forked from mondoohq/cnspec-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mondoo-macos-security.mql.yaml
1278 lines (1031 loc) · 59.7 KB
/
mondoo-macos-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-macos-security
name: macOS Security
version: 1.3.1
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: macos
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |-
## Overview
This policy provides prescriptive guidance for establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10.15, 11, 12, 13, and 14.
## Local scan
Local scan refer to scans of files and operating systems where cnspec is installed.
To scan the `localhost` against this policy:
```bash
cnspec scan local
```
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Prerequisites
Remote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys.
### Scan a remote macOS (SSH authentication)
```bash
cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Core
filters: |
asset.platform == "macos"
checks:
- uid: mondoo-macos-security-disable-bluetooth-sharing
- uid: mondoo-macos-security-disable-bonjour-advertising-service
- uid: mondoo-macos-security-disable-content-caching
- uid: mondoo-macos-security-disable-file-sharing
- uid: mondoo-macos-security-disable-internet-sharing
- uid: mondoo-macos-security-disable-media-sharing
- uid: mondoo-macos-security-disable-printer-sharing
- uid: mondoo-macos-security-disable-remote-apple-events
- uid: mondoo-macos-security-disable-remote-login
- uid: mondoo-macos-security-disable-remote-management
- uid: mondoo-macos-security-disable-screen-sharing
- uid: mondoo-macos-security-enable-filevault
- uid: mondoo-macos-security-enable-firewall
- uid: mondoo-macos-security-enable-firewall-stealth-mode
- uid: mondoo-macos-security-enable-gatekeeper
- uid: mondoo-macos-security-enable-show-wifi-status
- uid: mondoo-macos-security-ensure-airdrop-is-disabled
- uid: mondoo-macos-security-ensure-http-server-is-not-running
- uid: mondoo-macos-security-ensure-nfs-server-is-not-running
- uid: mondoo-macos-security-software-updates-automatic-check-enabled
- uid: mondoo-macos-security-software-updates-automatic-download
- uid: mondoo-macos-security-software-updates-install-critical-updates
- uid: mondoo-macos-security-ensure-macos-is-up-to-date
- title: Account Security
filters: |
asset.platform == "macos"
checks:
- uid: mondoo-macos-security-do-not-enable-the-root-account
- uid: mondoo-macos-security-password-age
- uid: mondoo-macos-security-password-history
- uid: mondoo-macos-security-reduce-the-sudo-timeout-period
- uid: mondoo-macos-security-set-a-minimum-password-length
- title: Logging
filters: |
asset.platform == "macos"
checks:
- uid: mondoo-macos-security-control-access-to-audit-records
- uid: mondoo-macos-security-enable-security-auditing
- uid: mondoo-macos-security-ensure-firewall-is-configured-to-log
- uid: mondoo-macos-security-ensure-security-auditing-retention
- uid: mondoo-macos-security-retain-install-log-for-365-or-more-days
queries:
- uid: mondoo-macos-security-control-access-to-audit-records
title: Control access to audit records
impact: 40
mql: |
auditControlPath = [
"/etc/security/audit_control",
]
auditControlPath.where(file(_).exists) {
file(_) {
path
permissions.user_readable
permissions.user_writeable
permissions.user_executable == false
permissions.group_writeable == false
permissions.group_executable == false
permissions.other_readable == false
permissions.other_writeable == false
permissions.other_executable == false
user.name == "root"
group.name == "wheel"
}
}
files.find(from: "/var/audit/", type: "file,dir", xdev: false).all(user.name == "root" && group.name == "wheel" && permissions.other_readable == false && permissions.other_writeable == false && permissions.other_executable == false)
docs:
desc: The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
remediation: |-
Run the following to commands to set the audit records to the root user and wheel group:
```
sudo chown -R root:wheel /etc/security/audit_control
sudo chmod -R -o-rw /etc/security/audit_control
sudo chown -R root:wheel /var/audit/
sudo chmod -R -o-rw /var/audit/
```
**Note:**
It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.
**Impact:**
This check ensures that unwanted access to audit records is not available.
- uid: mondoo-macos-security-disable-bluetooth-sharing
title: Disable Bluetooth Sharing
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = home + "/Library/Preferences/ByHost/com.apple.Bluetooth." + os.machineid.upcase + ".plist"
filePathsLocations = [filePath1]
filePathsLocations.where(file(_).exists) {
parse.plist(_) {
params['PrefKeyServicesEnabled'] == false || params['PrefKeyServicesEnabled'] == null
}
}
}
docs:
desc: Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.
remediation: |-
Perform the following to disable Bluetooth Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Bluetooth Sharing
Run this command to disable Bluetooth Sharing is disabled:
```
sudo -u <username> defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
```
```
sudo -u firstuser defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
```
**Impact:**
Control 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem. It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must be enabled if sharing is an acceptable use case.
- uid: mondoo-macos-security-disable-bonjour-advertising-service
title: Disable Bonjour advertising service
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["com.apple.mDNSResponder"]["NoMulticastAdvertisements"]["value"] == true
}
filePath2 = "/Library/Preferences/com.apple.mDNSResponder.plist"
b = file(filePath2).exists && parse.plist(filePath2).params["com.apple.mDNSResponder"]["NoMulticastAdvertisements"]["value"] == true
filePath3 = "/Library/Managed Preferences/com.apple.mDNSResponder.plist"
c = file(filePath3).exists && parse.plist(filePath3).params["NoMulticastAdvertisements"] == true
a || b || c
}
docs:
desc: Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.
remediation: |-
Run this command to disable Bonjour Advertising services:
```
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
```
**Impact:**
Some applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the `mDNSResponder`
is turned off.
- uid: mondoo-macos-security-disable-content-caching
title: Disable Content Caching
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["com.apple.applicationaccess"]["allowContentCaching"]["value"] == false &&
parse.plist(filePath1).params["com.apple.AssetCache"]["Activated"]["value"] == false
}
filePath2 = "/Library/Preferences/com.apple.AssetCache.plist"
filePath3 = "/Library/Preferences/com.apple.applicationaccess.plist"
b = file(filePath2).exists &&
parse.plist(filePath2).params["Activated"] == false &&
file(filePath3).exists &&
parse.plist(filePath3).params["allowContentCaching"] == false
a || b
}
docs:
desc: |-
Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream.
This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.
[Content types supported by Content Caching in macOS](https://support.apple.com/en-us/HT204675)
remediation: |-
Perform the following to disable Content Caching:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Content Caching
_Terminal Method:_
Run this command to disable Content Caching:
```
sudo AssetCacheManagerUtil deactivate
```
The output will include `Content caching deactivated`
**Impact:**
This setting will adversely affect bandwidth usage between local subnets and the Internet.
- uid: mondoo-macos-security-disable-file-sharing
title: Disable File Sharing
impact: 60
mql: services.where( name == 'com.apple.smbd' ).all( enabled == false && running == false )
docs:
desc: Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access into the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
remediation: |-
Perform the following to disable File Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck File Sharing
_Terminal Method:_
Run this command to disable SMB file sharing:
```
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
```
**Impact:**
File Sharing can be used to share documents with other users but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily.
- uid: mondoo-macos-security-disable-internet-sharing
title: Disable Internet Sharing
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Preferences/SystemConfiguration/com.apple.nat.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params['NAT']['Enabled'] == 0
}
filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
parse.plist(filePath2).params["com.apple.MCX"]["forceInternetSharingOff"]["value"] == true
}
filePath3 = "/Library/Managed Preferences/com.apple.MCX.plist"
c = file(filePath3).exists == true &&
parse.plist(filePath3).params['forceInternetSharingOff'] == true
a || b || c
}
docs:
desc: Internet Sharing uses the open source `natd` process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
remediation: |-
Perform the following to disable Internet Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Internet Sharing
_Terminal Method:_
Run this command to turn off Internet Sharing:
```
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
```
**Note:**
Using the Terminal Method will not uncheck the setting in System Preferences>Sharing but will disable the underlying service.
**Impact:**
Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices.
- uid: mondoo-macos-security-disable-media-sharing
title: Disable Media Sharing
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath = home + '/Library/Preferences/com.apple.amp.mediasharingd.plist'
a = file(filePath).exists == true && [filePath].where(file(_).exists) {
parse.plist(filePath).params['home-sharing-enabled'] == 0
}
filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
parse.plist(filePath2).params["com.apple.preferences.sharing.SharingPrefsExtension"]["homeSharingUIStatus"]["value"] == 0
}
filePath3 = "/Library/Managed Preferences/com.apple.preferences.sharing.SharingPrefsExtension.plist"
c = file(filePath3).exists && parse.plist(filePath3).params["homeSharingUIStatus"] == 0
a || b || c
}
docs:
desc: |-
Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs.
With this capability guest users can also use media downloaded on the computer.
The recommended best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices.
[https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac](https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac)
This capability requires the use of macOS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.
[Content types supported by content caching in macOS](https://support.apple.com/en-us/HT204675)
remediation: |-
Perform the following to disable Media Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Media Sharing
_Terminal Method:_
Run this command to disable Media Sharing:
```
sudo -u <username> defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
```
_example_
:
```
sudo -u test2 defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
```
**Impact:**
Media Sharing allows for pre-downloaded content on a Mac to be available to other Apple devices on the same network. Leaving this disabled forces device users to stream or download content from each Apple authorized device. This sharing could even allow unauthorized devices on the same network media access.
- uid: mondoo-macos-security-disable-printer-sharing
title: Disable Printer Sharing
impact: 20
mql: command('cupsctl | grep _share_printers' ).stdout.contains("_share_printers=0")
docs:
desc: By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
remediation: |-
Perform the following to disable Printer Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Printer Sharing
_Terminal Method:_
Run this command to disable Printer Sharing:
```
sudo cupsctl --no-share-printers
```
- uid: mondoo-macos-security-disable-remote-apple-events
title: Disable Remote Apple Events
impact: 50
mql: macos.systemsetup.remoteAppleEvents == "Off"
docs:
desc: Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.
remediation: |-
Perform the following to disable Remote Apple Events:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Verify that Remote Apple Evens is not set
_Terminal Method:_
Run these commands to set Remote Apple Events to Off:
```
sudo systemsetup -setremoteappleevents off
setremoteappleevents: Off
```
**Impact:**
With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer.
- uid: mondoo-macos-security-disable-remote-login
title: Disable Remote Login
impact: 60
mql: macos.systemsetup.remoteLogin == "Off"
docs:
desc: Remote Login allows an interactive terminal connection to a computer.
remediation: |-
Perform the following to disable Remote Login:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Remote Login
_Terminal Method:_
Run this command to disable Remote Login:
```
sudo systemsetup -setremotelogin off
Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)?
```
Entering yes will disable remote login.
**Impact:**
The SSH server built-in to macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser and productivity tools, should not use the same device as a server. There are Enterprise management tool-sets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate admin service accounts.
For macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered:
- Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication directory accounts for users that don't even use the system can be locked out.
- Do not use SSH key pairs when there is no insight to the security of the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key they may not need a password or a key logger to access the SSH server.
- Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark.
- uid: mondoo-macos-security-disable-remote-management
title: Disable Remote Management
impact: 50
mql: processes.none( command == /ARDAgent/)
docs:
desc: |-
Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs.
The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regarding screen sharing.
Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is definitely a concern for mobile systems.
remediation: |-
Perform the following to disable Remote Management:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Remote Management
_Terminal Method:_
Run this command to disable Remote Management:
```
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
Starting...
Removed preference to start ARD after reboot.
Done.
```
**Impact:**
Many organizations utilize ARD for client management.
- uid: mondoo-macos-security-disable-screen-sharing
title: Disable Screen Sharing
impact: 30
mql: services.where( name == "com.apple.screensharing" ).all( enabled == false && running == false )
docs:
desc: Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
remediation: |-
Perform the following to disable Screen Sharing:
_Graphical Method:_
1. Open System Preferences
2. Select Sharing
3. Uncheck Screen Sharing
_Terminal Method:_
Run this command to turn off Screen Sharing:
```
sudo launchctl disable system/com.apple.screensharing
```
- uid: mondoo-macos-security-do-not-enable-the-root-account
title: Do not enable the "root" account
impact: 85
mql: |
command("dscl . -read /Users/root AuthenticationAuthority").stderr.contains("No such key: AuthenticationAuthority")
docs:
desc: The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions.
remediation: |-
Perform the following to ensure that the root user is disabled:
_Graphical Method:_
1. Open /System/Library/CoreServices/Applications/Directory Utility
2. Select the lock icon to unlock the service
3. Select **Edit**
4. Select **Disable Root User**
_Terminal Method:_
Run this command to disable the root user:
```
sudo dsenableroot -d
username = root
user password:
```
**Impact:**
Some legacy POSIX software might expect an available root account.
- uid: mondoo-macos-security-enable-filevault
title: Enable FileVault
impact: 80
mql: |
command('fdesetup status').stdout.contains('FileVault is On')
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath).exists == true && [filePath].where(file(_).exists) {
parse.plist(filePath).params["com.apple.MCX"]["dontAllowFDEDisable"]["value"] == true
}
filePath2 = "/Library/Managed Preferences/com.apple.MCX.plist"
b = file(filePath2).exists && parse.plist(filePath2).params['dontAllowFDEDisable'] == true
a || b
}
docs:
desc: |-
FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.
FileVault may also be enabled using command line using the `fdesetup`
command. To use this functionality, consult the Der Flounder blog for more details:
[https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/](https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/) [https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/](https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/)
remediation: |-
Perform the following to enable FileVault:
_Graphical Method:_
1. Open System Preferences
2. Select Security & Privacy
3. Select FileVault
4. Select Turn on FileVault
To pass make sure this encryption cannot be turned off by the system, you need to [make sure that the Device Management Profile property `dontAllowFDEDisable` is set to 'true'.](https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions).
To do so you can use an macOS configuration profile [similar to this one.](https://github.com/gregneagle/profiles/blob/master/cant_disable_filevault.mobileconfig)
**Impact:**
Mounting a FileVaulted volume from an alternate boot source will require a valid password to decrypt it.
- uid: mondoo-macos-security-enable-firewall
title: Enable Firewall
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["com.apple.security.firewall"]["EnableFirewall"]["value"] == true
}
filePath2 = "/Library/Preferences/com.apple.alf.plist"
b = file(filePath2).exists == true &&
parse.plist(filePath2).params['globalstate'] == 1
c = macos.alf.globalState == 1
a || b || c
}
docs:
desc: |-
A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.
[Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)
remediation: |-
Perform the following to turn the firewall on:
_Graphical Method:_
1. Open System Preferences
2. Select Security & Privacy
3. Select Firewall
4. Select Turn On Firewall
_Terminal Method:_
Run this command to enable the firewall:
```
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
```
For the `<value>`
, use either `1`
, specific services, or `2`
, essential services only.
**Impact:**
The firewall may block legitimate traffic. Applications that are unsigned will require special handling.
- uid: mondoo-macos-security-enable-firewall-stealth-mode
title: Enable Firewall Stealth Mode
impact: 60
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["com.apple.security.firewall"]["EnableStealthMode"]["value"] == true
}
b = command('/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode').stdout.trim == "Stealth mode enabled"
c = macos.alf.stealthEnabled == 1
a || b || c
}
docs:
desc: |-
While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.
[Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)
remediation: |-
Perform the following to enable stealth mode:
_Graphical Method:_
1. Open System Preferences
2. Select Security & Privacy
3. Select Firewall Options
4. Turn on Enable stealth mode
_Terminal Method:_
Run this command to enable stealth mode:
```
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Stealth mode enabled
```
**Impact:**
Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.
This check aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may not be configured. In this use case, hiding from the other inmates is likely to be important. In use cases where the device is only on trusted LANs with static IP addresses, you might not want stealth mode.
- uid: mondoo-macos-security-enable-gatekeeper
title: Enable Gatekeeper
impact: 50
mql: |
command('spctl --status').stdout.contains("assessments enabled")
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["com.apple.systempolicy.control"]["AllowIdentifiedDevelopers"]["value"] == true
parse.plist(filePath1).params["com.apple.systempolicy.control"]["EnableAssessment"]["value"] == true
}
filePath2 = "/Library/Managed Preferences/com.apple.systempolicy.control.plist"
b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
parse.plist(filePath2).params["AllowIdentifiedDevelopers"] == true
parse.plist(filePath2).params["EnableAssessment"] == true
}
a || b
}
docs:
desc: Gatekeeper is Apple's application allow-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.
remediation: |-
Perform the following to implement the prescribed state:
_Graphical Method:_
1. Open System Preferences
2. Select Security & Privacy
3. Select General
4. Set Allow apps downloaded from to App Store and identified developers
_Terminal Method:_
Run this command to enable Gatekeeper to allow applications from App Store and identified developers:
```
sudo spctl --master-enable
```
- uid: mondoo-macos-security-enable-security-auditing
title: Enable security auditing
impact: 50
mql: |
service('com.apple.auditd').enabled == true
docs:
desc: |-
macOS's audit facility, `auditd`
, receives notifications from the kernel when certain system calls, such as `open`
, `fork`
, and `exit`
, are made. These notifications are captured and written to an audit log.
remediation: |-
Perform the following to enable security auditing:
Run this command to load auditd:
```
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
```
- uid: mondoo-macos-security-enable-show-wifi-status
title: Enable "Show Wi-Fi status in menu bar"
impact: 20
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = home + "/Library/Preferences/ByHost/com.apple.controlcenter." + os.machineid.upcase + ".plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["WiFi"] == 18
|| parse.plist(filePath1).params["WiFi"] == 2
}
filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
parse.plist(filePath2).params["com.apple.controlcenter"]["WiFi"]["value"] == 18
|| parse.plist(filePath2).params["com.apple.controlcenter"]["WiFi"]["value"] == 2
}
filePath3 = "/Library/Managed Preferences/com.apple.controlcenter.plist"
c = file(filePath3).exists == true && [filePath3].where(file(_).exists) {
parse.plist(filePath3).params["WiFi"] == 18
|| parse.plist(filePath3).params["WiFi"] == 2
}
a || b || c
}
docs:
desc: The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This check only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
remediation: |-
Perform the following to enable Wi-Fi status in the menu bar:
_Graphical Method:_
1. Open System Preferences
2. Select Network
3. Select Wi-Fi
4. Set Show Wi-Fi status in menu bar
_Terminal Method:_
For each user, run the following to turn the Wi-Fi status on in the menu bar
```
sudo -u <username> defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
```
_example_
:
```
sudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
```
_Please note! Both 18 and 2 are valid values for this parameter._
**Impact:**
The user of the system should have a quick check on their wireless network status available.
- uid: mondoo-macos-security-ensure-airdrop-is-disabled
title: Ensure AirDrop Is Disabled
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath1 = home + "/Library/Preferences/com.apple.NetworkBrowser.plist"
a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
parse.plist(filePath1).params["allowAirDrop"]["value"] == false
}
filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
parse.plist(filePath2).params["com.apple.applicationaccess"]["allowAirDrop"]["value"] == false
}
filePath3 = "/Library/Managed Preferences/com.apple.NetworkBrowser.plist"
c = file(filePath3).exists && parse.plist(filePath3).params['DisableAirDrop'] == true
a || b || c
}
docs:
desc: |-
AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.
In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you.
While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.
remediation: |-
Perform the following to disable AirDrop:
_Graphical Method:_
1. Open Finder
2. Select Go
3. Select AirDrop
4. Set Allow me to be discovered by: No One
_Terminal Method:_
Run these commands to disable AirDrop:
```
sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
```
_example_
:
```
sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
```
**Impact:**
Disabling AirDrop can limit the ability to move files quickly over the network without using file shares.
- uid: mondoo-macos-security-ensure-firewall-is-configured-to-log
title: Ensure Firewall is configured to log
impact: 20
mql: macos.alf.loggingEnabled == 1
docs:
desc: The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied logging must be enabled.
remediation: |-
Run this command to enable logging of the firewall:
```
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
```
**Impact:**
Detailed logging may result in excessive storage.
- uid: mondoo-macos-security-ensure-http-server-is-not-running
title: Ensure http server is not running
impact: 50
mql: |
service('org.apache.httpd') {
enabled == false
running == false
}
docs:
desc: macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
remediation: |-
Run this command to disable the http server services:
```
sudo launchctl disable system/org.apache.httpd
```
**Impact:**
The web server is both a point of attack for the system and a means for unauthorized file transfers.
- uid: mondoo-macos-security-ensure-nfs-server-is-not-running
title: Ensure NFS server is not running
impact: 50
mql: |
service('com.apple.nfsd') {
enabled == false
running == false
}
docs:
desc: macOS can act as an NFS file server. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.
remediation: |-
Run this command to disable the nfsd file server services:
```
sudo nfsd disable
sudo nfsd stop
```
Remove the exported Directory listing.
```
sudo rm /etc/exports
```
**Impact:**
The NFS server is both a point of attack for the system and a means for unauthorized file transfers.
- uid: mondoo-macos-security-ensure-security-auditing-retention
title: Ensure security auditing retention
impact: 40
mql: |
file("/etc/security/audit_control").exists;
["/etc/security/audit_control"].where(file(_).exists) {
file(_).content.lines.where( _ == /^expire-after/) {
_.split(":")[1] == /[6-9]\dd|\d{3,}d/ || _.split(":")[1] == /\d+0G|[1-9G]/
}
}
docs:
desc: |-
The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use the following:
expire-after:60d OR 1G
More info in the man page
man audit_control
remediation: |-
Perform the following to set the audit retention length:
Edit the `/etc/security/audit_control` file so that `expire-after:` is at least `60d OR 1G`
**Impact:**
The recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data.
- uid: mondoo-macos-security-password-age
title: Password Age
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
name
filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
a = file(filePath).exists == true && [filePath].where(file(_).exists) {
parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] != empty &&
parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] <= 365
}
b = macos.globalAccountPolicies['policyCategoryPasswordChange'] != empty &&
macos.globalAccountPolicies['policyCategoryPasswordChange'].any(_['policyParameters']['policyAttributeDaysUntilExpiration'] <= 365)
filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
c = file(filePath2).exists == true &&
parse.plist(filePath2).params['maxPINAgeInDays'] <= 365
a || b || c
}
docs:
desc: |-
Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically.
This check uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This check mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
remediation: |-
Run this command to require that passwords expire after at most 365 days:
```
sudo pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=<value≤525600>"
```
_example_
:
```
sudo pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=43200"
```
**Impact:**
Required password changes will lead to some locked computers requiring admin assistance.
- uid: mondoo-macos-security-password-history
title: Password History
impact: 50
mql: |
users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {