mondoo-macos-security.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
  - uid: mondoo-macos-security
    name: Mondoo macOS Security
    version: 1.3.1
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: macos
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |-
        This policy provides prescriptive guidance for establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10.15, 11, 12, 13, and 14.

        ## Local scan

        Local scan refer to scans of files and operating systems where cnspec is installed.

        To scan the `localhost` against this policy:

        ```bash
        cnspec scan local
        ```

        ## Remote scan

        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

        For a complete list of providers run:

        ```bash
        cnspec scan --help
        ```

        ### Prerequisites

        Remote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys.

        ### Scan a remote macOS (SSH authentication)

        ```bash
        cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Core
        filters: |
          asset.platform == "macos"
        checks:
          - uid: mondoo-macos-security-disable-bluetooth-sharing
          - uid: mondoo-macos-security-disable-bonjour-advertising-service
          - uid: mondoo-macos-security-disable-content-caching
          - uid: mondoo-macos-security-disable-file-sharing
          - uid: mondoo-macos-security-disable-internet-sharing
          - uid: mondoo-macos-security-disable-media-sharing
          - uid: mondoo-macos-security-disable-printer-sharing
          - uid: mondoo-macos-security-disable-remote-apple-events
          - uid: mondoo-macos-security-disable-remote-login
          - uid: mondoo-macos-security-disable-remote-management
          - uid: mondoo-macos-security-disable-screen-sharing
          - uid: mondoo-macos-security-enable-filevault
          - uid: mondoo-macos-security-enable-firewall
          - uid: mondoo-macos-security-enable-firewall-stealth-mode
          - uid: mondoo-macos-security-enable-gatekeeper
          - uid: mondoo-macos-security-enable-show-wifi-status
          - uid: mondoo-macos-security-ensure-airdrop-is-disabled
          - uid: mondoo-macos-security-ensure-http-server-is-not-running
          - uid: mondoo-macos-security-ensure-nfs-server-is-not-running
          - uid: mondoo-macos-security-software-updates-automatic-check-enabled
          - uid: mondoo-macos-security-software-updates-automatic-download
          - uid: mondoo-macos-security-software-updates-install-critical-updates
          - uid: mondoo-macos-security-ensure-macos-is-up-to-date
      - title: Account Security
        filters: |
          asset.platform == "macos"
        checks:
          - uid: mondoo-macos-security-do-not-enable-the-root-account
          - uid: mondoo-macos-security-password-age
          - uid: mondoo-macos-security-password-history
          - uid: mondoo-macos-security-reduce-the-sudo-timeout-period
          - uid: mondoo-macos-security-set-a-minimum-password-length
      - title: Logging
        filters: |
          asset.platform == "macos"
        checks:
          - uid: mondoo-macos-security-control-access-to-audit-records
          - uid: mondoo-macos-security-enable-security-auditing
          - uid: mondoo-macos-security-ensure-firewall-is-configured-to-log
          - uid: mondoo-macos-security-ensure-security-auditing-retention
          - uid: mondoo-macos-security-retain-install-log-for-365-or-more-days
queries:
  - uid: mondoo-macos-security-control-access-to-audit-records
    title: Control access to audit records
    impact: 40
    mql: |
      auditControlPath = [
        "/etc/security/audit_control",
      ]
      auditControlPath.where(file(_).exists) {
        file(_) {
        path
        permissions.user_readable
        permissions.user_writeable
        permissions.user_executable == false

        permissions.group_writeable == false
        permissions.group_executable == false

        permissions.other_readable == false
        permissions.other_writeable == false
        permissions.other_executable == false

        user.name == "root"
        group.name == "wheel"
        }
      }
      files.find(from: "/var/audit/", type: "file,dir", xdev: false).all(user.name == "root" && group.name == "wheel" && permissions.other_readable == false && permissions.other_writeable == false && permissions.other_executable == false)
    docs:
      desc: The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.
      remediation: |-
        Run the following to commands to set the audit records to the root user and wheel group:

        ```
        sudo chown -R root:wheel /etc/security/audit_control

        sudo chmod -R -o-rw /etc/security/audit_control

        sudo chown -R root:wheel /var/audit/

        sudo chmod -R -o-rw /var/audit/
        ```

        **Note:**
        It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.

        **Impact:**

        This check ensures that unwanted access to audit records is not available.
  - uid: mondoo-macos-security-disable-bluetooth-sharing
    title: Disable Bluetooth Sharing
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = home + "/Library/Preferences/ByHost/com.apple.Bluetooth." + os.machineid.upcase + ".plist"
        filePathsLocations = [filePath1]
        filePathsLocations.where(file(_).exists) {
          parse.plist(_) {
            params['PrefKeyServicesEnabled'] == false || params['PrefKeyServicesEnabled'] == null
          }
        }
      }
    docs:
      desc: Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.
      remediation: |-
        Perform the following to disable Bluetooth Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Bluetooth Sharing

        Run this command to disable Bluetooth Sharing is disabled:

        ```
        sudo -u <username> defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
        ```

        ```
        sudo -u firstuser defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
        ```

        **Impact:**

        Control 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem. It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must be enabled if sharing is an acceptable use case.
  - uid: mondoo-macos-security-disable-bonjour-advertising-service
    title: Disable Bonjour advertising service
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.mDNSResponder"]["NoMulticastAdvertisements"]["value"] == true
        }
        filePath2 = "/Library/Preferences/com.apple.mDNSResponder.plist"
        b = file(filePath2).exists && parse.plist(filePath2).params["com.apple.mDNSResponder"]["NoMulticastAdvertisements"]["value"] == true
        filePath3 = "/Library/Managed Preferences/com.apple.mDNSResponder.plist"
        c = file(filePath3).exists && parse.plist(filePath3).params["NoMulticastAdvertisements"] == true
        a || b || c
      }
    docs:
      desc: Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.
      remediation: |-
        Run this command to disable Bonjour Advertising services:

        ```
        sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
        ```

        **Impact:**

        Some applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the `mDNSResponder`
        is turned off.
  - uid: mondoo-macos-security-disable-content-caching
    title: Disable Content Caching
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.applicationaccess"]["allowContentCaching"]["value"] == false &&
            parse.plist(filePath1).params["com.apple.AssetCache"]["Activated"]["value"] == false
        }
        filePath2 = "/Library/Preferences/com.apple.AssetCache.plist"
        filePath3 = "/Library/Preferences/com.apple.applicationaccess.plist"
        b = file(filePath2).exists &&
          parse.plist(filePath2).params["Activated"] == false &&
            file(filePath3).exists &&
              parse.plist(filePath3).params["allowContentCaching"] == false
        a || b
      }
    docs:
      desc: |-
        Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream.
        This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.

        [Content types supported by Content Caching in macOS](https://support.apple.com/en-us/HT204675)
      remediation: |-
        Perform the following to disable Content Caching:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Content Caching

        _Terminal Method:_

        Run this command to disable Content Caching:

        ```
        sudo AssetCacheManagerUtil deactivate
        ```

        The output will include `Content caching deactivated`

        **Impact:**

        This setting will adversely affect bandwidth usage between local subnets and the Internet.
  - uid: mondoo-macos-security-disable-file-sharing
    title: Disable File Sharing
    impact: 60
    mql: services.where( name == 'com.apple.smbd' ).all( enabled == false && running == false )
    docs:
      desc: Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access into the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
      remediation: |-
        Perform the following to disable File Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck File Sharing

        _Terminal Method:_

        Run this command to disable SMB file sharing:

        ```
        sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
        ```

        **Impact:**

        File Sharing can be used to share documents with other users but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily.
  - uid: mondoo-macos-security-disable-internet-sharing
    title: Disable Internet Sharing
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Preferences/SystemConfiguration/com.apple.nat.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params['NAT']['Enabled'] == 0
        }
        filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
        b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
          parse.plist(filePath2).params["com.apple.MCX"]["forceInternetSharingOff"]["value"] == true
        }
        filePath3 = "/Library/Managed Preferences/com.apple.MCX.plist"
        c = file(filePath3).exists == true &&
          parse.plist(filePath3).params['forceInternetSharingOff'] == true
        a || b || c
      }
    docs:
      desc: Internet Sharing uses the open source `natd` process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.
      remediation: |-
        Perform the following to disable Internet Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Internet Sharing

        _Terminal Method:_

        Run this command to turn off Internet Sharing:

        ```
        sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0
        ```

        **Note:**
        Using the Terminal Method will not uncheck the setting in System Preferences>Sharing but will disable the underlying service.

        **Impact:**

        Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices.
  - uid: mondoo-macos-security-disable-media-sharing
    title: Disable Media Sharing
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath = home + '/Library/Preferences/com.apple.amp.mediasharingd.plist'
        a = file(filePath).exists == true && [filePath].where(file(_).exists) {
            parse.plist(filePath).params['home-sharing-enabled'] == 0
          }
        filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
        b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
            parse.plist(filePath2).params["com.apple.preferences.sharing.SharingPrefsExtension"]["homeSharingUIStatus"]["value"] == 0
          }
        filePath3 = "/Library/Managed Preferences/com.apple.preferences.sharing.SharingPrefsExtension.plist"
        c = file(filePath3).exists && parse.plist(filePath3).params["homeSharingUIStatus"] == 0
        a || b || c
      }
    docs:
      desc: |-
        Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs.

        With this capability guest users can also use media downloaded on the computer.

        The recommended best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices.

        [https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac](https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac)

        This capability requires the use of macOS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.

        [Content types supported by content caching in macOS](https://support.apple.com/en-us/HT204675)
      remediation: |-
        Perform the following to disable Media Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Media Sharing

        _Terminal Method:_

        Run this command to disable Media Sharing:

        ```
        sudo -u <username> defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
        ```

        _example:_

        ```
        sudo -u test2 defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0
        ```

        **Impact:**

        Media Sharing allows for pre-downloaded content on a Mac to be available to other Apple devices on the same network. Leaving this disabled forces device users to stream or download content from each Apple authorized device. This sharing could even allow unauthorized devices on the same network media access.
  - uid: mondoo-macos-security-disable-printer-sharing
    title: Disable Printer Sharing
    impact: 20
    mql: command('cupsctl | grep _share_printers' ).stdout.contains("_share_printers=0")
    docs:
      desc: By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.
      remediation: |-
        Perform the following to disable Printer Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Printer Sharing

        _Terminal Method:_

        Run this command to disable Printer Sharing:

        ```
        sudo cupsctl --no-share-printers
        ```
  - uid: mondoo-macos-security-disable-remote-apple-events
    title: Disable Remote Apple Events
    impact: 50
    mql: macos.systemsetup.remoteAppleEvents == "Off"
    docs:
      desc: Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer.
      remediation: |-
        Perform the following to disable Remote Apple Events:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Verify that Remote Apple Evens is not set

        _Terminal Method:_

        Run these commands to set Remote Apple Events to Off:

        ```
        sudo systemsetup -setremoteappleevents off

        setremoteappleevents: Off
        ```

        **Impact:**

        With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer.
  - uid: mondoo-macos-security-disable-remote-login
    title: Disable Remote Login
    impact: 60
    mql: macos.systemsetup.remoteLogin == "Off"
    docs:
      desc: Remote Login allows an interactive terminal connection to a computer.
      remediation: |-
        Perform the following to disable Remote Login:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Remote Login

        _Terminal Method:_

        Run this command to disable Remote Login:

        ```
        sudo systemsetup -setremotelogin off

        Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)?
        ```

        Entering yes will disable remote login.

        **Impact:**

        The SSH server built-in to macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser and productivity tools, should not use the same device as a server. There are Enterprise management tool-sets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate admin service accounts.

        For macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered:

        - Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication directory accounts for users that don't even use the system can be locked out.
        - Do not use SSH key pairs when there is no insight to the security of the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key they may not need a password or a key logger to access the SSH server.
        - Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark.
  - uid: mondoo-macos-security-disable-remote-management
    title: Disable Remote Management
    impact: 50
    mql: processes.none( command == /ARDAgent/)
    docs:
      desc: |-
        Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs.

        The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regarding screen sharing.

        Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is definitely a concern for mobile systems.
      remediation: |-
        Perform the following to disable Remote Management:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Remote Management

        _Terminal Method:_

        Run this command to disable Remote Management:

        ```
        sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

        Starting...

        Removed preference to start ARD after reboot.

        Done.
        ```

        **Impact:**

        Many organizations utilize ARD for client management.
  - uid: mondoo-macos-security-disable-screen-sharing
    title: Disable Screen Sharing
    impact: 30
    mql: services.where( name == "com.apple.screensharing" ).all( enabled == false && running == false )
    docs:
      desc: Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.
      remediation: |-
        Perform the following to disable Screen Sharing:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Sharing
        3. Uncheck Screen Sharing

        _Terminal Method:_

        Run this command to turn off Screen Sharing:

        ```
        sudo launchctl disable system/com.apple.screensharing
        ```
  - uid: mondoo-macos-security-do-not-enable-the-root-account
    title: Do not enable the "root" account
    impact: 85
    mql: |
      command("dscl . -read /Users/root AuthenticationAuthority").stderr.contains("No such key: AuthenticationAuthority")
    docs:
      desc: The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions.
      remediation: |-
        Perform the following to ensure that the root user is disabled:

        _Graphical Method:_

        1. Open /System/Library/CoreServices/Applications/Directory Utility
        2. Select the lock icon to unlock the service
        3. Select **Edit**
        4. Select **Disable Root User**

        _Terminal Method:_

        Run this command to disable the root user:

        ```
        sudo dsenableroot -d

        username = root

        user password:
        ```

        **Impact:**

        Some legacy POSIX software might expect an available root account.
  - uid: mondoo-macos-security-enable-filevault
    title: Enable FileVault
    impact: 80
    mql: |
      command('fdesetup status').stdout.contains('FileVault is On')
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath).exists == true && [filePath].where(file(_).exists) {
            parse.plist(filePath).params["com.apple.MCX"]["dontAllowFDEDisable"]["value"] == true
          }
        filePath2 = "/Library/Managed Preferences/com.apple.MCX.plist"
        b = file(filePath2).exists && parse.plist(filePath2).params['dontAllowFDEDisable'] == true
        a || b
      }
    docs:
      desc: |-
        FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.

        FileVault may also be enabled using command line using the `fdesetup`
        command. To use this functionality, consult the Der Flounder blog for more details:

        [https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/](https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/) [https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/](https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/)
      remediation: |-
        Perform the following to enable FileVault:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Security & Privacy
        3. Select FileVault
        4. Select Turn on FileVault

        To pass make sure this encryption cannot be turned off by the system, you need to [make sure that the Device Management Profile property `dontAllowFDEDisable` is set to 'true'.](https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions).
        To do so you can use an macOS configuration profile [similar to this one.](https://github.com/gregneagle/profiles/blob/master/cant_disable_filevault.mobileconfig)

        **Impact:**

        Mounting a FileVaulted volume from an alternate boot source will require a valid password to decrypt it.
  - uid: mondoo-macos-security-enable-firewall
    title: Enable Firewall
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.security.firewall"]["EnableFirewall"]["value"] == true
        }
        filePath2 = "/Library/Preferences/com.apple.alf.plist"
        b = file(filePath2).exists == true &&
          parse.plist(filePath2).params['globalstate'] == 1
        c = macos.alf.globalState == 1
        a || b || c
      }
    docs:
      desc: |-
        A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.

        [Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)
      remediation: |-
        Perform the following to turn the firewall on:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Security & Privacy
        3. Select Firewall
        4. Select Turn On Firewall

        _Terminal Method:_

        Run this command to enable the firewall:

        ```
        sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>
        ```

        For the `<value>`, use either `1`, specific services, or `2`, essential services only.

        **Impact:**

        The firewall may block legitimate traffic. Applications that are unsigned will require special handling.
  - uid: mondoo-macos-security-enable-firewall-stealth-mode
    title: Enable Firewall Stealth Mode
    impact: 60
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.security.firewall"]["EnableStealthMode"]["value"] == true
        }
        b = command('/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode').stdout.trim == "Stealth mode enabled"
        c = macos.alf.stealthEnabled == 1
        a || b || c
      }
    docs:
      desc: |-
        While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.

        [Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)
      remediation: |-
        Perform the following to enable stealth mode:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Security & Privacy
        3. Select Firewall Options
        4. Turn on Enable stealth mode

        _Terminal Method:_

        Run this command to enable stealth mode:

        ```
        sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

        Stealth mode enabled
        ```

        **Impact:**

        Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.

        This check aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may not be configured. In this use case, hiding from the other inmates is likely to be important. In use cases where the device is only on trusted LANs with static IP addresses, you might not want stealth mode.
  - uid: mondoo-macos-security-enable-gatekeeper
    title: Enable Gatekeeper
    impact: 50
    mql: |
      command('spctl --status').stdout.contains("assessments enabled")
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.systempolicy.control"]["AllowIdentifiedDevelopers"]["value"] == true
          parse.plist(filePath1).params["com.apple.systempolicy.control"]["EnableAssessment"]["value"] == true
        }
        filePath2 = "/Library/Managed Preferences/com.apple.systempolicy.control.plist"
        b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
          parse.plist(filePath2).params["AllowIdentifiedDevelopers"] == true
          parse.plist(filePath2).params["EnableAssessment"] == true
        }
        a || b
      }
    docs:
      desc: Gatekeeper is Apple's application allow-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.
      remediation: |-
        Perform the following to implement the prescribed state:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Security & Privacy
        3. Select General
        4. Set Allow apps downloaded from to App Store and identified developers

        _Terminal Method:_

        Run this command to enable Gatekeeper to allow applications from App Store and identified developers:

        ```
        sudo spctl --master-enable
        ```
  - uid: mondoo-macos-security-enable-security-auditing
    title: Enable security auditing
    impact: 50
    mql: |
      service('com.apple.auditd').enabled == true
    docs:
      desc: |-
        macOS's audit facility, `auditd`, receives notifications from the kernel when certain system calls, such as `open`, `fork`, and `exit`, are made. These notifications are captured and written to an audit log.
      remediation: |-
        Perform the following to enable security auditing:

        Run this command to load auditd:

        ```
        sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
        ```
  - uid: mondoo-macos-security-enable-show-wifi-status
    title: Enable "Show Wi-Fi status in menu bar"
    impact: 20
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = home + "/Library/Preferences/ByHost/com.apple.controlcenter." + os.machineid.upcase + ".plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["WiFi"] == 18
          || parse.plist(filePath1).params["WiFi"] == 2
        }
        filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
        b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
          parse.plist(filePath2).params["com.apple.controlcenter"]["WiFi"]["value"] == 18
            || parse.plist(filePath2).params["com.apple.controlcenter"]["WiFi"]["value"] == 2
        }
        filePath3 = "/Library/Managed Preferences/com.apple.controlcenter.plist"
        c = file(filePath3).exists == true && [filePath3].where(file(_).exists) {
          parse.plist(filePath3).params["WiFi"] == 18
            || parse.plist(filePath3).params["WiFi"] == 2
        }
        a || b || c
      }
    docs:
      desc: The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This check only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.
      remediation: |-
        Perform the following to enable Wi-Fi status in the menu bar:

        _Graphical Method:_

        1. Open System Preferences
        2. Select Network
        3. Select Wi-Fi
        4. Set Show Wi-Fi status in menu bar

        _Terminal Method:_

        For each user, run the following to turn the Wi-Fi status on in the menu bar

        ```
        sudo -u <username> defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
        ```

        _example:_

        ```
        sudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18
        ```

        _Please note! Both 18 and 2 are valid values for this parameter._

        **Impact:**

        The user of the system should have a quick check on their wireless network status available.
  - uid: mondoo-macos-security-ensure-airdrop-is-disabled
    title: Ensure AirDrop Is Disabled
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = home + "/Library/Preferences/com.apple.NetworkBrowser.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
            parse.plist(filePath1).params["allowAirDrop"]["value"] == false
          }
        filePath2 = "/Library/Managed Preferences/" + name + "/complete.plist"
        b = file(filePath2).exists == true && [filePath2].where(file(_).exists) {
            parse.plist(filePath2).params["com.apple.applicationaccess"]["allowAirDrop"]["value"] == false
          }
        filePath3 = "/Library/Managed Preferences/com.apple.NetworkBrowser.plist"
        c = file(filePath3).exists && parse.plist(filePath3).params['DisableAirDrop'] == true
        a || b || c
      }
    docs:
      desc: |-
        AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.

        In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you.

        While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.
      remediation: |-
        Perform the following to disable AirDrop:

        _Graphical Method:_

        1. Open Finder
        2. Select Go
        3. Select AirDrop
        4. Set Allow me to be discovered by: No One

        _Terminal Method:_

        Run these commands to disable AirDrop:

        ```
        sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
        ```

        _example:_

        ```
        sudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
        ```

        **Impact:**

        Disabling AirDrop can limit the ability to move files quickly over the network without using file shares.
  - uid: mondoo-macos-security-ensure-firewall-is-configured-to-log
    title: Ensure Firewall is configured to log
    impact: 20
    mql: macos.alf.loggingEnabled == 1
    docs:
      desc: The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied logging must be enabled.
      remediation: |-
        Run this command to enable logging of the firewall:

        ```
        sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

        Turning on log mode
        ```

        **Impact:**

        Detailed logging may result in excessive storage.
  - uid: mondoo-macos-security-ensure-http-server-is-not-running
    title: Ensure http server is not running
    impact: 50
    mql: |
      service('org.apache.httpd') {
        enabled == false
        running == false
      }
    docs:
      desc: macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.
      remediation: |-
        Run this command to disable the http server services:

        ```
        sudo launchctl disable system/org.apache.httpd
        ```

        **Impact:**

        The web server is both a point of attack for the system and a means for unauthorized file transfers.
  - uid: mondoo-macos-security-ensure-nfs-server-is-not-running
    title: Ensure NFS server is not running
    impact: 50
    mql: |
      service('com.apple.nfsd') {
        enabled == false
        running == false
      }
    docs:
      desc: macOS can act as an NFS file server. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.
      remediation: |-
        Run this command to disable the nfsd file server services:

        ```
        sudo nfsd disable
        sudo nfsd stop
        ```

        Remove the exported Directory listing.

        ```
        sudo rm /etc/exports
        ```

        **Impact:**

        The NFS server is both a point of attack for the system and a means for unauthorized file transfers.
  - uid: mondoo-macos-security-ensure-security-auditing-retention
    title: Ensure security auditing retention
    impact: 40
    mql: |
      file("/etc/security/audit_control").exists;
      ["/etc/security/audit_control"].where(file(_).exists) {
        file(_).content.lines.where( _ == /^expire-after/) {
          _.split(":")[1] == /[6-9]\dd|\d{3,}d/ || _.split(":")[1] == /\d+0G|[1-9G]/
        }
      }
    docs:
      desc: |-
        The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.

        Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use the following:

        expire-after:60d OR 1G

        More info in the man page
        man audit_control
      remediation: |-
        Perform the following to set the audit retention length:

        Edit the `/etc/security/audit_control` file so that `expire-after:` is at least `60d OR 1G`

        **Impact:**

        The recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data.
  - uid: mondoo-macos-security-password-age
    title: Password Age
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath).exists == true && [filePath].where(file(_).exists) {
          parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] != empty &&
            parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] <= 365
        }
        b = macos.globalAccountPolicies['policyCategoryPasswordChange'] != empty &&
          macos.globalAccountPolicies['policyCategoryPasswordChange'].any(_['policyParameters']['policyAttributeDaysUntilExpiration'] <= 365)
        filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
        c = file(filePath2).exists == true &&
          parse.plist(filePath2).params['maxPINAgeInDays'] <= 365
        a || b || c
      }
    docs:
      desc: |-
        Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically.
        This check uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This check mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.
      remediation: |-
        Run this command to require that passwords expire after at most 365 days:

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=<value≤525600>"
        ```

        _example:_

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=43200"
        ```

        **Impact:**

        Required password changes will lead to some locked computers requiring admin assistance.
  - uid: mondoo-macos-security-password-history
    title: Password History
    impact: 50
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath).exists == true && [filePath].where(file(_).exists) {
          parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["pinHistory"]["value"] != empty &&
            parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["pinHistory"]["value"] >= 15
          }
        b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != empty &&
          macos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['policyAttributePasswordHistoryDepth'] >= 15 )
        filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
        c = file(filePath2).exists == true &&
          parse.plist(filePath2).params['pinHistory'] != empty &&
            parse.plist(filePath2).params['pinHistory'] >= 15
        a || b || c
      }
    docs:
      desc: |-
        Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users must reset passwords periodically. This check ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This check ensures the new password is different than the previous 15.
        The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.
      remediation: |-
        Run this command to require that the password must to be different from at least the last 15 passwords:

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=<value≥15>"
        ```

        _example:_

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=15"
        ```

        **Impact:**

        Required password changes will lead to some locked computers requiring admin assistance.
  - uid: mondoo-macos-security-reduce-the-sudo-timeout-period
    title: Reduce the sudo timeout period
    impact: 40
    mql: |
      command("sudo -V").stdout.contains("Authentication timestamp timeout: 0.0 minutes") ||
        command("sudo -V").stdout.contains("Authentication timestamp timeout: 0,0 minutes")
    docs:
      desc: The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This check along with the control to use a separate timestamp for each tty limits the window where an unauthorized user, process or attacker could utilize legitimate credentials that are valid for longer than required.
      remediation: |-
        Run this command to edit the sudo settings:

        ```
        sudo visudo
        ```

        Add the line `Defaults timestamp_timeout=0`
        in the `Override built-in defaults`
        section.

        **Impact:**

        This check has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this check too onerous and are better to accept the risk of not requiring a 0 grace period.

        In some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password.
  - uid: mondoo-macos-security-retain-install-log-for-365-or-more-days
    title: Retain install.log for 365 or more days with no maximum size
    impact: 40
    mql: |
      file('/etc/asl/com.apple.install') {
        content != /all_max/
        content == /ttl/
      }
    docs:
      desc: |-
        macOS writes information pertaining to system-related events to the file `/var/log/install.log`
        and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.

        The default value has an "all_max" file limitation, no reference to a minimum retention and a less precise rotation argument.

        The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year and depending on the applications a size restriction could compromise the ability to store a full year.

        While this Benchmark is not scoring for a rotation flag the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired.

        Please review the File Rotation section in the man page for more information.

        ```
        man asl.conf
        ```

        - The maximum file size limitation string should be removed "all_max="
        - An organization appropriate retention should be added "ttl="
        - The rotation should be set with timestamps "rotate=utc" or "rotate=local"
      remediation: |-
        Perform the following to ensure that install logs are retained for at least 365 days:

        Edit the `/etc/asl/com.apple.install` file and add or modify the `ttl` value to `365` or greater on the `file` line. Also, remove the `all_max=` setting and value from the `file` line.

        **Impact:**

        Without log files system maintenance and security forensics cannot be properly performed.
  - uid: mondoo-macos-security-set-a-minimum-password-length
    title: Set a minimum password length
    impact: 80
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.mobiledevice.passwordpolicy"]["minLength"]["value"] != empty &&
            parse.plist(filePath1).params["com.apple.mobiledevice.passwordpolicy"]["minLength"]["value"] >= 15
        }
        b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != empty &&
          macos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['minimumLength'] >= 15)
        filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
        c = file(filePath2).exists == true &&
          parse.plist(filePath2).params["minLength"] >= 15
        a || b || c
      }
    docs:
      desc: |-
        A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.

        Ensure that a minimum of a 15-character password is part of the password policy on the computer.

        Where the confidentiality of encrypted information in FileVault is more of a concern requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.
      remediation: |-
        Run this command to set the password length to greater than or equal to 15:

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=<value≥15>"
        ```

        _example:_

        ```
        sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=15"
        ```

        **Impact:**

        Short passwords can be easily attacked.
  - uid: mondoo-macos-security-software-updates-automatic-check-enabled
    title: Ensure automatic checking of software updates enabled
    impact: 80
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.SoftwareUpdate"]["AutomaticCheckEnabled"]["value"] == true
        }
        filePath2 = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
        b = file(filePath2).exists == true &&
          parse.plist(filePath2).params['AutomaticCheckEnabled'] != false
        filePath3 = "/Library/Managed Preferences/com.apple.SoftwareUpdate.plist"
        c = file(filePath3).exists == true &&
          parse.plist(filePath3).params['AutomaticCheckEnabled'] != false
        a || b || c
      }
    docs:
      desc: |
        This check determines where automatic checking for software updates is enabled
      remediation: |-
        Perform the following to enable automatic checking for updates:

        _Graphical Method:_

        1.  Open **System Preferences**.
        2.  Select **Software Update**.
        3.  Select **Advanced**.
        4.  Select **Check for updates**.

        _Terminal Method:_

        Run this command to enable auto update:

        ```bash
        sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
        ```
  - uid: mondoo-macos-security-software-updates-automatic-download
    title: Ensure automatic download of software updates enabled
    impact: 80
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.SoftwareUpdate"]["AutomaticDownload"]["value"] == true
        }
        filePath2 = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
        b = file(filePath2).exists == true &&
          parse.plist(filePath2).params['AutomaticDownload'] != false
        filePath3 = "/Library/Managed Preferences/com.apple.SoftwareUpdate.plist"
        c = file(filePath3).exists == true &&
          parse.plist(filePath3).params['AutomaticDownload'] != false
        a || b || c
      }
    docs:
      desc: |
        This check determines whether automatic downloads of software updates is enabled
      remediation: |-
        Perform the following to enable automatic downloads of updates:

        _Graphical Method:_

        1.  Open **System Preferences**.
        2.  Select **Software Update**.
        3.  Select **Advanced**.
        4.  Select **Check for updates**.

        _Terminal Method:_

        Run this command to enable auto update:

        ```bash
        sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
        ```
  - uid: mondoo-macos-security-software-updates-install-critical-updates
    title: Ensure critical updates are installed automatically
    impact: 80
    mql: |
      users.where(name != /^_/ && shell != "/usr/bin/false" && name != "root") {
        name
        filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
        a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
          parse.plist(filePath1).params["com.apple.SoftwareUpdate"]["ConfigDataInstall"]["value"] == true
          parse.plist(filePath1).params["com.apple.SoftwareUpdate"]["CriticalUpdateInstall"]["value"] == true
        }
        filePath2 = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
        b = file(filePath2).exists &&
          parse.plist(filePath2).params['ConfigDataInstall'] == true &&
            parse.plist(filePath2).params['CriticalUpdateInstall'] == true
        filePath3 = "/Library/Managed Preferences/com.apple.SoftwareUpdate.plist"
        c = file(filePath3).exists == true &&
          parse.plist(filePath3).params['ConfigDataInstall'] == true &&
            parse.plist(filePath3).params['CriticalUpdateInstall'] == true
        a || b || c
      }
    docs:
      desc: |
        This check determines whether critical software updates are installed automatically
      remediation: |-
        Perform the following to enable automatic installation of critical updates:

        _Graphical Method:_

        1.  Open **System Preferences**.
        2.  Select **Software Update**.
        3.  Select **Advanced**.
        4.  Select **Check for updates**.

        _Terminal Method:_

        Run this command to enable auto update:

        ```bash
        sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
        ```
  - uid: mondoo-macos-security-ensure-macos-is-up-to-date
    title: Ensure macOS is up to date
    impact: 100
    mql: |
      parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').params['RecommendedUpdates'] == empty
    docs:
      desc: |
        By staying up to date on macOS patches, vulnerabilities in the macOS can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on a macOS.
      remediation: |-
        Perform the following to update the macOS to the latest version:

        _Graphical Method:_

        1.  Open **General**.
        2.  Select **Software Update**.
        3.  Select **Update Now**.

        _Terminal Method:_

        Run this command to install all available updates:

        ```bash
        softwareupdate -i -a
        ```