Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000028-GPOS-00009
Group -
The macOS system must prevent Apple Watch from terminating a session lock.
Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication pro...Rule Medium Severity -
SRG-OS-000028-GPOS-00009
Group -
The macOS system must enforce screen saver password.
Users must authenticate when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.Rule Medium Severity -
SRG-OS-000028-GPOS-00009
Group -
SRG-OS-000030-GPOS-00011
Group -
The macOS system must configure user session lock when a smart token is removed.
The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the ...Rule Medium Severity -
SRG-OS-000031-GPOS-00012
Group -
The macOS system must disable hot corners.
Hot corners must be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used ...Rule Medium Severity -
SRG-OS-000029-GPOS-00010
Group -
The macOS system must prevent AdminHostInfo from being available at LoginWindow.
The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and bu...Rule Medium Severity -
SRG-OS-000002-GPOS-00002
Group -
The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation. Emergency administrator accounts are privileg...Rule Medium Severity -
SRG-OS-000355-GPOS-00143
Group -
The macOS system must enforce time synchronization.
Time synchronization must be enforced on all networked systems. This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a net...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
SRG-OS-000023-GPOS-00006
Group -
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consis...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consis...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
Group -
The macOS system must configure audit log files to not contain access control lists.
The audit log files must not contain access control lists (ACLs). This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators,...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
Group -
The macOS system must configure audit log folders to not contain access control lists.
The audit log folder must not contain access control lists (ACLs). Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create lo...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
Group -
The macOS system must disable FileVault automatic log on.
If FileVault is enabled, automatic log on must be disabled, so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to autom...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
Group -
SRG-OS-000163-GPOS-00072
Group -
The macOS system must configure SSHD ClientAliveCountMax to 1.
If SSHD is enabled it must be configured with the Client Alive Maximum Count set to 1. This will set the number of client alive messages which may be sent without the SSH server receiving any mess...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
Group -
The macOS system must set Login Grace Time to 30.
If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts. Note: /etc/ssh/sshd_config will be automatically modified to its original state following a...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
Group -
SRG-OS-000033-GPOS-00014
Group -
SRG-OS-000021-GPOS-00005
Group -
The macOS system must set account lockout time to 15 minutes.
The macOS must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. This rule protects against malicious users attempt...Rule Medium Severity -
SRG-OS-000029-GPOS-00010
Group -
The macOS system must enforce screen saver timeout.
The screen saver timeout must be set to 900 seconds or a shorter length of time. This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.Rule Medium Severity -
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000104-GPOS-00051
Group -
The macOS system must disable root logon.
To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must require individuals to be authenticated with an ...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
Group -
The macOS system must configure SSH ServerAliveInterval option set to 900.
SSH must be configured with an Active Server Alive Maximum Count set to 900. Setting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity. Not...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
Group -
SRG-OS-000163-GPOS-00072
Group -
The macOS system must configure SSHD unused connection timeout to 900.
If SSHD is enabled, it must be configured with unused connection timeout set to 900. This will set the timeout when there are no open channels within a session. Note: /etc/ssh/sshd_config will be...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
Group -
The macOS system must set SSH Active Server Alive Maximum to 0.
SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to tak...Rule Medium Severity -
SRG-OS-000279-GPOS-00109
Group -
The macOS system must enforce auto logout after 86400 seconds of inactivity.
Auto logout must be configured to automatically terminate a user session and log out the after 86400 seconds of inactivity. Note: The maximum that macOS can be configured for autologoff is 86400 s...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.