| ID | | Title | Description |
|---|---|---|---|
| V-277028 | | The macOS system must prevent Apple Watch from terminating a session lock. | Apple Watches are not an approved authenticator and their use must be disabled. Disabling Apple Watches is a necessary step to ensuring that the info... |
| V-277029 | | The macOS system must enforce screen saver password. | Users must authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the c... |
| V-277030 | | The macOS system must enforce session lock no more than five seconds after screen saver is started. | A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of fi... |
| V-277031 | | The macOS system must configure user session lock when a smart token is removed. | The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions tak... |
| V-277032 | | The macOS system must disable hot corners. | Hot corners must be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly vi... |
| V-277033 | | The macOS system must prevent AdminHostInfo from being available at LoginWindow. | The system must be configured to not display sensitive information at the LoginWindow. If the key "AdminHostInfo" is configured with a string value, i... |
| V-277034 | | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. | The macOS system can be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.... |
| V-277035 | | The macOS system must enforce time synchronization. | Time synchronization must be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple... |
| V-277036 | | The macOS system must limit consecutive failed login attempts to three. | The macOS must be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached... |
| V-277037 | | The macOS system must display a policy banner at remote login. | Remote login service must be configured to display a policy banner at login. Displaying a standardized and approved use notification before granting ... |
| V-277038 | | The macOS system must enforce SSH to display a policy banner. | SSH must be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating sy... |
| V-277039 | | The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy an... |
| V-277040 | | The macOS system must configure audit log files to not contain access control lists (ACLs). | The audit log files must not contain ACLs. This rule ensures that audit information and audit files are configured to be readable and writable only b... |
| V-277041 | | The macOS system must configure the audit log folder to not contain access control lists (ACLs). | The audit log folder must not contain ACLs. Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is... |
| V-277042 | | The macOS system must disable FileVault automatic login. | If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required. The default behavior o... |
| V-277043 | | The macOS system must configure SSHD ClientAliveInterval to 900. | If SSHD is enabled, it must be configured with the Client Alive Interval set to 900. This sets a timeout interval in seconds, after which if no data ... |
| V-277044 | | The macOS system must configure SSHD ClientAliveCountMax to 1. | If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1. This will set the number of client alive messages that may be... |
| V-277045 | | The macOS system must set login grace time to 30. | If SSHD is enabled, it must be configured to wait only 30 seconds before timing out login attempts. Note: /etc/ssh/sshd_config will be automatically ... |
| V-277048 | | The macOS system must set account lockout time to 15 minutes. | The macOS system must be configured to enforce a lockout time of at least 15 minutes when the maximum number of failed login attempts is reached. Thi... |
| V-277049 | | The macOS system must enforce screen saver timeout. | The screen saver timeout must be set to 900 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no mo... |
| V-277050 | | The macOS system must disable login to other users' active and locked sessions. | The ability to log in to another user's active or locked session must be disabled. WARNING: This rule may cause issues when platformSSO is configured... |
| V-277051 | | The macOS system must disable root login. | To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must r... |
| V-277052 | | The macOS system must configure the SSH ServerAliveInterval to 900. | SSH must be configured with an Active Server Alive Maximum Count set to 900. Setting the Active Server Alive Maximum Count to 900 will log users out ... |
| V-277053 | | The macOS system must configure SSHD channel timeout to 900. | If SSHD is enabled, it must be configured with session ChannelTimeout set to 900. This will set the timeout when the session is inactive. Note: /etc... |
| V-277054 | | The macOS system must configure SSHD unused connection timeout to 900. | If SSHD is enabled, it must be configured with unused connection timeout set to 900. This will set the timeout when there are no open channels within... |
| V-277055 | | The macOS system must set SSH Active Server Alive Maximum to 0. | SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time reduces the window of oppor... |
| V-277056 | | The macOS system must enforce auto logout after 86400 seconds of inactivity. | Auto logout must be configured to automatically terminate a user session and log out after 86400 seconds of inactivity. Note: The maximum that macOS ... |
| V-277057 | | The macOS system must be configured to use an authorized time server. | An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported. This rule ensures the unifo... |
| V-277058 | | The macOS system must enable the time synchronization daemon. | The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server. Note: The time synchroniz... |
| V-277059 | | The macOS system must configure sudo to log events. | Sudo must be configured to log privilege escalation. Without logging privilege escalation, it is difficult to identify attempted attacks because no a... |
| V-277060 | | The macOS system must be configured to audit all administrative action events. | The auditing system must be configured to flag administrative action (ad) events. Administrative action events include changes made to the system (e.... |
| V-277061 | | The macOS system must be configured to audit all login and logout events. | The audit system must be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains acce... |
| V-277062 | | The macOS system must enable security auditing. | The information system must be configured to generate audit records. Audit records establish what types of events have occurred, when they occurred, ... |
| V-277063 | | The macOS system must configure audit log files to be owned by root. | Audit log files must be owned by root. The audit service must be configured to create log files with the correct ownership to prevent normal users fr... |
| V-277064 | | The macOS system must configure audit log folders to be owned by root. | Audit log folders must be owned by root. The audit service must be configured to create log folders with the correct ownership to prevent normal user... |
| V-277065 | | The macOS system must configure the audit log files group to wheel. | Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to preven... |
| V-277066 | | The macOS system must configure the audit log folders group to wheel. | Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to preven... |
| V-277067 | | The macOS system must configure audit log files to mode 440 or less permissive. | The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files mus... |
| V-277068 | | The macOS system must configure audit log folders to mode 700 or less permissive. | The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folde... |
| V-277069 | | The macOS system must be configured to audit all deletions of object attributes. | The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). Enforcement actions are the methods or ... |
| V-277070 | | The macOS system must be configured to audit all changes of object attributes. | The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or ... |
| V-277071 | | The macOS system must be configured to audit all failed read actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement acti... |
| V-277072 | | The macOS system must be configured to audit all failed write actions on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement act... |
| V-277073 | | The macOS system must be configured to audit all failed program execution on the system. | The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcemen... |
| V-277075 | | The macOS system must configure audit capacity warning. | The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization-defined v... |
| V-277076 | | The macOS system must configure audit failure notification. | The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is... |
| V-277077 | | The macOS system must be configured to audit all authorization and authentication events. | The auditing system must be configured to flag authorization and authentication (aa) events. Authentication events contain information about the iden... |
| V-277078 | | The macOS system must set smart card certificate trust to moderate. | The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use... |
| V-277079 | | The macOS system must disable root login for SSH. | If SSH is enabled, to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled. The macOS system ... |
| V-277080 | | The macOS system must configure audit_control group to wheel. | /etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal... |
| V-277081 | | The macOS system must configure audit_control owner to root. | /etc/security/audit_control must have the owner set to root. The audit service must be configured with the correct ownership to prevent normal users ... |
| V-277082 | | The macOS system must configure audit_control owner to mode 440 or less permissive. | /etc/security/audit_control must be configured so that it is readable only by the root user and group wheel. The audit service must be configured wit... |
| V-277083 | | The macOS system must configure audit_control to not contain access control lists (ACLs). | /etc/security/audit_control must not contain ACLs. /etc/security/audit_control contains sensitive configuration data about the audit service. This ru... |
| V-277085 | | The macOS system must disable Server Message Block (SMB) sharing. | Support for SMB file sharing is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. ... |
| V-277086 | | The macOS system must disable Network File System (NFS) service. | Support for NFS services is nonessential and, therefore, must be disabled. Enabling any service increases the attack surface for an intruder. By disab... |
| V-277087 | | The macOS system must disable Location Services. | Location Services must be disabled. The information system must be configured to provide only essential capabilities. Disabling Location Services hel... |
| V-277088 | | The macOS system must disable Bonjour multicast. | Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.... |
| V-277089 | | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. | The system must not have the UUCP service active. UUCP, a set of programs that enables sending files between different Unix systems and sending comma... |
| V-277090 | | The macOS system must disable Internet Sharing. | If the system does not require Internet Sharing, support for it is nonessential and must be disabled. The information system must be configured to pr... |
| V-277091 | | The macOS system must disable the built-in web server. | The built-in web server managed by launchd is a nonessential service built into macOS and must be disabled and not running. Note: The built-in web se... |
| V-277092 | | The macOS system must disable AirDrop. | AirDrop must be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby... |
| V-277093 | | The macOS system must disable FaceTime.app. | The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service even when security controls hav... |
| V-277094 | | The macOS system must disable the iCloud Calendar services. | The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with e... |
| V-277095 | | The macOS system must disable iCloud Reminders. | The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with ... |
| V-277096 | | The macOS system must disable iCloud Address Book. | The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with e... |
| V-277097 | | The macOS system must disable iCloud Mail. | The macOS built-in Mail.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enoug... |
| V-277098 | | The macOS system must disable iCloud Notes. | The macOS built-in Notes.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enou... |
| V-277099 | | The macOS system must disable the camera. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-277100 | | The macOS system must disable Siri. | Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Enabling any... |
| V-277101 | | The macOS system must disable sending diagnostic and usage data to Apple. | The ability to submit diagnostic data to Apple must be disabled. The information system must be configured to provide only essential capabilities. Di... |
| V-277102 | | The macOS system must disable Remote Apple Events. | If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled. The information system must... |
| V-277103 | | The macOS system must disable sending audio recordings and transcripts to Apple. | The ability for Apple to store and review audio recordings and transcripts of vocal shortcuts and voice control interactions must be disabled. The in... |
| V-277104 | | The macOS system must disable sending search data from Spotlight to Apple. | Sending data to Apple to help improve search must be disabled. The information system must be configured to provide only essential capabilities. Disa... |
| V-277105 | | The macOS system must disable Apple ID setup during Setup Assistant. | The prompt for Apple ID setup during Setup Assistant must be disabled. macOS will automatically prompt new users to set up an Apple ID while they are... |
| V-277106 | | The macOS system must disable Privacy Setup services during Setup Assistant. | The prompt for Privacy Setup services during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The ... |
| V-277107 | | The macOS system must disable iCloud storage setup during Setup Assistant. | The prompt to set up iCloud storage services during Setup Assistant must be disabled. The default behavior of macOS is to prompt new users to set up ... |
| V-277109 | | The macOS system must disable Siri Setup during Setup Assistant. | The prompt for Siri during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Siri Assista... |
| V-277110 | | The macOS system must disable iCloud Keychain Sync. | The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled. Apple's iCloud service does not ... |
| V-277111 | | The macOS system must disable iCloud Document Sync. | The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nona... |
| V-277112 | | The macOS system must disable iCloud Bookmarks. | The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled. Apple's iCloud service does not provide an organizati... |
| V-277113 | | The macOS system must disable iCloud Photo Library. | The macOS built-in Photos.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with eno... |
| V-277114 | | The macOS system must disable Screen Sharing and Apple Remote Desktop. | Support for both Screen Sharing and Apple Remote Desktop is nonessential and must be disabled. The information system must be configured to provide o... |
| V-277115 | | The macOS system must disable the System Settings pane for Wallet and Apple Pay. | The System Settings pane for Wallet and Apple Pay must be disabled. Disabling the System Settings pane prevents users from configuring Wallet and App... |
| V-277116 | | The macOS system must disable the system settings pane for Siri. | The System Settings pane for Siri must be hidden. Hiding the System Settings pane prevents users from configuring Siri. Enabling any service increase... |
| V-277119 | | The macOS system must disable the guest account. | Guest access must be disabled. Turning off guest access prevents anonymous users from accessing files.... |
| V-277122 | | The macOS system must secure users' home folders. | The system must be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the... |
| V-277124 | | The macOS system must disable AirPlay Receiver. | AirPlay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device. Support ... |
| V-277125 | | The macOS system must disable TouchID for unlocking the device. | TouchID enables the ability to unlock a Mac system with a user's fingerprint. TouchID must be disabled for "Unlocking your Mac" on all macOS devices ... |
| V-277126 | | The macOS system must disable Media Sharing. | Media Sharing must be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's... |
| V-277127 | | The macOS system must disable Bluetooth Sharing. | Bluetooth Sharing must be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, incl... |
| V-277128 | | The macOS system must disable AppleID and internet Account Modification. | The system must disable Account Modification. Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contac... |
| V-277129 | | The macOS system must disable Content Caching service. | Content Caching must be disabled. Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac ... |
| V-277130 | | The macOS system must disable iCloud Desktop and Document folder sync. | The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled. Apple's iCloud ... |
| V-277131 | | The macOS system must disable iCloud Game Center. | This works only with supervised devices (mobile device management [MDM]) and allows users to disable Apple Game Center. The rationale is that Game Cen... |
| V-277132 | | The macOS system must disable iCloud Private Relay. | Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled. Network administrators ... |
| V-277133 | | The macOS system must disable Find My service. | The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple'... |
| V-277134 | | The macOS system must disable Personalized Advertising. | Ad tracking and targeted ads must be disabled. The information system must be configured to provide only essential capabilities. Disabling ad trackin... |
| V-277135 | | The macOS system must disable sending Siri and Dictation information to Apple. | The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled. The information system must be configured to pro... |
| V-277136 | | The macOS system must enforce On Device Dictation. | Dictation must be restricted to On Device Only to prevent potential data exfiltration. The information system must be configured to provide only esse... |
| V-277137 | | The macOS system must disable Dictation. | Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices.... |
| V-277138 | | The macOS system must disable Printer Sharing. | Printer Sharing must be disabled.... |
| V-277139 | | The macOS system must disable Remote Management. | Remote Management must be disabled.... |
| V-277140 | | The macOS system must disable the Bluetooth System Settings pane. | The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.... |
| V-277141 | | The macOS system must disable the iCloud Freeform services. | The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled. Enabling any service increases the attack surface for an intru... |
| V-277142 | | The macOS system must disable iPhone Mirroring. | iPhone Mirroring must be disabled to prevent file transfers to or from unauthorized devices. Disabling iPhone Mirroring also prevents potentially un... |
| V-277143 | | The macOS system must issue or obtain public key certificates from an approved service provider. | The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors ar... |
| V-277144 | | The macOS system must require that passwords contain a minimum of one numeric character. | The macOS must be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by ... |
| V-277145 | | The macOS system must restrict maximum password lifetime to 60 days. | The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change thei... |
| V-277146 | | The macOS system must require a minimum password length of 14 characters. | The macOS must be configured to require that a minimum of 14 characters be used when a password is created. This rule enforces password complexity by... |
| V-277147 | | The macOS system must require that passwords contain a minimum of one special character. | The macOS must be configured to require that at least one special character be used when a password is created. Special characters are characters tha... |
| V-277148 | | The macOS system must disable password hints. | Password hints must be disabled. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.... |
| V-277149 | | The macOS system must remove password hints from user accounts. | User accounts must not contain password hints. Password hints leak information about passwords in use and can lead to loss of confidentiality.... |
| V-277150 | | The macOS system must enforce smart card authentication. | Smart card authentication must be enforced. Using smart card credentials facilitates standardization and reduces the risk of unauthorized access. Wh... |
| V-277151 | | The macOS system must allow smart card authentication. | Smart card authentication must be allowed. Using smart card credentials facilitates standardization and reduces the risk of unauthorized access. Whe... |
| V-277152 | | The macOS system must enforce multifactor authentication for login. | The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated ... |
| V-277153 | | The macOS system must enforce multifactor authentication for the su command. | The system must be configured such that, when the su command is used, multifactor authentication is enforced. All users must go through multifactor a... |
| V-277154 | | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through mul... |
| V-277155 | | The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character. | The macOS must be configured to require at least one lowercase character and one uppercase character be used when a password is created. This rule en... |
| V-277156 | | The macOS system must set minimum password lifetime to 24 hours. | The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previou... |
| V-277157 | | The macOS system must disable accounts after 35 days of inactivity. | The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from employing unused accounts to ga... |
| V-277158 | | The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel. | The ASL must be owned by root. ASLs contain sensitive data about the system and users. Setting ASL files to be readable and writable only by system a... |
| V-277159 | | The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. | The ASLs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL files must be configured t... |
| V-277160 | | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. | The file /etc/sudoers must include a timestamp_timeout of 0. Without reauthentication, users may access resources or perform tasks for which they do n... |
| V-277161 | | The macOS system must configure system log files owned by root and group to wheel. | The system log files must be owned by root. System logs contain sensitive data about the system and users. Setting log files to be readable and writa... |
| V-277162 | | The macOS system must configure system log files to mode 640 or less permissive. | The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must b... |
| V-277164 | | The macOS system must configure sudoers timestamp type. | The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp record types of tty. This ... |
| V-277167 | | The macOS system must enable macOS Application Firewall. | The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Application Firewall is enabled... |
| V-277168 | | The macOS system must configure the login window to prompt for username and password. | The login window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users on ... |
| V-277169 | | The macOS system must disable the TouchID prompt during Setup Assistant. | The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setup Assistant; this is not ... |
| V-277170 | | The macOS system must disable the Screen Time prompt during Setup Assistant. | The prompt for Screen Time setup during Setup Assistant must be disabled. Enabling any service increases the attack surface for an intruder. By disab... |
| V-277171 | | The macOS system must disable Unlock with Apple Watch during Setup Assistant. | The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple Watches is a necessary step to ensuring the informat... |
| V-277172 | | The macOS system must disable Handoff. | Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. ... |
| V-277173 | | The macOS system must disable proximity-based password sharing requests. | Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known dev... |
| V-277174 | | The macOS system must disable Erase Content and Settings. | Erase Content and Settings must be disabled. Without disabling the Erase Content and Settings configuration, forensics data could be lost if this fea... |
| V-277175 | | The macOS system must enable Authenticated Root. | Authenticated Root must be enabled. When Authenticated Root is enabled, the macOS is booted from a signed volume that is cryptographically protected ... |
| V-277176 | | The macOS system must prohibit user installation of software into /users/. | Users must not be allowed to install software into /users/. Allowing regular users without explicit privileges to install software presents the risk ... |
| V-277177 | | The macOS system must authorize USB devices before allowing connection. | USB devices connected to a Mac must be authorized. IMPORTANT: This feature is removed if a smart card is paired or smart card attribute mapping... |
| V-277178 | | The macOS system must ensure Secure Boot level is set to "full". | The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot i... |
| V-277179 | | The macOS system must enforce enrollment in Mobile Device Management (MDM). | Users must enroll their Mac in MDM software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager... |
| V-277180 | | The macOS system must enable Recovery Lock. | A Recovery Lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macO... |
| V-277181 | | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | Software Update must be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definition updates for XProtect ... |
| V-277182 | | The macOS system must disable Genmoji AI Creation. | Apple Intelligence features such as Genmoji must be disabled. Using off-device AI poses a data loss risk.... |
| V-277183 | | The macOS system must disable Apple Intelligence Image Playground. | Apple Intelligence features such as Image Playground must be disabled. Using off-device AI poses a data loss risk.... |
| V-277184 | | The macOS system must disable Apple Intelligence Writing Tools. | Apple Intelligence features that use off device Artificial Intelligence (AI) must be disabled.
Using off-device AI poses a data loss risk.... |
| V-279329 | | The macOS system must disable Apple Intelligence during Setup Assistant. | The prompt for Apple Intelligence setup during Setup Assistant must be disabled.
Disabling Apple watches is a necessary step to ensuring the informat... |
| V-277074 | | The macOS system must configure audit retention to seven days. | The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a cent... |
| V-277163 | | The macOS system must configure install.log retention to 365. | The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a centr... |
| V-277046 | | The macOS system must limit SSHD to FIPS-compliant connections. | If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlg... |
| V-277047 | | The macOS system must limit SSH to FIPS-compliant connections. | SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatur... |
| V-277084 | | The macOS system must disable password authentication for SSH. | If remote login through SSH is enabled, password-based authentication must be disabled for user login. All users must go through multifactor authenti... |
| V-277108 | | The macOS system must disable Trivial File Transfer Protocol (TFTP) service. | If the system does not require TFTP support, it is nonessential and must be disabled. The information system must be configured to provide only essen... |
| V-277117 | | The macOS system must apply Gatekeeper settings to block applications from unidentified developers. | The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured cor... |
| V-277118 | | The macOS system must disable Bluetooth when no approved device is connected. | The macOS system must be configured to disable Bluetooth unless an approved device is connected. IMPORTANT: Information system security officer... |
| V-277120 | | The macOS system must enable Gatekeeper. | Gatekeeper must be enabled. Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate befor... |
| V-277121 | | The macOS system must disable unattended or automatic login to the system. | Automatic login must be disabled. When automatic logins are enabled, the default user account is automatically logged on at boot time without prompti... |
| V-277123 | | The macOS system must require an administrator password to modify systemwide preferences. | The system must be configured to require an administrator password to modify the systemwide preferences in System Settings. Some Preference Panes in ... |
| V-277165 | | The macOS system must ensure System Integrity Protection (SIP) is enabled. | SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifica... |
| V-277166 | | The macOS system must enforce FileVault. | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during ... |
| V-277185 | | The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). | Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered se... |
| V-282964 | | The macOS system must be a version supported by the vendor. | Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support ... |