Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule: The macOS system must configure audit_control to not contain access control lists (ACLs).
/etc/security/audit_control must not contain ACLs. /etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured...
Severity: Medium
Group: SRG-OS-000095-GPOS-00049

Rule: The macOS system must disable sending audio recordings and transcripts to Apple.
The ability for Apple to store and review audio recordings and transcripts of vocal shortcuts and voice control interactions must be disabled. The information system must be configured to provide ...
Severity: Medium
Group: SRG-OS-000095-GPOS-00049

Rule: The macOS system must disable sending search data from Spotlight to Apple.
Sending data to Apple to help improve search must be disabled. The information system must be configured to provide only essential capabilities. Disabling the submission of search data will mitiga...
Severity: Medium

Rule: The macOS system must configure user session lock when a smart token is removed.
The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the ...
Severity: Medium

Rule: The macOS system must disable hot corners.
Hot corners must be disabled. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used ...
Severity: Medium

Rule: The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
The macOS system can be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation. Emergency administrator accounts are privileg...
Severity: Medium

Rule: The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consis...
Severity: Medium

Rule: The macOS system must disable FileVault automatic login.
If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required. The default behavior of macOS when FileVault is enabled is to automat...
Severity: Medium

Rule: The macOS system must configure SSHD ClientAliveCountMax to 1.
If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1. This will set the number of client alive messages that may be sent without the SSH server receiving any mess...
Severity: Medium

Rule: The macOS system must set login grace time to 30.
If SSHD is enabled, it must be configured to wait only 30 seconds before timing out login attempts. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any up...
Severity: Medium

Rule: The macOS system must limit SSHD to FIPS-compliant connections.
If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms th...
Severity: High

Rule: The macOS system must set account lockout time to 15 minutes.
The macOS system must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed login attempts is reached. This rule protects against malicious users ...
Severity: Medium

Rule: The macOS system must disable login to other users' active and locked sessions.
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active users' sessions....
Severity: Medium

Rule: The macOS system must configure the SSH ServerAliveInterval to 900.
SSH must be configured with an Active Server Alive Maximum Count set to 900. Setting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity. NOT...
Severity: Medium

Rule: The macOS system must set SSH Active Server Alive Maximum to 0.
SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to tak...
Severity: Medium

Rule: The macOS system must be configured to use an authorized time server.
An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported. This rule ensures the uniformity of time stamps for information systems wi...
Severity: Medium

Rule: The macOS system must enable the time synchronization daemon.
The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server. NOTE: The time synchronization daemon is enabled by default on macOS. S...
Severity: Medium

Rule: The macOS system must be configured to audit all administrative action events.
The auditing system must be configured to flag administrative action (ad) events. Administrative action events include changes made to the system (e.g., modifying authentication policies). If audi...
Severity: Medium

Rule: The macOS system must configure audit log files to be owned by root.
Audit log files must be owned by root. The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sens...
Severity: Medium

Rule: The macOS system must configure audit log folders to be owned by root.
Audit log folders must be owned by root. The audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs. Audit logs contain ...
Severity: Medium

Rule: The macOS system must configure audit log folders to mode 700 or less permissive.
The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. Because audit logs contain sensitive data ...
Severity: Medium

Rule: The macOS system must be configured to audit all deletions of object attributes.
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). Enforcement actions are the methods or mechanisms used to prevent unauthorized chan...
Severity: Medium

Rule: The macOS system must be configured to audit all changes of object attributes.
The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm). Enforcement actions are the methods or mechanisms used to prevent unauthorized changes...
Severity: Medium

Rule: The macOS system must be configured to audit all failed write actions on the system.
The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. Enforcement actions are the methods or mechanisms used to prev...
Severity: Medium

Rule: The macOS system must configure audit capacity warning.
The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization-defined value. This rule ensures that the system admini...
Severity: Medium

Rule: The macOS system must be configured to audit all authorization and authentication events.
The auditing system must be configured to flag authorization and authentication (aa) events. Authentication events contain information about the identity of a user, server, or client. Authorizatio...
Severity: Medium

Rule: The macOS system must configure audit_control group to wheel.
/etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal users from manipulating audit log configuratio...
Severity: Medium

Rule: The macOS system must disable Location Services.
Location Services must be disabled. The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent unauthorized connection of devices, ...
Severity: Medium

Rule: The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service.
The system must not have the UUCP service active. UUCP, a set of programs that enables sending files between different Unix systems and sending commands to be executed on another system, is not es...
Severity: Medium

Rule: The macOS system must disable FaceTime.app.
The macOS built-in FaceTime.app must be disabled. The FaceTime.app establishes a connection to Apple's iCloud service even when security controls have been put in place to disable iCloud access. ...
Severity: Medium

Rule: The macOS system must disable the iCloud Calendar services.
The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of da...
Severity: Medium

Rule: The macOS system must disable Siri.
Support for Siri is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an in...
Severity: Medium

Rule: The macOS system must disable Trivial File Transfer Protocol (TFTP) service.
If the system does not require TFTP support, it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent...
Severity: High

Rule: The macOS system must disable iCloud Document Sync.
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage. Apple's iCloud service does n...
Severity: Medium

Rule: The macOS system must apply gatekeeper settings to block applications from unidentified developers.
The information system implements cryptographic mechanisms to authenticate software prior to installation. Gatekeeper settings must be configured correctly to allow the system to run only applicat...
Severity: High

Rule: The macOS system must disable the guest account.
Guest access must be disabled. Turning off guest access prevents anonymous users from accessing files.
Severity: Medium

Rule: The macOS system must secure users' home folders.
The system must be configured to prevent access to other users' home folders. The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder wh...
Severity: Medium

Rule: The macOS system must disable Airplay Receiver.
Airplay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device. Support for Airplay Receiver is nonessential and must b...
Severity: Medium

Rule: The macOS system must disable Media Sharing.
Media Sharing must be disabled. When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same ...
Severity: Medium

Rule: The macOS system must disable AppleID and internet Account Modification.
The system must disable Account Modification. Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contacts in the Internet Account System Setting Pane ...
Severity: Medium

Rule: The macOS system must disable Content Caching service.
Content Caching must be disabled. Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices fu...
Severity: Medium

Rule: The macOS system must disable iCloud Desktop and Document folder sync.
The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled. Apple's iCloud service does not provide an organization with e...
Severity: Medium

Rule: The macOS system must disable iCloud Game Center.
This works only with supervised devices (mobile device management [MDM]) and allows Apple Game Center to be disabled. The rationale is that Game Center uses the Apple ID and will share data on AppleID-...
Severity: Medium

Rule: The macOS system must disable Find My service.
The Find My service must be disabled. A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service use...
Severity: Medium

Rule: The macOS system must disable Printer Sharing.
Printer Sharing must be disabled.
Severity: Medium

Rule: The macOS system must disable the iCloud Freeform services.
The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the att...
Severity: Medium

Rule: The macOS system must require that passwords contain a minimum of one numeric character.
The macOS must be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less ...
Severity: Medium

Rule: The macOS system must require a minimum password length of 14 characters.
The macOS must be configured to require that a minimum of 14 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less...
Severity: Medium