
Apple macOS 14 (Sonoma) Security Technical Implementation Guide


Overview

Date: 2024-05-30
Finding Count: 157 (CAT I (High): 10, CAT II (Med): 145, CAT III (Low): 2)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-259477 High The macOS system must disable password authentication for SSH.
V-259499 High The macOS system must disable Trivial File Transfer Protocol service.
V-259438 High The macOS system must limit SSHD to FIPS-compliant connections.
V-259439 High The macOS system must limit SSH to FIPS-compliant connections.
V-259509 High The macOS system must apply gatekeeper settings to block applications from unidentified developers.
V-259512 High The macOS system must enable Gatekeeper.
V-259515 High The macOS system must require administrator privileges to modify systemwide settings.
V-259510 High The macOS system must disable Bluetooth when no approved device is connected.
V-259560 High The macOS system must ensure System Integrity Protection is enabled.
V-259561 High The macOS system must enforce FileVault.
V-259576 Medium The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
V-259575 Medium The macOS system must enable recovery lock.
V-259574 Medium The macOS system must enforce enrollment in mobile device management.
V-259573 Medium The macOS system must ensure secure boot level set to full.
V-259572 Medium The macOS system must authorize USB devices before allowing connection.
V-259478 Medium The macOS system must disable Server Message Block sharing.
V-259479 Medium The macOS system must disable Network File System service.
V-259476 Medium The macOS system must configure audit_control to not contain access control lists.
V-259474 Medium The macOS system must configure audit_control owner to root.
V-259475 Medium The macOS system must configure audit_control to mode 440 or less permissive.
V-259472 Medium The macOS system must disable root logon for SSH.
V-259473 Medium The macOS system must configure audit_control group to wheel.
V-259470 Medium The macOS system must configure the system to audit all authorization and authentication events.
V-259471 Medium The macOS system must set smart card certificate trust to moderate.
V-259548 Medium The macOS system must enforce multifactor authentication for the su command.
V-259549 Medium The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
V-259542 Medium The macOS system must disable password hints.
V-259543 Medium The macOS system must enable firmware password.
V-259540 Medium The macOS system must require a minimum password length of 14 characters.
V-259541 Medium The macOS system must require passwords contain a minimum of one special character.
V-259546 Medium The macOS system must allow smart card authentication.
V-259547 Medium The macOS system must enforce multifactor authentication for logon.
V-259544 Medium The macOS system must remove password hints from user accounts.
V-259545 Medium The macOS system must enforce smart card authentication.
V-259461 Medium The macOS system must configure audit log folders to mode 700 or less permissive.
V-259460 Medium The macOS system must configure audit log files to mode 440 or less permissive.
V-259463 Medium The macOS system must be configured to audit all changes of object attributes.
V-259462 Medium The macOS system must be configured to audit all deletions of object attributes.
V-259465 Medium The macOS system must be configured to audit all failed write actions on the system.
V-259464 Medium The macOS system must be configured to audit all failed read actions on the system.
V-259466 Medium The macOS system must be configured to audit all failed program execution on the system.
V-259469 Medium The macOS system must configure audit failure notification.
V-259468 Medium The macOS system must configure audit capacity warning.
V-259498 Medium The macOS system must disable iCloud Storage Setup during Setup Assistant.
V-259494 Medium The macOS system must disable sending diagnostic and usage data to Apple.
V-259495 Medium The macOS system must disable Remote Apple Events.
V-259496 Medium The macOS system must disable Apple ID setup during Setup Assistant.
V-259497 Medium The macOS system must disable Privacy Setup services during Setup Assistant.
V-259490 Medium The macOS system must disable iCloud Mail.
V-259491 Medium The macOS system must disable iCloud Notes.
V-259492 Medium The macOS system must disable the camera.
V-259493 Medium The macOS system must disable Siri.
V-259559 Medium The macOS system must configure sudoers timestamp type.
V-259555 Medium The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
V-259554 Medium The macOS system must configure Apple System Log files to mode 640 or less permissive.
V-259557 Medium The macOS system must configure system log files to mode 640 or less permissive.
V-259556 Medium The macOS system must configure system log files to be owned by root and group to wheel.
V-259551 Medium The macOS system must set minimum password lifetime to 24 hours.
V-259550 Medium The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.
V-259553 Medium The macOS system must configure Apple System Log files to be owned by root and group to wheel.
V-259552 Medium The macOS system must disable accounts after 35 days of inactivity.
V-259418 Medium The macOS system must prevent Apple Watch from terminating a session lock.
V-259419 Medium The macOS system must enforce screen saver password.
V-259489 Medium The macOS system must disable iCloud Address Book.
V-259488 Medium The macOS system must disable iCloud Reminders.
V-259487 Medium The macOS system must disable the iCloud Calendar services.
V-259486 Medium The macOS system must disable FaceTime.app.
V-259485 Medium The macOS system must disable AirDrop.
V-259484 Medium The macOS system must disable the built-in web server.
V-259483 Medium The macOS system must disable Internet Sharing.
V-259482 Medium The macOS system must disable Unix-to-Unix Copy Protocol service.
V-259481 Medium The macOS system must disable Bonjour multicast.
V-259480 Medium The macOS system must disable Location Services.
V-259528 Medium The macOS system must disable personalized advertising.
V-259529 Medium The macOS system must disable sending Siri and Dictation information to Apple.
V-259571 Medium The macOS system must prohibit user installation of software into /users/.
V-259520 Medium The macOS system must disable AppleID and Internet Account modifications.
V-259521 Medium The macOS system must disable CD/DVD Sharing.
V-259522 Medium The macOS system must disable content caching service.
V-259570 Medium The macOS system must enable Authenticated Root.
V-259524 Medium The macOS system must disable iCloud Game Center.
V-259525 Medium The macOS system must disable iCloud Private Relay.
V-259526 Medium The macOS system must disable Find My service.
V-259527 Medium The macOS system must disable password autofill.
V-259432 Medium The macOS system must configure audit log files to not contain access control lists.
V-259433 Medium The macOS system must configure audit log folders to not contain access control lists.
V-259430 Medium The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner.
V-259431 Medium The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
V-259436 Medium The macOS system must configure SSHD ClientAliveCountMax to 1.
V-259437 Medium The macOS system must set Login Grace Time to 30.
V-259434 Medium The macOS system must disable FileVault automatic log on.
V-259435 Medium The macOS system must configure SSHD ClientAliveInterval to 900.
V-259538 Medium The macOS system must restrict maximum password lifetime to 60 days.
V-259533 Medium The macOS system must disable Remote Management.
V-259532 Medium The macOS system must disable Printer Sharing.
V-259531 Medium The macOS system must disable dictation.
V-259530 Medium The macOS system must enforce on device dictation.
V-259537 Medium The macOS system must require passwords contain a minimum of one numeric character.
V-259536 Medium The macOS system must issue or obtain public key certificates from an approved service provider.
V-259535 Medium The macOS system must disable the iCloud Freeform services.
V-259534 Medium The macOS system must disable the Bluetooth system settings pane.
V-259449 Medium The macOS system must enforce auto logout after 86400 seconds of inactivity.
V-259448 Medium The macOS system must set SSH Active Server Alive Maximum to 0.
V-259429 Medium The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on.
V-259428 Medium The macOS system must limit consecutive failed log on attempts to three.
V-259425 Medium The macOS system must enforce time synchronization.
V-259424 Medium The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
V-259427 Medium The macOS system must be integrated into a directory services infrastructure.
V-259421 Medium The macOS system must configure user session lock when a smart token is removed.
V-259420 Medium The macOS system must enforce session lock no more than five seconds after screen saver is started.
V-259423 Medium The macOS system must prevent AdminHostInfo from being available at LoginWindow.
V-259422 Medium The macOS system must disable hot corners.
V-259508 Medium The macOS system must disable the system settings pane for Siri.
V-259506 Medium The macOS system must disable the TouchID System Settings pane.
V-259507 Medium The macOS system must disable the System Settings pane for Wallet and Apple Pay.
V-259504 Medium The macOS system must disable iCloud Photo Library.
V-259505 Medium The macOS system must disable Screen Sharing and Apple Remote Desktop.
V-259502 Medium The macOS system must disable iCloud Document synchronization.
V-259503 Medium The macOS system must disable iCloud Bookmarks.
V-259500 Medium The macOS system must disable Siri Setup during Setup Assistant.
V-259501 Medium The macOS system must disable iCloud Keychain synchronization.
V-259523 Medium The macOS system must disable iCloud desktop and document folder synchronization.
V-259447 Medium The macOS system must configure SSHD unused connection timeout to 900.
V-259446 Medium The macOS system must configure SSHD Channel Timeout to 900.
V-259458 Medium The macOS system must configure audit log files group to wheel.
V-259459 Medium The macOS system must configure audit log folders group to wheel.
V-259513 Medium The macOS system must disable unattended or automatic log on to the system.
V-259514 Medium The macOS system must secure user's home folders.
V-259517 Medium The macOS system must disable TouchID for unlocking the device.
V-259516 Medium The macOS system must disable Airplay Receiver.
V-259450 Medium The macOS system must be configured to use an authorized time server.
V-259451 Medium The macOS system must enable time synchronization daemon.
V-259452 Medium The macOS system must be configured to audit all administrative action events.
V-259453 Medium The macOS system must be configured to audit all log on and log out events.
V-259454 Medium The macOS system must enable security auditing.
V-259455 Medium The macOS system must configure system to shut down upon audit failure.
V-259456 Medium The macOS system must configure audit log files to be owned by root.
V-259457 Medium The macOS system must configure audit log folders to be owned by root.
V-259511 Medium The macOS system must disable the guest account.
V-259564 Medium The macOS system must disable TouchID prompt during Setup Assistant.
V-259565 Medium The macOS system must disable Screen Time prompt during Setup Assistant.
V-259566 Medium The macOS system must disable Unlock with Apple Watch during Setup Assistant.
V-259567 Medium The macOS system must disable Handoff.
V-259562 Medium The macOS system must enable the application firewall.
V-259563 Medium The macOS system must configure login window to prompt for username and password.
V-259443 Medium The macOS system must disable logon to other user's active and locked sessions.
V-259442 Medium The macOS system must enable SSH server for remote access sessions.
V-259441 Medium The macOS system must enforce screen saver timeout.
V-259440 Medium The macOS system must set account lockout time to 15 minutes.
V-259568 Medium The macOS system must disable proximity-based password sharing requests.
V-259569 Medium The macOS system must disable Erase Content and Settings.
V-259445 Medium The macOS system must configure SSH ServerAliveInterval option set to 900.
V-259444 Medium The macOS system must disable root logon.
V-259519 Medium The macOS system must disable Bluetooth sharing.
V-259518 Medium The macOS system must disable Media Sharing.
V-259467 Low The macOS system must configure audit retention to seven days.
V-259558 Low The macOS system must configure install.log retention to 365.