Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The macOS system must set minimum password lifetime to 24 hours.
<VulnDiscussion>The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycl...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
The macOS system must disable accounts after 35 days of inactivity.
<VulnDiscussion>The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from employ...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel.
<VulnDiscussion>The Apple System Logs must be owned by root. ASLs contain sensitive data about the system and users. Setting ASL files to be...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive.
<VulnDiscussion>The Apple System Logs must be configured to be writable by root and readable only by the root user and group wheel. To achiev...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure system log files owned by root and group to wheel.
<VulnDiscussion>The system log files must be owned by root. System logs contain sensitive data about the system and users. Setting log files...Rule Medium Severity -
SRG-OS-000205-GPOS-00083
<GroupDescription></GroupDescription>Group -
The macOS system must configure system log files to mode 640 or less permissive.
<VulnDiscussion>The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this...Rule Medium Severity -
SRG-OS-000341-GPOS-00132
<GroupDescription></GroupDescription>Group -
The macOS system must configure install.log retention to 365.
<VulnDiscussion>The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unles...Rule Low Severity -
SRG-OS-000051-GPOS-00024
<GroupDescription></GroupDescription>Group -
The macOS system must ensure System Integrity Protection is enabled.
<VulnDiscussion>System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software fr...Rule High Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
The macOS system must enforce FileVault.
<VulnDiscussion>The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored...Rule High Severity -
SRG-OS-000480-GPOS-00232
<GroupDescription></GroupDescription>Group -
The macOS system must enable macOS Application Firewall.
<VulnDiscussion>The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled. When the macOS Applic...Rule Medium Severity -
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
The macOS system must configure the login window to prompt for username and password.
<VulnDiscussion>The login window must be configured to prompt all users for both a username and a password. By default, the system displays ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable the TouchID prompt during Setup Assistant.
<VulnDiscussion>The prompt for TouchID during Setup Assistant must be disabled. macOS prompts new users through enabling TouchID during Setu...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable the Screen Time prompt during Setup Assistant.
<VulnDiscussion>The prompt for Screen Time setup during Setup Assistant must be disabled. Enabling any service increases the attack surface...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable Unlock with Apple Watch during Setup Assistant.
<VulnDiscussion>The prompt for Apple Watch unlock setup during Setup Assistant must be disabled. Disabling Apple watches is a necessary step...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
The macOS system must disable Handoff.
<VulnDiscussion>Handoff must be disabled. Handoff allows users to continue working on a document or project when the user switches from one ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable proximity-based password sharing requests.
<VulnDiscussion>Proximity-based password sharing requests must be disabled. The default behavior of macOS is to allow users to request passw...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable Erase Content and Settings.
<VulnDiscussion>Erase Content and Settings must be disabled. Without disabling the Erase Content and Settings configuration, forensics data ...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
The macOS system must enable Authenticated Root.
<VulnDiscussion>Authenticated Root must be enabled. When Authenticated Root is enabled, the macOS is booted from a signed volume that is cry...Rule Medium Severity -
SRG-OS-000362-GPOS-00149
<GroupDescription></GroupDescription>Group -
The macOS system must prohibit user installation of software into /users/.
<VulnDiscussion>Users must not be allowed to install software into /users/. Allowing regular users without explicit privileges to install so...Rule Medium Severity -
SRG-OS-000378-GPOS-00163
<GroupDescription></GroupDescription>Group -
The macOS system must authorize USB devices before allowing connection.
<VulnDiscussion>USB devices connected to a Mac must be authorized. [IMPORTANT] ==== This feature is removed if a smart card is paired or sma...Rule Medium Severity -
SRG-OS-000445-GPOS-00199
<GroupDescription></GroupDescription>Group -
The macOS system must ensure Secure Boot level is set to "full".
<VulnDiscussion>The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During st...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The macOS system must enforce enrollment in Mobile Device Management (MDM).
<VulnDiscussion>Users must enroll their Mac in MDM software. User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The macOS system must enable Recovery Lock.
<VulnDiscussion>A Recovery Lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other to...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
<VulnDiscussion>Software Update must be configured to update XProtect Remediator and Gatekeeper automatically. This setting enforces definit...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The macOS system must disable Genmoji.
<VulnDiscussion>Apple Intelligence features that use off-device Artificial Intelligence (AI) must be disabled. Use of off-device AI poses a ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.