Apple macOS 14 (Sonoma) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000079-GPOS-00047
<GroupDescription></GroupDescription>Group -
The macOS system must remove password hints from user accounts.
<VulnDiscussion>User accounts must not contain password hints. Password hints leak information about passwords that are currently in use and ...Rule Medium Severity -
SRG-OS-000067-GPOS-00035
<GroupDescription></GroupDescription>Group -
The macOS system must enforce smart card authentication.
<VulnDiscussion>Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the ri...Rule Medium Severity -
SRG-OS-000068-GPOS-00036
<GroupDescription></GroupDescription>Group -
The macOS system must allow smart card authentication.
<VulnDiscussion>Smart card authentication must be allowed. The use of smart card credentials facilitates standardization and reduces the ris...Rule Medium Severity -
SRG-OS-000105-GPOS-00052
<GroupDescription></GroupDescription>Group -
The macOS system must enforce multifactor authentication for logon.
<VulnDiscussion>The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to...Rule Medium Severity -
SRG-OS-000105-GPOS-00052
<GroupDescription></GroupDescription>Group -
The macOS system must enforce multifactor authentication for the su command.
<VulnDiscussion>The system must be configured such that, when the su command is used, multifactor authentication is enforced. All users must...Rule Medium Severity -
SRG-OS-000105-GPOS-00052
<GroupDescription></GroupDescription>Group -
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
<VulnDiscussion>The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All ...Rule Medium Severity -
SRG-OS-000069-GPOS-00037
<GroupDescription></GroupDescription>Group -
The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.
<VulnDiscussion>The macOS be configured to require at least one lowercase character and one uppercase character be used when a password is cr...Rule Medium Severity -
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The macOS system must set minimum password lifetime to 24 hours.
<VulnDiscussion>The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycl...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
The macOS system must disable accounts after 35 days of inactivity.
<VulnDiscussion>The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure Apple System Log files to be owned by root and group to wheel.
<VulnDiscussion>The Apple System Logs (ASL) must be owned by root. ASL logs contain sensitive data about the system and users. If ASL log fi...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure Apple System Log files to mode 640 or less permissive.
<VulnDiscussion>The Apple System Logs (ASL) must be configured to be writable by root and readable only by the root user and group wheel. To ...Rule Medium Severity -
SRG-OS-000373-GPOS-00156
<GroupDescription></GroupDescription>Group -
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
<VulnDiscussion>The file /etc/sudoers must include a timestamp_timout of 0. Without reauthentication, users may access resources or perform ...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure system log files to be owned by root and group to wheel.
<VulnDiscussion>The system log files must be owned by root. System logs contain sensitive data about the system and users. If log files are ...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure system log files to mode 640 or less permissive.
<VulnDiscussion>The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this...Rule Medium Severity -
SRG-OS-000341-GPOS-00132
<GroupDescription></GroupDescription>Group -
The macOS system must configure install.log retention to 365.
<VulnDiscussion>The install.log must be configured to require records be kept for an organizational-defined value before deletion, unless the...Rule Low Severity -
SRG-OS-000373-GPOS-00156
<GroupDescription></GroupDescription>Group -
The macOS system must configure sudoers timestamp type.
<VulnDiscussion>The file /etc/sudoers must be configured to not include a timestamp_type of global or ppid and be configured for timestamp re...Rule Medium Severity -
SRG-OS-000051-GPOS-00024
<GroupDescription></GroupDescription>Group -
The macOS system must ensure System Integrity Protection is enabled.
<VulnDiscussion>System Integrity Protection (SIP) must be enabled. SIP is vital to protecting the integrity of the system as it prevents mal...Rule High Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
The macOS system must enforce FileVault.
<VulnDiscussion>FileVault must be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and in...Rule High Severity -
SRG-OS-000480-GPOS-00232
<GroupDescription></GroupDescription>Group -
The macOS system must enable the application firewall.
<VulnDiscussion>The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Applic...Rule Medium Severity -
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
The macOS system must configure login window to prompt for username and password.
<VulnDiscussion>The login window must be configured to prompt all users for both a username and a password. By default, the system displays ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable TouchID prompt during Setup Assistant.
<VulnDiscussion>The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setu...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable Screen Time prompt during Setup Assistant.
<VulnDiscussion>The prompt for Screen Time setup during Setup Assistant must be disabled.</VulnDiscussion><FalsePositives></Fa...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable Unlock with Apple Watch during Setup Assistant.
<VulnDiscussion>The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple watches is a necessary step...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
The macOS system must disable Handoff.
<VulnDiscussion>Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable proximity-based password sharing requests.
<VulnDiscussion>Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passw...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.