Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The macOS system must disable proximity-based password sharing requests.
Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disa...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
SRG-OS-000080-GPOS-00048
Group -
The macOS system must enable Authenticated Root.
Authenticated Root must be enabled. When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. No...Rule Medium Severity -
SRG-OS-000362-GPOS-00149
Group -
SRG-OS-000378-GPOS-00163
Group -
SRG-OS-000445-GPOS-00199
Group -
SRG-OS-000480-GPOS-00227
Group -
The macOS system must enforce enrollment in mobile device management.
Users must enroll their Mac in a Mobile Device Management (MDM) software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The macOS system must enable recovery lock.
A recovery lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations dur...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The macOS system must enforce session lock no more than five seconds after screen saver is started.
A screen saver must be enabled and the system must be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds. An unattended system with an excess...Rule Medium Severity -
The macOS system must limit consecutive failed log on attempts to three.
The macOS must be configured to limit the number of failed log on attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of t...Rule Medium Severity -
The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consis...Rule Medium Severity -
The macOS system must configure SSHD ClientAliveInterval to 900.
If SSHD is enabled, then it must be configured with the Client Alive Interval set to 900. Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will ...Rule Medium Severity -
The macOS system must limit SSHD to FIPS-compliant connections.
If SSHD is enabled then it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithm...Rule High Severity -
The macOS system must limit SSH to FIPS-compliant connections.
SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 val...Rule High Severity -
The macOS system must disable logon to other user's active and locked sessions.
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions....Rule Medium Severity -
The macOS system must configure SSHD Channel Timeout to 900.
If SSHD is enabled it must be configured with session Channel Timeout set to 900. This will set the time out when the session is inactive. Note: /etc/ssh/sshd_config will be automatically modifie...Rule Medium Severity -
The macOS system must be configured to audit all administrative action events.
Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include "ad" events, it is difficult to identify incidents and to ...Rule Medium Severity -
The macOS system must configure audit log files to mode 440 or less permissive.
The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive;...Rule Medium Severity -
The macOS system must be configured to audit all deletions of object attributes.
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). ***Enforcement actions are the methods or mechanisms used to prevent unauthorized chan...Rule Medium Severity -
The macOS system must be configured to audit all failed read actions on the system.
The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to preve...Rule Medium Severity -
The macOS system must configure audit capacity warning.
The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value. This rule ensures that the system admini...Rule Medium Severity -
The macOS system must configure audit failure notification.
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be m...Rule Medium Severity -
The macOS system must configure audit_control owner to root.
/etc/security/audit_control must have the owner set to root. The audit service must be configured with the correct ownership to prevent normal users from manipulation audit log configurations. Au...Rule Medium Severity -
The macOS system must configure audit_control to not contain access control lists.
/etc/security/audit_control must not contain Access Control Lists (ACLs). /etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audi...Rule Medium Severity -
The macOS system must disable Unix-to-Unix Copy Protocol service.
The system must not have the Unix-to-Unix Copy Protocol (UUCP) service active. UUCP, a set of programs that enable the sending of files between different Unix systems as well as sending commands t...Rule Medium Severity -
The macOS system must disable FaceTime.app.
The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. ...Rule Medium Severity -
The macOS system must disable Siri.
Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities.Rule Medium Severity -
The macOS system must disable Trivial File Transfer Protocol service.
If the system does not require Trivial File Transfer Protocol (TFTP), support it is nonessential and must be disabled. The information system must be configured to provide only essential capabilit...Rule High Severity -
The macOS system must disable Siri Setup during Setup Assistant.
The prompt for Siri during Setup Assistant must be disabled. Organizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabli...Rule Medium Severity -
The macOS system must disable iCloud Document synchronization.
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage. Apple's iCloud service does n...Rule Medium Severity -
The macOS system must disable the system settings pane for Siri.
The System Settings pane for Siri must be hidden. Hiding the System Settings pane prevents the users from configuring Siri.Rule Medium Severity -
The macOS system must apply gatekeeper settings to block applications from unidentified developers.
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to only allow the system to run applicat...Rule High Severity -
The macOS system must enable Gatekeeper.
Gatekeeper must be enabled. Gatekeeper is a security feature that ensures applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allo...Rule High Severity -
The macOS system must secure user's home folders.
The system must be configured to prevent access to other user's home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder wh...Rule Medium Severity -
The macOS system must disable Airplay Receiver.
Airplay Receiver allows users to send content from another Apple device to be displayed on the screen as it is being played from another device. Support for Airplay Receiver is nonessential and mu...Rule Medium Severity -
The macOS system must disable Bluetooth sharing.
Bluetooth Sharing must be disabled. Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. ...Rule Medium Severity -
The macOS system must disable AppleID and Internet Account modifications.
The system must disable account modification. Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Sett...Rule Medium Severity -
The macOS system must disable Find My service.
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service use...Rule Medium Severity -
The macOS system must disable password autofill.
Password Autofill must be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to t...Rule Medium Severity -
The macOS system must disable the Bluetooth system settings pane.
The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration.Rule Medium Severity -
The macOS system must restrict maximum password lifetime to 60 days.
The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malici...Rule Medium Severity -
The macOS system must require passwords contain a minimum of one special character.
The macOS must be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! ...Rule Medium Severity -
The macOS system must remove password hints from user accounts.
User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality.Rule Medium Severity -
The macOS system must enforce smart card authentication.
Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the ...Rule Medium Severity -
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through multifactor authentication to prevent unauthentica...Rule Medium Severity -
The macOS system must set minimum password lifetime to 24 hours.
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. No...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.