Skip to content
Log In

Apple macOS 15 (Sequoia) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The macOS system must be configured to audit all login and logout events.

    The audit system must be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an acc...
    Rule Medium Severity
    Show

  • SRG-OS-000037-GPOS-00015

    Group
    Show

  • The macOS system must enable security auditing.

    The information system must be configured to generate audit records. Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records ai...
    Rule Medium Severity
    Show

  • SRG-OS-000047-GPOS-00023

    Group
    Show

  • The macOS system must be configured to shut down upon audit failure.

    The audit service must be configured to shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity are no longer recorded, and malicious act...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must configure the audit log files group to wheel.

    Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit ...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must configure the audit log folders group to wheel.

    Audit log files must have the group set to wheel. The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit ...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must configure audit log files to mode 440 or less permissive.

    The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive ...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must be configured to audit all failed read actions on the system.

    The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to preve...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000341-GPOS-00132

    Group
    Show

  • The macOS system must configure audit retention to seven days.

    The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility. When "expir...
    Rule Low Severity
    Show

  • SRG-OS-000046-GPOS-00022

    Group
    Show

  • SRG-OS-000047-GPOS-00023

    Group
    Show

  • The macOS system must configure audit failure notification.

    The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be m...
    Rule Medium Severity
    Show

  • SRG-OS-000365-GPOS-00152

    Group
    Show

  • SRG-OS-000066-GPOS-00034

    Group
    Show

  • The macOS system must set smart card certificate trust to moderate.

    The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on...
    Rule Medium Severity
    Show

  • SRG-OS-000109-GPOS-00056

    Group
    Show

  • The macOS system must disable root login for SSH.

    If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled. The macOS system MUST require individuals to be authenticated wi...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must configure audit_control owner to root.

    /etc/security/audit_control must have the owner set to root. The audit service must be configured with the correct ownership to prevent normal users from manipulating audit log configurations. Sa...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • The macOS system must configure audit_control owner to mode 440 or less permissive.

    /etc/security/audit_control must be configured so that it is readable only by the root user and group wheel. The audit service must be configured with the correct mode to prevent normal users from...
    Rule Medium Severity
    Show

  • SRG-OS-000067-GPOS-00035

    Group
    Show

  • The macOS system must disable password authentication for SSH.

    If remote login through SSH is enabled, password-based authentication must be disabled for user login. All users must go through multifactor authentication to prevent unauthenticated access and po...
    Rule High Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • The macOS system must disable Server Message Block (SMB) sharing.

    Support for SMB file sharing is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surfa...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • The macOS system must disable Network File System (NFS) service.

    Support for NFS services is nonessential and, therefore, must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface i...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • The macOS system must disable Bonjour multicast.

    Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces.
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • The macOS system must disable Internet Sharing.

    If the system does not require Internet Sharing, support for it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling In...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • The macOS system must disable the built-in web server.

    The built-in web server is a nonessential service built into macOS and must be disabled. NOTE: The built-in web server is disabled at startup by default with macOS.
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • The macOS system must disable AirDrop.

    AirDrop must be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices. Satisfies: SRG-OS-000080-GPOS-...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules