOS system must enforce On Device Dictation. | Dictation must be restricted to On Device Only to prevent potential data exfiltration.
The information system must be configured to provide only esse... |
| V-268529 | | The macOS system must disable Dictation. | Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.... |
| V-268530 | | The macOS system must disable Printer Sharing. | Printer Sharing must be disabled.... |
| V-268531 | | The macOS system must disable Remote Management. | Remote Management must be disabled.... |
| V-268532 | | The macOS system must disable the Bluetooth System Settings pane. | The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.... |
| V-268533 | | The macOS system must disable the iCloud Freeform services. | The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled.
Enabling any service increases the attack surface for an intru... |
| V-268534 | | The macOS system must issue or obtain public key certificates from an approved service provider. | The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors ar... |
| V-268535 | | The macOS system must require that passwords contain a minimum of one numeric character. | The macOS must be configured to require at least one numeric character be used when a password is created.
This rule enforces password complexity by ... |
| V-268536 | | The macOS system must restrict maximum password lifetime to 60 days. | The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days.
This rule ensures that users are forced to change thei... |
| V-268537 | | The macOS system must require a minimum password length of 14 characters. | The macOS must be configured to require that a minimum of 14 characters be used when a password is created.
This rule enforces password complexity by... |
| V-268538 | | The macOS system must require that passwords contain a minimum of one special character. | The macOS must be configured to require that at least one special character be used when a password is created.
Special characters are characters tha... |
| V-268539 | | The macOS system must disable password hints. | Password hints must be disabled.
Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.... |
| V-268540 | | The macOS system must enable firmware password. | A firmware password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by ... |
| V-268541 | | The macOS system must remove password hints from user accounts. | User accounts must not contain password hints.
Password hints leak information about passwords in use and can lead to loss of confidentiality.... |
| V-268542 | | The macOS system must enforce smart card authentication. | Smart card authentication must be enforced.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access... |
| V-268543 | | The macOS system must allow smart card authentication. | Smart card authentication must be allowed.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.... |
| V-268544 | | The macOS system must enforce multifactor authentication for login. | The system must be configured to enforce multifactor authentication.
All users must go through multifactor authentication to prevent unauthenticated ... |
| V-268545 | | The macOS system must enforce multifactor authentication for the su command. | The system must be configured such that, when the su command is used, multifactor authentication is enforced.
All users must go through multifactor a... |
| V-268546 | | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.
All users must go through mul... |
| V-268547 | | The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character. | The macOS must be configured to require that at least one lowercase character and one uppercase character be used when a password is created.
This ru... |
| V-268548 | | The macOS system must set minimum password lifetime to 24 hours. | The macOS must be configured to enforce a minimum password lifetime limit of 24 hours.
This rule discourages users from cycling through their previou... |
| V-268549 | | The macOS system must disable accounts after 35 days of inactivity. | The macOS must be configured to disable accounts after 35 days of inactivity.
This rule prevents malicious users from employing unused accounts to ga... |
| V-268550 | | The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel. | The Apple System Logs must be owned by root.
ASLs contain sensitive data about the system and users. Setting ASL files to be readable and writable on... |
| V-268551 | | The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. | The Apple System Logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL files must be... |
| V-268552 | | The macOS system must configure system log files owned by root and group to wheel. | The system log files must be owned by root.
System logs contain sensitive data about the system and users. Setting log files to be readable and writa... |
| V-268553 | | The macOS system must configure system log files to mode 640 or less permissive. | The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must b... |
| V-268557 | | The macOS system must enable macOS Application Firewall. | The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled.
When the macOS Application Firewall is enabled... |
| V-268558 | | The macOS system must configure the login window to prompt for username and password. | The login window must be configured to prompt all users for both a username and a password.
By default, the system displays a list of known users on ... |
| V-268559 | | The macOS system must disable the TouchID prompt during Setup Assistant. | The prompt for TouchID during Setup Assistant must be disabled.
macOS prompts new users through enabling TouchID during Setup Assistant; this is not ... |
| V-268560 | | The macOS system must disable the Screen Time prompt during Setup Assistant. | The prompt for Screen Time setup during Setup Assistant must be disabled.
Enabling any service increases the attack surface for an intruder. By disa... |
| V-268561 | | The macOS system must disable Unlock with Apple Watch during Setup Assistant. | The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple Watches is a necessary step to ensuring the informat... |
| V-268562 | | The macOS system must disable Handoff. | Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. ... |
| V-268563 | | The macOS system must disable proximity-based password sharing requests. | Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known dev... |
| V-268564 | | The macOS system must disable Erase Content and Settings. | Erase Content and Settings must be disabled. Without disabling the Erase Content and Settings configuration, forensics data could be lost if this fea... |
| V-268565 | | The macOS system must enable Authenticated Root. | Authenticated Root must be enabled. When Authenticated Root is enabled, macOS is booted from a signed volume that is cryptographically protected ... |
| V-268566 | | The macOS system must prohibit user installation of software into /users/. | Users must not be allowed to install software into /users/. Allowing regular users without explicit privileges to install software presents the risk ... |
| V-268567 | | The macOS system must authorize USB devices before allowing connection. | USB devices connected to a Mac must be authorized. [IMPORTANT] ==== This feature is removed if a smart card is paired or smart card attribute mapping... |
| V-268568 | | The macOS system must ensure Secure Boot level is set to "full". | The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot i... |
| V-268569 | | The macOS system must enforce enrollment in Mobile Device Management (MDM). | Users must enroll their Mac in MDM software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager... |
| V-268570 | | The macOS system must enable Recovery Lock. | A Recovery Lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macO... |
| V-268571 | | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | Software Update must be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definition updates for XProtect ... |
| V-268572 | | The macOS system must disable Genmoji. | Apple Intelligence features that use off-device Artificial Intelligence (AI) must be disabled. Use of off-device AI poses a data loss risk.... |
| V-268573 | | The macOS system must disable Apple Intelligence Image Generation. | Apple Intelligence features that use off-device artificial intelligence must be disabled. Use of off-device AI poses a data loss risk.... |
| V-268574 | | The macOS system must disable Apple Intelligence Writing Tools. | Apple Intelligence features that use off-device Artificial Intelligence must be disabled. Use of off-device AI poses a data loss risk.... |
| V-268575 | | The macOS system must be a supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release... |
| V-269093 | | The macOS system must enforce SSH to display a policy banner. | SSH must be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating sy... |
| V-269094 | | The macOS system must be configured to audit all failed program execution on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcemen... |
| V-269095 | | The macOS system must configure audit_control to not contain access control lists (ACLs). | /etc/security/audit_control must not contain ACLs. /etc/security/audit_control contains sensitive configuration data about the audit service. This ru... |
| V-269096 | | The macOS system must disable sending audio recordings and transcripts to Apple. | The ability for Apple to store and review audio recordings and transcripts of vocal shortcuts and voice control interactions must be disabled. The in... |
| V-269566 | | The macOS system must disable sending search data from Spotlight to Apple. | Sending data to Apple to help improve search must be disabled. The information system must be configured to provide only essential capabilities. Disa... |
| V-272477 | | The macOS system must disable iPhone Mirroring. | iPhone Mirroring must be disabled to prevent file transfers to or from unauthorized devices. Disabling iPhone Mirroring also prevents potentially un... |
| V-274880 | | The macOS system must configure sudoers timestamp type. | The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty. This ... |
| V-274881 | | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. | The file /etc/sudoers must include a timestamp_timeout of 0. Without reauthentication, users may access resources or perform tasks for which they do n... |
| V-268467 | | The macOS system must configure audit retention to seven days. | The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a cent... |
| V-268554 | | The macOS system must configure install.log retention to 365. | The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a centr... |