| Finding ID |
Severity |
Title |
Description |
|
V-268556
|
High |
The macOS system must enforce FileVault. |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 |
|
V-268555
|
High |
The macOS system must ensure System Integrity Protection is enabled. |
System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit... |
|
V-268514
|
High |
The macOS system must require an administrator password to modify systemwide preferences. |
The system must be configured to require an administrator password to modify the systemwide preferences in System Settings.
Some Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these systemwide settings reduces the risk of an unauthorized user modifying system configurations. |
|
V-268512
|
High |
The macOS system must disable unattended or automatic login to the system. |
Automatic login must be disabled.
When automatic logins are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged... |
|
V-268511
|
High |
The macOS system must enable gatekeeper. |
Gatekeeper must be enabled.
Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.
Administrator users will still... |
|
V-268509
|
High |
The macOS system must disable Bluetooth when no approved device is connected. |
The macOS system must be configured to disable Bluetooth unless an approved device is connected.
[IMPORTANT]
====
Information system security officers (ISSOs) may make the risk-based decision not to disable Bluetooth to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.... |
|
V-268508
|
High |
The macOS system must apply gatekeeper settings to block applications from unidentified developers. |
The information system implements cryptographic mechanisms to authenticate software prior to installation.
Gatekeeper settings must be configured correctly to allow the system to run only applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to... |
|
V-268499
|
High |
The macOS system must disable Trivial File Transfer Protocol (TFTP) service. |
If the system does not require TFTP support, it is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and unauthorized transfer of information.
NOTE: TFTP service is disabled at startup by default with... |
|
V-268477
|
High |
The macOS system must disable password authentication for SSH. |
If remote login through SSH is enabled, password-based authentication must be disabled for user login.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the... |
|
V-268439
|
High |
The macOS system must limit SSH to FIPS-compliant connections. |
SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS-140 validated.
FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements.
Operating systems using encryption must use FIPS-validated mechanisms for... |
|
V-268438
|
High |
The macOS system must limit SSHD to FIPS-compliant connections. |
If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS-140 validated.
FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements.
Operating systems using encryption must... |
|
V-269566
|
Medium |
The macOS system must disable sending search data from Spotlight to Apple. |
Sending data to Apple to help improve search must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of search data will mitigate the risk of unwanted data being sent to Apple. |
|
V-269096
|
Medium |
The macOS system must disable sending audio recordings and transcripts to Apple. |
The ability for Apple to store and review audio recordings and transcripts of vocal shortcuts and voice control interactions must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of this information will mitigate the risk of unwanted data being sent to Apple. |
|
V-269095
|
Medium |
The macOS system must configure audit_control to not contain access control lists (ACLs). |
/etc/security/audit_control must not contain ACLs.
/etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators to prevent normal users from manipulating audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 |
|
V-269094
|
Medium |
The macOS system must be configured to audit all failed program execution on the system. |
The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying... |
|
V-269093
|
Medium |
The macOS system must enforce SSH to display a policy banner. |
SSH must be configured to display a policy banner.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System... |
|
V-268575
|
Medium |
The macOS system must be a supported release. |
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. |
|
V-268574
|
Medium |
The macOS system must disable Apple Intelligence Writing Tools. |
Apple Intelligence features that use off device Artificial Intelligence must be disabled.
Use of off-device AI poses a data loss risk. |
|
V-268573
|
Medium |
The macOS system must disable Apple Intelligence Image Generation. |
Apple Intelligence features that use off-device artificial intelligence must be disabled.
Use of off-device AI poses a data loss risk. |
|
V-268572
|
Medium |
The macOS system must disable Genmoji. |
Apple Intelligence features that use off-device Artificial Intelligence (AI) must be disabled.
Use of off-device AI poses a data loss risk. |
|
V-268571
|
Medium |
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. |
Software Update must be configured to update XProtect Remediator and Gatekeeper automatically.
This setting enforces definition updates for XProtect Remediator and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not... |
|
V-268570
|
Medium |
The macOS system must enable Recovery Lock. |
A Recovery Lock password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools.
IMPORTANT: Recovery lock passwords are not supported on... |
|
V-268569
|
Medium |
The macOS system must enforce enrollment in Mobile Device Management (MDM). |
Users must enroll their Mac in MDM software.
User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently, these include:
* Allowed Kernel Extensions.
* Allowed Approved System Extensions.
* Privacy Preferences Policy Control Payload.
* ExtensibleSingleSignOn.... |
|
V-268568
|
Medium |
The macOS system must ensure Secure Boot level is set to "full". |
The Secure Boot security setting must be set to "full".
Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot.
NOTE: This will... |
|
V-268567
|
Medium |
The macOS system must authorize USB devices before allowing connection. |
USB devices connected to a Mac must be authorized.
[IMPORTANT]
====
This feature is removed if a smart card is paired or smart card attribute mapping is configured.
====
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140 |
|
V-268566
|
Medium |
The macOS system must prohibit user installation of software into /users/. |
Users must not be allowed to install software into /users/.
Allowing regular users without explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds... |
|
V-268565
|
Medium |
The macOS system must enable Authenticated Root. |
Authenticated Root must be enabled.
When Authenticated Root is enabled, the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
NOTE: Authenticated Root is enabled by default on macOS systems.
WARNING: If more than one partition with macOS is detected, the... |
|
V-268564
|
Medium |
The macOS system must disable Erase Content and Settings. |
Erase Content and Settings must be disabled.
Without disabling the Erase Content and Settings configuration, forensics data could be lost if this feature is activated on a compromised system. |
|
V-268563
|
Medium |
The macOS system must disable proximity-based password sharing requests. |
Proximity-based password sharing requests must be disabled.
The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature must be disabled to prevent passwords from being shared. |
|
V-268562
|
Medium |
The macOS system must disable Handoff. |
Handoff must be disabled.
Handoff allows users to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 |
|
V-268561
|
Medium |
The macOS system must disable Unlock with Apple Watch during Setup Assistant. |
The prompt for Apple Watch unlock setup during Setup Assistant must be disabled.
Disabling Apple watches is a necessary step to ensuring the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. |
|
V-268560
|
Medium |
The macOS system must disable the Screen Time prompt during Setup Assistant. |
The prompt for Screen Time setup during Setup Assistant must be disabled.
Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268559
|
Medium |
The macOS system must disable the TouchID prompt during Setup Assistant. |
The prompt for TouchID during Setup Assistant must be disabled.
macOS prompts new users through enabling TouchID during Setup Assistant; this is not essential and, therefore, must be disabled to prevent the risk of individuals electing to enable TouchID to override organizationwide settings. |
|
V-268558
|
Medium |
The macOS system must configure the login window to prompt for username and password. |
The login window must be configured to prompt all users for both a username and a password.
By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to... |
|
V-268557
|
Medium |
The macOS system must enable macOS Application Firewall. |
The macOS Application Firewall is the built-in firewall that comes with macOS, and it must be enabled.
When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. |
|
V-268553
|
Medium |
The macOS system must configure system log files to mode 640 or less permissive. |
The system logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, system log files must be configured to mode 640 permissive or less, thereby preventing normal users from reading, modifying, or deleting audit logs.
System logs frequently... |
|
V-268552
|
Medium |
The macOS system must configure system log files owned by root and group to wheel. |
The system log files must be owned by root.
System logs contain sensitive data about the system and users. Setting log files to be readable and writable only by system administrators mitigates the risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084 |
|
V-268551
|
Medium |
The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive. |
The Apple System Logs must be configured to be writable by root and readable only by the root user and group wheel. To achieve this, ASL files must be configured to mode 640 permissive or less, thereby preventing normal users from reading, modifying, or deleting audit logs.
System logs frequently... |
|
V-268550
|
Medium |
The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel. |
The Apple System Logs must be owned by root.
ASLs contain sensitive data about the system and users. Setting ASL files to be readable and writable only by system administrators mitigates the risk.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084 |
|
V-268549
|
Medium |
The macOS system must disable accounts after 35 days of inactivity. |
The macOS must be configured to disable accounts after 35 days of inactivity.
This rule prevents malicious users from employing unused accounts to gain access to the system while avoiding detection.
Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110 |
|
V-268548
|
Medium |
The macOS system must set minimum password lifetime to 24 hours. |
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours.
This rule discourages users from cycling through their previous passwords to get back to a preferred one.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules... |
|
V-268547
|
Medium |
The macOS system must require that passwords contain a minimum of one lowercase character and one uppercase character. |
The macOS must be configured to require that at least one lowercase character and one uppercase character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST... |
|
V-268546
|
Medium |
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. |
The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a... |
|
V-268545
|
Medium |
The macOS system must enforce multifactor authentication for the su command. |
The system must be configured such that, when the su command is used, multifactor authentication is enforced.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy... |
|
V-268544
|
Medium |
The macOS system must enforce multifactor authentication for login. |
The system must be configured to enforce multifactor authentication.
All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that... |
|
V-268543
|
Medium |
The macOS system must allow smart card authentication. |
Smart card authentication must be allowed.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.
When enabled, the smart card can be used for login, authorization, and screen saver unlocking.
Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000376-GPOS-00161 |
|
V-268542
|
Medium |
The macOS system must enforce smart card authentication. |
Smart card authentication must be enforced.
The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to "true", the smart card must be used for login, authorization, and unlocking the screen saver.
CAUTION: enforceSmartCard will apply to the whole system. No... |
|
V-268541
|
Medium |
The macOS system must remove password hints from user accounts. |
User accounts must not contain password hints.
Password hints leak information about passwords in use and can lead to loss of confidentiality. |
|
V-268540
|
Medium |
The macOS system must enable firmware password. |
A firmware password must be enabled and set.
Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools.
To set a firmware passcode, use the following command:... |
|
V-268539
|
Medium |
The macOS system must disable password hints. |
Password hints must be disabled.
Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. |
|
V-268538
|
Medium |
The macOS system must require that passwords contain a minimum of one special character. |
The macOS must be configured to require that at least one special character be used when a password is created.
Special characters are characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
This rule enforces password complexity by requiring users to set passwords that... |
|
V-268537
|
Medium |
The macOS system must require a minimum password length of 14 characters. |
The macOS must be configured to require that a minimum of 14 characters be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and... |
|
V-268536
|
Medium |
The macOS system must restrict maximum password lifetime to 60 days. |
The macOS must be configured to enforce a maximum password lifetime limit of at least 60 days.
This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.
NOTE: The guidance for password-based authentication in NIST... |
|
V-268535
|
Medium |
The macOS system must require that passwords contain a minimum of one numeric character. |
The macOS must be configured to require at least one numeric character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST... |
|
V-268534
|
Medium |
The macOS system must issue or obtain public key certificates from an approved service provider. |
The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain.
Satisfies: SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230 |
|
V-268533
|
Medium |
The macOS system must disable the iCloud Freeform services. |
The macOS built-in Freeform.app connection to Apple's iCloud service must be disabled.
Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268532
|
Medium |
The macOS system must disable the Bluetooth System Settings pane. |
The Bluetooth System Setting pane must be disabled to prevent access to the Bluetooth configuration. |
|
V-268531
|
Medium |
The macOS system must disable Remote Management. |
Remote Management must be disabled. |
|
V-268530
|
Medium |
The macOS system must disable Printer Sharing. |
Printer Sharing must be disabled. |
|
V-268529
|
Medium |
The macOS system must disable Dictation. |
Dictation must be disabled on Intel-based Macs as the feature On Device Dictation is only available on Apple Silicon devices. |
|
V-268528
|
Medium |
The macOS system must enforce On Device Dictation. |
Dictation must be restricted to On Device Only to prevent potential data exfiltration.
The information system must be configured to provide only essential capabilities. |
|
V-268527
|
Medium |
The macOS system must disable sending Siri and Dictation information to Apple. |
The ability for Apple to store and review audio of Siri and Dictation interactions must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple. |
|
V-268526
|
Medium |
The macOS system must disable Personalized Advertising. |
Ad tracking and targeted ads must be disabled.
The information system must be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. |
|
V-268525
|
Medium |
The macOS system must disable Find My service. |
The Find My service must be disabled.
A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service.
Apple's Find My service uses a personal AppleID for authentication. Organizations must rely on MDM solutions, which have much more secure... |
|
V-268524
|
Medium |
The macOS system must disable iCloud Private Relay. |
Enterprise networks may be required to audit all network traffic by policy; therefore, iCloud Private Relay must be disabled.
Network administrators can also prevent the use of this feature by blocking DNS resolution of mask.icloud.com and mask-h2.icloud.com. |
|
V-268523
|
Medium |
The macOS system must disable iCloud Game Center. |
This works only with supervised devices (mobile device management [MDM]) and allows to disable Apple Game Center. The rationale is that Game Center is using Apple ID and will share data on AppleID-based services; therefore, Game Center must be disabled.
This setting also prohibits the functionality of adding friends to... |
|
V-268522
|
Medium |
The macOS system must disable iCloud Desktop and Document folder sync. |
The macOS system's ability to automatically synchronize a user's Desktop and Documents folder to their iCloud Drive must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization must be controlled by an organization-approved service. |
|
V-268521
|
Medium |
The macOS system must disable Content Caching service. |
Content Caching must be disabled.
Content Caching is a macOS service that helps reduce internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server. |
|
V-268520
|
Medium |
The macOS system must disable CD/DVD Sharing. |
CD/DVD Sharing must be disabled. |
|
V-268519
|
Medium |
The macOS system must disable AppleID and internet Account Modification. |
The system must disable Account Modification.
Account Modification includes adding or modifying internet accounts in Apple Mail, Calendar, or Contacts in the Internet Account System Setting Pane or the AppleID System Setting Pane.
This prevents the addition of unauthorized accounts.
[IMPORTANT]
====
Some organizations may allow the use and configuration... |
|
V-268518
|
Medium |
The macOS system must disable Bluetooth Sharing. |
|
|
V-268517
|
Medium |
The macOS system must disable Media Sharing. |
Media Sharing must be disabled.
When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet.
The information system must be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the... |
|
V-268516
|
Medium |
The macOS system must disable TouchID for unlocking the device. |
TouchID enables the ability to unlock a Mac system with a user's fingerprint.
TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID.
The system must remain locked until the user establishes access using an authorized identification and authentication method.
NOTE: TouchID... |
|
V-268515
|
Medium |
The macOS system must disable Airplay Receiver. |
Airplay Receiver allows users to send content from one Apple device to be displayed on the screen as it is being played from another device.
Support for Airplay Receiver is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 |
|
V-268513
|
Medium |
The macOS system must secure users' home folders. |
The system must be configured to prevent access to other users' home folders.
The default behavior of macOS is to allow all valid users access to the top level of every other user's home folder while restricting access only to the Apple default folders within.
Satisfies: SRG-OS-000480-GPOS-00230, SRG-OS-000480-GPOS-00228 |
|
V-268510
|
Medium |
The macOS system must disable the guest account. |
Guest access must be disabled.
Turning off guest access prevents anonymous users from accessing files. |
|
V-268507
|
Medium |
The macOS system must disable the system settings pane for Siri. |
The System Settings pane for Siri must be hidden.
Hiding the System Settings pane prevents users from configuring Siri. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268506
|
Medium |
The macOS system must disable the System Settings pane for Wallet and Apple Pay. |
The System Settings pane for Wallet and Apple Pay must be disabled.
Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268505
|
Medium |
The macOS system must disable Screen Sharing and Apple Remote Desktop. |
Support for both Screen Sharing and Apple Remote Desktop is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Screen Sharing and Apple Remote Desktop helps prevent unauthorized connection of devices, transfer of information, and tunneling. |
|
V-268504
|
Medium |
The macOS system must disable iCloud Photo Library. |
The macOS built-in Photos.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization must be controlled by an organization-approved service. |
|
V-268503
|
Medium |
The macOS system must disable iCloud Bookmarks. |
The macOS built-in Safari.app bookmark synchronization via the iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated bookmark synchronization must be controlled by an organization-approved service. |
|
V-268502
|
Medium |
The macOS system must disable iCloud Document Sync. |
The macOS built-in iCloud document synchronization service must be disabled to prevent organizational data from being synchronized to personal or nonapproved storage.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization must be controlled by an... |
|
V-268501
|
Medium |
The macOS system must disable iCloud Keychain Sync. |
The macOS system's ability to automatically synchronize a user's passwords to their iCloud account must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization must be controlled by an organization-approved service. |
|
V-268500
|
Medium |
The macOS system must disable Siri Setup during Setup Assistant. |
The prompt for Siri during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The macOS Siri Assistant Setup prompt guides new users through enabling their own specific Siri settings. This is not essential and, therefore, must be disabled to prevent the risk of individuals electing Siri settings... |
|
V-268498
|
Medium |
The macOS system must disable iCloud storage setup during Setup Assistant. |
The prompt to set up iCloud storage services during Setup Assistant must be disabled.
The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations with more control over their data storage. |
|
V-268497
|
Medium |
The macOS system must disable Privacy Setup services during Setup Assistant. |
The prompt for Privacy Setup services during Setup Assistant must be disabled.
Organizations must apply organizationwide configuration settings. The macOS Privacy Setup services prompt guides new users through enabling their own specific privacy settings. This is not essential and, therefore, must be disabled to prevent the risk of individuals electing... |
|
V-268496
|
Medium |
The macOS system must disable Apple ID setup during Setup Assistant. |
The prompt for Apple ID setup during Setup Assistant must be disabled.
macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled. This can mislead new users into thinking they need to create Apple ID accounts... |
|
V-268495
|
Medium |
The macOS system must disable Remote Apple Events. |
If the system does not require Remote Apple Events, support for Apple Remote Events is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent unauthorized connection of devices, transfer of information, and tunneling.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000096-GPOS-00050 |
|
V-268494
|
Medium |
The macOS system must disable sending diagnostic and usage data to Apple. |
The ability to submit diagnostic data to Apple must be disabled.
The information system must be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000206-GPOS-00084 |
|
V-268493
|
Medium |
The macOS system must disable Siri. |
Support for Siri is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268492
|
Medium |
The macOS system must disable the camera. |
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect from collaborative computing devices... |
|
V-268491
|
Medium |
The macOS system must disable iCloud Notes. |
The macOS built-in Notes.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization must be controlled by an organization-approved service. |
|
V-268490
|
Medium |
The macOS system must disable iCloud Mail. |
The macOS built-in Mail.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated mail synchronization must be controlled by an organization-approved service. |
|
V-268489
|
Medium |
The macOS system must disable iCloud Address Book. |
The macOS built-in Contacts.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization must be controlled by an organization-approved service. |
|
V-268488
|
Medium |
The macOS system must disable iCloud Reminders. |
The macOS built-in Reminders.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization must be controlled by an organization-approved service. |
|
V-268487
|
Medium |
The macOS system must disable the iCloud Calendar services. |
The macOS built-in Calendar.app connection to Apple's iCloud service must be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization must be controlled by an organization-approved service. |
|
V-268486
|
Medium |
The macOS system must disable FaceTime.app. |
The macOS built-in FaceTime.app must be disabled.
The FaceTime.app establishes a connection to Apple's iCloud service even when security controls have been put in place to disable iCloud access.
[IMPORTANT]
====
Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third-party... |
|
V-268485
|
Medium |
The macOS system must disable AirDrop. |
AirDrop must be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 |
|
V-268484
|
Medium |
The macOS system must disable the built-in web server. |
The built-in web server is a nonessential service built into macOS and must be disabled.
NOTE: The built-in web server is disabled at startup by default with macOS. |
|
V-268483
|
Medium |
The macOS system must disable Internet Sharing. |
If the system does not require Internet Sharing, support for it is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Internet Sharing helps prevent unauthorized connection of devices, transfer of information, and tunneling. |
|
V-268482
|
Medium |
The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. |
The system must not have the UUCP service active.
UUCP, a set of programs that enables sending files between different Unix systems and sending commands to be executed on another system, is not essential and must be disabled to prevent unauthorized connection of devices, transfer of information, and tunneling.
NOTE:... |
|
V-268481
|
Medium |
The macOS system must disable Bonjour multicast. |
Bonjour multicast advertising must be disabled to prevent the system from broadcasting its presence and available services over network interfaces. |
|
V-268480
|
Medium |
The macOS system must disable Location Services. |
Location Services must be disabled.
The information system must be configured to provide only essential capabilities. Disabling Location Services helps prevent unauthorized connection of devices, transfer of information, and tunneling. |
|
V-268479
|
Medium |
The macOS system must disable Network File System (NFS) service. |
Support for NFS services is nonessential and, therefore, must be disabled. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268478
|
Medium |
The macOS system must disable Server Message Block (SMB) sharing. |
Support for SMB file sharing is nonessential and must be disabled.
The information system must be configured to provide only essential capabilities. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized. |
|
V-268475
|
Medium |
The macOS system must configure audit_control owner to mode 440 or less permissive. |
/etc/security/audit_control must be configured so that it is readable only by the root user and group wheel.
The audit service must be configured with the correct mode to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 |
|
V-268474
|
Medium |
The macOS system must configure audit_control owner to root. |
/etc/security/audit_control must have the owner set to root.
The audit service must be configured with the correct ownership to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 |
|
V-268473
|
Medium |
The macOS system must configure audit_control group to wheel. |
/etc/security/audit_control must have the group set to wheel.
The audit service must be configured with the correct group ownership to prevent normal users from manipulating audit log configurations.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 |
|
V-268472
|
Medium |
The macOS system must disable root login for SSH. |
If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled.
The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.... |
|
V-268471
|
Medium |
The macOS system must set smart card certificate trust to moderate. |
The macOS system must be configured to block access to users who are no longer authorized (i.e., users with revoked certificates).
To prevent the use of untrusted certificates, the certificates on a smart card must meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired,... |
|
V-268470
|
Medium |
The macOS system must be configured to audit all authorization and authentication events. |
The auditing system must be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and... |
|
V-268469
|
Medium |
The macOS system must configure audit failure notification. |
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs.
It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a... |
|
V-268468
|
Medium |
The macOS system must configure audit capacity warning. |
The audit service must be configured to notify the system administrator when the amount of free disk space remaining reaches an organization-defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 |
|
V-268465
|
Medium |
The macOS system must be configured to audit all failed write actions on the system. |
The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users... |
|
V-268464
|
Medium |
The macOS system must be configured to audit all failed read actions on the system. |
The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access... |
|
V-268463
|
Medium |
The macOS system must be configured to audit all changes of object attributes. |
The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm).
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying... |
|
V-268462
|
Medium |
The macOS system must be configured to audit all deletions of object attributes. |
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by... |
|
V-268461
|
Medium |
The macOS system must configure audit log folders to mode 700 or less permissive. |
The audit log folder must be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.
Because audit logs contain sensitive data about the system and users, the audit service must be configured to mode 700 or... |
|
V-268460
|
Medium |
The macOS system must configure audit log files to mode 440 or less permissive. |
The audit service must be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files must be configured to mode 440 or less permissive to prevent normal users from reading, modifying, or deleting audit logs.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028,... |
|
V-268459
|
Medium |
The macOS system must configure the audit log folders group to wheel. |
Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be... |
|
V-268458
|
Medium |
The macOS system must configure the audit log files group to wheel. |
Audit log files must have the group set to wheel.
The audit service must be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be... |
|
V-268457
|
Medium |
The macOS system must configure audit log folders to be owned by root. |
Audit log folders must be owned by root.
The audit service must be configured to create log folders with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log folders are set to be readable and writable... |
|
V-268456
|
Medium |
The macOS system must configure audit log files to be owned by root. |
Audit log files must be owned by root.
The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable... |
|
V-268455
|
Medium |
The macOS system must be configured to shut down upon audit failure. |
The audit service must be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit... |
|
V-268454
|
Medium |
The macOS system must enable security auditing. |
The information system must be configured to generate audit records.
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
The... |
|
V-268453
|
Medium |
The macOS system must be configured to audit all login and logout events. |
The audit system must be configured to record all attempts to log in and out of the system (lo).
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or service account. The attacker must... |
|
V-268452
|
Medium |
The macOS system must be configured to audit all administrative action events. |
The auditing system must be configured to flag administrative action (ad) events.
Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be... |
|
V-268451
|
Medium |
The macOS system must configure sudo to log events. |
Sudo must be configured to log privilege escalation.
Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation. |
|
V-268450
|
Medium |
The macOS system must enable the time synchronization daemon. |
The macOS time synchronization daemon (timed) must be enabled for proper time synchronization to an authorized time server.
NOTE: The time synchronization daemon is enabled by default on macOS.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000785-GPOS-00250 |
|
V-268449
|
Medium |
The macOS system must be configured to use an authorized time server. |
An approved time server must be the only server configured for use. As of macOS 10.13, only one time server is supported.
This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144 |
|
V-268448
|
Medium |
The macOS system must enforce auto logout after 86400 seconds of inactivity. |
Auto logout must be configured to automatically terminate a user session and log out after 86400 seconds of inactivity.
NOTE: The maximum that macOS can be configured for autologoff is 86400 seconds.
[IMPORTANT]
====
The automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information system... |
|
V-268447
|
Medium |
The macOS system must set SSH Active Server Alive Maximum to 0. |
SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.... |
|
V-268446
|
Medium |
The macOS system must configure SSHD unused connection timeout to 900. |
If SSHD is enabled, it must be configured with unused connection timeout set to 900.
This will set the timeout when there are no open channels within a session.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies:... |
|
V-268445
|
Medium |
The macOS system must configure SSHD channel timeout to 900. |
If SSHD is enabled, it must be configured with session ChannelTimeout set to 900.
This will set the timeout when the session is inactive.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 |
|
V-268444
|
Medium |
The macOS system must configure the SSH ServerAliveInterval to 900. |
SSH must be configured with an Active Server Alive Maximum Count set to 900.
Setting the Active Server Alive Maximum Count to 900 will log users out after a 900-second interval of inactivity.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to... |
|
V-268443
|
Medium |
The macOS system must disable root login. |
To assure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.
The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.
Satisfies: SRG-OS-000104-GPOS-00051,... |
|
V-268442
|
Medium |
The macOS system must disable login to other users' active and locked sessions. |
The ability to log in to another user's active or locked session must be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active users' sessions. Disabling the administrator's and/or user's ability to log in to another user's active and... |
|
V-268441
|
Medium |
The macOS system must enforce screen saver timeout. |
The screen saver timeout must be set to 900 seconds or a shorter length of time.
This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity. |
|
V-268440
|
Medium |
The macOS system must set account lockout time to 15 minutes. |
The macOS system must be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed login attempts is reached.
This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
|
V-268437
|
Medium |
The macOS system must set login grace time to 30. |
If SSHD is enabled, it must be configured to wait only 30 seconds before timing out login attempts.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
|
V-268436
|
Medium |
The macOS system must configure SSHD ClientAliveCountMax to 1. |
If SSHD is enabled, it must be configured with the Client Alive Maximum Count set to 1.
This will set the number of client alive messages that may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages... |
|
V-268435
|
Medium |
The macOS system must configure SSHD ClientAliveInterval to 900. |
If SSHD is enabled, it must be configured with the Client Alive Interval set to 900.
This sets a timeout interval in seconds, after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.... |
|
V-268434
|
Medium |
The macOS system must disable FileVault automatic login. |
If FileVault is enabled, automatic login must be disabled so that both FileVault and login window authentication are required.
The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing FileVault credentials.
NOTE: DisableFDEAutoLogin does not have to be set on... |
|
V-268433
|
Medium |
The macOS system must configure the audit log folder to not contain access control lists (ACLs). |
The audit log folder must not contain ACLs.
Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators to prevent normal users from reading audit logs.
Satisfies: SRG-OS-000057-GPOS-00027,... |
|
V-268432
|
Medium |
The macOS system must configure audit log files to not contain access control lists (ACLs). |
The audit log files must not contain ACLs.
This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 |
|
V-268431
|
Medium |
The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. |
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login... |
|
V-268429
|
Medium |
The macOS system must display a policy banner at remote login. |
Remote login service must be configured to display a policy banner at login.
Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,... |
|
V-268428
|
Medium |
The macOS system must limit consecutive failed login attempts to three. |
The macOS must be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account must be locked for a period of time.
This rule protects against malicious users attempting to gain access to the system... |
|
V-268427
|
Medium |
The macOS system must enforce time synchronization. |
Time synchronization must be enforced on all networked systems.
This rule ensures the uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000785-GPOS-00250 |
|
V-268426
|
Medium |
The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. |
The macOS system can be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation... |
|
V-268425
|
Medium |
The macOS system must prevent AdminHostInfo from being available at LoginWindow. |
The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo, when configured, will allow the HostName, IP Address, and operating system version and build to be displayed. |
|
V-268424
|
Medium |
The macOS system must disable hot corners. |
Hot corners must be disabled.
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session... |
|
V-268423
|
Medium |
The macOS system must configure user session lock when a smart token is removed. |
The screen lock must be configured to initiate automatically when the smart token is removed from the system.
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary... |
|
V-268422
|
Medium |
The macOS system must enforce session lock no more than five seconds after screen saver is started. |
A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of five seconds.
An unattended system with an excessive grace period is vulnerable to a malicious user. |
|
V-268421
|
Medium |
The macOS system must enforce screen saver password. |
Users must authenticate when unlocking the screen saver.
The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. |
|
V-268420
|
Medium |
The macOS system must prevent Apple Watch from terminating a session lock. |
Apple Watches are not an approved authenticator and their use must be disabled.
Disabling Apple Watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
NOTE: Unlocking the system with an Apple Watch... |
|
V-268554
|
Low |
The macOS system must configure install.log retention to 365. |
The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.
Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events. |
|
V-268467
|
Low |
The macOS system must configure audit retention to seven days. |
The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility.
When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met. |
