Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The macOS system must disable AppleID and Internet Account modifications.
The system must disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Sett...Rule Medium Severity -
The macOS system must disable Find My service.
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service use...Rule Medium Severity -
The macOS system must disable password autofill.
Password Autofill must be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to t...Rule Medium Severity -
The macOS system must disable the Bluetooth system settings pane.
The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.Rule Medium Severity -
The macOS system must restrict maximum password lifetime to 60 days.
The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malici...Rule Medium Severity -
The macOS system must require passwords contain a minimum of one special character.
The macOS must be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! ...Rule Medium Severity -
The macOS system must remove password hints from user accounts.
User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.Rule Medium Severity -
The macOS system must enforce smart card authentication.
Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the ...Rule Medium Severity -
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through multifactor authentication to prevent unauthentica...Rule Medium Severity -
The macOS system must set minimum password lifetime to 24 hours.
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. No...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.