Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The macOS system must configure Apple System Log files to mode 640 or less permissive.
The Apple System Logs (ASL) must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL log files must be configured to mode 640 permissive or...Rule Medium Severity -
The macOS system must ensure System Integrity Protection is enabled.
System Integrity Protection (SIP) must be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended mod...Rule High Severity -
The macOS system must enable the application firewall.
The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Application Firewall is enabled, the flow of information within the informatio...Rule Medium Severity -
The macOS system must disable Screen Time prompt during Setup Assistant.
The prompt for Screen Time setup during Setup Assistant must be disabled.Rule Medium Severity -
The macOS system must disable Unlock with Apple Watch during Setup Assistant.
The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until th...Rule Medium Severity -
The macOS system must disable Erase Content and Settings.
Erase Content and Settings must be disabled.Rule Medium Severity -
The macOS system must prohibit user installation of software into /users/.
Users must not be allowed to install software into /users/. Allowing users who do not possess explicit privileges to install software presents the risk of untested and potentially malicious softwa...Rule Medium Severity -
The macOS system must authorize USB devices before allowing connection.
USB devices connected to a Mac must be authorized. [IMPORTANT] ==== This feature is removed if a smart card is paired or smart card attribute mapping is configured. ====Rule Medium Severity -
The macOS system must ensure secure boot level set to full.
The Secure Boot security setting must be set to full. Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the i...Rule Medium Severity -
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
Software Update must be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definition updates for XProtect Remediator and Gatekeeper; with this setting in...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.