Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000355-GPOS-00143
Group
The macOS system must be configured to use an authorized time server.
Approved time servers must be the only servers configured for use. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a ...
Rule, Medium Severity
SRG-OS-000355-GPOS-00143
Group
The macOS system must enable time synchronization daemon.
The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server. Note: The time synchronization daemon is enabled by default on macOS. S...
Rule, Medium Severity
SRG-OS-000004-GPOS-00004
Group
SRG-OS-000032-GPOS-00013
Group
The macOS system must be configured to audit all log on and log out events.
The audit system must be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an acc...
Rule, Medium Severity
SRG-OS-000037-GPOS-00015
Group
The macOS system must enable security auditing.
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and invest...
Rule, Medium Severity
SRG-OS-000047-GPOS-00023
Group
The macOS system must configure system to shut down upon audit failure.
The audit service must be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded, and malicious act...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit log files to be owned by root.
Audit log files must be owned by root. The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sens...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit log folders to be owned by root.
Audit log folders must be owned by root. The audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs. Audit logs contain ...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit log files group to wheel.
Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit ...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit log folders group to wheel.
Audit log folders must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audi...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit log folders to mode 700 or less permissive.
The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. Because audit logs contain sensitive data ...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
SRG-OS-000057-GPOS-00027
Group
The macOS system must be configured to audit all changes of object attributes.
The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes...
Rule, Medium Severity
SRG-OS-000463-GPOS-00207
Group
SRG-OS-000463-GPOS-00207
Group
The macOS system must be configured to audit all failed write actions on the system.
The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement actions are the methods or mechanisms used to prev...
Rule, Medium Severity
SRG-OS-000463-GPOS-00207
Group
The macOS system must be configured to audit all failed program execution on the system.
The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to...
Rule, Medium Severity
SRG-OS-000341-GPOS-00132
Group
The macOS system must configure audit retention to seven days.
The audit service must be configured to require records be kept for an organizationally defined value before deletion, unless the system uses a central audit record storage facility. When "expire-af...
Rule, Low Severity
SRG-OS-000046-GPOS-00022
Group
SRG-OS-000047-GPOS-00023
Group
SRG-OS-000365-GPOS-00152
Group
The macOS system must configure the system to audit all authorization and authentication events.
The auditing system must be configured to flag authorization and authentication (aa) events. Authentication events contain information about the identity of a user, server, or client. Authorizatio...
Rule, Medium Severity
SRG-OS-000066-GPOS-00034
Group
The macOS system must set smart card certificate trust to moderate.
The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on...
Rule, Medium Severity
SRG-OS-000109-GPOS-00056
Group
The macOS system must disable root logon for SSH.
If SSH is enabled, logging in as root via SSH must be disabled to ensure individual accountability and prevent unauthorized access. The macOS system must require individuals to be authenticated wi...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit_control group to wheel.
/etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal users from manipulating audit log configuratio...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
SRG-OS-000057-GPOS-00027
Group
The macOS system must configure audit_control to mode 440 or less permissive.
/etc/security/audit_control must be configured so that it is readable only by the root user and group wheel. Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,S...
Rule, Medium Severity
SRG-OS-000057-GPOS-00027
Group
SRG-OS-000067-GPOS-00035
Group
The macOS system must disable password authentication for SSH.
If remote logon through SSH is enabled, password-based authentication must be disabled for user logon. All users must go through multifactor authentication to prevent unauthenticated access and po...
Rule, High Severity
SRG-OS-000080-GPOS-00048
Group
The macOS system must disable Server Message Block sharing.
Support for Server Message Block (SMB) file sharing is nonessential and must be disabled. The information system must be configured to provide only essential capabilities.
Rule, Medium Severity