Apple macOS 13 (Ventura) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.

    By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identi...
    Rule Medium Severity
  • SRG-OS-000341-GPOS-00132

    Group
  • SRG-OS-000343-GPOS-00134

    Group
  • The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

    The audit service must be configured to require a minimum percentage of free disk space to run. This ensures that audit will notify the administrator that action is required to free up more disk sp...
    Rule Low Severity
  • SRG-OS-000344-GPOS-00135

    Group
  • SRG-OS-000470-GPOS-00214

    Group
  • The macOS system must generate audit records for DOD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-OS-000067-GPOS-00035

    Group
  • SRG-OS-000109-GPOS-00056

    Group
  • The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

    Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administra...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable SMB File Sharing unless it is required.

    File sharing is usually nonessential and must be disabled if not required. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface i...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable Bonjour multicast advertising.

    To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable Web Sharing.

    To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable the iCloud Calendar services.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable iCloud Address Book services.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable the iCloud Mail services.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable the iCloud Notes services.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable Siri and dictation.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    Group
  • SRG-OS-000096-GPOS-00050

    Group
  • The macOS system must be configured to disable Remote Apple Events.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000370-GPOS-00155

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable the system preference pane for Internet Accounts.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must be configured to disable the Privacy Setup services.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000074-GPOS-00042

    Group
  • The macOS system must be configured to disable the "tftp" service.

    The "tftp" service must be disabled as it sends all data in a clear-text form that can be easily intercepted and read. The data needs to be protected at all times during transmission, and encryptio...
    Rule High Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The macOS system must disable iCloud Keychain synchronization.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
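The three audit rules listed above (auditing access-restriction enforcement, warning at 75 percent of audit storage, and recording logon events) are all settings on two lines of /etc/security/audit_control: the flags: line, where the fm class covers file attribute modification and lo covers login/logout, and the minfree: line, which states the percentage of the audit volume that must remain free (75 percent used is minfree:25). The following check is an editor-added example, not DISA's STIG content or the benchmark's own check text; the mapping of the truncated rule titles to the fm and lo flags is the editor's reading and should be confirmed against the full XCCDF rule. The two file contents are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: checks the audit_control settings behind three rules above.
# Constructed sample of /etc/security/audit_control, not taken from any host.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,aa,ad,fd,fm,-all
minfree:25
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:60d'

# A constructed weak configuration: only failed attribute changes (-fm) are
# audited and the free-space floor is 5 percent.
WEAK_AUDIT_CONTROL='dir:/var/audit
flags:lo,-fm
minfree:5
naflags:lo,aa
policy:cnt'

# audit_flag_present CONFIG FLAG
# True only if FLAG appears as a positive, exact entry on the flags: line.
# "-fm" (failures only) and "^fm" (negation) do not satisfy a requirement for fm.
audit_flag_present() {
  printf '%s\n' "$1" | sed -n 's/^flags://p' | tr ',' '\n' | grep -qx -- "$2"
}

# audit_minfree CONFIG
# Prints the minfree: value, or nothing if the line is absent.
audit_minfree() {
  printf '%s\n' "$1" | sed -n 's/^minfree://p'
}

# audit_warns_at_75pct CONFIG
# The rule is phrased as "warn at 75 percent used"; audit_control expresses the
# same threshold as the percentage that must stay free, so require minfree >= 25.
audit_warns_at_75pct() {
  _mf=$(audit_minfree "$1")
  case "$_mf" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_mf" -ge 25 ]
}

# audit_control_report CONFIG
# Prints one PASS/FAIL line per check; exit status is the number of failures.
audit_control_report() {
  _cfg=$1; _fail=0
  for _flag in fm lo; do
    if audit_flag_present "$_cfg" "$_flag"; then
      echo "PASS flags: contains $_flag"
    else
      echo "FAIL flags: lacks $_flag"; _fail=$((_fail + 1))
    fi
  done
  if audit_warns_at_75pct "$_cfg"; then
    echo "PASS minfree: $(audit_minfree "$_cfg") (>= 25)"
  else
    echo "FAIL minfree: '$(audit_minfree "$_cfg")', need >= 25"; _fail=$((_fail + 1))
  fi
  return $_fail
}

# Use the live file on a macOS host, the constructed sample elsewhere.
main() {
  if [ -r /etc/security/audit_control ]; then
    audit_control_report "$(cat /etc/security/audit_control)"
  else
    audit_control_report "$SAMPLE_AUDIT_CONTROL"
  fi
}
main
```

After editing the live file, the running audit daemon does not pick up the new flags until it is told to reread its configuration (audit -s), so a check that only greps the file can pass while the daemon still runs with the old flags; the exact-match test above also deliberately rejects -fm, because failure-only auditing does not record the successful configuration changes the first rule is about.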

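Four of the "must be configured to disable" rules above (SMB File Sharing, Web Sharing, the "tftp" service, Remote Apple Events) concern launchd system daemons, and the state the checker needs is the "disabled services" map that launchctl print-disabled system prints. The script below is an editor-added example, not DISA's or the benchmark's own check text: the sample launchctl output is constructed, the function names are hypothetical, and the mapping of the four rules to the labels com.apple.smbd, org.apache.httpd, com.apple.tftpd and com.apple.AEServer is the editor's, to be confirmed against the full rule text. The point it makes that a plain grep misses is that a label absent from the map is not disabled.

```sh
#!/bin/sh
# Added example: evaluates `launchctl print-disabled system` output against the
# daemons the rules above require to be disabled.
# Constructed sample output (not captured from a real host); on macOS the real
# command must run as root.
SAMPLE_LAUNCHCTL='disabled services = {
    "com.apple.smbd" => disabled
    "com.apple.tftpd" => disabled
    "org.apache.httpd" => enabled
    "com.apple.AEServer" => disabled
    "com.apple.screensharing" => enabled
}'

# Labels behind the four launchd-based rules (assumed mapping, see lead-in).
STIG_DISABLED_DAEMONS='com.apple.smbd org.apache.httpd com.apple.tftpd com.apple.AEServer'

# service_disabled OUTPUT LABEL
# True only if LABEL is explicitly "=> disabled". A label missing from the map
# is NOT disabled: launchd then falls back to the job's own default. Fixed-
# string matching with the surrounding quotes keeps "com.apple.smb" from
# matching "com.apple.smbd".
service_disabled() {
  printf '%s\n' "$1" | grep -qF "\"$2\" => disabled"
}

# services_not_disabled OUTPUT "LABEL LABEL ..."
# Prints, one per line, each label that is not disabled; exit status 1 if any.
services_not_disabled() {
  _out=$1; _rc=0
  for _label in $2; do
    if ! service_disabled "$_out" "$_label"; then
      printf '%s\n' "$_label"; _rc=1
    fi
  done
  return $_rc
}

# remediation LABEL
# The launchctl invocations that persistently disable a system daemon and
# unload any running instance. Printed rather than executed so the block is
# safe to run anywhere; on the target host, pipe the output to `sudo sh`.
remediation() {
  printf 'launchctl disable system/%s\n' "$1"
  printf 'launchctl bootout system/%s\n' "$1"
}

main() {
  if [ "$(uname)" = Darwin ] && [ -x /bin/launchctl ]; then
    # Needs root; without it the live map is empty and everything reports failing.
    live=$(/bin/launchctl print-disabled system 2>/dev/null)
  else
    live=$SAMPLE_LAUNCHCTL
  fi
  if failing=$(services_not_disabled "$live" "$STIG_DISABLED_DAEMONS"); then
    echo "all required daemons are disabled"
  else
    for _l in $failing; do
      echo "# $_l is not disabled"
      remediation "$_l"
    done
  fi
}
main
```

The Bonjour, iCloud, Siri and Internet Accounts rules on this page are not launchd jobs and do not appear in this map; they are enforced through configuration-profile keys (for the iCloud services and Siri, the allowCloud* and allowAssistant keys of Apple's Restrictions payload, read back from /Library/Managed Preferences), so a separate check is needed for those.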