Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
- The macOS system must enable firmware password. (Severity: Medium)
  A firmware password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. S...
- The macOS system must remove password hints from user accounts. (Severity: Medium)
  User accounts must not contain password hints. Password hints leak information about passwords in use and can lead to loss of confidentiality.
- The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. (Severity: Medium)
  The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users must go through multifactor authentication to prevent unauthentica...
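The PAM stack this rule is checked against, as an added example that is not STIG text: a default-style /etc/pam.d/sudo in which a password still satisfies the auth stack, beside the hardened form in which a smart card is sufficient and anything that falls through is denied, plus a small check that tells them apart. Both file contents are constructed for the example (the hardened one follows the shape the rule's check expects); on a live system run the check against /etc/pam.d/sudo itself.

```sh
#!/bin/sh
# Added example for the sudo MFA rule; not part of the STIG.
# Decide whether a PAM file enforces smart-card authentication for sudo.
# Returns 0 when compliant, 1 otherwise.
sudo_mfa_enforced() {
    pam_file=$1
    # Two auth lines must be present: the smart card is sufficient, and a
    # required pam_deny.so stops a card-less attempt from reaching any
    # password module.  grep -c prints 0 on no match; "|| true" keeps a
    # caller's "set -e" from aborting on grep's non-zero status.
    required=$(grep -Ec '^auth[[:space:]]+(sufficient[[:space:]]+pam_smartcard\.so|required[[:space:]]+pam_deny\.so)' "$pam_file" || true)
    # Any remaining auth line that consults the directory password reopens
    # the password fallback, even if the two lines above are present.
    fallback=$(grep -Ec '^auth[[:space:]]+.*pam_opendirectory\.so' "$pam_file" || true)
    [ "$required" -eq 2 ] && [ "$fallback" -eq 0 ]
}

# Constructed sample: the shape of an out-of-the-box /etc/pam.d/sudo.
# pam_smartcard.so is sufficient, but pam_opendirectory.so still lets a
# plain password succeed when no card is presented.
write_default_sudo_pam() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Constructed sample of the hardened file: card or nothing.
write_hardened_sudo_pam() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

tmp=$(mktemp -d)
write_default_sudo_pam "$tmp/sudo.default"
write_hardened_sudo_pam "$tmp/sudo.hardened"
for f in "$tmp"/sudo.*; do
    if sudo_mfa_enforced "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -r "$tmp"
# Live system:  sudo_mfa_enforced /etc/pam.d/sudo && echo compliant
```

Note that the hardened file has no password path at all: with pam_deny.so as the only required auth module, an account without a provisioned smart card cannot use sudo, so card enrollment has to precede deployment of this file.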
- The macOS system must set minimum password lifetime to 24 hours. (Severity: Medium)
  macOS must be configured to enforce a minimum password lifetime of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. NO...
- The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. (Severity: Medium)
  The Apple System Logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL files must be configured to mode 640 or less permissive, the...
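How a checker for this rule finds the ASL output files and judges "640 or less permissive", as an added example that is not STIG text. ASL names its destination files on configuration lines beginning with ">", with bare names relative to /var/log; the permission test is done as a bit test against 0640 rather than a string compare, so 600 or 400 pass while 644, 660 or a sticky bit fail. The sample configuration and modes are constructed so the block runs offline; the live-system wrapper uses the macOS stat(1) format string.

```sh
#!/bin/sh
# Added example for the ASL permissions rule; not part of the STIG.

# Print the absolute path of every file named on a '>' line of the given
# ASL configuration files.  Bare names are relative to /var/log.
asl_output_files() {
    # usage: asl_output_files /etc/asl.conf /etc/asl/*
    grep -h '^>' "$@" 2>/dev/null |
        awk '{ p = $2; if (p !~ /^\//) p = "/var/log/" p; print p }'
}

# Return 0 if the octal mode string has no bit set outside rw-r----- (0640).
# mode_ok 640 -> 0, mode_ok 600 -> 0, mode_ok 644 -> 1, mode_ok 1640 -> 1
mode_ok() {
    [ $(( 0$1 & ~0640 )) -eq 0 ]
}

# Live-system check (macOS): "stat -f '%OLp'" prints the octal permission
# bits of a file.  Prints one FINDING line per file that is too permissive.
check_asl_modes() {
    asl_output_files /etc/asl.conf /etc/asl/* | while read -r f; do
        [ -e "$f" ] || continue
        mode=$(stat -f '%OLp' "$f")
        mode_ok "$mode" || echo "FINDING: $f is mode $mode (expected 640 or tighter)"
    done
}

# Constructed sample in the shape of /etc/asl.conf; the paths and options
# are made up for the example and are not a copy of a real system's file.
write_sample_asl_conf() {
    cat > "$1" <<'EOF'
# constructed sample asl.conf
> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
? [= Sender kernel] file system.log
> /var/log/wifi.log mode=0644 format='$((Time)(JZ)) $(Sender)[$(PID)]: $Message'
EOF
}

tmp=$(mktemp -d)
write_sample_asl_conf "$tmp/asl.conf"
asl_output_files "$tmp/asl.conf"      # /var/log/system.log, /var/log/wifi.log
for m in 640 600 644 660 1640; do
    if mode_ok "$m"; then echo "$m: ok"; else echo "$m: finding"; fi
done
rm -r "$tmp"
# Live system (as root):  check_asl_modes
```

The "mode=" option on a ">" line only governs the mode ASL uses when it creates the file, so the check has to look at the file actually on disk, as check_asl_modes does.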
- The macOS system must ensure System Integrity Protection is enabled. (Severity: High)
  System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected file...
- The macOS system must disable the Screen Time prompt during Setup Assistant. (Severity: Medium)
  The prompt for Screen Time setup during Setup Assistant must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface ...
- The macOS system must disable Erase Content and Settings. (Severity: Medium)
  Erase Content and Settings must be disabled. Without disabling the Erase Content and Settings configuration, forensics data could be lost if this feature is activated on a compromised system.
- The macOS system must prohibit user installation of software into /users/. (Severity: Medium)
  Users must not be allowed to install software into /users/. Allowing regular users without explicit privileges to install software presents the risk of untested and potentially malicious software ...
- The macOS system must ensure Secure Boot level is set to "full". (Severity: Medium)
  The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the...
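The Secure Boot rule, the System Integrity Protection rule and the firmware password rule above are each verified by reading one line of tool output. The following added example, which is not part of the STIG, shows the commands involved and how to interpret what they print, including the cases a literal string match gets wrong: SIP reporting "unknown (Custom Configuration)" after a partial disable, the Secure Boot NVRAM variable being absent on a Mac without a T2 or Apple silicon chip, and firmwarepasswd being an Intel-only tool. The sample outputs at the bottom are constructed so the block runs offline.

```sh
#!/bin/sh
# Added example for the SIP, Secure Boot and firmware password rules; not STIG text.
# Each function takes captured command output so it can run without the tools.

# csrutil status prints "System Integrity Protection status: enabled." when
# fully on.  "disabled." and "unknown (Custom Configuration)." (some
# protections turned off in Recovery) are both findings.
sip_enabled() {
    printf '%s\n' "$1" | grep -q '^System Integrity Protection status: enabled\.'
}

# On T2 and Apple silicon Macs the Secure Boot policy is an NVRAM variable:
#   nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy
#   94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy	%02
# The value is one percent-escaped byte: 02 = Full, 01 = Medium (Reduced),
# 00 = No Security.  Prints the level name, or "unknown" when the variable
# is absent or the output is an error message.
secure_boot_level() {
    v=$(printf '%s' "$1" | awk -F'%' 'NR == 1 { print $NF }')
    case "$v" in
        02) echo full ;;
        01) echo medium ;;
        00) echo none ;;
        *)  echo unknown ;;
    esac
}

# firmwarepasswd -check (as root) prints "Password Enabled: Yes" or "No".
# firmwarepasswd exists only on Intel Macs; Apple silicon has no firmware
# password, so this check does not apply there.
firmware_password_set() {
    printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# Constructed outputs standing in for the live commands.
sip_out='System Integrity Protection status: unknown (Custom Configuration).'
nvram_out='94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy	%01'
fw_out='Password Enabled: Yes'

if sip_enabled "$sip_out"; then echo "SIP: pass"; else echo "SIP: FINDING ($sip_out)"; fi
level=$(secure_boot_level "$nvram_out")
if [ "$level" = full ]; then echo "Secure Boot: pass"; else echo "Secure Boot: FINDING (level=$level)"; fi
if firmware_password_set "$fw_out"; then echo "Firmware password: pass"; else echo "Firmware password: FINDING"; fi

# Live system (as root):
#   sip_enabled "$(csrutil status)"
#   secure_boot_level "$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>&1)"
#   firmware_password_set "$(firmwarepasswd -check 2>&1)"    # Intel Macs only
```

Treat "unknown" from secure_boot_level as "review by hand" rather than as a pass: it is what a pre-T2 Intel Mac returns, and also what a typo in the variable name returns.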