Guide to the Secure Configuration of Apple macOS 10.15
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Apple macOS 10.15...Group -
System Accounting with audit
The Basic Security Module (BSM) security audit API and file format is Apple's auditing system. The audit() function submits a record to the kernel ...Group -
Enable audit Service
Theauditservice is an essential userspace component of the auditing system, as it is responsible for writing audit records to disk.Rule High Severity -
Configure auditd
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...Group -
Shutdown System When Auditing Failures Occur
The macOS system must shut down by default upon audit failure unless availability is an overriding concern.Rule Medium Severity -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Apple macOS 10.15 operating system. Recomme...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group -
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...Group -
Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid installing that software. Apple macOS 10.15 allows for careful management of the ...Group -
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...Group -
Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...Group -
How to Use This Guide
Readers should heed the following points when using the guide.Group -
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...Group -
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instr...Group -
Reboot Required
A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will n...Group -
Root Shell Environment Assumed
Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash...Group -
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.