diff --git a/config/config.yaml b/config/config.yaml
index 5ceaf7e76..3194c6d23 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -4,6 +4,7 @@ logging_config: "config/logging_config.yaml"
output_dir: "build/"
includes_dir: "config/includes"
mspc_data: "config/includes/mscp-data.yaml"
+environment: "development"
defaults:
adoc_templates_dir: "config/default/templates/asciidoctor"
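Review bot: The new `environment: "development"` key is committed with no indication of which values are accepted or what the setting changes, so a reader cannot tell whether "development" is the right value for a release build of the baselines. If this key selects looser behaviour somewhere in the loader (not visible here), shipping it as the checked-in default is easy to forget to flip. Add a comment above the key naming the accepted values and what each one changes, e.g. `# Build profile consumed by the generator; accepted values and their effect — TODO document`, and consider whether the checked-in default should be the stricter profile.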
diff --git a/config/default/baselines/macos/15/800-53r5_high_test.yaml b/config/default/baselines/macos/15/800-53r5_high_test.yaml
index bf56985d7..bf45a23cf 100644
--- a/config/default/baselines/macos/15/800-53r5_high_test.yaml
+++ b/config/default/baselines/macos/15/800-53r5_high_test.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../schemas/baseline.json
title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
description: |
This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
diff --git a/config/default/rules/macos/15/audit/audit_acls_files_configure.yaml b/config/default/rules/macos/15/audit/audit_acls_files_configure.yaml
index 521f93586..24a1ac010 100644
--- a/config/default/rules/macos/15/audit/audit_acls_files_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_acls_files_configure.yaml
@@ -46,8 +46,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_low
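Review bot: The new `version:` list item `- 15.0` is an unquoted scalar and parses as the float 15.0, whereas the removed `macOS:` entry was the quoted string `'15.0'`; any consumer that compares the version against a string (as the old form implied) will no longer match, and a future `15.10` written the same way would silently become 15.1. Quote it, `- "15.0"`, to keep the value a string. The same unquoted version appears in every `operating_system` hunk of this diff (all the rule files under `config/default/rules/macos/15/`, including the `auth_pam_login_smartcard_enforce copy.yaml` hunk where the old scalar `version: 15.0` had the same problem), so the fix should be applied across the set rather than per file. The leading indent of `version:` relative to `- name: macos` is not recoverable from the collapsed diff; it must be deeper than the dash for `version` to belong to the same list item, so confirm that after re-quoting.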
diff --git a/config/default/rules/macos/15/audit/audit_acls_folders_configure.yaml b/config/default/rules/macos/15/audit/audit_acls_folders_configure.yaml
index 3aeffc046..f034ac99f 100644
--- a/config/default/rules/macos/15/audit/audit_acls_folders_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_acls_folders_configure.yaml
@@ -46,8 +46,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_alert_processing_fail.yaml b/config/default/rules/macos/15/audit/audit_alert_processing_fail.yaml
index e3b855929..96951360e 100644
--- a/config/default/rules/macos/15/audit/audit_alert_processing_fail.yaml
+++ b/config/default/rules/macos/15/audit/audit_alert_processing_fail.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
mobileconfig: false
diff --git a/config/default/rules/macos/15/audit/audit_auditd_enabled.yaml b/config/default/rules/macos/15/audit/audit_auditd_enabled.yaml
index 73308e728..2559cadb3 100644
--- a/config/default/rules/macos/15/audit/audit_auditd_enabled.yaml
+++ b/config/default/rules/macos/15/audit/audit_auditd_enabled.yaml
@@ -115,8 +115,10 @@ references:
cmmc:
- AU.L2-3.3.2
- AU.L2-3.3.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_configure_capacity_notify.yaml b/config/default/rules/macos/15/audit/audit_configure_capacity_notify.yaml
index 6598765bc..112389a27 100644
--- a/config/default/rules/macos/15/audit/audit_configure_capacity_notify.yaml
+++ b/config/default/rules/macos/15/audit/audit_configure_capacity_notify.yaml
@@ -28,8 +28,10 @@ references:
- SRG-OS-000343-GPOS-00134
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Percentage of free space.
recommended: 25
diff --git a/config/default/rules/macos/15/audit/audit_control_acls_configure.yaml b/config/default/rules/macos/15/audit/audit_control_acls_configure.yaml
index 22ee4af04..97b3fac58 100644
--- a/config/default/rules/macos/15/audit/audit_control_acls_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_control_acls_configure.yaml
@@ -45,8 +45,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/audit/audit_control_group_configure.yaml b/config/default/rules/macos/15/audit/audit_control_group_configure.yaml
index c69d26219..2aea211bd 100644
--- a/config/default/rules/macos/15/audit/audit_control_group_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_control_group_configure.yaml
@@ -45,8 +45,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/audit/audit_control_mode_configure.yaml b/config/default/rules/macos/15/audit/audit_control_mode_configure.yaml
index f1888919c..979ead5ac 100644
--- a/config/default/rules/macos/15/audit/audit_control_mode_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_control_mode_configure.yaml
@@ -45,8 +45,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/audit/audit_control_owner_configure.yaml b/config/default/rules/macos/15/audit/audit_control_owner_configure.yaml
index 8bc3492b2..4d49cffaf 100644
--- a/config/default/rules/macos/15/audit/audit_control_owner_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_control_owner_configure.yaml
@@ -45,8 +45,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/audit/audit_enforce_dual_auth.yaml b/config/default/rules/macos/15/audit/audit_enforce_dual_auth.yaml
index 4d6f73356..d735cd23e 100644
--- a/config/default/rules/macos/15/audit/audit_enforce_dual_auth.yaml
+++ b/config/default/rules/macos/15/audit/audit_enforce_dual_auth.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000360-GPOS-00147
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
- cnssi-1253_high
diff --git a/config/default/rules/macos/15/audit/audit_failure_halt.yaml b/config/default/rules/macos/15/audit/audit_failure_halt.yaml
index dc0bd4e37..accc24b42 100644
--- a/config/default/rules/macos/15/audit/audit_failure_halt.yaml
+++ b/config/default/rules/macos/15/audit/audit_failure_halt.yaml
@@ -30,8 +30,10 @@ references:
- 03.03.04
cmmc:
- AU.L2-3.3.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_files_group_configure.yaml b/config/default/rules/macos/15/audit/audit_files_group_configure.yaml
index 0e79c942b..97f4ade8c 100644
--- a/config/default/rules/macos/15/audit/audit_files_group_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_files_group_configure.yaml
@@ -47,8 +47,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_files_mode_configure.yaml b/config/default/rules/macos/15/audit/audit_files_mode_configure.yaml
index 3d957818a..1aeaf793b 100644
--- a/config/default/rules/macos/15/audit/audit_files_mode_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_files_mode_configure.yaml
@@ -43,8 +43,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_files_owner_configure.yaml b/config/default/rules/macos/15/audit/audit_files_owner_configure.yaml
index c7e8cf975..1ff353587 100644
--- a/config/default/rules/macos/15/audit/audit_files_owner_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_files_owner_configure.yaml
@@ -47,8 +47,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_flags_aa_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_aa_configure.yaml
index 97dcd3a95..7c104e4b7 100644
--- a/config/default/rules/macos/15/audit/audit_flags_aa_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_aa_configure.yaml
@@ -61,8 +61,10 @@ references:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_ad_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_ad_configure.yaml
index 42bcbbb74..2b22cdd8f 100644
--- a/config/default/rules/macos/15/audit/audit_flags_ad_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_ad_configure.yaml
@@ -77,8 +77,10 @@ references:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_ex_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_ex_configure.yaml
index 3f1775718..c88495359 100644
--- a/config/default/rules/macos/15/audit/audit_flags_ex_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_ex_configure.yaml
@@ -52,8 +52,10 @@ references:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_fd_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_fd_configure.yaml
index 832c52ec9..eb336c530 100644
--- a/config/default/rules/macos/15/audit/audit_flags_fd_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_fd_configure.yaml
@@ -70,8 +70,10 @@ references:
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_fm_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_fm_configure.yaml
index 923854f2c..6733c8fba 100644
--- a/config/default/rules/macos/15/audit/audit_flags_fm_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_fm_configure.yaml
@@ -71,8 +71,10 @@ references:
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_fm_failed_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_fm_failed_configure.yaml
index 03f1f54ce..8955ce5e9 100644
--- a/config/default/rules/macos/15/audit/audit_flags_fm_failed_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_fm_failed_configure.yaml
@@ -55,8 +55,10 @@ references:
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r5_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_fr_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_fr_configure.yaml
index 4a40208b1..ef9e6239b 100644
--- a/config/default/rules/macos/15/audit/audit_flags_fr_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_fr_configure.yaml
@@ -69,8 +69,10 @@ references:
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_fw_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_fw_configure.yaml
index 6d0049d91..c836a1989 100644
--- a/config/default/rules/macos/15/audit/audit_flags_fw_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_fw_configure.yaml
@@ -70,8 +70,10 @@ references:
- AU.L2-3.3.6
- AU.L2-3.3.8
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_flags_lo_configure.yaml b/config/default/rules/macos/15/audit/audit_flags_lo_configure.yaml
index 62b18b1ff..214c87782 100644
--- a/config/default/rules/macos/15/audit/audit_flags_lo_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_flags_lo_configure.yaml
@@ -60,8 +60,10 @@ references:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- 800-53r4_low
diff --git a/config/default/rules/macos/15/audit/audit_folder_group_configure.yaml b/config/default/rules/macos/15/audit/audit_folder_group_configure.yaml
index 96e4e3cff..29513683e 100644
--- a/config/default/rules/macos/15/audit/audit_folder_group_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_folder_group_configure.yaml
@@ -47,8 +47,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_folder_owner_configure.yaml b/config/default/rules/macos/15/audit/audit_folder_owner_configure.yaml
index a8cff947f..c7b1e6f44 100644
--- a/config/default/rules/macos/15/audit/audit_folder_owner_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_folder_owner_configure.yaml
@@ -47,8 +47,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_folders_mode_configure.yaml b/config/default/rules/macos/15/audit/audit_folders_mode_configure.yaml
index 4d79d4e43..4e5bbcf50 100644
--- a/config/default/rules/macos/15/audit/audit_folders_mode_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_folders_mode_configure.yaml
@@ -45,8 +45,10 @@ references:
- 3.3
cmmc:
- AU.L2-3.3.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/audit/audit_off_load_records.yaml b/config/default/rules/macos/15/audit/audit_off_load_records.yaml
index 3acb23f1c..938962595 100644
--- a/config/default/rules/macos/15/audit/audit_off_load_records.yaml
+++ b/config/default/rules/macos/15/audit/audit_off_load_records.yaml
@@ -29,8 +29,10 @@ references:
- N/A
controls v8:
- 8.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
- cisv8
diff --git a/config/default/rules/macos/15/audit/audit_record_reduction_report_generation.yaml b/config/default/rules/macos/15/audit/audit_record_reduction_report_generation.yaml
index 77bec6716..5042e161c 100644
--- a/config/default/rules/macos/15/audit/audit_record_reduction_report_generation.yaml
+++ b/config/default/rules/macos/15/audit/audit_record_reduction_report_generation.yaml
@@ -33,8 +33,10 @@ references:
- 03.03.06
cmmc:
- AU.L2-3.3.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/audit/audit_records_processing.yaml b/config/default/rules/macos/15/audit/audit_records_processing.yaml
index 760fdd765..965049285 100644
--- a/config/default/rules/macos/15/audit/audit_records_processing.yaml
+++ b/config/default/rules/macos/15/audit/audit_records_processing.yaml
@@ -26,8 +26,10 @@ references:
- N/A
cmmc:
- AU.L2-3.3.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/audit/audit_retention_configure.yaml b/config/default/rules/macos/15/audit/audit_retention_configure.yaml
index a741e2e2a..b55b2b98b 100644
--- a/config/default/rules/macos/15/audit/audit_retention_configure.yaml
+++ b/config/default/rules/macos/15/audit/audit_retention_configure.yaml
@@ -38,8 +38,10 @@ references:
- AU.L2-3.3.1
800-171r3:
- 03.03.03
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: See man audit_control for possible values.
recommended: 7d
diff --git a/config/default/rules/macos/15/audit/audit_settings_failure_notify.yaml b/config/default/rules/macos/15/audit/audit_settings_failure_notify.yaml
index 3898b9550..dcc30941a 100644
--- a/config/default/rules/macos/15/audit/audit_settings_failure_notify.yaml
+++ b/config/default/rules/macos/15/audit/audit_settings_failure_notify.yaml
@@ -34,8 +34,10 @@ references:
- 03.03.04
cmmc:
- AU.L2-3.3.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce copy.yaml b/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce copy.yaml
index fd9a71cdb..00389762f 100644
--- a/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce copy.yaml
+++ b/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce copy.yaml
@@ -75,8 +75,9 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
operating_system:
- name: "macos"
- version: 15.0
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
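Review bot: This hunk edits `auth_pam_login_smartcard_enforce copy.yaml`, a file whose name (with the embedded space and " copy" suffix) looks like a stray duplicate of `auth_pam_login_smartcard_enforce.yaml`, which the next file section also edits; updating it to the new `operating_system` shape keeps the duplicate alive rather than removing it. If the rule loader picks up every `*.yaml` under the rules directory, both files would presumably be loaded under the same rule id, so one would shadow the other or the rule would be counted twice in a generated baseline. Consider deleting the copy in this commit instead of migrating it. The file's `id:` field is outside the hunk, so the duplicate-id concern is inferred from the file name.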
@@ -93,7 +94,6 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
ddm_info:
declarationtype: com.apple.configuration.services.configuration-files
service: com.apple.pam
diff --git a/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce.yaml b/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce.yaml
index aefc82048..a8d691ed4 100644
--- a/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce.yaml
+++ b/config/default/rules/macos/15/auth/auth_pam_login_smartcard_enforce.yaml
@@ -73,8 +73,10 @@ references:
cmmc:
- IA.L2-3.5.3
- IA.L2-3.5.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/auth/auth_pam_su_smartcard_enforce.yaml b/config/default/rules/macos/15/auth/auth_pam_su_smartcard_enforce.yaml
index d9c291bdb..aef83d0ff 100644
--- a/config/default/rules/macos/15/auth/auth_pam_su_smartcard_enforce.yaml
+++ b/config/default/rules/macos/15/auth/auth_pam_su_smartcard_enforce.yaml
@@ -68,8 +68,10 @@ references:
cmmc:
- IA.L2-3.5.3
- IA.L2-3.5.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -99,4 +101,4 @@ ddm_info:
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
- session required pam_launchd.so
\ No newline at end of file
+ session required pam_launchd.so
diff --git a/config/default/rules/macos/15/auth/auth_pam_sudo_smartcard_enforce.yaml b/config/default/rules/macos/15/auth/auth_pam_sudo_smartcard_enforce.yaml
index f2f202629..4ffe3a1bf 100644
--- a/config/default/rules/macos/15/auth/auth_pam_sudo_smartcard_enforce.yaml
+++ b/config/default/rules/macos/15/auth/auth_pam_sudo_smartcard_enforce.yaml
@@ -67,8 +67,10 @@ references:
cmmc:
- IA.L2-3.5.3
- IA.L2-3.5.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -97,4 +99,4 @@ ddm_info:
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
- session required pam_permit.so
\ No newline at end of file
+ session required pam_permit.so
diff --git a/config/default/rules/macos/15/auth/auth_smartcard_allow.yaml b/config/default/rules/macos/15/auth/auth_smartcard_allow.yaml
index 8d37d5c61..0da042ede 100644
--- a/config/default/rules/macos/15/auth/auth_smartcard_allow.yaml
+++ b/config/default/rules/macos/15/auth/auth_smartcard_allow.yaml
@@ -56,8 +56,10 @@ references:
- IA.L2-3.5.3
800-171r3:
- 03.05.03
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
diff --git a/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_high.yaml
index 352c46d4f..42c94f3a5 100644
--- a/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_high.yaml
+++ b/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_high.yaml
@@ -34,8 +34,10 @@ references:
- N/A
cmmc:
- SC.L2-3.13.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_high
- 800-53r5_high
diff --git a/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
index 3bf7a1329..c3a8febee 100644
--- a/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
+++ b/config/default/rules/macos/15/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml
@@ -41,8 +41,10 @@ references:
- N/A
cmmc:
- SC.L2-3.13.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/auth/auth_smartcard_enforce.yaml b/config/default/rules/macos/15/auth/auth_smartcard_enforce.yaml
index 13e3c6f48..031dd7270 100644
--- a/config/default/rules/macos/15/auth/auth_smartcard_enforce.yaml
+++ b/config/default/rules/macos/15/auth/auth_smartcard_enforce.yaml
@@ -76,8 +76,10 @@ references:
- IA.L1-3.5.2
- IA.L2-3.5.3
- IA.L2-3.5.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/auth/auth_ssh_password_authentication_disable.yaml b/config/default/rules/macos/15/auth/auth_ssh_password_authentication_disable.yaml
index f6dfc114e..8e486f537 100644
--- a/config/default/rules/macos/15/auth/auth_ssh_password_authentication_disable.yaml
+++ b/config/default/rules/macos/15/auth/auth_ssh_password_authentication_disable.yaml
@@ -90,8 +90,10 @@ references:
- IA.L2-3.5.3
- IA.L2-3.5.4
- MA.L2-3.7.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_addressbook_disable.yaml b/config/default/rules/macos/15/icloud/icloud_addressbook_disable.yaml
index 9ec79185a..30d17eac5 100644
--- a/config/default/rules/macos/15/icloud/icloud_addressbook_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_addressbook_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_appleid_system_settings_disable.yaml b/config/default/rules/macos/15/icloud/icloud_appleid_system_settings_disable.yaml
index 90d0d396a..b0dd74b3f 100644
--- a/config/default/rules/macos/15/icloud/icloud_appleid_system_settings_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_appleid_system_settings_disable.yaml
@@ -42,8 +42,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_bookmarks_disable.yaml b/config/default/rules/macos/15/icloud/icloud_bookmarks_disable.yaml
index dc37b17ce..323036d71 100644
--- a/config/default/rules/macos/15/icloud/icloud_bookmarks_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_bookmarks_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_calendar_disable.yaml b/config/default/rules/macos/15/icloud/icloud_calendar_disable.yaml
index ba15ad129..d714bbf1d 100644
--- a/config/default/rules/macos/15/icloud/icloud_calendar_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_calendar_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_drive_disable.yaml b/config/default/rules/macos/15/icloud/icloud_drive_disable.yaml
index 26cc67040..491847e65 100644
--- a/config/default/rules/macos/15/icloud/icloud_drive_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_drive_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_freeform_disable.yaml b/config/default/rules/macos/15/icloud/icloud_freeform_disable.yaml
index 630fe37e6..a2a177633 100644
--- a/config/default/rules/macos/15/icloud/icloud_freeform_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_freeform_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_game_center_disable.yaml b/config/default/rules/macos/15/icloud/icloud_game_center_disable.yaml
index f2b7f4286..cc7e75ba1 100644
--- a/config/default/rules/macos/15/icloud/icloud_game_center_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_game_center_disable.yaml
@@ -46,8 +46,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_keychain_disable.yaml b/config/default/rules/macos/15/icloud/icloud_keychain_disable.yaml
index 545211eaa..99c00a42f 100644
--- a/config/default/rules/macos/15/icloud/icloud_keychain_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_keychain_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_mail_disable.yaml b/config/default/rules/macos/15/icloud/icloud_mail_disable.yaml
index 4a48a5569..70391f366 100644
--- a/config/default/rules/macos/15/icloud/icloud_mail_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_mail_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_notes_disable.yaml b/config/default/rules/macos/15/icloud/icloud_notes_disable.yaml
index 7ecc600ce..77d7d84a7 100644
--- a/config/default/rules/macos/15/icloud/icloud_notes_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_notes_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_photos_disable.yaml b/config/default/rules/macos/15/icloud/icloud_photos_disable.yaml
index dbcf22af3..41e48d1d3 100644
--- a/config/default/rules/macos/15/icloud/icloud_photos_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_photos_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_private_relay_disable.yaml b/config/default/rules/macos/15/icloud/icloud_private_relay_disable.yaml
index 019833992..20bfbfc25 100644
--- a/config/default/rules/macos/15/icloud/icloud_private_relay_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_private_relay_disable.yaml
@@ -47,8 +47,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_reminders_disable.yaml b/config/default/rules/macos/15/icloud/icloud_reminders_disable.yaml
index 2c51517ff..bea58ea60 100644
--- a/config/default/rules/macos/15/icloud/icloud_reminders_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_reminders_disable.yaml
@@ -48,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/icloud/icloud_sync_disable.yaml b/config/default/rules/macos/15/icloud/icloud_sync_disable.yaml
index b4dffd47f..50655f264 100644
--- a/config/default/rules/macos/15/icloud/icloud_sync_disable.yaml
+++ b/config/default/rules/macos/15/icloud/icloud_sync_disable.yaml
@@ -47,8 +47,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_access_control_mobile_devices.yaml b/config/default/rules/macos/15/os/os_access_control_mobile_devices.yaml
index 5edaaaa02..2b4f649e7 100644
--- a/config/default/rules/macos/15/os/os_access_control_mobile_devices.yaml
+++ b/config/default/rules/macos/15/os/os_access_control_mobile_devices.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: os_access_control_mobile_devices
title: Access Control for Mobile Devices
discussion: |
@@ -32,8 +34,10 @@ references:
- AC.L2-3.1.18
800-171r3:
- 03.01.18
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
@@ -46,4 +50,3 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/os/os_account_modification_disable.yaml b/config/default/rules/macos/15/os/os_account_modification_disable.yaml
index 80203ba9d..4cc9c0283 100644
--- a/config/default/rules/macos/15/os/os_account_modification_disable.yaml
+++ b/config/default/rules/macos/15/os/os_account_modification_disable.yaml
@@ -1,10 +1,10 @@
id: os_account_modification_disable
title: "Disable AppleID and Internet Account Modifications"
discussion: |
- The system _MUST_ disable account modification.
-
+ The system _MUST_ disable account modification.
+
Account modification includes adding additional or modifying internet accounts in Apple Mail, Calendar, Contacts, in the Internet Account System Setting Pane, or the AppleID System Setting Pane.
-
+
This prevents the addition of unauthorized accounts.
[IMPORTANT]
@@ -53,8 +53,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -74,4 +76,4 @@ severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
- allowAccountModification: false
\ No newline at end of file
+ allowAccountModification: false
diff --git a/config/default/rules/macos/15/os/os_airdrop_disable.yaml b/config/default/rules/macos/15/os/os_airdrop_disable.yaml
index ccd655e3d..2bcea9643 100644
--- a/config/default/rules/macos/15/os/os_airdrop_disable.yaml
+++ b/config/default/rules/macos/15/os/os_airdrop_disable.yaml
@@ -51,8 +51,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_allow_info_passed.yaml b/config/default/rules/macos/15/os/os_allow_info_passed.yaml
index 887309821..b4e1122fe 100644
--- a/config/default/rules/macos/15/os/os_allow_info_passed.yaml
+++ b/config/default/rules/macos/15/os/os_allow_info_passed.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000312-GPOS-00122
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_anti_virus_installed.yaml b/config/default/rules/macos/15/os/os_anti_virus_installed.yaml
index 0ac67cf5e..03c633f39 100644
--- a/config/default/rules/macos/15/os/os_anti_virus_installed.yaml
+++ b/config/default/rules/macos/15/os/os_anti_virus_installed.yaml
@@ -36,8 +36,10 @@ references:
- 10.5
- 10.1
- 10.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_appleid_prompt_disable.yaml b/config/default/rules/macos/15/os/os_appleid_prompt_disable.yaml
index 2f907331f..f011e7bf7 100644
--- a/config/default/rules/macos/15/os/os_appleid_prompt_disable.yaml
+++ b/config/default/rules/macos/15/os/os_appleid_prompt_disable.yaml
@@ -36,8 +36,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.20
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_application_sandboxing.yaml b/config/default/rules/macos/15/os/os_application_sandboxing.yaml
index aab02186e..7fc2064dd 100644
--- a/config/default/rules/macos/15/os/os_application_sandboxing.yaml
+++ b/config/default/rules/macos/15/os/os_application_sandboxing.yaml
@@ -23,8 +23,10 @@ references:
- N/A
cci:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_asl_log_files_owner_group_configure.yaml b/config/default/rules/macos/15/os/os_asl_log_files_owner_group_configure.yaml
index c88909c48..4a5faf228 100644
--- a/config/default/rules/macos/15/os/os_asl_log_files_owner_group_configure.yaml
+++ b/config/default/rules/macos/15/os/os_asl_log_files_owner_group_configure.yaml
@@ -30,8 +30,10 @@ references:
- N/A
800-171r3:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_asl_log_files_permissions_configure.yaml b/config/default/rules/macos/15/os/os_asl_log_files_permissions_configure.yaml
index 929ec20e0..83ef48def 100644
--- a/config/default/rules/macos/15/os/os_asl_log_files_permissions_configure.yaml
+++ b/config/default/rules/macos/15/os/os_asl_log_files_permissions_configure.yaml
@@ -28,8 +28,10 @@ references:
- N/A
800-171r3:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_auth_peripherals.yaml b/config/default/rules/macos/15/os/os_auth_peripherals.yaml
index 97734334b..e2fccc110 100644
--- a/config/default/rules/macos/15/os/os_auth_peripherals.yaml
+++ b/config/default/rules/macos/15/os/os_auth_peripherals.yaml
@@ -29,8 +29,10 @@ references:
- 13.9
cmmc:
- IA.L1-3.5.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_authenticated_root_enable.yaml b/config/default/rules/macos/15/os/os_authenticated_root_enable.yaml
index a809c8b07..f91469de4 100644
--- a/config/default/rules/macos/15/os/os_authenticated_root_enable.yaml
+++ b/config/default/rules/macos/15/os/os_authenticated_root_enable.yaml
@@ -53,8 +53,10 @@ references:
- AC.L1-3.1.1
- CM.L2-3.4.5
- SC.L2-3.13.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_blank_bluray_disable.yaml b/config/default/rules/macos/15/os/os_blank_bluray_disable.yaml
index 2ecde48fa..5db426c92 100644
--- a/config/default/rules/macos/15/os/os_blank_bluray_disable.yaml
+++ b/config/default/rules/macos/15/os/os_blank_bluray_disable.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_blank_cd_disable.yaml b/config/default/rules/macos/15/os/os_blank_cd_disable.yaml
index ff4aa0987..4a6c91cc1 100644
--- a/config/default/rules/macos/15/os/os_blank_cd_disable.yaml
+++ b/config/default/rules/macos/15/os/os_blank_cd_disable.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_blank_dvd_disable.yaml b/config/default/rules/macos/15/os/os_blank_dvd_disable.yaml
index d7dac1c74..57fd78445 100644
--- a/config/default/rules/macos/15/os/os_blank_dvd_disable.yaml
+++ b/config/default/rules/macos/15/os/os_blank_dvd_disable.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_bluray_read_only_enforce.yaml b/config/default/rules/macos/15/os/os_bluray_read_only_enforce.yaml
index 34e725f28..dabb41560 100644
--- a/config/default/rules/macos/15/os/os_bluray_read_only_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_bluray_read_only_enforce.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_bonjour_disable.yaml b/config/default/rules/macos/15/os/os_bonjour_disable.yaml
index 8aa722a40..97add02f6 100644
--- a/config/default/rules/macos/15/os/os_bonjour_disable.yaml
+++ b/config/default/rules/macos/15/os/os_bonjour_disable.yaml
@@ -37,8 +37,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_burn_support_disable.yaml b/config/default/rules/macos/15/os/os_burn_support_disable.yaml
index 4abe731fc..34e250a7c 100644
--- a/config/default/rules/macos/15/os/os_burn_support_disable.yaml
+++ b/config/default/rules/macos/15/os/os_burn_support_disable.yaml
@@ -31,8 +31,10 @@ references:
- MP.L2-3.8.8
800-171r3:
- 03.08.07
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_calendar_app_disable.yaml b/config/default/rules/macos/15/os/os_calendar_app_disable.yaml
index e5bd75a54..faf8e2dd2 100644
--- a/config/default/rules/macos/15/os/os_calendar_app_disable.yaml
+++ b/config/default/rules/macos/15/os/os_calendar_app_disable.yaml
@@ -61,8 +61,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_camera_disable.yaml b/config/default/rules/macos/15/os/os_camera_disable.yaml
index e6e46c36e..48a6c2a67 100644
--- a/config/default/rules/macos/15/os/os_camera_disable.yaml
+++ b/config/default/rules/macos/15/os/os_camera_disable.yaml
@@ -37,8 +37,10 @@ references:
- SRG-OS-000095-GPOS-00049
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- stig
severity: medium
diff --git a/config/default/rules/macos/15/os/os_cd_read_only_enforce.yaml b/config/default/rules/macos/15/os/os_cd_read_only_enforce.yaml
index d06e82259..737eec35e 100644
--- a/config/default/rules/macos/15/os/os_cd_read_only_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_cd_read_only_enforce.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_certificate_authority_trust.yaml b/config/default/rules/macos/15/os/os_certificate_authority_trust.yaml
index effa6d771..30212f228 100644
--- a/config/default/rules/macos/15/os/os_certificate_authority_trust.yaml
+++ b/config/default/rules/macos/15/os/os_certificate_authority_trust.yaml
@@ -12,7 +12,7 @@ references:
cce:
- CCE-94174-0
cci:
- - CCI-002470
+ - CCI-002470
- CCI-000185
- CCI-002450
800-53r5:
@@ -25,8 +25,10 @@ references:
- N/A
cmmc:
- SC.L2-3.13.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_change_security_attributes.yaml b/config/default/rules/macos/15/os/os_change_security_attributes.yaml
index 5054c6783..cacfdabaa 100644
--- a/config/default/rules/macos/15/os/os_change_security_attributes.yaml
+++ b/config/default/rules/macos/15/os/os_change_security_attributes.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000312-GPOS-00123
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_config_data_install_enforce.yaml b/config/default/rules/macos/15/os/os_config_data_install_enforce.yaml
index e243cbd67..64970c3e1 100644
--- a/config/default/rules/macos/15/os/os_config_data_install_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_config_data_install_enforce.yaml
@@ -44,8 +44,10 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_config_profile_ui_install_disable.yaml b/config/default/rules/macos/15/os/os_config_profile_ui_install_disable.yaml
index f70bac32e..e0e8ea55f 100644
--- a/config/default/rules/macos/15/os/os_config_profile_ui_install_disable.yaml
+++ b/config/default/rules/macos/15/os/os_config_profile_ui_install_disable.yaml
@@ -31,8 +31,10 @@ references:
- N/A
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_continuous_monitoring.yaml b/config/default/rules/macos/15/os/os_continuous_monitoring.yaml
index 4bcabb2de..eb209a716 100644
--- a/config/default/rules/macos/15/os/os_continuous_monitoring.yaml
+++ b/config/default/rules/macos/15/os/os_continuous_monitoring.yaml
@@ -19,8 +19,10 @@ references:
- SRG-OS-000191-GPOS-00080
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_crypto_audit.yaml b/config/default/rules/macos/15/os/os_crypto_audit.yaml
index 538d7c272..a5352f109 100644
--- a/config/default/rules/macos/15/os/os_crypto_audit.yaml
+++ b/config/default/rules/macos/15/os/os_crypto_audit.yaml
@@ -25,8 +25,10 @@ references:
- N/A
srg:
- SRG-OS-000278-GPOS-00108
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_dictation_disable.yaml b/config/default/rules/macos/15/os/os_dictation_disable.yaml
index 45826e1aa..0f3ff0575 100644
--- a/config/default/rules/macos/15/os/os_dictation_disable.yaml
+++ b/config/default/rules/macos/15/os/os_dictation_disable.yaml
@@ -42,8 +42,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- i386
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_directory_services_configured.yaml b/config/default/rules/macos/15/os/os_directory_services_configured.yaml
index d8ba14526..a527142d0 100644
--- a/config/default/rules/macos/15/os/os_directory_services_configured.yaml
+++ b/config/default/rules/macos/15/os/os_directory_services_configured.yaml
@@ -28,8 +28,10 @@ references:
- N/A
controls v8:
- 6.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cisv8
- stig
diff --git a/config/default/rules/macos/15/os/os_disk_image_disable.yaml b/config/default/rules/macos/15/os/os_disk_image_disable.yaml
index a35b9f2ec..b94faed2b 100644
--- a/config/default/rules/macos/15/os/os_disk_image_disable.yaml
+++ b/config/default/rules/macos/15/os/os_disk_image_disable.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_dvdram_disable.yaml b/config/default/rules/macos/15/os/os_dvdram_disable.yaml
index 8e9a8af64..eb939c2bd 100644
--- a/config/default/rules/macos/15/os/os_dvdram_disable.yaml
+++ b/config/default/rules/macos/15/os/os_dvdram_disable.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_enforce_access_restrictions.yaml b/config/default/rules/macos/15/os/os_enforce_access_restrictions.yaml
index 11dbc04d6..919023955 100644
--- a/config/default/rules/macos/15/os/os_enforce_access_restrictions.yaml
+++ b/config/default/rules/macos/15/os/os_enforce_access_restrictions.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000364-GPOS-00151
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_erase_content_and_settings_disable.yaml b/config/default/rules/macos/15/os/os_erase_content_and_settings_disable.yaml
index 40741d6db..02519bb9f 100644
--- a/config/default/rules/macos/15/os/os_erase_content_and_settings_disable.yaml
+++ b/config/default/rules/macos/15/os/os_erase_content_and_settings_disable.yaml
@@ -33,8 +33,10 @@ references:
- CM.L2-3.4.7
800-171r3:
- 03.04.06
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_error_message.yaml b/config/default/rules/macos/15/os/os_error_message.yaml
index 2d1d25cc1..b18833e6c 100644
--- a/config/default/rules/macos/15/os/os_error_message.yaml
+++ b/config/default/rules/macos/15/os/os_error_message.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_ess_installed.yaml b/config/default/rules/macos/15/os/os_ess_installed.yaml
index dcd4bad29..e81064a69 100644
--- a/config/default/rules/macos/15/os/os_ess_installed.yaml
+++ b/config/default/rules/macos/15/os/os_ess_installed.yaml
@@ -22,8 +22,10 @@ references:
- SRG-OS-000191-GPOS-00080
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- manual
- cisv8
diff --git a/config/default/rules/macos/15/os/os_external_storage_access_defined.yaml b/config/default/rules/macos/15/os/os_external_storage_access_defined.yaml
index c1007cb4c..67db40d2c 100644
--- a/config/default/rules/macos/15/os/os_external_storage_access_defined.yaml
+++ b/config/default/rules/macos/15/os/os_external_storage_access_defined.yaml
@@ -1,8 +1,8 @@
id: os_external_storage_access_defined
title: Access to External Storage Must Be Defined
discussion: |-
- Access to external storage _MUST_ be managed.
-
+ Access to external storage _MUST_ be managed.
+
NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
check: |
/usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
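Review bot: The NOTE line inside the `discussion` block scalar carries three spelling errors ("built in", "declative", "manament") that survive the whitespace rework of the same block and are rendered verbatim into the generated guide. Since the hunk already rewrites the surrounding lines, the sentence can be corrected at the same time: `NOTE: Apple's built-in declarative device management method only allows external storage management to be set to Allowed, ReadOnly, and Disallowed.`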
@@ -25,14 +25,16 @@ references:
- 03.08.07
cmmc:
- MP.L2-3.8.7
- - MP.L2-3.8.8
-macOS:
- - '15.0'
+ - MP.L2-3.8.8
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cmmc_lvl2
- 800-53r5_low
- 800-53r5_moderate
- - 800-53r5_high
+ - 800-53r5_high
odv:
hint: Allowed, ReadOnly, or Disallowed
recommended: Allowed
@@ -41,4 +43,4 @@ mobileconfig_info:
ddm_info:
declarationtype: com.apple.configuration.diskmanagement.settings
ddm_key: ExternalStorage
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_facetime_app_disable.yaml b/config/default/rules/macos/15/os/os_facetime_app_disable.yaml
index fe84e89df..b26356cf6 100644
--- a/config/default/rules/macos/15/os/os_facetime_app_disable.yaml
+++ b/config/default/rules/macos/15/os/os_facetime_app_disable.yaml
@@ -58,8 +58,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_fail_secure_state.yaml b/config/default/rules/macos/15/os/os_fail_secure_state.yaml
index 090032a21..5495842e9 100644
--- a/config/default/rules/macos/15/os/os_fail_secure_state.yaml
+++ b/config/default/rules/macos/15/os/os_fail_secure_state.yaml
@@ -26,8 +26,10 @@ references:
srg:
- SRG-OS-000269-GPOS-00103
- SRG-OS-000184-GPOS-00078
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_filevault_authorized_users.yaml b/config/default/rules/macos/15/os/os_filevault_authorized_users.yaml
index a4ad1525d..86215b59b 100644
--- a/config/default/rules/macos/15/os/os_filevault_authorized_users.yaml
+++ b/config/default/rules/macos/15/os/os_filevault_authorized_users.yaml
@@ -26,8 +26,10 @@ references:
- N/A
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- manual
diff --git a/config/default/rules/macos/15/os/os_filevault_autologin_disable.yaml b/config/default/rules/macos/15/os/os_filevault_autologin_disable.yaml
index 22e8bed77..132835418 100644
--- a/config/default/rules/macos/15/os/os_filevault_autologin_disable.yaml
+++ b/config/default/rules/macos/15/os/os_filevault_autologin_disable.yaml
@@ -43,8 +43,10 @@ references:
- 6.7
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_firewall_default_deny_require.yaml b/config/default/rules/macos/15/os/os_firewall_default_deny_require.yaml
index 00db0aae9..e6f901390 100644
--- a/config/default/rules/macos/15/os/os_firewall_default_deny_require.yaml
+++ b/config/default/rules/macos/15/os/os_firewall_default_deny_require.yaml
@@ -40,8 +40,10 @@ references:
cmmc:
- AC.L2-3.1.3
- SC.L2-3.13.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_firmware_password_require.yaml b/config/default/rules/macos/15/os/os_firmware_password_require.yaml
index 1512c6ba1..0bda94cdb 100644
--- a/config/default/rules/macos/15/os/os_firmware_password_require.yaml
+++ b/config/default/rules/macos/15/os/os_firmware_password_require.yaml
@@ -39,8 +39,10 @@ references:
cmmc:
- AC.L1-3.1.1
- AC.L2-3.1.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_gatekeeper_enable.yaml b/config/default/rules/macos/15/os/os_gatekeeper_enable.yaml
index ad6001090..5c375e49b 100644
--- a/config/default/rules/macos/15/os/os_gatekeeper_enable.yaml
+++ b/config/default/rules/macos/15/os/os_gatekeeper_enable.yaml
@@ -49,8 +49,10 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_genmoji_disable.yaml b/config/default/rules/macos/15/os/os_genmoji_disable.yaml
index d7b26ab48..1d67a0a45 100644
--- a/config/default/rules/macos/15/os/os_genmoji_disable.yaml
+++ b/config/default/rules/macos/15/os/os_genmoji_disable.yaml
@@ -29,8 +29,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_grant_privs.yaml b/config/default/rules/macos/15/os/os_grant_privs.yaml
index 9091ada29..0756a50c8 100644
--- a/config/default/rules/macos/15/os/os_grant_privs.yaml
+++ b/config/default/rules/macos/15/os/os_grant_privs.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000312-GPOS-00124
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_guest_folder_removed.yaml b/config/default/rules/macos/15/os/os_guest_folder_removed.yaml
index a75924c62..095386dec 100644
--- a/config/default/rules/macos/15/os/os_guest_folder_removed.yaml
+++ b/config/default/rules/macos/15/os/os_guest_folder_removed.yaml
@@ -31,8 +31,10 @@ references:
- 5.9 (level 1)
controls v8:
- 4.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_handoff_disable.yaml b/config/default/rules/macos/15/os/os_handoff_disable.yaml
index 6f28b74ed..12092dedd 100644
--- a/config/default/rules/macos/15/os/os_handoff_disable.yaml
+++ b/config/default/rules/macos/15/os/os_handoff_disable.yaml
@@ -51,8 +51,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_hibernate_mode_apple_silicon_enable.yaml b/config/default/rules/macos/15/os/os_hibernate_mode_apple_silicon_enable.yaml
index dc15f4e3d..debdad07f 100644
--- a/config/default/rules/macos/15/os/os_hibernate_mode_apple_silicon_enable.yaml
+++ b/config/default/rules/macos/15/os/os_hibernate_mode_apple_silicon_enable.yaml
@@ -56,8 +56,10 @@ references:
- 2.9.1.2 (level 2)
controls v8:
- 4.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
diff --git a/config/default/rules/macos/15/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/config/default/rules/macos/15/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index 3ec19ea3e..ed578b19a 100644
--- a/config/default/rules/macos/15/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/config/default/rules/macos/15/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -31,8 +31,10 @@ references:
- 2.9.1.3 (level 2)
controls v8:
- 4.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
diff --git a/config/default/rules/macos/15/os/os_hibernate_mode_intel_enable.yaml b/config/default/rules/macos/15/os/os_hibernate_mode_intel_enable.yaml
index 18c2449d4..5ee030d12 100644
--- a/config/default/rules/macos/15/os/os_hibernate_mode_intel_enable.yaml
+++ b/config/default/rules/macos/15/os/os_hibernate_mode_intel_enable.yaml
@@ -56,8 +56,10 @@ references:
- 2.9.1.1 (level 2)
controls v8:
- 4.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
diff --git a/config/default/rules/macos/15/os/os_home_folders_default.yaml b/config/default/rules/macos/15/os/os_home_folders_default.yaml
index 20ee7a509..7b2490085 100644
--- a/config/default/rules/macos/15/os/os_home_folders_default.yaml
+++ b/config/default/rules/macos/15/os/os_home_folders_default.yaml
@@ -51,8 +51,10 @@ references:
- N/A
controls v8:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- manual
severity: medium
diff --git a/config/default/rules/macos/15/os/os_home_folders_secure.yaml b/config/default/rules/macos/15/os/os_home_folders_secure.yaml
index 0ac44f4ac..2db4c9598 100644
--- a/config/default/rules/macos/15/os/os_home_folders_secure.yaml
+++ b/config/default/rules/macos/15/os/os_home_folders_secure.yaml
@@ -40,8 +40,10 @@ references:
cmmc:
- AC.L1-3.1.1
- AC.L2-3.1.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_httpd_disable.yaml b/config/default/rules/macos/15/os/os_httpd_disable.yaml
index 116e6b16b..53ef68a48 100644
--- a/config/default/rules/macos/15/os/os_httpd_disable.yaml
+++ b/config/default/rules/macos/15/os/os_httpd_disable.yaml
@@ -38,8 +38,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_icloud_storage_prompt_disable.yaml b/config/default/rules/macos/15/os/os_icloud_storage_prompt_disable.yaml
index dd9e2dd0f..427256bce 100644
--- a/config/default/rules/macos/15/os/os_icloud_storage_prompt_disable.yaml
+++ b/config/default/rules/macos/15/os/os_icloud_storage_prompt_disable.yaml
@@ -37,8 +37,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.20
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_identify_non-org_users.yaml b/config/default/rules/macos/15/os/os_identify_non-org_users.yaml
index 2db470ac7..54620048b 100644
--- a/config/default/rules/macos/15/os/os_identify_non-org_users.yaml
+++ b/config/default/rules/macos/15/os/os_identify_non-org_users.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_image_generation_disable.yaml b/config/default/rules/macos/15/os/os_image_generation_disable.yaml
index 672d58da0..47d6922e1 100644
--- a/config/default/rules/macos/15/os/os_image_generation_disable.yaml
+++ b/config/default/rules/macos/15/os/os_image_generation_disable.yaml
@@ -24,13 +24,15 @@ references:
- SC-7(10)
800-171r3:
- 03.01.20
- - 03.04.06
+ - 03.04.06
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -41,4 +43,4 @@ tags:
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
- allowImagePlayground: false
\ No newline at end of file
+ allowImagePlayground: false
diff --git a/config/default/rules/macos/15/os/os_implement_cryptography.yaml b/config/default/rules/macos/15/os/os_implement_cryptography.yaml
index b3fedaa11..056997a4f 100644
--- a/config/default/rules/macos/15/os/os_implement_cryptography.yaml
+++ b/config/default/rules/macos/15/os/os_implement_cryptography.yaml
@@ -34,8 +34,10 @@ references:
cmmc:
- MP.L2-3.8.6
- SC.L2-3.13.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_implement_memory_protection.yaml b/config/default/rules/macos/15/os/os_implement_memory_protection.yaml
index 948a00b18..a39008e0e 100644
--- a/config/default/rules/macos/15/os/os_implement_memory_protection.yaml
+++ b/config/default/rules/macos/15/os/os_implement_memory_protection.yaml
@@ -30,8 +30,10 @@ references:
srg:
- SRG-OS-000433-GPOS-00193
- SRG-OS-000433-GPOS-00192
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_information_validation.yaml b/config/default/rules/macos/15/os/os_information_validation.yaml
index d5d8f2c68..64a53ca76 100644
--- a/config/default/rules/macos/15/os/os_information_validation.yaml
+++ b/config/default/rules/macos/15/os/os_information_validation.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_install_log_retention_configure.yaml b/config/default/rules/macos/15/os/os_install_log_retention_configure.yaml
index e495d6b39..03f6c24fc 100644
--- a/config/default/rules/macos/15/os/os_install_log_retention_configure.yaml
+++ b/config/default/rules/macos/15/os/os_install_log_retention_configure.yaml
@@ -3,7 +3,7 @@ title: Configure Install.log Retention to $ODV
discussion: |
The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
check: |
- /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'
+ /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'
result:
string: 'Yes'
fix: |
@@ -38,8 +38,10 @@ references:
- 8.3
cmmc:
- AU.L2-3.3.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of days.
recommended: 365
diff --git a/config/default/rules/macos/15/os/os_iphone_mirroring_disable.yaml b/config/default/rules/macos/15/os/os_iphone_mirroring_disable.yaml
index 196fb1d61..457cc220f 100644
--- a/config/default/rules/macos/15/os/os_iphone_mirroring_disable.yaml
+++ b/config/default/rules/macos/15/os/os_iphone_mirroring_disable.yaml
@@ -18,8 +18,10 @@ references:
- N/A
800-53r5:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- none
mobileconfig: true
diff --git a/config/default/rules/macos/15/os/os_ir_support_disable.yaml b/config/default/rules/macos/15/os/os_ir_support_disable.yaml
index 32b2a9fd1..3aff4c23b 100644
--- a/config/default/rules/macos/15/os/os_ir_support_disable.yaml
+++ b/config/default/rules/macos/15/os/os_ir_support_disable.yaml
@@ -46,8 +46,10 @@ references:
- AC.L2-3.1.16
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_isolate_security_functions.yaml b/config/default/rules/macos/15/os/os_isolate_security_functions.yaml
index 9661be9f0..181d28e89 100644
--- a/config/default/rules/macos/15/os/os_isolate_security_functions.yaml
+++ b/config/default/rules/macos/15/os/os_isolate_security_functions.yaml
@@ -23,8 +23,10 @@ references:
- SRG-OS-000134-GPOS-00068
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_library_validation_enabled.yaml b/config/default/rules/macos/15/os/os_library_validation_enabled.yaml
index 8f126f03a..6089b9e78 100644
--- a/config/default/rules/macos/15/os/os_library_validation_enabled.yaml
+++ b/config/default/rules/macos/15/os/os_library_validation_enabled.yaml
@@ -31,8 +31,10 @@ references:
controls v8:
- 2.3
- 2.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cisv8
mobileconfig: true
diff --git a/config/default/rules/macos/15/os/os_limit_auditable_events.yaml b/config/default/rules/macos/15/os/os_limit_auditable_events.yaml
index 0db9e04f3..98c89c435 100644
--- a/config/default/rules/macos/15/os/os_limit_auditable_events.yaml
+++ b/config/default/rules/macos/15/os/os_limit_auditable_events.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_limit_dos_attacks.yaml b/config/default/rules/macos/15/os/os_limit_dos_attacks.yaml
index 9e1e5d4ee..574d9d88b 100644
--- a/config/default/rules/macos/15/os/os_limit_dos_attacks.yaml
+++ b/config/default/rules/macos/15/os/os_limit_dos_attacks.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000142-GPOS-00071
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_limit_gui_sessions.yaml b/config/default/rules/macos/15/os/os_limit_gui_sessions.yaml
index 1801d9bde..9a1c2162c 100644
--- a/config/default/rules/macos/15/os/os_limit_gui_sessions.yaml
+++ b/config/default/rules/macos/15/os/os_limit_gui_sessions.yaml
@@ -21,8 +21,10 @@ references:
- N/A
srg:
- SRG-OS-000027-GPOS-00008
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_logical_access.yaml b/config/default/rules/macos/15/os/os_logical_access.yaml
index 46cd98993..ff161b61e 100644
--- a/config/default/rules/macos/15/os/os_logical_access.yaml
+++ b/config/default/rules/macos/15/os/os_logical_access.yaml
@@ -33,8 +33,10 @@ references:
- 6.7
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_loginwindow_adminhostinfo_undefined.yaml b/config/default/rules/macos/15/os/os_loginwindow_adminhostinfo_undefined.yaml
index 13ffa4d6e..d75303d3b 100644
--- a/config/default/rules/macos/15/os/os_loginwindow_adminhostinfo_undefined.yaml
+++ b/config/default/rules/macos/15/os/os_loginwindow_adminhostinfo_undefined.yaml
@@ -26,8 +26,10 @@ references:
- N/A
800-171r3:
- 03.01.10
- macOS:
- - '15.0'
+ operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_logoff_capability_and_message.yaml b/config/default/rules/macos/15/os/os_logoff_capability_and_message.yaml
index 69d63ed6e..b0ce12d96 100644
--- a/config/default/rules/macos/15/os/os_logoff_capability_and_message.yaml
+++ b/config/default/rules/macos/15/os/os_logoff_capability_and_message.yaml
@@ -23,8 +23,10 @@ references:
srg:
- SRG-OS-000280-GPOS-00110
- SRG-OS-000281-GPOS-00111
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_mail_app_disable.yaml b/config/default/rules/macos/15/os/os_mail_app_disable.yaml
index 5f97e7257..364c9c1be 100644
--- a/config/default/rules/macos/15/os/os_mail_app_disable.yaml
+++ b/config/default/rules/macos/15/os/os_mail_app_disable.yaml
@@ -63,8 +63,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_malicious_code_prevention.yaml b/config/default/rules/macos/15/os/os_malicious_code_prevention.yaml
index d88a70d03..4a996e10d 100644
--- a/config/default/rules/macos/15/os/os_malicious_code_prevention.yaml
+++ b/config/default/rules/macos/15/os/os_malicious_code_prevention.yaml
@@ -58,8 +58,10 @@ references:
- SI.L1-3.14.4
800-171r3:
- 03.14.02
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- inherent
diff --git a/config/default/rules/macos/15/os/os_managed_access_control_points.yaml b/config/default/rules/macos/15/os/os_managed_access_control_points.yaml
index d22bfac45..78d1de399 100644
--- a/config/default/rules/macos/15/os/os_managed_access_control_points.yaml
+++ b/config/default/rules/macos/15/os/os_managed_access_control_points.yaml
@@ -25,8 +25,10 @@ references:
- N/A
cmmc:
- AC.L2-3.1.14
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_map_pki_identity.yaml b/config/default/rules/macos/15/os/os_map_pki_identity.yaml
index cc92c2ea2..f8b316f69 100644
--- a/config/default/rules/macos/15/os/os_map_pki_identity.yaml
+++ b/config/default/rules/macos/15/os/os_map_pki_identity.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_mdm_require.yaml b/config/default/rules/macos/15/os/os_mdm_require.yaml
index 4f363fbde..a8af05234 100644
--- a/config/default/rules/macos/15/os/os_mdm_require.yaml
+++ b/config/default/rules/macos/15/os/os_mdm_require.yaml
@@ -49,8 +49,10 @@ references:
- 5.1
cmmc:
- CM.L2-3.4.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_messages_app_disable.yaml b/config/default/rules/macos/15/os/os_messages_app_disable.yaml
index 5214f97d1..5295904e7 100644
--- a/config/default/rules/macos/15/os/os_messages_app_disable.yaml
+++ b/config/default/rules/macos/15/os/os_messages_app_disable.yaml
@@ -58,8 +58,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_mfa_network_access.yaml b/config/default/rules/macos/15/os/os_mfa_network_access.yaml
index 4da334565..6c15eb7fe 100644
--- a/config/default/rules/macos/15/os/os_mfa_network_access.yaml
+++ b/config/default/rules/macos/15/os/os_mfa_network_access.yaml
@@ -25,8 +25,10 @@ references:
- N/A
controls v8:
- 5.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cisv8
diff --git a/config/default/rules/macos/15/os/os_mfa_network_non-priv.yaml b/config/default/rules/macos/15/os/os_mfa_network_non-priv.yaml
index ede16ce35..5c5473c62 100644
--- a/config/default/rules/macos/15/os/os_mfa_network_non-priv.yaml
+++ b/config/default/rules/macos/15/os/os_mfa_network_non-priv.yaml
@@ -20,8 +20,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_mobile_file_integrity_enable.yaml b/config/default/rules/macos/15/os/os_mobile_file_integrity_enable.yaml
index 4f7957789..91e0d29bd 100644
--- a/config/default/rules/macos/15/os/os_mobile_file_integrity_enable.yaml
+++ b/config/default/rules/macos/15/os/os_mobile_file_integrity_enable.yaml
@@ -31,8 +31,10 @@ references:
controls v8:
- 2.3
- 2.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_network_storage_restriction.yaml b/config/default/rules/macos/15/os/os_network_storage_restriction.yaml
index 864b54652..6f7688f5a 100644
--- a/config/default/rules/macos/15/os/os_network_storage_restriction.yaml
+++ b/config/default/rules/macos/15/os/os_network_storage_restriction.yaml
@@ -1,8 +1,8 @@
id: os_network_storage_restriction
title: Network Storage Must Be Restricted
discussion: |-
- Network Storage _MUST_ be restricted.
-
+ Network Storage _MUST_ be restricted.
+
NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
check: |
/usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq '.Restrictions | .ExternalStorage'
@@ -25,8 +25,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- none
odv:
@@ -37,4 +39,4 @@ mobileconfig_info:
ddm_info:
declarationtype: com.apple.configuration.diskmanagement.settings
ddm_key: NetworkStorage
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_newsyslog_files_owner_group_configure.yaml b/config/default/rules/macos/15/os/os_newsyslog_files_owner_group_configure.yaml
index 3fd5a4724..a83a545c5 100644
--- a/config/default/rules/macos/15/os/os_newsyslog_files_owner_group_configure.yaml
+++ b/config/default/rules/macos/15/os/os_newsyslog_files_owner_group_configure.yaml
@@ -30,8 +30,10 @@ references:
- N/A
800-171r3:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_newsyslog_files_permissions_configure.yaml b/config/default/rules/macos/15/os/os_newsyslog_files_permissions_configure.yaml
index e26af6048..a0535005b 100644
--- a/config/default/rules/macos/15/os/os_newsyslog_files_permissions_configure.yaml
+++ b/config/default/rules/macos/15/os/os_newsyslog_files_permissions_configure.yaml
@@ -28,8 +28,10 @@ references:
- N/A
800-171r3:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_nfsd_disable.yaml b/config/default/rules/macos/15/os/os_nfsd_disable.yaml
index 802bcca23..d35d065fb 100644
--- a/config/default/rules/macos/15/os/os_nfsd_disable.yaml
+++ b/config/default/rules/macos/15/os/os_nfsd_disable.yaml
@@ -37,8 +37,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_non_repudiation.yaml b/config/default/rules/macos/15/os/os_non_repudiation.yaml
index 5c5aae8b8..fcabff6e1 100644
--- a/config/default/rules/macos/15/os/os_non_repudiation.yaml
+++ b/config/default/rules/macos/15/os/os_non_repudiation.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- n_a
diff --git a/config/default/rules/macos/15/os/os_nonlocal_maintenance.yaml b/config/default/rules/macos/15/os/os_nonlocal_maintenance.yaml
index 6ea1e36d4..1155a6abb 100644
--- a/config/default/rules/macos/15/os/os_nonlocal_maintenance.yaml
+++ b/config/default/rules/macos/15/os/os_nonlocal_maintenance.yaml
@@ -23,8 +23,10 @@ references:
- N/A
cmmc:
- MA.L2-3.7.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_notify_account_created.yaml b/config/default/rules/macos/15/os/os_notify_account_created.yaml
index 6ce579039..bc1237ebd 100644
--- a/config/default/rules/macos/15/os/os_notify_account_created.yaml
+++ b/config/default/rules/macos/15/os/os_notify_account_created.yaml
@@ -32,8 +32,10 @@ references:
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
- SRG-OS-000303-GPOS-00120
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_notify_account_disabled.yaml b/config/default/rules/macos/15/os/os_notify_account_disabled.yaml
index 9423d13e4..69fbea6cb 100644
--- a/config/default/rules/macos/15/os/os_notify_account_disabled.yaml
+++ b/config/default/rules/macos/15/os/os_notify_account_disabled.yaml
@@ -30,8 +30,10 @@ references:
- SRG-OS-000275-GPOS-00105
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_notify_account_enable.yaml b/config/default/rules/macos/15/os/os_notify_account_enable.yaml
index c2857275c..511a5a55c 100644
--- a/config/default/rules/macos/15/os/os_notify_account_enable.yaml
+++ b/config/default/rules/macos/15/os/os_notify_account_enable.yaml
@@ -32,8 +32,10 @@ references:
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
- SRG-OS-000303-GPOS-00120
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_notify_account_modified.yaml b/config/default/rules/macos/15/os/os_notify_account_modified.yaml
index d7e2121ca..db2a21502 100644
--- a/config/default/rules/macos/15/os/os_notify_account_modified.yaml
+++ b/config/default/rules/macos/15/os/os_notify_account_modified.yaml
@@ -30,8 +30,10 @@ references:
- SRG-OS-000275-GPOS-00105
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_notify_account_removal.yaml b/config/default/rules/macos/15/os/os_notify_account_removal.yaml
index 7eef21368..1f1a72312 100644
--- a/config/default/rules/macos/15/os/os_notify_account_removal.yaml
+++ b/config/default/rules/macos/15/os/os_notify_account_removal.yaml
@@ -30,8 +30,10 @@ references:
- SRG-OS-000275-GPOS-00105
- SRG-OS-000276-GPOS-00106
- SRG-OS-000277-GPOS-00107
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r4_moderate
- 800-53r4_high
diff --git a/config/default/rules/macos/15/os/os_notify_unauthorized_baseline_change.yaml b/config/default/rules/macos/15/os/os_notify_unauthorized_baseline_change.yaml
index e577251f8..e7c9b7b8b 100644
--- a/config/default/rules/macos/15/os/os_notify_unauthorized_baseline_change.yaml
+++ b/config/default/rules/macos/15/os/os_notify_unauthorized_baseline_change.yaml
@@ -25,8 +25,10 @@ references:
- SRG-OS-000363-GPOS-00150
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
- cnssi-1253_high
diff --git a/config/default/rules/macos/15/os/os_obscure_password.yaml b/config/default/rules/macos/15/os/os_obscure_password.yaml
index 456012596..f93464fa6 100644
--- a/config/default/rules/macos/15/os/os_obscure_password.yaml
+++ b/config/default/rules/macos/15/os/os_obscure_password.yaml
@@ -36,8 +36,10 @@ references:
- IA.L2-3.5.8
- IA.L2-3.5.9
- IA.L2-3.5.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_on_device_dictation_enforce.yaml b/config/default/rules/macos/15/os/os_on_device_dictation_enforce.yaml
index 03808cd8e..8b683ef44 100644
--- a/config/default/rules/macos/15/os/os_on_device_dictation_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_on_device_dictation_enforce.yaml
@@ -44,8 +44,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- arm64
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_parental_controls_enable.yaml b/config/default/rules/macos/15/os/os_parental_controls_enable.yaml
index a792be56e..fcbe7287c 100644
--- a/config/default/rules/macos/15/os/os_parental_controls_enable.yaml
+++ b/config/default/rules/macos/15/os/os_parental_controls_enable.yaml
@@ -35,8 +35,10 @@ references:
- N/A
controls v8:
- 4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_password_autofill_disable.yaml b/config/default/rules/macos/15/os/os_password_autofill_disable.yaml
index 6b13b503f..44f00c6b9 100644
--- a/config/default/rules/macos/15/os/os_password_autofill_disable.yaml
+++ b/config/default/rules/macos/15/os/os_password_autofill_disable.yaml
@@ -47,8 +47,10 @@ references:
- CM.L2-3.4.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_password_hint_remove.yaml b/config/default/rules/macos/15/os/os_password_hint_remove.yaml
index 5a392c555..59e3a946a 100644
--- a/config/default/rules/macos/15/os/os_password_hint_remove.yaml
+++ b/config/default/rules/macos/15/os/os_password_hint_remove.yaml
@@ -41,8 +41,10 @@ references:
- SRG-OS-000079-GPOS-00047
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_password_proximity_disable.yaml b/config/default/rules/macos/15/os/os_password_proximity_disable.yaml
index b6db354bc..bbe2cba77 100644
--- a/config/default/rules/macos/15/os/os_password_proximity_disable.yaml
+++ b/config/default/rules/macos/15/os/os_password_proximity_disable.yaml
@@ -37,8 +37,10 @@ references:
cmmc:
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_password_sharing_disable.yaml b/config/default/rules/macos/15/os/os_password_sharing_disable.yaml
index 2fbe08143..8fcdfdbc8 100644
--- a/config/default/rules/macos/15/os/os_password_sharing_disable.yaml
+++ b/config/default/rules/macos/15/os/os_password_sharing_disable.yaml
@@ -37,8 +37,10 @@ references:
- IA.L2-3.5.9
cci:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_peripherals_identify.yaml b/config/default/rules/macos/15/os/os_peripherals_identify.yaml
index 4da79c3c1..5a9ee7026 100644
--- a/config/default/rules/macos/15/os/os_peripherals_identify.yaml
+++ b/config/default/rules/macos/15/os/os_peripherals_identify.yaml
@@ -23,8 +23,10 @@ references:
- N/A
800-171r3:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_pii_deidentification.yaml b/config/default/rules/macos/15/os/os_pii_deidentification.yaml
index a78b13179..12471bcdd 100644
--- a/config/default/rules/macos/15/os/os_pii_deidentification.yaml
+++ b/config/default/rules/macos/15/os/os_pii_deidentification.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- n_a
diff --git a/config/default/rules/macos/15/os/os_pii_quality_control.yaml b/config/default/rules/macos/15/os/os_pii_quality_control.yaml
index f92ec9d17..b9eeb840c 100644
--- a/config/default/rules/macos/15/os/os_pii_quality_control.yaml
+++ b/config/default/rules/macos/15/os/os_pii_quality_control.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- n_a
diff --git a/config/default/rules/macos/15/os/os_policy_banner_loginwindow_enforce.yaml b/config/default/rules/macos/15/os/os_policy_banner_loginwindow_enforce.yaml
index 295269697..ea4ddd136 100644
--- a/config/default/rules/macos/15/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_policy_banner_loginwindow_enforce.yaml
@@ -56,8 +56,10 @@ references:
- 4.1
cmmc:
- AC.L2-3.1.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Organization's Policy Text
recommended: 'You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning.'
diff --git a/config/default/rules/macos/15/os/os_policy_banner_ssh_configure.yaml b/config/default/rules/macos/15/os/os_policy_banner_ssh_configure.yaml
index fb799229d..9ca2848fb 100644
--- a/config/default/rules/macos/15/os/os_policy_banner_ssh_configure.yaml
+++ b/config/default/rules/macos/15/os/os_policy_banner_ssh_configure.yaml
@@ -36,8 +36,10 @@ references:
- 03.01.09
cmmc:
- AC.L2-3.1.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Organization's Policy Text
recommended: |-
diff --git a/config/default/rules/macos/15/os/os_policy_banner_ssh_enforce.yaml b/config/default/rules/macos/15/os/os_policy_banner_ssh_enforce.yaml
index 356db703a..a643533f0 100644
--- a/config/default/rules/macos/15/os/os_policy_banner_ssh_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_policy_banner_ssh_enforce.yaml
@@ -52,8 +52,10 @@ references:
- 03.01.09
cmmc:
- AC.L2-3.1.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -75,4 +77,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: Banner
- configuration_value: /etc/banner
\ No newline at end of file
+ configuration_value: /etc/banner
diff --git a/config/default/rules/macos/15/os/os_power_nap_disable.yaml b/config/default/rules/macos/15/os/os_power_nap_disable.yaml
index b7fff6be8..c53e3a46c 100644
--- a/config/default/rules/macos/15/os/os_power_nap_disable.yaml
+++ b/config/default/rules/macos/15/os/os_power_nap_disable.yaml
@@ -48,8 +48,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_power_nap_enable.yaml b/config/default/rules/macos/15/os/os_power_nap_enable.yaml
index 972d9076c..ffb99bbb9 100644
--- a/config/default/rules/macos/15/os/os_power_nap_enable.yaml
+++ b/config/default/rules/macos/15/os/os_power_nap_enable.yaml
@@ -42,8 +42,10 @@ references:
- N/A
controls v8:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- none
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_predictable_behavior.yaml b/config/default/rules/macos/15/os/os_predictable_behavior.yaml
index 833ea858b..a8d28d6bd 100644
--- a/config/default/rules/macos/15/os/os_predictable_behavior.yaml
+++ b/config/default/rules/macos/15/os/os_predictable_behavior.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- SRG-OS-000432-GPOS-00191
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_prevent_priv_execution.yaml b/config/default/rules/macos/15/os/os_prevent_priv_execution.yaml
index 2b29ec982..cbf3e2d46 100644
--- a/config/default/rules/macos/15/os/os_prevent_priv_execution.yaml
+++ b/config/default/rules/macos/15/os/os_prevent_priv_execution.yaml
@@ -25,8 +25,10 @@ references:
- SRG-OS-000326-GPOS-00126
800-171r3:
- 03.01.07
- macOS:
- - '15.0'
+ operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_prevent_priv_functions.yaml b/config/default/rules/macos/15/os/os_prevent_priv_functions.yaml
index 8a19df039..6881627e3 100644
--- a/config/default/rules/macos/15/os/os_prevent_priv_functions.yaml
+++ b/config/default/rules/macos/15/os/os_prevent_priv_functions.yaml
@@ -29,8 +29,10 @@ references:
- 03.01.07
cmmc:
- AC.L2-3.1.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_prevent_unauthorized_disclosure.yaml b/config/default/rules/macos/15/os/os_prevent_unauthorized_disclosure.yaml
index f98497523..df83cb972 100644
--- a/config/default/rules/macos/15/os/os_prevent_unauthorized_disclosure.yaml
+++ b/config/default/rules/macos/15/os/os_prevent_unauthorized_disclosure.yaml
@@ -27,8 +27,10 @@ references:
- 03.13.04
cmmc:
- SC.L2-3.13.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_privacy_principle_minimization.yaml b/config/default/rules/macos/15/os/os_privacy_principle_minimization.yaml
index 26f36c1cf..cc42d9ac5 100644
--- a/config/default/rules/macos/15/os/os_privacy_principle_minimization.yaml
+++ b/config/default/rules/macos/15/os/os_privacy_principle_minimization.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_privacy
- n_a
diff --git a/config/default/rules/macos/15/os/os_privacy_setup_prompt_disable.yaml b/config/default/rules/macos/15/os/os_privacy_setup_prompt_disable.yaml
index 25ce18627..a6b619396 100644
--- a/config/default/rules/macos/15/os/os_privacy_setup_prompt_disable.yaml
+++ b/config/default/rules/macos/15/os/os_privacy_setup_prompt_disable.yaml
@@ -39,8 +39,10 @@ references:
- CM.L2-3.4.7
800-171r3:
- 03.04.06
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- cisv8
diff --git a/config/default/rules/macos/15/os/os_prohibit_remote_activation_collab_devices.yaml b/config/default/rules/macos/15/os/os_prohibit_remote_activation_collab_devices.yaml
index a5138f2c7..5028fa8e9 100644
--- a/config/default/rules/macos/15/os/os_prohibit_remote_activation_collab_devices.yaml
+++ b/config/default/rules/macos/15/os/os_prohibit_remote_activation_collab_devices.yaml
@@ -33,8 +33,10 @@ references:
- N/A
800-171r3:
- 03.13.12
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- inherent
diff --git a/config/default/rules/macos/15/os/os_protect_dos_attacks.yaml b/config/default/rules/macos/15/os/os_protect_dos_attacks.yaml
index 9bf080c80..d7c008380 100644
--- a/config/default/rules/macos/15/os/os_protect_dos_attacks.yaml
+++ b/config/default/rules/macos/15/os/os_protect_dos_attacks.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000420-GPOS-00186
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_provide_automated_account_management.yaml b/config/default/rules/macos/15/os/os_provide_automated_account_management.yaml
index 9432a106b..9b0893365 100644
--- a/config/default/rules/macos/15/os/os_provide_automated_account_management.yaml
+++ b/config/default/rules/macos/15/os/os_provide_automated_account_management.yaml
@@ -23,8 +23,10 @@ references:
- N/A
srg:
- SRG-OS-000001-GPOS-00001
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_provide_disconnect_remote_access.yaml b/config/default/rules/macos/15/os/os_provide_disconnect_remote_access.yaml
index 5c6158826..972a6606d 100644
--- a/config/default/rules/macos/15/os/os_provide_disconnect_remote_access.yaml
+++ b/config/default/rules/macos/15/os/os_provide_disconnect_remote_access.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- SRG-OS-000298-GPOS-00116
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_rapid_security_response_allow.yaml b/config/default/rules/macos/15/os/os_rapid_security_response_allow.yaml
index 92d7f6269..0dbdafaf3 100644
--- a/config/default/rules/macos/15/os/os_rapid_security_response_allow.yaml
+++ b/config/default/rules/macos/15/os/os_rapid_security_response_allow.yaml
@@ -36,8 +36,10 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_rapid_security_response_removal_disable.yaml b/config/default/rules/macos/15/os/os_rapid_security_response_removal_disable.yaml
index 02846fa91..1ae14181b 100644
--- a/config/default/rules/macos/15/os/os_rapid_security_response_removal_disable.yaml
+++ b/config/default/rules/macos/15/os/os_rapid_security_response_removal_disable.yaml
@@ -36,8 +36,10 @@ references:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_reauth_devices_change_authenticators.yaml b/config/default/rules/macos/15/os/os_reauth_devices_change_authenticators.yaml
index 7c5b5d16e..c13596180 100644
--- a/config/default/rules/macos/15/os/os_reauth_devices_change_authenticators.yaml
+++ b/config/default/rules/macos/15/os/os_reauth_devices_change_authenticators.yaml
@@ -23,8 +23,10 @@ references:
- SRG-OS-000374-GPOS-00159
800-171r3:
- 03.05.01
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_reauth_privilege.yaml b/config/default/rules/macos/15/os/os_reauth_privilege.yaml
index 9a6b46b21..4e7a27459 100644
--- a/config/default/rules/macos/15/os/os_reauth_privilege.yaml
+++ b/config/default/rules/macos/15/os/os_reauth_privilege.yaml
@@ -22,8 +22,10 @@ references:
- SRG-OS-000373-GPOS-00156
800-171r3:
- 03.05.01
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- inherent
diff --git a/config/default/rules/macos/15/os/os_reauth_users_change_authenticators.yaml b/config/default/rules/macos/15/os/os_reauth_users_change_authenticators.yaml
index d7d751385..efa5161c2 100644
--- a/config/default/rules/macos/15/os/os_reauth_users_change_authenticators.yaml
+++ b/config/default/rules/macos/15/os/os_reauth_users_change_authenticators.yaml
@@ -21,8 +21,10 @@ references:
- SRG-OS-000373-GPOS-00158
800-171r3:
- 03.05.01
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- inherent
diff --git a/config/default/rules/macos/15/os/os_recovery_lock_enable.yaml b/config/default/rules/macos/15/os/os_recovery_lock_enable.yaml
index 7dfaf818e..d2d1d6f5a 100644
--- a/config/default/rules/macos/15/os/os_recovery_lock_enable.yaml
+++ b/config/default/rules/macos/15/os/os_recovery_lock_enable.yaml
@@ -30,8 +30,10 @@ references:
cmmc:
- AC.L1-3.1.1
- AC.L2-3.1.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_remote_access_methods.yaml b/config/default/rules/macos/15/os/os_remote_access_methods.yaml
index 719dc8958..5d461cca3 100644
--- a/config/default/rules/macos/15/os/os_remote_access_methods.yaml
+++ b/config/default/rules/macos/15/os/os_remote_access_methods.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_removable_media_disable.yaml b/config/default/rules/macos/15/os/os_removable_media_disable.yaml
index 00769ad0b..1f75dd136 100644
--- a/config/default/rules/macos/15/os/os_removable_media_disable.yaml
+++ b/config/default/rules/macos/15/os/os_removable_media_disable.yaml
@@ -41,8 +41,10 @@ references:
cmmc:
- MP.L2-3.8.7
- MP.L2-3.8.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_remove_software_components_after_updates.yaml b/config/default/rules/macos/15/os/os_remove_software_components_after_updates.yaml
index 2942a251c..a739e07d0 100644
--- a/config/default/rules/macos/15/os/os_remove_software_components_after_updates.yaml
+++ b/config/default/rules/macos/15/os/os_remove_software_components_after_updates.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- SRG-OS-000437-GPOS-00194
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_required_crypto_module.yaml b/config/default/rules/macos/15/os/os_required_crypto_module.yaml
index 0d09eb862..8215114fa 100644
--- a/config/default/rules/macos/15/os/os_required_crypto_module.yaml
+++ b/config/default/rules/macos/15/os/os_required_crypto_module.yaml
@@ -28,8 +28,10 @@ references:
srg:
- SRG-OS-000033-GPOS-00014
- SRG-OS-000120-GPOS-00061
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_root_disable.yaml b/config/default/rules/macos/15/os/os_root_disable.yaml
index 72ff96388..16b2e874c 100644
--- a/config/default/rules/macos/15/os/os_root_disable.yaml
+++ b/config/default/rules/macos/15/os/os_root_disable.yaml
@@ -42,8 +42,10 @@ references:
- SRG-OS-000104-GPOS-00051
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_safari_advertising_privacy_protection_enable.yaml b/config/default/rules/macos/15/os/os_safari_advertising_privacy_protection_enable.yaml
index 7c1012d39..29bb61f05 100644
--- a/config/default/rules/macos/15/os/os_safari_advertising_privacy_protection_enable.yaml
+++ b/config/default/rules/macos/15/os/os_safari_advertising_privacy_protection_enable.yaml
@@ -26,8 +26,10 @@ references:
- 6.3.6 (level 1)
controls v8:
- 9.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_safari_open_safe_downloads_disable.yaml b/config/default/rules/macos/15/os/os_safari_open_safe_downloads_disable.yaml
index bf9391c50..f7e9c0a78 100644
--- a/config/default/rules/macos/15/os/os_safari_open_safe_downloads_disable.yaml
+++ b/config/default/rules/macos/15/os/os_safari_open_safe_downloads_disable.yaml
@@ -27,8 +27,10 @@ references:
controls v8:
- 9.1
- 9.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_safari_prevent_cross-site_tracking_enable.yaml b/config/default/rules/macos/15/os/os_safari_prevent_cross-site_tracking_enable.yaml
index 64944e8a4..1390ba295 100644
--- a/config/default/rules/macos/15/os/os_safari_prevent_cross-site_tracking_enable.yaml
+++ b/config/default/rules/macos/15/os/os_safari_prevent_cross-site_tracking_enable.yaml
@@ -27,8 +27,10 @@ references:
controls v8:
- 9.1
- 9.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_safari_show_full_website_address_enable.yaml b/config/default/rules/macos/15/os/os_safari_show_full_website_address_enable.yaml
index 7a97e7b24..9cad7eeed 100644
--- a/config/default/rules/macos/15/os/os_safari_show_full_website_address_enable.yaml
+++ b/config/default/rules/macos/15/os/os_safari_show_full_website_address_enable.yaml
@@ -26,8 +26,10 @@ references:
- 6.3.7 (level 1)
controls v8:
- 9.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_safari_show_status_bar_enabled.yaml b/config/default/rules/macos/15/os/os_safari_show_status_bar_enabled.yaml
index 6f83fb2f1..e62c6b621 100644
--- a/config/default/rules/macos/15/os/os_safari_show_status_bar_enabled.yaml
+++ b/config/default/rules/macos/15/os/os_safari_show_status_bar_enabled.yaml
@@ -26,8 +26,10 @@ references:
- 6.3.11 (level 1)
controls v8:
- 9.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_safari_warn_fraudulent_website_enable.yaml b/config/default/rules/macos/15/os/os_safari_warn_fraudulent_website_enable.yaml
index b3b14d851..fe607419b 100644
--- a/config/default/rules/macos/15/os/os_safari_warn_fraudulent_website_enable.yaml
+++ b/config/default/rules/macos/15/os/os_safari_warn_fraudulent_website_enable.yaml
@@ -27,8 +27,10 @@ references:
controls v8:
- 9.1
- 9.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_screensaver_loginwindow_enforce.yaml b/config/default/rules/macos/15/os/os_screensaver_loginwindow_enforce.yaml
index 9322d9fcd..3e23724eb 100644
--- a/config/default/rules/macos/15/os/os_screensaver_loginwindow_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_screensaver_loginwindow_enforce.yaml
@@ -28,8 +28,10 @@ references:
- 03.01.10
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_screensaver_timeout_loginwindow_enforce.yaml b/config/default/rules/macos/15/os/os_screensaver_timeout_loginwindow_enforce.yaml
index 3367e3920..ddbe46c36 100644
--- a/config/default/rules/macos/15/os/os_screensaver_timeout_loginwindow_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_screensaver_timeout_loginwindow_enforce.yaml
@@ -40,8 +40,10 @@ references:
- 4.3
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 1200
diff --git a/config/default/rules/macos/15/os/os_secure_boot_verify.yaml b/config/default/rules/macos/15/os/os_secure_boot_verify.yaml
index 12216fc08..96340c6d0 100644
--- a/config/default/rules/macos/15/os/os_secure_boot_verify.yaml
+++ b/config/default/rules/macos/15/os/os_secure_boot_verify.yaml
@@ -32,8 +32,10 @@ references:
- SRG-OS-000446-GPOS-00200
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_secure_enclave.yaml b/config/default/rules/macos/15/os/os_secure_enclave.yaml
index 254cb4a4d..8dcec757d 100644
--- a/config/default/rules/macos/15/os/os_secure_enclave.yaml
+++ b/config/default/rules/macos/15/os/os_secure_enclave.yaml
@@ -30,8 +30,10 @@ references:
- SRG-OS-000405-GPOS-00184
cmmc:
- SC.L2-3.13.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_secure_name_resolution.yaml b/config/default/rules/macos/15/os/os_secure_name_resolution.yaml
index 5388e9c2f..5001b5dd3 100644
--- a/config/default/rules/macos/15/os/os_secure_name_resolution.yaml
+++ b/config/default/rules/macos/15/os/os_secure_name_resolution.yaml
@@ -26,8 +26,10 @@ references:
- N/A
controls v8:
- 4.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_separate_functionality.yaml b/config/default/rules/macos/15/os/os_separate_functionality.yaml
index 2721ce1d5..2698691f8 100644
--- a/config/default/rules/macos/15/os/os_separate_functionality.yaml
+++ b/config/default/rules/macos/15/os/os_separate_functionality.yaml
@@ -30,8 +30,10 @@ references:
- 3.13.3
cmmc:
- SC.L2-3.13.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_setup_assistant_filevault_enforce.yaml b/config/default/rules/macos/15/os/os_setup_assistant_filevault_enforce.yaml
index c2cd50510..7b39ceab5 100644
--- a/config/default/rules/macos/15/os/os_setup_assistant_filevault_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_setup_assistant_filevault_enforce.yaml
@@ -38,8 +38,10 @@ references:
- 3.11
cmmc:
- SC.L2-3.13.16
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_show_filename_extensions_enable.yaml b/config/default/rules/macos/15/os/os_show_filename_extensions_enable.yaml
index 8a74b0304..b60c9404b 100644
--- a/config/default/rules/macos/15/os/os_show_filename_extensions_enable.yaml
+++ b/config/default/rules/macos/15/os/os_show_filename_extensions_enable.yaml
@@ -40,8 +40,10 @@ references:
- 6.1.1 (level 1)
controls v8:
- 2.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_sip_enable.yaml b/config/default/rules/macos/15/os/os_sip_enable.yaml
index dea895b03..33eec8c6b 100644
--- a/config/default/rules/macos/15/os/os_sip_enable.yaml
+++ b/config/default/rules/macos/15/os/os_sip_enable.yaml
@@ -90,8 +90,10 @@ references:
- SC.L2-3.13.4
- SI.L1-3.14.1
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_siri_prompt_disable.yaml b/config/default/rules/macos/15/os/os_siri_prompt_disable.yaml
index d8c9aa439..6ce3baa72 100644
--- a/config/default/rules/macos/15/os/os_siri_prompt_disable.yaml
+++ b/config/default/rules/macos/15/os/os_siri_prompt_disable.yaml
@@ -44,8 +44,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_skip_screen_time_prompt_enable.yaml b/config/default/rules/macos/15/os/os_skip_screen_time_prompt_enable.yaml
index 2bcc5df96..99dded5f8 100644
--- a/config/default/rules/macos/15/os/os_skip_screen_time_prompt_enable.yaml
+++ b/config/default/rules/macos/15/os/os_skip_screen_time_prompt_enable.yaml
@@ -30,8 +30,10 @@ references:
- CM.L2-3.4.7
800-171r3:
- 03.04.06
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_skip_unlock_with_watch_enable.yaml b/config/default/rules/macos/15/os/os_skip_unlock_with_watch_enable.yaml
index 3983e343e..28737fdcf 100644
--- a/config/default/rules/macos/15/os/os_skip_unlock_with_watch_enable.yaml
+++ b/config/default/rules/macos/15/os/os_skip_unlock_with_watch_enable.yaml
@@ -36,8 +36,10 @@ references:
- 4.1
cmmc:
- AC.L1-3.1.20
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_software_update_deferral.yaml b/config/default/rules/macos/15/os/os_software_update_deferral.yaml
index c4b12ee68..de07fa30d 100644
--- a/config/default/rules/macos/15/os/os_software_update_deferral.yaml
+++ b/config/default/rules/macos/15/os/os_software_update_deferral.yaml
@@ -39,8 +39,10 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of days.
recommended: 30
diff --git a/config/default/rules/macos/15/os/os_ssh_fips_compliant.yaml b/config/default/rules/macos/15/os/os_ssh_fips_compliant.yaml
index 1973306f4..d1463ad1a 100644
--- a/config/default/rules/macos/15/os/os_ssh_fips_compliant.yaml
+++ b/config/default/rules/macos/15/os/os_ssh_fips_compliant.yaml
@@ -67,8 +67,10 @@ references:
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_ssh_server_alive_count_max_configure.yaml b/config/default/rules/macos/15/os/os_ssh_server_alive_count_max_configure.yaml
index a6e6f9c52..8d5e4cffd 100644
--- a/config/default/rules/macos/15/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/config/default/rules/macos/15/os/os_ssh_server_alive_count_max_configure.yaml
@@ -47,8 +47,10 @@ references:
- 03.13.09
cmmc:
- SC.L2-3.13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 0
diff --git a/config/default/rules/macos/15/os/os_ssh_server_alive_interval_configure.yaml b/config/default/rules/macos/15/os/os_ssh_server_alive_interval_configure.yaml
index e7c052833..2f78de2f8 100644
--- a/config/default/rules/macos/15/os/os_ssh_server_alive_interval_configure.yaml
+++ b/config/default/rules/macos/15/os/os_ssh_server_alive_interval_configure.yaml
@@ -52,8 +52,10 @@ references:
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 900
diff --git a/config/default/rules/macos/15/os/os_sshd_channel_timeout_configure.yaml b/config/default/rules/macos/15/os/os_sshd_channel_timeout_configure.yaml
index f187be1d0..bf7c4aa8d 100644
--- a/config/default/rules/macos/15/os/os_sshd_channel_timeout_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_channel_timeout_configure.yaml
@@ -57,8 +57,10 @@ odv:
hint: Channel type and number of seconds.
recommended: session:*=900
stig: session:*=900
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -78,4 +80,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: ChannelTimeout
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_sshd_client_alive_count_max_configure.yaml b/config/default/rules/macos/15/os/os_sshd_client_alive_count_max_configure.yaml
index 37d1c7fee..cfad0a204 100644
--- a/config/default/rules/macos/15/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_client_alive_count_max_configure.yaml
@@ -50,8 +50,10 @@ references:
- 03.13.09
cmmc:
- SC.L2-3.13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 0
@@ -75,4 +77,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: ClientAliveCountMax
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_sshd_client_alive_interval_configure.yaml b/config/default/rules/macos/15/os/os_sshd_client_alive_interval_configure.yaml
index 76c08ad18..0a1f369f9 100644
--- a/config/default/rules/macos/15/os/os_sshd_client_alive_interval_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_client_alive_interval_configure.yaml
@@ -55,8 +55,10 @@ references:
cmmc:
- AC.L2-3.1.11
- SC.L2-3.13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 900
@@ -80,4 +82,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: ClientAliveInterval
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_sshd_fips_compliant.yaml b/config/default/rules/macos/15/os/os_sshd_fips_compliant.yaml
index aa7b31bac..845dfa1de 100644
--- a/config/default/rules/macos/15/os/os_sshd_fips_compliant.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_fips_compliant.yaml
@@ -26,7 +26,7 @@ fix: |
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
-
+
fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com")
for config in $fips_sshd_config; do
@@ -53,7 +53,7 @@ references:
- CCI-002421
- CCI-002450
- CCI-002890
- - CCI-003123
+ - CCI-003123
800-53r5:
- AC-17(2)
- IA-7
@@ -84,8 +84,10 @@ references:
- MP.L2-3.8.6
- SC.L2-3.13.8
- SC.L2-3.13.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -114,4 +116,4 @@ ddm_info:
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
- CASignatureAlgorithms ecdsa-sha2-nistp256
\ No newline at end of file
+ CASignatureAlgorithms ecdsa-sha2-nistp256
diff --git a/config/default/rules/macos/15/os/os_sshd_login_grace_time_configure.yaml b/config/default/rules/macos/15/os/os_sshd_login_grace_time_configure.yaml
index 7d959c8ed..9b23063a9 100644
--- a/config/default/rules/macos/15/os/os_sshd_login_grace_time_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_login_grace_time_configure.yaml
@@ -46,8 +46,10 @@ references:
- 03.13.09
cmmc:
- SC.L2-3.13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 30
@@ -66,4 +68,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: LoginGraceTime
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_sshd_permit_root_login_configure.yaml b/config/default/rules/macos/15/os/os_sshd_permit_root_login_configure.yaml
index 6988e1551..a1dd2094a 100644
--- a/config/default/rules/macos/15/os/os_sshd_permit_root_login_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_permit_root_login_configure.yaml
@@ -46,8 +46,10 @@ references:
- SRG-OS-000109-GPOS-00056
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_high
- 800-53r4_high
@@ -63,4 +65,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: PermitRootLogin
- configuration_value: no
\ No newline at end of file
+ configuration_value: no
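Review bot: `configuration_value: no` is re-added unquoted, and a YAML 1.1-style loader (PyYAML's default, for instance) resolves bare `no` to boolean false rather than the string `no`, so whatever renders this into sshd_config may emit a boolean's string form instead of the literal `no` that `PermitRootLogin` expects. The hunk only restores the trailing newline, but since it rewrites the line anyway it is the right place to quote it: `configuration_value: "no"`. Whether the consumer stringifies booleans in a way that happens to work is not visible in this diff, so treat this as a latent type trap rather than a confirmed breakage.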
diff --git a/config/default/rules/macos/15/os/os_sshd_unused_connection_timeout_configure.yaml b/config/default/rules/macos/15/os/os_sshd_unused_connection_timeout_configure.yaml
index 8b30f215b..dbee3356c 100644
--- a/config/default/rules/macos/15/os/os_sshd_unused_connection_timeout_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sshd_unused_connection_timeout_configure.yaml
@@ -57,8 +57,10 @@ odv:
hint: Number of seconds.
recommended: 900
stig: 900
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -78,4 +80,4 @@ ddm_info:
service: com.apple.sshd
config_file: sshd_config
configuration_key: UnusedConnectionTimeout
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_store_encrypted_passwords.yaml b/config/default/rules/macos/15/os/os_store_encrypted_passwords.yaml
index 722ee3d53..804a89c78 100644
--- a/config/default/rules/macos/15/os/os_store_encrypted_passwords.yaml
+++ b/config/default/rules/macos/15/os/os_store_encrypted_passwords.yaml
@@ -36,8 +36,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_sudo_log_enforce.yaml b/config/default/rules/macos/15/os/os_sudo_log_enforce.yaml
index 3c7045419..917f35cb4 100644
--- a/config/default/rules/macos/15/os/os_sudo_log_enforce.yaml
+++ b/config/default/rules/macos/15/os/os_sudo_log_enforce.yaml
@@ -36,8 +36,10 @@ references:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -55,4 +57,4 @@ ddm_info:
service: com.apple.sudo
config_file: sudoers
configuration_key: Defaults
- configuration_value: log_allowed
\ No newline at end of file
+ configuration_value: log_allowed
diff --git a/config/default/rules/macos/15/os/os_sudo_timeout_configure.yaml b/config/default/rules/macos/15/os/os_sudo_timeout_configure.yaml
index 023d5ee67..d58606524 100644
--- a/config/default/rules/macos/15/os/os_sudo_timeout_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sudo_timeout_configure.yaml
@@ -30,8 +30,10 @@ references:
- 5.4 (level 1)
controls v8:
- 4.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of minutes.
recommended: 0
@@ -54,4 +56,4 @@ ddm_info:
service: com.apple.sudo
config_file: sudoers
configuration_key: Defaults timestamp_timeout=
- configuration_value: $ODV
\ No newline at end of file
+ configuration_value: $ODV
diff --git a/config/default/rules/macos/15/os/os_sudoers_timestamp_type_configure.yaml b/config/default/rules/macos/15/os/os_sudoers_timestamp_type_configure.yaml
index c9598084c..715e05389 100644
--- a/config/default/rules/macos/15/os/os_sudoers_timestamp_type_configure.yaml
+++ b/config/default/rules/macos/15/os/os_sudoers_timestamp_type_configure.yaml
@@ -35,8 +35,10 @@ references:
- 4.3
800-171r3:
- 03.05.01
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_system_read_only.yaml b/config/default/rules/macos/15/os/os_system_read_only.yaml
index 28707d5e6..fd0a20255 100644
--- a/config/default/rules/macos/15/os/os_system_read_only.yaml
+++ b/config/default/rules/macos/15/os/os_system_read_only.yaml
@@ -26,8 +26,10 @@ references:
- N/A
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
diff --git a/config/default/rules/macos/15/os/os_system_wide_applications_configure.yaml b/config/default/rules/macos/15/os/os_system_wide_applications_configure.yaml
index ea2726ab8..3a31218b6 100644
--- a/config/default/rules/macos/15/os/os_system_wide_applications_configure.yaml
+++ b/config/default/rules/macos/15/os/os_system_wide_applications_configure.yaml
@@ -34,8 +34,10 @@ references:
- 5.1.5 (level 1)
controls v8:
- 3.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_terminal_secure_keyboard_enable.yaml b/config/default/rules/macos/15/os/os_terminal_secure_keyboard_enable.yaml
index 2fcc57a17..affa9eaee 100644
--- a/config/default/rules/macos/15/os/os_terminal_secure_keyboard_enable.yaml
+++ b/config/default/rules/macos/15/os/os_terminal_secure_keyboard_enable.yaml
@@ -31,8 +31,10 @@ references:
- 6.4.1 (level 1)
controls v8:
- 4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_terminate_session.yaml b/config/default/rules/macos/15/os/os_terminate_session.yaml
index 37bc97c7e..02e5bdfb7 100644
--- a/config/default/rules/macos/15/os/os_terminate_session.yaml
+++ b/config/default/rules/macos/15/os/os_terminate_session.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
mobileconfig: false
diff --git a/config/default/rules/macos/15/os/os_tftpd_disable.yaml b/config/default/rules/macos/15/os/os_tftpd_disable.yaml
index b659bcd7f..fc9c5edbb 100644
--- a/config/default/rules/macos/15/os/os_tftpd_disable.yaml
+++ b/config/default/rules/macos/15/os/os_tftpd_disable.yaml
@@ -50,8 +50,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_time_offset_limit_configure.yaml b/config/default/rules/macos/15/os/os_time_offset_limit_configure.yaml
index 89184051e..40b728117 100644
--- a/config/default/rules/macos/15/os/os_time_offset_limit_configure.yaml
+++ b/config/default/rules/macos/15/os/os_time_offset_limit_configure.yaml
@@ -31,8 +31,10 @@ references:
- 2.3.2.2 (level 1)
controls v8:
- 8.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_time_server_enabled.yaml b/config/default/rules/macos/15/os/os_time_server_enabled.yaml
index 17824f79c..77c6d22e7 100644
--- a/config/default/rules/macos/15/os/os_time_server_enabled.yaml
+++ b/config/default/rules/macos/15/os/os_time_server_enabled.yaml
@@ -40,8 +40,10 @@ references:
- 8.4
cmmc:
- AU.L2-3.3.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_touchid_prompt_disable.yaml b/config/default/rules/macos/15/os/os_touchid_prompt_disable.yaml
index 8929ca7c8..71baa3b26 100644
--- a/config/default/rules/macos/15/os/os_touchid_prompt_disable.yaml
+++ b/config/default/rules/macos/15/os/os_touchid_prompt_disable.yaml
@@ -35,8 +35,10 @@ references:
- 4.1
cmmc:
- CM.L2-3.4.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_unique_identification.yaml b/config/default/rules/macos/15/os/os_unique_identification.yaml
index 758ca2471..74e815ac4 100644
--- a/config/default/rules/macos/15/os/os_unique_identification.yaml
+++ b/config/default/rules/macos/15/os/os_unique_identification.yaml
@@ -29,8 +29,10 @@ references:
- IA.L2-3.5.5
800-171r3:
- 03.05.05
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
diff --git a/config/default/rules/macos/15/os/os_unlock_active_user_session_disable.yaml b/config/default/rules/macos/15/os/os_unlock_active_user_session_disable.yaml
index d0767bdaf..b3cf315e4 100644
--- a/config/default/rules/macos/15/os/os_unlock_active_user_session_disable.yaml
+++ b/config/default/rules/macos/15/os/os_unlock_active_user_session_disable.yaml
@@ -4,7 +4,7 @@ discussion: |
The ability to log in to another user's active or locked session _MUST_ be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
-
+
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile.
check: |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '$ODV'
@@ -42,8 +42,10 @@ references:
cmmc:
- IA.L1-3.5.1
- IA.L1-3.5.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: "Review the /System/Library/Security/authorization.plist file for more information."
recommended: "authenticate-session-owner"
diff --git a/config/default/rules/macos/15/os/os_user_app_installation_prohibit.yaml b/config/default/rules/macos/15/os/os_user_app_installation_prohibit.yaml
index 16795cec6..aebe9bb5f 100644
--- a/config/default/rules/macos/15/os/os_user_app_installation_prohibit.yaml
+++ b/config/default/rules/macos/15/os/os_user_app_installation_prohibit.yaml
@@ -43,8 +43,10 @@ references:
- N/A
cmmc:
- CM.L2-3.4.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cnssi-1253_moderate
- cnssi-1253_low
diff --git a/config/default/rules/macos/15/os/os_uucp_disable.yaml b/config/default/rules/macos/15/os/os_uucp_disable.yaml
index c51ff04ef..4b44837bf 100644
--- a/config/default/rules/macos/15/os/os_uucp_disable.yaml
+++ b/config/default/rules/macos/15/os/os_uucp_disable.yaml
@@ -42,8 +42,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/os/os_verify_remote_disconnection.yaml b/config/default/rules/macos/15/os/os_verify_remote_disconnection.yaml
index 1c9eec31d..5f7835777 100644
--- a/config/default/rules/macos/15/os/os_verify_remote_disconnection.yaml
+++ b/config/default/rules/macos/15/os/os_verify_remote_disconnection.yaml
@@ -19,8 +19,10 @@ references:
- N/A
srg:
- SRG-OS-000395-GPOS-00175
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- inherent
- cnssi-1253_moderate
diff --git a/config/default/rules/macos/15/os/os_world_writable_library_folder_configure.yaml b/config/default/rules/macos/15/os/os_world_writable_library_folder_configure.yaml
index efde86cc8..2f4a492f4 100644
--- a/config/default/rules/macos/15/os/os_world_writable_library_folder_configure.yaml
+++ b/config/default/rules/macos/15/os/os_world_writable_library_folder_configure.yaml
@@ -36,8 +36,10 @@ references:
- 5.1.7 (level 2)
controls v8:
- 3.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
diff --git a/config/default/rules/macos/15/os/os_world_writable_system_folder_configure.yaml b/config/default/rules/macos/15/os/os_world_writable_system_folder_configure.yaml
index a8bacf8a9..ac750ef08 100644
--- a/config/default/rules/macos/15/os/os_world_writable_system_folder_configure.yaml
+++ b/config/default/rules/macos/15/os/os_world_writable_system_folder_configure.yaml
@@ -34,8 +34,10 @@ references:
- 5.1.6 (level 1)
controls v8:
- 3.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
diff --git a/config/default/rules/macos/15/os/os_writing_tools_disable.yaml b/config/default/rules/macos/15/os/os_writing_tools_disable.yaml
index 301d85c12..53470b91b 100644
--- a/config/default/rules/macos/15/os/os_writing_tools_disable.yaml
+++ b/config/default/rules/macos/15/os/os_writing_tools_disable.yaml
@@ -24,13 +24,15 @@ references:
- SC-7(10)
800-171r3:
- 03.01.20
- - 03.04.06
+ - 03.04.06
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_50_percent.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_50_percent.yaml
index 59f5da0ee..4ba42ad5c 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_50_percent.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_50_percent.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_50_percent
title: Require a Minimum of Fifty Percent Character Change in New Passwords
discussion: |
@@ -27,8 +29,10 @@ references:
- SRG-OS-000072-GPOS-00040
800-171r3:
- 03.05.07
- macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_low
@@ -37,4 +41,3 @@ tags:
- permanent
- srg
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index ff83692ab..2278109fd 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_account_inactivity_enforce
title: Disable Accounts after $ODV Days of Inactivity
discussion: |
@@ -56,8 +58,10 @@ references:
- 5.3
cmmc:
- IA.L2-3.5.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of days.
recommended: 35
@@ -76,4 +80,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 80453e508..68657d323 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_account_lockout_enforce
title: Limit Consecutive Failed Login Attempts to $ODV
discussion: |
@@ -34,8 +36,10 @@ references:
- 6.2
cmmc:
- AC.L2-3.1.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of failed attempts.
recommended: 3
@@ -61,9 +65,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- maxFailedAttempts: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ maxFailedAttempts: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: MaximumFailedAttempts
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 09ea301b6..b68b6a972 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_account_lockout_timeout_enforce
title: Set Account Lockout Time to $ODV Minutes
discussion: |
@@ -34,8 +36,10 @@ references:
- 6.2
cmmc:
- AC.L2-3.1.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of minutes.
recommended: 15
@@ -61,9 +65,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- minutesUntilFailedLoginReset: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ minutesUntilFailedLoginReset: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: MaximumGracePeriodInMinutes
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
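Review bot: The `ddm_key` kept under `ddm_info` here is `MaximumGracePeriodInMinutes`, which does not look like the declarative counterpart of the profile key `minutesUntilFailedLoginReset` that the rewritten `mobileconfig_info` carries; in Apple's passcode-settings declaration the grace-period key governs how long a locked screen may be unlocked without re-entering the passcode, while the reset of the failed-attempt counter is a separate key. If that reading is right, this rule would relax the screen-lock grace period to `$ODV` minutes instead of enforcing the lockout timeout, so please verify the mapping against the `com.apple.configuration.passcode.settings` schema before the DDM path ships. A one-line comment naming the profile key each `ddm_key` mirrors would make future audits of these pairs easier.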
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index dc812c266..0a3523f6c 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_alpha_numeric_enforce
title: Require Passwords Contain a Minimum of One Numeric Character
discussion: |
@@ -38,8 +40,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_low
@@ -58,9 +62,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- requireAlphanumeric: true
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ requireAlphanumeric: true
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: RequireAlphanumericPasscode
- ddm_value: true
\ No newline at end of file
+ ddm_value: true
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_custom_regex_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_custom_regex_enforce.yaml
index 9435e8cd2..f08cce78a 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_custom_regex_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_custom_regex_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_custom_regex_enforce
title: Require Passwords to Match the Defined Custom Regular Expression
discussion: |
@@ -41,8 +43,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Custom regex (recommended is 1 upper and 1 lowercase)
recommended: ^(?=.*[A-Z])(?=.*[a-z]).*$
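Review bot: The `recommended` regex on the last context line of this hunk is left as a plain scalar even though it contains `[`, `]`, `*` and `$`; it happens to parse as a string today, but a small edit (a leading `[` or `*`, or a ` #`) would turn it into a flow sequence, alias or comment without any error. Since this value is substituted into `passwordContentRegex` and enforced on every password change, quote it so the characters are never reinterpreted: `recommended: '^(?=.*[A-Z])(?=.*[a-z]).*$'`. The hint on the previous line could also say that the pattern must be a valid regular expression for the passcode policy's matcher, so an organization overriding it knows the syntax constraint.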
@@ -66,11 +70,12 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- customRegex:
- passwordContentRegex: $ODV
- passwordContentDescription:
- default: Password must match custom regex.
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ customRegex:
+ passwordContentRegex: $ODV
+ passwordContentDescription:
+ default: Password must match custom regex.
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: CustomRegex
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index b91006e07..2aaca749b 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_emergency_accounts_disable
title: Automatically Remove or Disable Emergency Accounts within 72 Hours
discussion: |
@@ -28,8 +30,10 @@ references:
- SRG-OS-000123-GPOS-00064
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -40,4 +44,3 @@ tags:
- cnssi-1253_high
- srg
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_force_password_change.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_force_password_change.yaml
index d9fac7943..d386cb589 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_force_password_change.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_force_password_change.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_force_password_change
title: Force Password Change at Next Logon
discussion: |
@@ -40,8 +42,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_low
@@ -58,4 +62,3 @@ tags:
- cmmc_lvl2
- srg
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_history_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_history_enforce.yaml
index 4f9189975..c544b9f74 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_history_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_history_enforce
title: Prohibit Password Reuse for a Minimum of $ODV Generations
discussion: |
@@ -38,8 +40,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of previous passwords.
recommended: 5
@@ -65,9 +69,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- pinHistory: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ pinHistory: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: PasscodeReuseLimit
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index da54c9d45..7cebcbb4d 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_lower_case_character_enforce
title: Require Passwords Contain a Minimum of One Lowercase Character
discussion: |
@@ -63,12 +65,13 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of lowercase characters.
recommended: 1
tags:
- none
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_max_lifetime_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
index 39c0dc10c..5b1d57541 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_max_lifetime_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_max_lifetime_enforce
title: Restrict Maximum Password Lifetime to $ODV Days
discussion: |
@@ -38,8 +40,10 @@ references:
cmmc:
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of days.
recommended: 60
@@ -65,9 +69,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- maxPINAgeInDays: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ maxPINAgeInDays: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: MaximumPasscodeAgeInDays
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index ae0de6f03..a8c31b800 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_minimum_length_enforce
title: Require a Minimum Password Length of $ODV Characters
discussion: |
@@ -37,8 +39,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Minimum password length.
recommended: 15
@@ -64,9 +68,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- minLength: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ minLength: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: MinimumLength
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index dea2b05e3..2ac788dac 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_minimum_lifetime_enforce
title: Set Minimum Password Lifetime to $ODV Hours
discussion: |
@@ -59,8 +61,10 @@ references:
cmmc:
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of hours.
recommended: 24
@@ -81,4 +85,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 9c8810009..225bd937b 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_prevent_dictionary_words
title: Prevent the Use of Dictionary Words for Passwords
discussion: |
@@ -23,10 +25,11 @@ references:
- N/A
srg:
- SRG-OS-000480-GPOS-00225
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- permanent
- srg
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index ae699c5d2..e3688b783 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_simple_sequence_disable
title: Prohibit Repeating, Ascending, and Descending Character Sequences
discussion: |
@@ -37,8 +39,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_low
@@ -54,9 +58,10 @@ tags:
- cmmc_lvl2
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- allowSimple: false
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ allowSimple: false
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: RequireComplexPasscode
- ddm_value: true
\ No newline at end of file
+ ddm_value: true
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_special_character_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_special_character_enforce.yaml
index 4195600c7..b9c3b429a 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_special_character_enforce
title: Require Passwords Contain a Minimum of One Special Character
discussion: |
@@ -41,8 +43,10 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of special characters.
recommended: 1
@@ -66,9 +70,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.mobiledevice.passwordpolicy:
- minComplexChars: $ODV
+ - PayloadType: com.apple.mobiledevice.passwordpolicy
+ PayloadContent:
+ minComplexChars: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: MinimumComplexCharacters
- ddm_value: $ODV
\ No newline at end of file
+ ddm_value: $ODV
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index a74d3dadd..1a05cb596 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_temporary_accounts_disable
title: Automatically Remove or Disable Temporary User Accounts within 72 Hours
discussion: |
@@ -26,8 +28,10 @@ references:
- SRG-OS-000123-GPOS-00064
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -38,4 +42,3 @@ tags:
- cnssi-1253_high
- srg
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index 9d09fb156..1bcb3b227 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_temporary_or_emergency_accounts_disable
title: Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours
discussion: |
@@ -69,8 +71,10 @@ references:
- SRG-OS-000123-GPOS-00064
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -82,4 +86,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/config/default/rules/macos/15/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
index 5ff6c1421..122ca7bc5 100644
--- a/config/default/rules/macos/15/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/config/default/rules/macos/15/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: pwpolicy_upper_case_character_enforce
title: Require Passwords Contain a Minimum of One Uppercase Character
discussion: |
@@ -7,7 +9,7 @@ discussion: |
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
- NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*.
+ NOTE: macOS 14 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*.
check: |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumAlphaCharactersUpperCase"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "yes"} else {print "no"}}'
result:
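Review bot: The NOTE line this hunk rewrites (whitespace only, as far as the diff shows) still says "macOS 14 supports password policy complexity with custom regex" although this is the macOS 15 rule file, so the reference is stale on the new side. Since the line is already being touched, update it to the version the rule applies to, e.g. `NOTE: macOS 15 supports password policy complexity with custom regex deployed with a mobileconfig file. To use a mobileconfig file use *pwpolicy_custom_regex_enforce*.`. The same sentence likely appears in the sibling lower-case rule; it is outside this hunk.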
@@ -63,12 +65,13 @@ references:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of special characters.
recommended: 1
tags:
- none
mobileconfig: false
-mobileconfig_info:
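Review bot: The `odv.hint` kept as context in this hunk reads "Number of special characters." although the rule enforces `minimumAlphaCharactersUpperCase`, so the hint shown to anyone overriding the value describes the wrong setting (the lower-case sibling in this change correctly says "Number of lowercase characters."). Change it to `hint: Number of uppercase characters.`. The discussion and check sections of the rule are outside this hunk.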
diff --git a/config/default/rules/macos/15/supplemental/supplemental_cis_manual.yaml b/config/default/rules/macos/15/supplemental/supplemental_cis_manual.yaml
index b87f61bf4..ce5fead04 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_cis_manual.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_cis_manual.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_cis_manual
title: "CIS Manual Recommendations"
discussion: |
@@ -77,12 +79,13 @@ references:
- N/A
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
- supplemental
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/config/default/rules/macos/15/supplemental/supplemental_controls.yaml b/config/default/rules/macos/15/supplemental/supplemental_controls.yaml
index f67ad7031..ce8bad705 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_controls.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_controls.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_controls
title: "Out of Scope Supplemental"
discussion: |
@@ -191,8 +193,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_high
@@ -210,4 +214,3 @@ tags:
- stig
- supplemental
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/supplemental/supplemental_filevault.yaml b/config/default/rules/macos/15/supplemental/supplemental_filevault.yaml
index db149ef99..1c84b6ce0 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_filevault.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_filevault.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_filevault
title: "FileVault Supplemental"
discussion: |
@@ -67,8 +69,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_high
@@ -89,4 +93,3 @@ tags:
- stig
- supplemental
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/supplemental/supplemental_firewall_pf.yaml b/config/default/rules/macos/15/supplemental/supplemental_firewall_pf.yaml
index 66faaca28..77cb39e7d 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_firewall_pf.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_firewall_pf.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_firewall_pf
title: "Packet Filter (pf) Supplemental"
discussion: |
@@ -116,8 +118,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_high
@@ -135,4 +139,3 @@ tags:
- stig
- supplemental
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/supplemental/supplemental_password_policy.yaml b/config/default/rules/macos/15/supplemental/supplemental_password_policy.yaml
index c3842d0c9..12b4023d0 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_password_policy.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_password_policy.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_password_policy
title: "Password Policy Supplemental"
discussion: |
@@ -48,8 +50,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_high
@@ -70,4 +74,3 @@ tags:
- stig
- supplemental
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/config/default/rules/macos/15/supplemental/supplemental_smartcard.yaml b/config/default/rules/macos/15/supplemental/supplemental_smartcard.yaml
index c1cdea902..67d457f6c 100644
--- a/config/default/rules/macos/15/supplemental/supplemental_smartcard.yaml
+++ b/config/default/rules/macos/15/supplemental/supplemental_smartcard.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: supplemental_smartcard
title: "Smartcard Supplemental"
discussion: |
@@ -301,8 +303,10 @@ references:
- N/A
cmmc:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r4_high
@@ -320,4 +324,3 @@ tags:
- stig
- supplemental
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/config/default/rules/macos/15/system_settings/system_settings_airplay_receiver_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_airplay_receiver_disable.yaml
index 801174d04..a2ca37ba1 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_airplay_receiver_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_airplay_receiver_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_airplay_receiver_disable
title: Disable Airplay Receiver
discussion: |
@@ -12,7 +14,7 @@ check: |
.objectForKey('allowAirPlayIncomingRequests').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -42,8 +44,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -59,5 +63,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowAirPlayIncomingRequests: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowAirPlayIncomingRequests: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_apple_watch_unlock_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 1812362e7..2b02361b8 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_apple_watch_unlock_disable
title: Prevent Apple Watch from Terminating a Session Lock
discussion: |
@@ -12,7 +14,7 @@ check: |
.objectForKey('allowAutoUnlock').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -32,8 +34,10 @@ references:
- 03.05.12
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -48,5 +52,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowAutoUnlock: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowAutoUnlock: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_automatic_login_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_automatic_login_disable.yaml
index 12f867d6e..38c5aa11c 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_automatic_login_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_automatic_login_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_automatic_login_disable
title: Disable Unattended or Automatic Logon to the System
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -39,8 +41,10 @@ references:
cmmc:
- IA.L1-3.5.1
- IA.L1-3.5.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -61,5 +65,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.loginwindow:
- com.apple.login.mcx.DisableAutoLoginClient: true
+ - PayloadType: com.apple.loginwindow
+ PayloadContent:
+ com.apple.login.mcx.DisableAutoLoginClient: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_automatic_logout_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_automatic_logout_enforce.yaml
index 230476bf8..0ef1aa4b0 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_automatic_logout_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_automatic_logout_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_automatic_logout_enforce
title: Enforce Auto Logout After $ODV Seconds of Inactivity
discussion: |
@@ -38,8 +40,10 @@ references:
cmmc:
- AC.L2-3.1.10
- AC.L2-3.1.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds
recommended: 86400
@@ -58,5 +62,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- .GlobalPreferences:
- com.apple.autologout.AutoLogOutDelay: $ODV
+ - PayloadType: .GlobalPreferences
+ PayloadContent:
+ com.apple.autologout.AutoLogOutDelay: $ODV
diff --git a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_disable.yaml
index addf18d6f..d47ff0ba8 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_bluetooth_disable
title: Disable Bluetooth When no Approved Device is Connected
discussion: |
@@ -13,7 +15,7 @@ check: |
.objectForKey('DisableBluetooth').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -46,8 +48,10 @@ references:
- 13.9
cmmc:
- AC.L2-3.1.16
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_moderate
@@ -64,6 +68,7 @@ tags:
severity: high
mobileconfig: true
mobileconfig_info:
- com.apple.ManagedClient.preferences:
- com.apple.MCXBluetooth:
- DisableBluetooth: true
+ - PayloadType: com.apple.ManagedClient.preferences
+ PayloadContent:
+ com.apple.MCXBluetooth:
+ DisableBluetooth: true
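Review bot: Unlike every other rewritten `mobileconfig_info` in this change, `PayloadContent` here holds a preference domain (`com.apple.MCXBluetooth`) rather than the setting keys themselves, because `com.apple.ManagedClient.preferences` wraps a target domain; nothing in the file says so, so a reader comparing it with the other rules will think the extra nesting level is a mistake. Add a comment above the entry, e.g. `# ManagedClient.preferences payloads nest the managed domain; the real key lives under com.apple.MCXBluetooth`. It would also be worth confirming the profile generator handles this nested shape, since it is the one place the new list form is not flat.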
diff --git a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_menu_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_menu_enable.yaml
index f6109c011..a6abc7ed5 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_menu_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_menu_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_bluetooth_menu_enable
title: Enable Bluetooth Menu
discussion: |
@@ -32,13 +34,16 @@ references:
controls v8:
- 4.8
- 13.9
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.controlcenter:
- Bluetooth: 18
+ - PayloadType: com.apple.controlcenter
+ PayloadContent:
+ Bluetooth: 18
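Review bot: `Bluetooth: 18` is a magic number with no explanation, and the new list form of `mobileconfig_info` gives a natural place to document it. Add a comment stating which Control Center visibility state the value encodes, and where the encoding comes from, e.g. `# 18 = show the Bluetooth item in the menu bar (com.apple.controlcenter visibility value); verify against current Apple documentation`. Without that, the next person to touch the rule cannot tell whether 18 is still the right value on a new release.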
diff --git a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_settings_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_settings_disable.yaml
index 5e049191e..1343e0df8 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_settings_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_settings_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_bluetooth_settings_disable
title: Disable the Bluetooth System Settings Pane
discussion: |
@@ -33,8 +35,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -45,6 +49,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempreferences:
- DisabledSystemSettings:
- - com.apple.BluetoothSettings
+ - PayloadType: com.apple.systempreferences
+ PayloadContent:
+ DisabledSystemSettings:
+ - com.apple.BluetoothSettings
diff --git a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_sharing_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_sharing_disable.yaml
index 17820d28a..f0a26a4b1 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_bluetooth_sharing_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_bluetooth_sharing_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_bluetooth_sharing_disable
title: Disable Bluetooth Sharing
discussion: |
@@ -16,7 +18,7 @@ discussion: |
check: |
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled
result:
- boolean: 0
+ boolean: false
fix: |
[source,bash]
----
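Review bot: The expected result changes from `boolean: 0` to `boolean: false`, but the `check` two lines above still runs `defaults read`, which prints `0` or `1`, not `false`; unless the evaluator normalizes both sides to a boolean before comparing, this rule will never match and will be reported as non-compliant on a correctly configured host. Worth confirming that the consumer coerces `0`/`1` and the literal `true`/`false` printed by the osascript `.js` checks the same way before this lands. The same `defaults read` pattern with a `boolean:` expectation is at the guest-access SMB and location-services-menu hunks, so one test covering the `0`/`1` case would guard all three.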
@@ -55,8 +57,10 @@ references:
- AC.L1-3.1.1
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -76,4 +80,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_cd_dvd_sharing_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_cd_dvd_sharing_disable.yaml
index 0e65bcc7c..a0c5d5ecc 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_cd_dvd_sharing_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_cd_dvd_sharing_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_cd_dvd_sharing_disable
title: Disable CD/DVD Sharing
discussion: |
@@ -37,8 +39,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -56,4 +60,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_content_caching_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_content_caching_disable.yaml
index f9275de0e..9fae73e9d 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_content_caching_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_content_caching_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_content_caching_disable
title: Disable Content Caching Service
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('allowContentCaching').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -38,8 +40,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -58,5 +62,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowContentCaching: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowContentCaching: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_critical_update_install_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_critical_update_install_enforce.yaml
index 2239979ea..20dda5677 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_critical_update_install_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_critical_update_install_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_critical_update_install_enforce
title: Enforce Critical Security Updates to be Installed
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('CriticalUpdateInstall').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -36,8 +38,10 @@ references:
cmmc:
- SI.L1-3.14.1
- SI.L1-3.14.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -52,5 +56,6 @@ tags:
- cmmc_lvl1
mobileconfig: true
mobileconfig_info:
- com.apple.SoftwareUpdate:
- CriticalUpdateInstall: true
+ - PayloadType: com.apple.SoftwareUpdate
+ PayloadContent:
+ CriticalUpdateInstall: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_diagnostics_reports_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_diagnostics_reports_disable.yaml
index f2a619c7b..d47fdf757 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_diagnostics_reports_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_diagnostics_reports_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_diagnostics_reports_disable
title: Disable Sending Diagnostic and Usage Data to Apple
discussion: |
@@ -19,7 +21,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -51,8 +53,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.20
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_low
@@ -72,7 +76,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.SubmitDiagInfo:
- AutoSubmit: false
- com.apple.applicationaccess:
- allowDiagnosticSubmission: false
+ - PayloadType: com.apple.SubmitDiagInfo
+ PayloadContent:
+ AutoSubmit: false
+
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowDiagnosticSubmission: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_filevault_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_filevault_enforce.yaml
index 2b7c1d280..2cc3f76c3 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_filevault_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_filevault_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_filevault_enforce
title: Enforce FileVault
discussion: |
@@ -49,8 +51,10 @@ references:
- 3.11
cmmc:
- SC.L2-3.13.16
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -68,5 +72,6 @@ tags:
severity: high
mobileconfig: true
mobileconfig_info:
- com.apple.MCX:
- dontAllowFDEDisable: true
+ - PayloadType: com.apple.MCX
+ PayloadContent:
+ dontAllowFDEDisable: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_find_my_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_find_my_disable.yaml
index 06837dd02..e455b2e36 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_find_my_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_find_my_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_find_my_disable
title: Disable Find My Service
discussion: |
@@ -23,7 +25,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -57,8 +59,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -77,8 +81,11 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowFindMyDevice: false
- allowFindMyFriends: false
- com.apple.icloud.managed:
- DisableFMMiCloudSetting: true
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowFindMyDevice: false
+ allowFindMyFriends: false
+
+ - PayloadType: com.apple.icloud.managed
+ PayloadContent:
+ DisableFMMiCloudSetting: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_firewall_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_firewall_enable.yaml
index 7a61c0cda..aaa48546c 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_firewall_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_firewall_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_firewall_enable
title: Enable macOS Application Firewall
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('EnableFirewall').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -52,8 +54,10 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
- SC.L1-3.13.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_low
@@ -74,5 +78,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.security.firewall:
- EnableFirewall: true
+ - PayloadType: com.apple.security.firewall
+ PayloadContent:
+ EnableFirewall: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index dbf5bccc4..e5f470c8c 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_firewall_stealth_mode_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_firewall_stealth_mode_enable
title: Enable Firewall Stealth Mode
discussion: |
@@ -15,7 +17,7 @@ check: |
.objectForKey('EnableStealthMode').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -51,8 +53,10 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
- SC.L1-3.13.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -72,6 +76,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.security.firewall:
- EnableStealthMode: true
- EnableFirewall: true
+ - PayloadType: com.apple.security.firewall
+ PayloadContent:
+ EnableStealthMode: true
+ EnableFirewall: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml b/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
index e247c4892..b1e1e3973 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_gatekeeper_identified_developers_allowed
title: Apply Gatekeeper Settings to Block Applications from Unidentified Developers
discussion: |
@@ -19,7 +21,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -44,8 +46,10 @@ references:
- 03.14.02
cmmc:
- CM.L2-3.4.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -61,6 +65,7 @@ tags:
severity: high
mobileconfig: true
mobileconfig_info:
- com.apple.systempolicy.control:
- AllowIdentifiedDevelopers: true
- EnableAssessment: true
+ - PayloadType: com.apple.systempolicy.control
+ PayloadContent:
+ AllowIdentifiedDevelopers: true
+ EnableAssessment: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_override_disallow.yaml b/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_override_disallow.yaml
index 4d02c28be..3fac09840 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_override_disallow.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_gatekeeper_override_disallow.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_gatekeeper_override_disallow
title: Configure Gatekeeper to Disallow End User Override
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('DisableOverride').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -32,8 +34,10 @@ references:
- 03.14.02
cmmc:
- CM.L2-3.4.5
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -48,5 +52,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempolicy.managed:
- DisableOverride: true
+ - PayloadType: com.apple.systempolicy.managed
+ PayloadContent:
+ DisableOverride: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_guest_access_smb_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_guest_access_smb_disable.yaml
index 74c6aa9a0..4cc88c110 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_guest_access_smb_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_guest_access_smb_disable
title: Disable Guest Access to Shared SMB Folders
discussion: |
@@ -7,7 +9,7 @@ discussion: |
check: |
/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
result:
- boolean: 0
+ boolean: false
fix: |
[source,bash]
----
@@ -37,8 +39,10 @@ references:
- 3.3
cmmc:
- AC.L1-3.1.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -56,4 +60,3 @@ tags:
- cmmc_lvl2
- cmmc_lvl1
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_guest_account_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_guest_account_disable.yaml
index 47c4dd660..8078188f0 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_guest_account_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_guest_account_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_guest_account_disable
title: Disable the Guest Account
discussion: |
@@ -19,7 +21,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -48,8 +50,10 @@ references:
- 6.8
cmmc:
- AC.L1-3.1.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -70,6 +74,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.MCX:
- DisableGuestAccount: true
- EnableGuestAccount: false
+ - PayloadType: com.apple.MCX
+ PayloadContent:
+ DisableGuestAccount: true
+ EnableGuestAccount: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_hot_corners_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_hot_corners_disable.yaml
index 9829aa4b6..49d7d5e2b 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_hot_corners_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_hot_corners_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_hot_corners_disable
title: Disable Hot Corners
discussion: |
@@ -27,8 +29,10 @@ references:
- 03.01.10
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -43,9 +47,10 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.ManagedClient.preferences:
- com.apple.dock:
- wvous-bl-corner: 0
- wvous-br-corner: 0
- wvous-tr-corner: 0
- wvous-tl-corner: 0
+ - PayloadType: com.apple.ManagedClient.preferences
+ PayloadContent:
+ com.apple.dock:
+ wvous-bl-corner: 0
+ wvous-br-corner: 0
+ wvous-tr-corner: 0
+ wvous-tl-corner: 0
diff --git a/config/default/rules/macos/15/system_settings/system_settings_hot_corners_secure.yaml b/config/default/rules/macos/15/system_settings/system_settings_hot_corners_secure.yaml
index d4c1dcffc..c69034a51 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_hot_corners_secure.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_hot_corners_secure.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_hot_corners_secure
title: Secure Hot Corners
discussion: |
@@ -45,8 +47,10 @@ references:
- 4.3
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
@@ -55,4 +59,3 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_improve_assistive_voice_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_improve_assistive_voice_disable.yaml
index 97f262db4..ebc14fe6b 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_improve_assistive_voice_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_improve_assistive_voice_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_improve_assistive_voice_disable
title: Disable Sending Audio Recordings and Transcripts to Apple
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('AXSAudioDonationSiriImprovementEnabled').js
EOS
result:
- string: "false"
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -45,8 +47,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,5 +69,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.Accessibility:
- AXSAudioDonationSiriImprovementEnabled: false
+ - PayloadType: com.apple.Accessibility
+ PayloadContent:
+ AXSAudioDonationSiriImprovementEnabled: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_improve_search_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_improve_search_disable.yaml
index 920ba3c8f..7529d22c2 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_improve_search_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_improve_search_disable.yaml
@@ -1,8 +1,10 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_improve_search_disable
title: Disable Sending Spotlight Search Information to Apple
discussion: |
Sending data to Apple to help improve search _MUST_ be disabled.
-
+
The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of search data will mitigate the risk of unwanted data being sent to Apple.
check: |
/usr/bin/osascript -l JavaScript << EOS
@@ -45,8 +47,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -66,5 +70,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.assistant.support:
- Search Queries Data Sharing Status: 2
+ - PayloadType: com.apple.support
+ PayloadContent:
+ Search Queries Data Sharing Status: 2
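Review bot: `PayloadType: com.apple.support` does not carry over the domain from the removed line, `com.apple.assistant.support`, whereas every other `mobileconfig_info` conversion in this diff keeps its domain unchanged. If the `check` block (outside this hunk) still reads `Search Queries Data Sharing Status` from `com.apple.assistant.support`, the profile will write the key into a domain nothing reads and the control is silently not enforced while the rule continues to report the old value. Either restore `- PayloadType: com.apple.assistant.support` or document why the domain moved; the Siri dictation rule's hunk makes the same change and should be handled the same way.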
diff --git a/config/default/rules/macos/15/system_settings/system_settings_improve_siri_dictation_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_improve_siri_dictation_disable.yaml
index c0074f499..323efb1d0 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_improve_siri_dictation_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_improve_siri_dictation_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_improve_siri_dictation_disable
title: Disable Sending Siri and Dictation Information to Apple
discussion: |
@@ -45,8 +47,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -66,5 +70,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.assistant.support:
- Siri Data Sharing Opt-In Status: 2
+ - PayloadType: com.apple.support
+ PayloadContent:
+ Siri Data Sharing Opt-In Status: 2
diff --git a/config/default/rules/macos/15/system_settings/system_settings_install_macos_updates_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_install_macos_updates_enforce.yaml
index bb86cce26..49e398c10 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_install_macos_updates_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_install_macos_updates_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_install_macos_updates_enforce
title: Enforce macOS Updates are Automatically Installed
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('AutomaticallyInstallMacOSUpdates').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -32,13 +34,16 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.SoftwareUpdate:
- AutomaticallyInstallMacOSUpdates: true
+ - PayloadType: com.apple.SoftwareUpdate
+ PayloadContent:
+ AutomaticallyInstallMacOSUpdates: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_internet_accounts_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_internet_accounts_disable.yaml
index e76d66e5d..2c75c825a 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_internet_accounts_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_internet_accounts_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_internet_accounts_disable
title: Disable the Internet Accounts System Preference Pane
discussion: |
@@ -43,8 +45,10 @@ references:
cmmc:
- AC.L1-3.1.20
- CM.L2-3.4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_low
@@ -62,6 +66,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempreferences:
- DisabledSystemSettings:
- - com.apple.Internet-Accounts-Settings.extension
+ - PayloadType: com.apple.systempreferences
+ PayloadContent:
+ DisabledSystemSettings:
+ - com.apple.Internet-Accounts-Settings.extension
diff --git a/config/default/rules/macos/15/system_settings/system_settings_internet_sharing_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_internet_sharing_disable.yaml
index d46318601..c5d32cd80 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_internet_sharing_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_internet_sharing_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_internet_sharing_disable
title: Disable Internet Sharing
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('forceInternetSharingOff').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -40,8 +42,10 @@ references:
cmmc:
- AC.L1-3.1.20
- AC.L2-3.1.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r4_low
@@ -62,5 +66,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.MCX:
- forceInternetSharingOff: true
+ - PayloadType: com.apple.MCX
+ PayloadContent:
+ forceInternetSharingOff: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_location_services_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_location_services_disable.yaml
index 801497e77..6ba8eb6e9 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_location_services_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_location_services_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_location_services_disable
title: Disable Location Services
discussion: |
@@ -10,11 +12,11 @@ check: |
.objectForKey('LocationServicesEnabled').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
[source,bash]
----
- /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false;
+ /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false;
pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
kill -9 $pid
----
@@ -39,8 +41,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -56,4 +60,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_location_services_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_location_services_enable.yaml
index 2e8f15487..4e18dc2cd 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_location_services_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_location_services_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_location_services_enable
title: Enable Location Services
discussion: |
@@ -8,11 +10,11 @@ check: |
.objectForKey('LocationServicesEnabled').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
[source,bash]
----
- /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true;
+ /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true;
pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
kill -9 $pid
----
@@ -37,10 +39,11 @@ references:
controls v8:
- 4.1
- 4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_location_services_menu_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_location_services_menu_enforce.yaml
index e6faf93ff..8d54b7388 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_location_services_menu_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_location_services_menu_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_location_services_menu_enforce
title: Ensure Location Services Is In the Menu Bar
discussion: |
@@ -5,7 +7,7 @@ discussion: |
check: |
/usr/bin/defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices
result:
- boolean: 1
+ boolean: true
fix: |
[source,bash]
----
@@ -32,9 +34,10 @@ references:
controls v8:
- 4.1
- 4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
diff --git a/config/default/rules/macos/15/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
index bd62f52b2..92e3e83f9 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_loginwindow_loginwindowtext_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_loginwindow_loginwindowtext_enable
title: Configure Login Window to Show A Custom Message
discussion: |
@@ -31,8 +33,10 @@ references:
- 2.10.3 (level 1)
controls v8:
- 4.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Organization's approved message.
recommended: Center for Internet Security Test Message
@@ -44,5 +48,6 @@ tags:
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.loginwindow:
- LoginwindowText: $ODV
+ - PayloadType: com.apple.loginwindow
+ PayloadContent:
+ LoginwindowText: $ODV
diff --git a/config/default/rules/macos/15/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
index c0db3c5f6..3718a41b7 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_loginwindow_prompt_username_password_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_loginwindow_prompt_username_password_enforce
title: Configure Login Window to Prompt for Username and Password
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('SHOWFULLNAME').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -36,8 +38,10 @@ references:
cmmc:
- IA.L1-3.5.1
- IA.L1-3.5.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -58,5 +62,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.loginwindow:
- SHOWFULLNAME: true
+ - PayloadType: com.apple.loginwindow
+ PayloadContent:
+ SHOWFULLNAME: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_media_sharing_disabled.yaml b/config/default/rules/macos/15/system_settings/system_settings_media_sharing_disabled.yaml
index bae8031a5..7cc345bd6 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_media_sharing_disabled.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_media_sharing_disabled.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_media_sharing_disabled
title: Disable Media Sharing
discussion: |
@@ -14,7 +16,7 @@ check: |
.objectForKey('allowMediaSharing').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -42,8 +44,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -63,5 +67,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowMediaSharing: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowMediaSharing: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_password_hints_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_password_hints_disable.yaml
index 9d1bbd509..1b349af11 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_password_hints_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_password_hints_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_password_hints_disable
title: Disable Password Hints
discussion: |
@@ -35,8 +37,10 @@ references:
- 4.1
cmmc:
- IA.L2-3.5.11
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -56,5 +60,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.loginwindow:
- RetriesUntilHint: 0
+ - PayloadType: com.apple.loginwindow
+ PayloadContent:
+ RetriesUntilHint: 0
diff --git a/config/default/rules/macos/15/system_settings/system_settings_personalized_advertising_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_personalized_advertising_disable.yaml
index 71ffe62ba..f538d7f26 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_personalized_advertising_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_personalized_advertising_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_personalized_advertising_disable
title: Disable Personalized Advertising
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('allowApplePersonalizedAdvertising').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -43,8 +45,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -65,5 +69,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowApplePersonalizedAdvertising: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowApplePersonalizedAdvertising: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_printer_sharing_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_printer_sharing_disable.yaml
index 272193b91..441e6fccc 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_printer_sharing_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_printer_sharing_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_printer_sharing_disable
title: Disable Printer Sharing
discussion: |
@@ -5,7 +7,7 @@ discussion: |
check: |
/usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0"
result:
- boolean: 1
+ integer: 1
fix: |
[source,bash]
----
@@ -38,8 +40,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -57,4 +61,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_rae_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_rae_disable.yaml
index 7baaae95c..d7175c979 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_rae_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_rae_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_rae_disable
title: Disable Remote Apple Events
discussion: |
@@ -42,8 +44,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -63,4 +67,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_remote_management_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_remote_management_disable.yaml
index e1f029d44..c65b6b4cd 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_remote_management_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_remote_management_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_remote_management_disable
title: Disable Remote Management
discussion: |
@@ -39,8 +41,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -58,4 +62,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_screen_sharing_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_screen_sharing_disable.yaml
index 52f51776c..076d202c5 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_screen_sharing_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_screen_sharing_disable
title: Disable Screen Sharing and Apple Remote Desktop
discussion: |
@@ -40,8 +42,10 @@ references:
- 4.8
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -61,4 +65,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
index 1cde1489e..eb707b774 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_screensaver_ask_for_password_delay_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_screensaver_ask_for_password_delay_enforce
title: Enforce Session Lock After Screen Saver is Started
discussion: |
@@ -17,7 +19,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -42,8 +44,10 @@ references:
- 4.7
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 5
@@ -67,5 +71,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.screensaver:
- askForPasswordDelay: $ODV
+ - PayloadType: com.apple.screensaver
+ PayloadContent:
+ askForPasswordDelay: $ODV
diff --git a/config/default/rules/macos/15/system_settings/system_settings_screensaver_password_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_screensaver_password_enforce.yaml
index b07b15b14..091f50856 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_screensaver_password_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_screensaver_password_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_screensaver_password_enforce
title: Enforce Screen Saver Password
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('askForPassword').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -31,8 +33,10 @@ references:
- 03.05.01
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -47,5 +51,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.screensaver:
- askForPassword: true
+ - PayloadType: com.apple.screensaver
+ PayloadContent:
+ askForPassword: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_screensaver_timeout_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_screensaver_timeout_enforce.yaml
index dc9cb34cc..be23991ae 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_screensaver_timeout_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_screensaver_timeout_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_screensaver_timeout_enforce
title: Enforce Screen Saver Timeout
discussion: |
@@ -17,7 +19,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -44,8 +46,10 @@ references:
- 4.3
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Number of seconds.
recommended: 1200
@@ -70,5 +74,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.screensaver:
- idleTime: $ODV
+ - PayloadType: com.apple.screensaver
+ PayloadContent:
+ idleTime: $ODV
diff --git a/config/default/rules/macos/15/system_settings/system_settings_siri_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_siri_disable.yaml
index 67eb4c0d9..8126fcee2 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_siri_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_siri_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_siri_disable
title: Disable Siri
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('allowAssistant').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -46,8 +48,10 @@ references:
- AC.L1-3.1.20
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -66,5 +70,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowAssistant: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowAssistant: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_siri_listen_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_siri_listen_disable.yaml
index 9fd2fec27..d83bebf32 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_siri_listen_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_siri_listen_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_siri_listen_disable
title: "Ensure Siri Listen For is Disabled"
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('VoiceTriggerUserEnabled').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -30,13 +32,16 @@ references:
controls v8:
- 4.1
- 4.8
-macOS:
- - "15.0"
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.Siri:
- VoiceTriggerUserEnabled: false
+ - PayloadType: com.apple.Siri
+ PayloadContent:
+ VoiceTriggerUserEnabled: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_siri_settings_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_siri_settings_disable.yaml
index e797768b4..0ad27d0b1 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_siri_settings_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_siri_settings_disable.yaml
@@ -1,11 +1,13 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_siri_settings_disable
title: Disable the System Settings Pane for Siri
discussion: |
The System Settings pane for Siri _MUST_ be hidden.
-
+
Hiding the System Settings pane prevents the users from configuring Siri.
- NOTE: Disabling the Siri System Settings pane blocks the user from opting into Apple Intelligence.
+ NOTE: Disabling the Siri System Settings pane blocks the user from opting into Apple Intelligence.
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c com.apple.Siri-Settings.extension
result:
@@ -40,8 +42,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -52,6 +56,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempreferences:
- DisabledSystemSettings:
- - com.apple.Siri-Settings.extension
+ - PayloadType: com.apple.systempreferences
+ PayloadContent:
+ DisabledSystemSettings:
+ - com.apple.Siri-Settings.extension
diff --git a/config/default/rules/macos/15/system_settings/system_settings_smbd_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_smbd_disable.yaml
index 34a829a86..fa1606c3a 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_smbd_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_smbd_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_smbd_disable
title: Disable Server Message Block Sharing
discussion: |
@@ -40,8 +42,10 @@ references:
- 5.4
cmmc:
- AC.L1-3.1.1
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -61,4 +65,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_software_update_app_update_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_software_update_app_update_enforce.yaml
index 8eb241a81..0342aec6c 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_software_update_app_update_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_software_update_app_update_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_software_update_app_update_enforce
title: Enforce Software Update App Update Updates Automatically
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('AutomaticallyInstallAppUpdates').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -32,13 +34,16 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.SoftwareUpdate:
- AutomaticallyInstallAppUpdates: true
+ - PayloadType: com.apple.SoftwareUpdate
+ PayloadContent:
+ AutomaticallyInstallAppUpdates: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_software_update_download_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_software_update_download_enforce.yaml
index dbc9109e5..990843ea8 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_software_update_download_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_software_update_download_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_software_update_download_enforce
title: Enforce Software Update Downloads Updates Automatically
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('AutomaticDownload').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -32,13 +34,16 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.SoftwareUpdate:
- AutomaticDownload: true
+ - PayloadType: com.apple.SoftwareUpdate
+ PayloadContent:
+ AutomaticDownload: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_software_update_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_software_update_enforce.yaml
index acffb4d38..2e6081f46 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_software_update_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_software_update_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_software_update_enforce
title: Enforce Software Update Automatically
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('AutomaticCheckEnabled').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -34,13 +36,16 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.SoftwareUpdate:
- AutomaticCheckEnabled: true
+ - PayloadType: com.apple.SoftwareUpdate
+ PayloadContent:
+ AutomaticCheckEnabled: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_softwareupdate_current.yaml b/config/default/rules/macos/15/system_settings/system_settings_softwareupdate_current.yaml
index 67b88610c..0fed2891e 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_softwareupdate_current.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_softwareupdate_current.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_softwareupdate_current
title: Ensure Software Update is Updated and Current
discussion: |
@@ -41,12 +43,13 @@ references:
controls v8:
- 7.3
- 7.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_ssh_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_ssh_disable.yaml
index 1df810fbb..1875c5859 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_ssh_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_ssh_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_ssh_disable
title: Disable SSH Server for Remote Access Sessions
discussion: |
@@ -43,8 +45,10 @@ references:
- AC.L1-3.1.1
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
@@ -56,4 +60,3 @@ tags:
- cmmc_lvl1
severity: high
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_ssh_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_ssh_enable.yaml
index 9f2b7f647..b322cc7e2 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_ssh_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_ssh_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_ssh_enable
title: Enable SSH Server for Remote Access Sessions
discussion: |
@@ -46,8 +48,10 @@ references:
- CM.L2-3.4.6
- CM.L2-3.4.7
- IA.L2-3.5.4
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -64,4 +68,3 @@ tags:
- stig
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_system_wide_preferences_configure.yaml b/config/default/rules/macos/15/system_settings/system_settings_system_wide_preferences_configure.yaml
index a4c1fd0c6..e12658693 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_system_wide_preferences_configure
title: Require Administrator Password to Modify System-Wide Preferences
discussion: |
@@ -24,7 +26,7 @@ check: |
echo $result
result:
integer: 1
-fix: |
+fix: |
[source,bash]
----
authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
@@ -39,21 +41,21 @@ fix: |
/usr/libexec/PlistBuddy -c "Set :class user" "/tmp/$section.plist"
fi
- key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1)
+ key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1)
if [[ "$key_value" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :shared bool false" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :shared false" "/tmp/$section.plist"
fi
- auth_user_key=$(/usr/libexec/PlistBuddy -c "Print :authenticate-user" "/tmp/$section.plist" 2>&1)
+ auth_user_key=$(/usr/libexec/PlistBuddy -c "Print :authenticate-user" "/tmp/$section.plist" 2>&1)
if [[ "$auth_user_key" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :authenticate-user bool true" "/tmp/$section.plist"
else
/usr/libexec/PlistBuddy -c "Set :authenticate-user true" "/tmp/$section.plist"
fi
- session_owner_key=$(/usr/libexec/PlistBuddy -c "Print :session-owner" "/tmp/$section.plist" 2>&1)
+ session_owner_key=$(/usr/libexec/PlistBuddy -c "Print :session-owner" "/tmp/$section.plist" 2>&1)
if [[ "$session_owner_key" == *"Does Not Exist"* ]]; then
/usr/libexec/PlistBuddy -c "Add :session-owner bool false" "/tmp/$section.plist"
else
@@ -98,8 +100,10 @@ references:
- AC.L1-3.1.1
- AC.L2-3.1.5
- AC.L2-3.1.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -117,4 +121,3 @@ tags:
- stig
severity: high
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_time_machine_auto_backup_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_time_machine_auto_backup_enable.yaml
index f9dd0e4a5..40f8a39be 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_time_machine_auto_backup_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_time_machine_auto_backup_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_time_machine_auto_backup_enable
title: Configure Time Machine for Automatic Backups
discussion: |
@@ -8,7 +10,7 @@ check: |
.objectForKey('AutoBackup').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -31,12 +33,15 @@ references:
- 2.3.4.1 (level 2)
controls v8:
- 11.2
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.TimeMachine:
- AutoBackup: true
+ - PayloadType: com.apple.TimeMachine
+ PayloadContent:
+ AutoBackup: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_time_machine_encrypted_configure.yaml b/config/default/rules/macos/15/system_settings/system_settings_time_machine_encrypted_configure.yaml
index 11408ef9d..2a0507c60 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_time_machine_encrypted_configure.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_time_machine_encrypted_configure.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_time_machine_encrypted_configure
title: Ensure Time Machine Volumes are Encrypted
discussion: |
@@ -42,11 +44,12 @@ references:
- 3.6
- 3.11
- 11.3
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_time_server_configure.yaml b/config/default/rules/macos/15/system_settings/system_settings_time_server_configure.yaml
index 9c2a2e02a..223ad045e 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_time_server_configure.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_time_server_configure.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_time_server_configure
title: Configure macOS to Use an Authorized Time Server
discussion: |
@@ -38,8 +40,10 @@ references:
- 8.4
cmmc:
- AU.L2-3.3.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
odv:
hint: Name of timeserver. As of macOS 10.13 only one time server is supported.
recommended: time.nist.gov
@@ -64,5 +68,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.MCX:
- timeServer: $ODV
+ - PayloadType: com.apple.MCX
+ PayloadContent:
+ timeServer: $ODV
diff --git a/config/default/rules/macos/15/system_settings/system_settings_time_server_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_time_server_enforce.yaml
index 862d38b80..351e7b988 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_time_server_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_time_server_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_time_server_enforce
title: Enforce macOS Time Synchronization
discussion: |
@@ -10,7 +12,7 @@ check: |
.objectForKey('TMAutomaticTimeOnlyEnabled').js
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -38,8 +40,10 @@ references:
- 8.4
cmmc:
- AU.L2-3.3.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-171
- 800-53r5_low
@@ -58,6 +62,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.ManagedClient.preferences:
- com.apple.timed:
- TMAutomaticTimeOnlyEnabled: true
+ - PayloadType: com.apple.ManagedClient.preferences
+ PayloadContent:
+ com.apple.timed:
+ TMAutomaticTimeOnlyEnabled: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_token_removal_enforce.yaml b/config/default/rules/macos/15/system_settings/system_settings_token_removal_enforce.yaml
index 6d85daab3..4a87086c9 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_token_removal_enforce.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_token_removal_enforce.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_token_removal_enforce
title: Configure User Session Lock When a Smart Token is Removed
discussion: |
@@ -34,8 +36,10 @@ references:
- 03.01.10
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -50,5 +54,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.security.smartcard:
- tokenRemovalAction: 1
+ - PayloadType: com.apple.security.smartcard
+ PayloadContent:
+ tokenRemovalAction: 1
diff --git a/config/default/rules/macos/15/system_settings/system_settings_touch_id_settings_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_touch_id_settings_disable.yaml
index 72eb87947..663d8de01 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_touch_id_settings_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_touch_id_settings_disable.yaml
@@ -1,8 +1,10 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_touch_id_settings_disable
title: Disable the Touch ID System Settings Pane
discussion: |
The System Settings pane for Touch ID _MUST_ be disabled.
-
+
Disabling the System Settings pane prevents the users from configuring Touch ID.
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.Touch-ID-Settings.extension"
@@ -38,8 +40,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -50,6 +54,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempreferences:
- DisabledSystemSettings:
- - com.apple.Touch-ID-Settings.extension
+ - PayloadType: com.apple.systempreferences
+ PayloadContent:
+ DisabledSystemSettings:
+ - com.apple.Touch-ID-Settings.extension
diff --git a/config/default/rules/macos/15/system_settings/system_settings_touchid_unlock_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_touchid_unlock_disable.yaml
index 38f13977c..d852eae74 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_touchid_unlock_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_touchid_unlock_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_touchid_unlock_disable
title: Disable TouchID for Unlocking the Device
discussion: |
@@ -14,7 +16,7 @@ check: |
.objectForKey('allowFingerprintForUnlock').js
EOS
result:
- string: 'false'
+ boolean: false
fix: |
This is implemented by a Configuration Profile.
references:
@@ -34,8 +36,10 @@ references:
- 03.05.12
cmmc:
- AC.L2-3.1.10
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -50,5 +54,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowFingerprintForUnlock: false
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowFingerprintForUnlock: false
diff --git a/config/default/rules/macos/15/system_settings/system_settings_usb_restricted_mode.yaml b/config/default/rules/macos/15/system_settings/system_settings_usb_restricted_mode.yaml
index ccc89d90f..0188159f0 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_usb_restricted_mode.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_usb_restricted_mode.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_usb_restricted_mode
title: USB Devices Must be Authorized Before Allowing
discussion: |
@@ -20,7 +22,7 @@ check: |
}
EOS
result:
- string: 'true'
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
@@ -45,8 +47,10 @@ references:
- SRG-OS-000378-GPOS-00163
disa_stig:
- N/A
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -59,5 +63,6 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.applicationaccess:
- allowUSBRestrictedMode: true
+ - PayloadType: com.apple.applicationaccess
+ PayloadContent:
+ allowUSBRestrictedMode: true
diff --git a/config/default/rules/macos/15/system_settings/system_settings_wake_network_access_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_wake_network_access_disable.yaml
index fd558d725..5fadc940c 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_wake_network_access_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_wake_network_access_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_wake_network_access_disable
title: Ensure Wake for Network Access Is Disabled
discussion: |
@@ -31,11 +33,12 @@ references:
- 2.9.3 (level 1)
controls v8:
- 4.8
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_wallet_applepay_settings_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_wallet_applepay_settings_disable.yaml
index e1da2119f..a78976c10 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_wallet_applepay_settings_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_wallet_applepay_settings_disable.yaml
@@ -1,8 +1,10 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_wallet_applepay_settings_disable
title: Disable the System Settings Pane for Wallet and Apple Pay
discussion: |
The System Settings pane for Wallet and Apple Pay _MUST_ be disabled.
-
+
Disabling the System Settings pane prevents the users from configuring Wallet and Apple Pay.
check: |
/usr/bin/profiles show -output stdout-xml | /usr/bin/xmllint --xpath '//key[text()="DisabledSystemSettings"]/following-sibling::*[1]' - | /usr/bin/grep -c "com.apple.WalletSettingsExtension"
@@ -38,8 +40,10 @@ references:
cmmc:
- CM.L2-3.4.6
- CM.L2-3.4.7
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_low
- 800-53r5_moderate
@@ -50,6 +54,7 @@ tags:
severity: medium
mobileconfig: true
mobileconfig_info:
- com.apple.systempreferences:
- DisabledSystemSettings:
- - com.apple.WalletSettingsExtension
+ - PayloadType: com.apple.systempreferences
+ PayloadContent:
+ DisabledSystemSettings:
+ - com.apple.WalletSettingsExtension
diff --git a/config/default/rules/macos/15/system_settings/system_settings_wifi_disable.yaml b/config/default/rules/macos/15/system_settings/system_settings_wifi_disable.yaml
index a0cd0e8b2..c0ed708ef 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_wifi_disable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_wifi_disable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_wifi_disable
title: Disable Wi-Fi Interface
discussion: |
@@ -47,8 +49,10 @@ references:
- AC.L2-3.1.3
- AC.L2-3.1.16
- AC.L2-3.1.17
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- manual
- 800-53r4_low
@@ -64,4 +68,3 @@ tags:
- cmmc_lvl2
severity: medium
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml b/config/default/rules/macos/15/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
index 1fd3474ed..c71a16233 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_wifi_disable_when_connected_to_ethernet.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_wifi_disable_when_connected_to_ethernet
title: Disable Wi-Fi When Connected to Ethernet
discussion: |
@@ -33,8 +35,10 @@ references:
cmmc:
- AC.L2-3.1.3
- AC.L2-3.1.17
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- 800-53r5_moderate
- 800-53r5_high
@@ -47,4 +51,3 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
mobileconfig: false
-mobileconfig_info:
diff --git a/config/default/rules/macos/15/system_settings/system_settings_wifi_menu_enable.yaml b/config/default/rules/macos/15/system_settings/system_settings_wifi_menu_enable.yaml
index 2687343e3..77d131409 100644
--- a/config/default/rules/macos/15/system_settings/system_settings_wifi_menu_enable.yaml
+++ b/config/default/rules/macos/15/system_settings/system_settings_wifi_menu_enable.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=../../../../../../schemas/rules.json
id: system_settings_wifi_menu_enable
title: Enable Wifi Menu
discussion: |
@@ -32,13 +34,16 @@ references:
controls v8:
- 4.8
- 12.6
-macOS:
- - '15.0'
+operating_system:
+ - name: macos
+ version:
+ - 15.0
tags:
- cis_lvl1
- cis_lvl2
- cisv8
mobileconfig: true
mobileconfig_info:
- com.apple.controlcenter:
- WiFi: 18
+ - PayloadType: com.apple.controlcenter
+ PayloadContent:
+ WiFi: 18
diff --git a/config/default/templates/asciidoctor/rule.adoc.jinja b/config/default/templates/asciidoctor/rule.adoc.jinja
index e6cf5477d..fa9013a16 100644
--- a/config/default/templates/asciidoctor/rule.adoc.jinja
+++ b/config/default/templates/asciidoctor/rule.adoc.jinja
@@ -29,11 +29,11 @@ If the result is not *{{ rule.result_value }}*, this is a finding.
**Remediation Description**
Perform the following to configure the system to meet the requirements:
-{% if rule.mobileconfig == true %}
+{# {% if rule.mobileconfig == true %}
{{ rule.mobileconfig_info | mobileconfig_fix }}
-{% else %}
+{% else %} #}
{{ rule.fix | replace("\|", "|") }}
-{% endif %}
+{# {% endif %} #}
====
{% endif %}
[cols="15%h, 85%a"]
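Review bot: Wrapping the `{% if rule.mobileconfig == true %}` branch in `{# … #}` leaves a dead block in the template, including the `mobileconfig_info | mobileconfig_fix` filter call, that a reader has to work out is inert. If the profile text now arrives pre-rendered in `rule.fix` (the macsecurityrule.py change in this diff assigns `rule.fix = formatted_mobileconfig` when `mobileconfig` is set), delete the commented lines and keep only `{{ rule.fix | replace("\|", "|") }}`; otherwise restore the branch. A short comment such as `{# fix already contains the rendered profile for mobileconfig rules #}` would record why the branch went away.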
@@ -59,14 +59,14 @@ Perform the following to configure the system to meet the requirements:
ifdef::show_171[]
!800-171r3
!
-{{ render_rules(rule.nist_171) if rule.nist_171 is not none else "* N/A" -}}
+{{ render_rules(rule.nist_171) if rule.nist_171 is not none else "* N/A" }}
endif::[]
ifdef::show_STIG[]
!DISA STIG(s)
!
-{{ render_rules(rule.disa_stig) if rule.disa_stig is not none else "* N/A" -}}
+{{ render_rules(rule.disa_stig) if rule.disa_stig is not none else "* N/A" }}
!SFR
!
@@ -93,7 +93,7 @@ endif::[]
ifdef::show_CMMC[]
!CMMC
!
-{{ render_rules(rule.cmmc) if rule.cmmc is not none -}}
+{{ render_rules(rule.cmmc) if rule.cmmc is not none }}
endif::[]
@@ -104,13 +104,13 @@ endif::[]
{%- if custom %}
! Custom References
!
-{{ render_rules(rule.custom_refs) if rule.custom_refs is not none -}}
+{{ render_rules(rule.custom_refs) if rule.custom_refs is not none }}
{% endif -%}
ifdef::show_tags[]
!TAGS
!
-{{ render_rules(rule.tags) if rule.tags is not none else "* N/A" -}}
+{{ render_rules(rule.tags) if rule.tags is not none else "* N/A" }}
endif::[]
diff --git a/config/logging_config.yaml b/config/logging_config.yaml
index 463e9e6ac..02935b69e 100644
--- a/config/logging_config.yaml
+++ b/config/logging_config.yaml
@@ -1,3 +1,4 @@
+---
version: 1
disable_existing_loggers: False
@@ -20,10 +21,17 @@ handlers:
filename: mscp.log
mode: a
+ debug_file:
+ class: logging.FileHandler
+ level: DEBUG
+ formatter: simple
+ filename: mscp.log
+ mode: a
+
loggers:
development:
level: DEBUG
- handlers: [console]
+ handlers: [console, debug_file]
propagate: no
staging:
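Review bot: The new `debug_file` handler writes to the same `mscp.log` as the existing `file` handler, so two FileHandler objects on one path are configured, and any logger wired to both would interleave writes; from the hunks visible here `file` no longer has a consumer (development here and root in the next hunk now list `debug_file`; staging's handlers are outside the hunk). The `setup_logging` function added in `mscp.py` in this same diff still reads `handlers.file.filename` to decide which log to delete, so the two can drift if someone edits `debug_file` alone. Either drop `file` or derive the path from the handler that is actually attached, and add a comment above `debug_file` saying why a second handler on the same file exists if it is intentional.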
@@ -38,4 +46,4 @@ loggers:
root:
level: DEBUG
- handlers: [console, file]
+ handlers: [console, debug_file]
diff --git a/mscp.py b/mscp.py
index 67d53f173..0d887f068 100755
--- a/mscp.py
+++ b/mscp.py
@@ -7,12 +7,30 @@
from src.mscp.cli import main
from src.mscp.common_utils.config import config
-from src.mscp.common_utils.file_handling import open_yaml
+from src.mscp.common_utils.file_handling import open_yaml, remove_file
# Initialize logger
-logging_config = open_yaml(Path(config.get("logging_config", "")))
-logging.config.dictConfig(logging_config)
-logger = logging.getLogger('staging')
+def setup_logging(environment: str = "development", update_log=False) -> None:
+ config_file: Path = Path(config.get("logging_config", ""))
+ logging_config = open_yaml(config_file)
+ log_file: Path = Path(logging_config.get("handlers", {}).get("file", {}).get("filename", None))
+
+ if log_file.exists() and not update_log:
+ remove_file(log_file)
+
+ logging.config.dictConfig(logging_config)
+
+ log_level_str: str = logging_config.get("loggers", {}).get(environment, {}).get("level", None)
+
+ if log_level_str == None:
+ raise("Unable to initialize logging")
+
+ logger = logging.getLogger(environment)
+ logger.info("Logging Initialized")
+ logger.info(f"LOGGING LEVEL: {log_level_str}")
+ logger.info(f"LOGGING ENVIRONMENT: {environment}")
+
if __name__ == "__main__":
+ setup_logging(config.get("environment", ""))
main()
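Review bot: `raise("Unable to initialize logging")` raises a `str`, which Python rejects with `TypeError: exceptions must derive from BaseException`, so the intended message is never shown; use `raise RuntimeError("Unable to initialize logging")`. Two lines earlier, `log_level_str == None` should be `log_level_str is None`. `Path(... .get("filename", None))` raises `TypeError` on a missing key before any check runs, and the `file` handler looked up here is no longer the one the loggers use after the `config/logging_config.yaml` change in this diff (they reference `debug_file`), so the deletion may target the wrong path. `update_log` deserves a `bool` annotation and the function a docstring stating that an existing log file is deleted unless `update_log` is true.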
diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index 42c8c1bc3..9a0a1b2a0 100644
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -14,7 +14,8 @@ discussion: |
NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require use of special characters or regular rotation.
check: |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''(.*[^a-zA-Z0-9].*){$ODV,}'\''")])' -
-result: true
+result:
+ boolean: true
fix: |
This is implemented by a Configuration Profile.
references:
diff --git a/schemas/rules.json b/schemas/rules.json
index d5af9df00..e49dfd753 100644
--- a/schemas/rules.json
+++ b/schemas/rules.json
@@ -21,25 +21,22 @@
"description": "Command or method to verify compliance."
},
"result": {
- "oneOf": [
- {
- "type": "string",
- "description": "Expected result as a string."
+ "type": "object",
+ "properties": {
+ "string": {
+ "type": "string"
},
- {
- "type": "integer",
- "description": "Expected result as an integer."
+ "integer": {
+ "type": "integer"
},
- {
- "type": "boolean",
- "description": "Expected result as a boolean."
+ "boolean": {
+ "type": "boolean"
},
- {
+ "base64": {
"type": "string",
- "format": "base64",
- "description": "Expected result as a base64-encoded string."
+ "contentEncoding": "base64"
}
- ]
+ }
},
"fix": {
"type": "string",
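Review bot: The new `result` object does not constrain its keys: `result: {}` and `result: {foo: 1}` both validate, while `load_rules` in this diff probes exactly one of `integer`/`boolean`/`string`/`base64`. Add `"additionalProperties": false`, `"minProperties": 1` and `"maxProperties": 1` to the object so a rule cannot carry no, or two, expected results. The per-variant `description` strings dropped here could be kept on each property to preserve the documentation the old `oneOf` had.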
@@ -112,22 +109,49 @@
"items": {
"type": "string"
}
+ },
+ "indigo": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "sfr": {
+ "type": "array",
+ "items":{
+ "type": "string"
+ }
+ },
+ "custom": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
},
"operating_system": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string",
- "description": "Name of the operating system",
- "enum": ["macos", "ios", "visionos"]
- },
- "version": {
- "type": "number",
- "description": "Version number of the OS."
+ "type": "array",
+ "description": "Array of operating systems the Rule applies to.",
+ "items": {
+ "type": "object",
+ "description": "Operating System's this rule applies to.",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the operating system",
+ "enum": ["macos", "ios", "visionos"]
+ },
+ "version": {
+ "type": "array",
+ "description": "Version number of the OS.",
+ "items": {
+ "type": "number"
+ }
+ }
}
}
+
},
"tags": {
"type": "array",
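Review bot: The `operating_system` items have no `required`, so `- name: macos` with no `version`, or a version list with no name, validates even though both are needed to resolve a rule to an OS. Add `"required": ["name", "version"]` beside `properties` and `"minItems": 1` on the array. Formatting: `"items":{` on the `sfr` entry lacks the space used everywhere else, and the blank line before the closing `},` of `operating_system` is stray.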
@@ -145,28 +169,32 @@
"description": "Indicates if the rule can be implemented using a mobile configuration profile."
},
"mobileconfig_info": {
- "type": "object",
- "description": "Apple MDM configuration settings specific to the rule.",
- "properties": {
- "PayloadType": {
- "type": "string",
- "description": "The type of configuration payload (e.g., 'com.apple.security.smartcard')."
- },
- "PayloadContent": {
- "type": "object",
- "description": "Key-value pairs of MDM controls for this payload.",
- "additionalProperties": {
- "anyOf": [
- { "type": "string" },
- { "type": "integer" },
- { "type": "boolean" },
- { "type": "array", "items": { "type": "string" } },
- { "type": "object", "additionalProperties": true }
- ]
+ "type": "array",
+ "description": "Array of Apple MDM configuration settings specific to the rule.",
+ "items": {
+ "type": "object",
+ "description": "Apple MDM configuration settings specific to the rule.",
+ "properties": {
+ "PayloadType": {
+ "type": "string",
+ "description": "The type of configuration payload (e.g., 'com.apple.security.smartcard')."
+ },
+ "PayloadContent": {
+ "type": "object",
+ "description": "Key-value pairs of MDM controls for this payload.",
+ "additionalProperties": {
+ "anyOf": [
+ { "type": "string" },
+ { "type": "integer" },
+ { "type": "boolean" },
+ { "type": "array", "items": { "type": "string" } },
+ { "type": "object", "additionalProperties": true }
+ ]
+ }
}
- }
- },
- "required": ["PayloadType", "PayloadContent"]
+ },
+ "required": ["PayloadType", "PayloadContent"]
+ }
},
"ddm_info": {
"type": "object",
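Review bot: `mobileconfig_info` is now an array but has no `minItems`, so `mobileconfig: true` with `mobileconfig_info: []` satisfies the conditional added at the end of this file, while `format_mobileconfig_fix` in this diff turns an empty list into the text `No mobileconfig info available for this rule.` in the generated guide. `"minItems": 1` on the array closes that gap. Consider `"additionalProperties": false` on the item object so a misspelt `PayloadContents` key is rejected rather than silently ignored.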
@@ -214,5 +242,29 @@
"$ref": "https://raw.githubusercontent.com/apple/device-management/refs/heads/release/docs/schema.yaml"
}
},
- "required": ["id", "title", "discussion", "check", "result", "fix", "severity", "operating_system"]
+ "anyOf": [
+ {
+ "not": {
+ "properties": {
+ "tags": {
+ "pattern": "\\b(permanent|supplemental|inherent|not_applicable)\\b"
+ }
+ }
+ },
+ "then": {
+ "required": ["result"]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "mobileconfig": { "const": true }
+ }
+ },
+ "then": {
+ "required": ["mobileconfig_info"]
+ }
+ }
+ ],
+ "required": ["id", "title", "discussion", "check", "fix", "operating_system", "references"]
}
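Review bot: The `anyOf` added here does not enforce either rule it is meant to. In the first branch `then` has no sibling `if`, so validators ignore it, and `pattern` on `tags` is a no-op because `tags` is an array, not a string; in the second branch a rule without a `mobileconfig` key passes `properties` vacuously, so `mobileconfig_info` becomes required for it, and because the two branches sit in `anyOf`, one passing branch makes the whole check succeed. Use `allOf` with `if`/`then`/`else` and `contains` for the tag test, as below (assumes a draft-07 or newer validator, which `contentEncoding` earlier in this file already implies). `severity` was also dropped from `required` here, which is worth confirming against the loader's expectations.
```json
"allOf": [
  {
    "if": {
      "required": ["tags"],
      "properties": {
        "tags": {
          "contains": { "enum": ["permanent", "supplemental", "inherent", "not_applicable"] }
        }
      }
    },
    "else": { "required": ["result"] }
  },
  {
    "if": {
      "required": ["mobileconfig"],
      "properties": { "mobileconfig": { "const": true } }
    },
    "then": { "required": ["mobileconfig_info"] }
  }
],
"required": ["id", "title", "discussion", "check", "fix", "operating_system", "references"]
```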
diff --git a/src/mscp/classes/baseline.py b/src/mscp/classes/baseline.py
index 567df801e..277651fa7 100644
--- a/src/mscp/classes/baseline.py
+++ b/src/mscp/classes/baseline.py
@@ -38,6 +38,7 @@ class Baseline:
description: str = field(default="")
parent_values: str = ""
+
@classmethod
def from_yaml(cls, file_path: Path, os_name: str, os_version: int, custom: bool = False) -> "Baseline":
"""
@@ -82,6 +83,7 @@ def from_yaml(cls, file_path: Path, os_name: str, os_version: int, custom: bool
return baseline
+
def to_dataframe(self) -> pd.DataFrame:
"""
Convert the profiles and rules from the Baseline object into a Pandas DataFrame.
@@ -98,3 +100,7 @@ def to_dataframe(self) -> pd.DataFrame:
rules.append(rule_dict)
return pd.DataFrame(rules)
+
+
+ def get(self, attr, default=None):
+ return getattr(self, attr, default)
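Review bot: `get` has no docstring and, because it is a bare `getattr`, resolves anything on the object, including methods such as `from_yaml`, rather than only the dataclass fields; it also duplicates `MacSecurityRule.get` further down this diff. If dict-style lookup for templates is the intent (inferred, the callers are not visible), say so in a one-line docstring such as `"""Dict-style attribute lookup; returns ``default`` for unknown names."""` and consider restricting lookups to field names via `dataclasses.fields` so a typo cannot return a bound method.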
diff --git a/src/mscp/classes/macsecurityrule.py b/src/mscp/classes/macsecurityrule.py
index b829cd4aa..481d75311 100644
--- a/src/mscp/classes/macsecurityrule.py
+++ b/src/mscp/classes/macsecurityrule.py
@@ -7,11 +7,17 @@
from dataclasses import dataclass
from typing import List, Dict, Any
from pathlib import Path
+from icecream import ic
+from collections import defaultdict
+
+# Additional python modules
+from lxml import etree
# Local python modules
from src.mscp.common_utils.config import config
from src.mscp.common_utils.file_handling import open_yaml
-from src.mscp.common_utils.odv import fill_in_odv
+# from src.mscp.common_utils.odv import fill_in_odv
+# from src.mscp.common_utils.mobile_config_fix import format_mobileconfig_fix
# Initialize logger
logger = logging.getLogger(__name__)
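Review bot: `from icecream import ic` is a debugging helper and has no use in the hunks of this diff, yet it is now a hard import-time dependency of the rule loader; drop it or keep it out of committed code. The `fill_in_odv` and `format_mobileconfig_fix` imports are commented out rather than removed, and with `_fill_in_odv` and `format_mobileconfig_fix` now methods on the class (later in this diff) the old imports are dead; delete both lines.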
@@ -22,6 +28,12 @@ class Cis:
controls_v8: List[float] | None
+@dataclass
+class Mobileconfigpayload:
+ payload_type: str
+ payload_content: Dict[str, Any]
+
+
@dataclass(slots=True)
class MacSecurityRule:
title: str
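Review bot: `Mobileconfigpayload` has no docstring, and `payload_type: str` is stricter than what `load_rules` passes: `entry.get("PayloadType")` later in this diff yields `None` when a YAML entry lacks the key, and the text `(None)` would then end up in the generated fix. Type it `payload_type: str | None` (the file already uses that union form) or validate in the loader, and add `"""One MDM payload: its PayloadType identifier and the key/value settings it carries."""` after the class line.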
@@ -46,7 +58,7 @@ class MacSecurityRule:
result: Any
result_value: str
mobileconfig: bool
- mobileconfig_info: dict
+ mobileconfig_info: List[Mobileconfigpayload]
ddm_info: dict
customized: bool
mechanism: str = ""
@@ -67,15 +79,18 @@ def load_rules(cls, rule_ids: List[str], os_name: str, os_version: int, parent_v
"""
rules_dir: List[Path] = []
- rules = []
+ rules: List[MacSecurityRule] = []
+ mobileconfig_info: List = []
+ mechanism: str = "Manual"
+ os_version_str: str = str(os_version)
if custom:
rules_dirs = [
- Path(config["custom"]["rules_dir"], os_name, f"{os_version}"),
- Path(config["defaults"]["rules_dir"], os_name, f"{os_version}")
+ Path(config["custom"]["rules_dir"], os_name, os_version_str),
+ Path(config["defaults"]["rules_dir"], os_name, os_version_str)
]
else:
- rules_dirs = [Path(config["defaults"]["rules_dir"], os_name, f"{os_version}")]
+ rules_dirs = [Path(config["defaults"]["rules_dir"], os_name, os_version_str)]
for rule_id in rule_ids:
rule_file = next((file for rules_dir in rules_dirs if rules_dir.exists()
@@ -85,9 +100,11 @@ def load_rules(cls, rule_ids: List[str], os_name: str, os_version: int, parent_v
continue
rule_yaml: dict = open_yaml(rule_file)
- fill_in_odv(rule_yaml, parent_values)
+ # fill_in_odv(rule_yaml, parent_values)
+ payloads: List[Mobileconfigpayload] = []
result = rule_yaml.get("result", "N/A")
+ mobileconfig = rule_yaml.get("mobileconfig", False)
if isinstance(result, dict):
for result_type in ["integer", "boolean", "string", "base64"]:
@@ -99,11 +116,22 @@ def load_rules(cls, rule_ids: List[str], os_name: str, os_version: int, parent_v
else:
result_value = result
- mechanism = "Manual"
+ if mobileconfig:
+ mechanism = "Configuration Profile"
+
+ mobileconfig_info = rule_yaml.get("mobileconfig_info", {})
+
+ if isinstance(mobileconfig_info, dict):
+ for payload_type, payload_content in mobileconfig_info.items():
+ payloads.append(Mobileconfigpayload(payload_type, payload_content))
+ elif isinstance(mobileconfig_info, list):
+ for entry in mobileconfig_info:
+ payload_type = entry.get("PayloadType")
+ payload_content = entry.get("PayloadContent", {})
+ payloads.append(Mobileconfigpayload(payload_type, payload_content))
+
if "[source,bash]" in rule_yaml["fix"]:
mechanism = "Script"
- if "This is implemented by a Configuration Profile." in rule_yaml["fix"]:
- mechanism = "Configuration Profile"
match rule_yaml["tags"]:
case "inherent":
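Review bot: Dropping `mechanism = "Manual"` from the loop body makes `mechanism` carry over between rules: it is now initialised once before the `for rule_id` loop (earlier hunk, `mechanism: str = "Manual"`), and a rule that matches none of the `mobileconfig`, `[source,bash]` or tag branches inherits whatever the previous rule set, so a manual control following a profile-backed one is documented as `Configuration Profile` in the generated baseline. Reinstate `mechanism = "Manual"` as the first statement of the loop body. In the list branch, `entry.get("PayloadType")` can be `None` for a malformed rule file; log and skip such entries rather than constructing a payload with no type. The enclosing `load_rules` method begins and ends outside this hunk.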
@@ -113,13 +141,13 @@ def load_rules(cls, rule_ids: List[str], os_name: str, os_version: int, parent_v
case "not_applicable":
mechanism = "The control is not applicable when configuring a macOS system."
- rules.append(cls(
+ rule = cls(
title=rule_yaml.get("title", "missing").replace('|', '\\|'),
rule_id=rule_yaml.get("id", "missing").replace('|', '\\|'),
severity=rule_yaml.get("severity", None),
discussion=rule_yaml.get("discussion", "missing").replace('|', '\\|'),
check=rule_yaml.get("check", "missing").replace('|', '\\|'),
- fix=rule_yaml.get("fix", "missing").replace('|', '\\|'),
+ fix=rule_yaml.get("fix", "").replace('|', '\\|'),
cci=rule_yaml.get("references", {}).get("cci", None),
cce=rule_yaml.get("references", {}).get("cce", None),
nist_171=rule_yaml.get("references", {}).get("800-171r3", None),
@@ -136,14 +164,229 @@ def load_rules(cls, rule_ids: List[str], os_name: str, os_version: int, parent_v
result=rule_yaml.get("result", {}),
result_value=result_value,
mobileconfig=rule_yaml.get("mobileconfig", False),
- mobileconfig_info=rule_yaml.get("mobileconfig_info", {}),
+ mobileconfig_info=payloads,
customized=rule_yaml.get("references", {}).get("customized", False),
section=section,
mechanism=mechanism,
ddm_info=rule_yaml.get("ddm_info", {})
- ))
+ )
+
+ if mobileconfig:
+ logger.debug(f"Formatting mobileconfig_info for rule: {rule.rule_id}")
+ formatted_mobileconfig = rule.format_mobileconfig_fix()
+ rule.fix = formatted_mobileconfig
+ logger.debug(formatted_mobileconfig)
+
+ if not rule.odv == None:
+ rule._fill_in_odv(parent_values)
+
+ rules.append(rule)
return rules
+
+ def format_mobileconfig_fix(self) -> str:
+ """
+ Generate a formatted XML-like string for the `mobileconfig_info` field.
+
+ Handles special cases such as `com.apple.ManagedClient.preferences`.
+
+ Returns:
+ str: A formatted string representing the mobileconfig payloads.
+ """
+ if not self.mobileconfig_info:
+ return "No mobileconfig info available for this rule.\n"
+
+ rulefix = ""
+
+ for payload in self.mobileconfig_info:
+ if payload.payload_type == "com.apple.ManagedClient.preferences":
+ rulefix += (
+ f"NOTE: The following settings are in the ({payload.payload_type}) payload. "
+ "This payload requires the additional settings to be sub-payloads within, "
+ "containing their defined payload types.\n\n"
+ )
+ # Recursively process nested payloads
+ for nested_payload_type, nested_payload_content in payload.payload_content.items():
+ nested_fix = self._format_payload(nested_payload_type, nested_payload_content)
+ rulefix += nested_fix
+ else:
+ rulefix += self._format_payload(payload.payload_type, payload.payload_content)
+
+ return rulefix
+
+
+ def _fill_in_odv(self, parent_values: str) -> None:
+ """
+ Replaces placeholders ('$ODV') in the instance attributes with the appropriate override value
+ based on the parent_values key.
+
+ Args:
+ parent_values (str): The key to look up in the 'odv' dictionary.
+
+ Returns:
+ None: Modifies the instance attributes in place.
+ """
+ _has_odv = False
+ odv_value = None
+
+ # Ensure odv is a dictionary-like structure
+ if isinstance(self.odv, dict):
+ odv_lookup = self.odv
+ elif isinstance(self.odv, list) and all(isinstance(item, str) for item in self.odv):
+ odv_lookup = {str(i): v for i, v in enumerate(self.odv)} # Map indices to values
+ else:
+ odv_lookup = {}
+
+ # Extract ODV value
+ for key in [parent_values, "custom", "recommended"]:
+ if key in odv_lookup:
+ odv_value = odv_lookup[key]
+ odv_value = str(odv_value) if not isinstance(odv_value, int) else odv_value
+ _has_odv = True
+ break
+
+ if not _has_odv:
+ return
+
+ # Replace $ODV in text fields
+ fields_to_process = ["title", "discussion", "check", "fix"]
+ for field in fields_to_process:
+ if hasattr(self, field) and "$ODV" in getattr(self, field, ""):
+ updated_value = getattr(self, field).replace("$ODV", str(odv_value))
+ setattr(self, field, updated_value)
+
+ # Replace $ODV in result
+ if isinstance(self.result, dict):
+ for key, value in self.result.items():
+ if isinstance(value, str) and "$ODV" in value:
+ self.result[key] = value.replace("$ODV", str(odv_value))
+
+ # Replace $ODV in mobileconfig_info
+ for payload in self.mobileconfig_info:
+ for key, value in payload.payload_content.items():
+ if isinstance(value, str) and "$ODV" in value:
+ payload.payload_content[key] = value.replace("$ODV", str(odv_value))
+ elif isinstance(value, dict):
+ for subkey, subvalue in value.items():
+ if isinstance(subvalue, str) and "$ODV" in subvalue:
+ value[subkey] = subvalue.replace("$ODV", str(odv_value))
+
+ # Replace $ODV in ddm_info
+ for key, value in self.ddm_info.items():
+ if isinstance(value, str) and "$ODV" in value:
+ self.ddm_info[key] = value.replace("$ODV", str(odv_value))
+ elif isinstance(value, dict):
+ for subkey, subvalue in value.items():
+ if isinstance(subvalue, str) and "$ODV" in subvalue:
+ value[subkey] = subvalue.replace("$ODV", str(odv_value))
+
+
+ def _format_payload(self, payload_type: str, payload_content: dict) -> str:
+ """
+ Format a single payload type and its content.
+
+ Args:
+ payload_type (str): The type of the payload.
+ payload_content (dict): The content of the payload.
+
+ Returns:
+ str: A formatted string representing the payload.
+ """
+ output = (
+ f"Create a configuration profile containing the following keys in the ({payload_type}) payload type:\n\n"
+ )
+ output += "[source,xml]\n----\n"
+
+ # Generate XML for the payload content
+ root = etree.Element("Payload")
+ self._add_payload_content(root, payload_content)
+
+ elements = []
+ for key, value in payload_content.items():
+ # Create a element
+ key_element = etree.Element("key")
+ key_element.text = key
+ elements.append(key_element)
+
+ # Create the corresponding value element
+ value_element = self._create_value_element(value)
+ elements.append(value_element)
+
+ # Pretty-print each element individually
+ for element in elements:
+ output += etree.tostring(element, encoding="unicode", pretty_print=True).strip() + "\n"
+
+ output += "----\n\n"
+ return output
+
+
+ @staticmethod
+ def _add_payload_content(parent: etree.Element, content: dict) -> None:
+ """
+ Add payload content as XML elements to the parent node.
+
+ Args:
+ parent (etree.Element): The parent XML element.
+ content (dict): The dictionary of key-value pairs to process.
+ """
+ for key, value in content.items():
+ key_element = etree.SubElement(parent, "key")
+ key_element.text = key
+
+ match value:
+ case bool():
+ etree.SubElement(parent, "true" if value else "false")
+ case int():
+ int_element = etree.SubElement(parent, "integer")
+ int_element.text = str(value)
+ case str():
+ str_element = etree.SubElement(parent, "string")
+ str_element.text = value
+ case list():
+ array_element = etree.SubElement(parent, "array")
+ for item in value:
+ item_element = etree.SubElement(array_element, "string")
+ item_element.text = item
+ case dict():
+ dict_element = etree.SubElement(parent, "dict")
+ MacSecurityRule._add_payload_content(dict_element, value)
+ case _:
+ raise ValueError(f"Unsupported value type: {type(value)} for key: {key}")
+
+
+ def _create_value_element(self, value):
+ """
+ Create an XML element for a value based on its type.
+
+ Args:
+ value (Any): The value to convert into an XML element.
+
+ Returns:
+ etree.Element: The created XML element.
+ """
+ if isinstance(value, bool):
+ return etree.Element("true" if value else "false")
+ elif isinstance(value, int):
+ int_element = etree.Element("integer")
+ int_element.text = str(value)
+ return int_element
+ elif isinstance(value, str):
+ str_element = etree.Element("string")
+ str_element.text = value
+ return str_element
+ elif isinstance(value, list):
+ array_element = etree.Element("array")
+ for item in value:
+ item_element = etree.SubElement(array_element, "string")
+ item_element.text = item
+ return array_element
+ elif isinstance(value, dict):
+ dict_element = etree.Element("dict")
+ self._add_payload_content(dict_element, value)
+ return dict_element
+ else:
+ raise ValueError(f"Unsupported value type: {type(value)}")
+
def get(self, attr, default=None):
return getattr(self, attr, default)
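Review bot: In `_format_payload` the `root` element built by `_add_payload_content(root, payload_content)` is never read; the output is produced from the separately built `elements` list, so those two lines are dead work and a second, divergent serializer to maintain, and one of the two paths should go. `if not rule.odv == None` should be `if rule.odv is not None` (assuming `odv` is a field of the dataclass, which is not visible here). Both `_add_payload_content` and `_create_value_element` assume list items are strings, so an integer item makes lxml raise `TypeError` on `.text`, which is worth either handling or documenting. `_fill_in_odv` descends only two levels while `_add_payload_content` recurses arbitrarily, so a `$ODV` nested three deep is emitted unreplaced into the profile text; the docstring should also say that the substitution mutates `payload_content` and `ddm_info` in place.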
diff --git a/src/mscp/classes/payload.py b/src/mscp/classes/payload.py
index 2460e7faf..0b30411d0 100644
--- a/src/mscp/classes/payload.py
+++ b/src/mscp/classes/payload.py
@@ -6,205 +6,113 @@
from uuid import uuid4
from pathlib import Path
-from typing import List, Dict, Optional, Union
+from typing import List, Dict, Optional, Any
from dataclasses import dataclass, field
-from .macsecurityrule import MacSecurityRule
-
+# Initialize local logger
logger = logging.getLogger(__name__)
-class PayloadDict:
- """Class to create and manipulate Configuration Profiles.
- The actual plist content can be accessed as a dictionary via the 'data' attribute.
- """
-
- def __init__(self, identifier, uuid=False, description='', organization='', displayname=''):
- self.data = {}
- self.data["PayloadVersion"] = 1
- self.data["PayloadOrganization"] = organization
- if uuid:
- self.data["PayloadUUID"] = uuid
- else:
- self.data['PayloadUUID'] = makeNewUUID()
- self.data['PayloadType'] = 'Configuration'
- self.data['PayloadScope'] = 'System'
- self.data['PayloadDescription'] = description
- self.data['PayloadDisplayName'] = displayname
- self.data['PayloadIdentifier'] = identifier
- self.data['ConsentText'] = {"default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER."}
-
- # An empty list for 'sub payloads' that we'll fill later
- self.data["PayloadContent"] = []
-
- def _updatePayload(self, payload_content_dict, baseline_name):
- """Update the profile with the payload settings. Takes the settings dictionary which will be the
- PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
- elements.
- """
- # description = "Configuration settings for the {} preference domain.".format(payload_type)
- payload_dict = {}
-
- # Boilerplate
- payload_dict['PayloadVersion'] = 1
- payload_dict['PayloadUUID'] = makeNewUUID()
- payload_dict['PayloadType'] = payload_content_dict['PayloadType']
- payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}"
-
- payload_dict["PayloadContent"] = payload_content_dict
- # Add the payload to the profile
- self.data.update(payload_dict)
-
- def _addPayload(self, payload_content_dict, baseline_name):
- """Add a payload to the profile. Takes the settings dictionary which will be the
- PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
- elements.
- """
- # description = "Configuration settings for the {} preference domain.".format(payload_type)
- payload_dict = {}
-
- # Boilerplate
- payload_dict['PayloadVersion'] = 1
- payload_dict['PayloadUUID'] = makeNewUUID()
- payload_dict['PayloadType'] = payload_content_dict['PayloadType']
- payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}"
-
- payload_dict["PayloadContent"] = payload_content_dict
- # Add the payload to the profile
- # print payload_dict
- del payload_dict["PayloadContent"]["PayloadType"]
- self.data["PayloadContent"].append(payload_dict)
-
- def addNewPayload(self, payload_type, settings, baseline_name):
- """Add a payload to the profile. Takes the settings dictionary which will be the
- PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
- elements.
- """
- # description = "Configuration settings for the {} preference domain.".format(payload_type)
- payload_dict = {}
-
- # Boilerplate
- payload_dict['PayloadVersion'] = 1
- payload_dict['PayloadUUID'] = makeNewUUID()
- payload_dict['PayloadType'] = payload_type
- payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}"
-
- # Add the settings to the payload
- for setting in settings:
- for k, v in setting.items():
- payload_dict[k] = v
-
- # Add the payload to the profile
- self.data["PayloadContent"].append(payload_dict)
-
- def addMCXPayload(self, settings, baseline_name):
- """Add a payload to the profile. Takes the settings dictionary which will be the
- PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive
- elements.
- """
- keys = settings[1]
- plist_dict = {}
- for key in keys.split():
- plist_dict[key] = settings[2]
- # description = "Configuration settings for the {} preference domain.".format(payload_type)
- payload_dict = {}
+def make_new_uuid() -> str:
+ return str(uuid4())
- state = "Forced"
- domain = settings[0]
- # Boilerplate
- payload_dict[domain] = {}
- payload_dict[domain][state] = []
- payload_dict[domain][state].append({})
- payload_dict[domain][state][0]["mcx_preference_settings"] = plist_dict
- payload_dict["PayloadType"] = "com.apple.ManagedClient.preferences"
-
- self._addPayload(payload_dict, baseline_name)
-
- def finalizeAndSave(self, output_path):
- """Perform last modifications and save to configuration profile."""
- plistlib.dump(self.data, output_path)
- print(f"Configuration profile written to {output_path.name}")
-
- def finalizeAndSavePlist(self, output_path):
- """Perform last modifications and save to an output plist."""
- output_file_path = output_path.name
- preferences_path = os.path.dirname(output_file_path)
-
- settings_dict = {}
- for i in self.data["PayloadContent"]:
- if i["PayloadType"] == "com.apple.ManagedClient.preferences":
- for key, value in i["PayloadContent"].items():
- domain = key
- preferences_output_file = os.path.join(
- preferences_path, domain + ".plist"
- )
- if not os.path.exists(preferences_output_file):
- with open(preferences_output_file, "w"):
- pass
- with open(preferences_output_file, "rb") as fp:
- try:
- settings_dict = plistlib.load(fp)
- except:
- settings_dict = {}
- with open(preferences_output_file, "wb") as fp:
- for setting in value["Forced"]:
- for key, value in setting[
- "mcx_preference_settings"
- ].items():
- settings_dict[key] = value
-
- # preferences_output_path = open(preferences_output_file, 'wb')
- plistlib.dump(settings_dict, fp)
- print(f"Settings plist written to {preferences_output_file}")
- settings_dict.clear()
- try:
- os.unlink(output_file_path)
- except:
- continue
- else:
- if os.path.exists(output_file_path):
- with open(output_file_path, "rb") as fp:
- try:
- settings_dict = plistlib.load(fp)
- except:
- settings_dict = {}
- for key, value in i.items():
- if not key.startswith("Payload"):
- settings_dict[key] = value
+@dataclass
+class Payload:
+ """Dataclass to create and manipulate Configuration Profiles."""
+ identifier: str
+ organization: str = ""
+ description: str = ""
+ displayname: str = ""
+ uuid: Optional[str] = field(default_factory=make_new_uuid)
+ payload_version: int = 1
+ payload_scope: str = "System"
+ payload_type: str = "Configuration"
+ consent_text: Dict[str, str] = field(default_factory=lambda: {
+ "default": (
+ "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, "
+ "EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, "
+ "ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED "
+ "WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM "
+ "FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE "
+ "SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL "
+ "NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, "
+ "SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY "
+ "CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, "
+ "WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS "
+ "SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER."
+ )
+ })
+ payload_content: List[Dict[str, Any]] = field(default_factory=list)
+
+ def add_payload(self, payload_type: str, settings: Dict[str, Any], baseline_name: str) -> None:
+ """Add a payload to the profile."""
+ payload = {
+ "PayloadVersion": self.payload_version,
+ "PayloadUUID": make_new_uuid(),
+ "PayloadType": payload_type,
+ "PayloadIdentifier": f"alacarte.macOS.{baseline_name}.{make_new_uuid()}",
+ }
+ # Merge settings directly into the payload dictionary
+ payload.update(settings)
+ self.payload_content.append(payload)
- plistlib.dump(settings_dict, output_path)
- print(f"Settings plist written to {output_path.name}")
-def makeNewUUID() -> str:
- return str(uuid4())
+ def add_mcx_payload(self, settings: List[Any], baseline_name: str) -> None:
+ """Add a Managed Client preferences payload."""
+ keys = settings[1]
+ plist_dict = {key: settings[2] for key in keys.split()}
+ uuid = make_new_uuid()
-@dataclass
-class Payload:
- """
- Class to create and manipulate ConfigurationProfiles.
- The actual plist content can be accessed as a dictionary via the 'data' attribute.
- """
+ domain = settings[0]
+ payload = {
+ "PayloadVersion": self.payload_version,
+ "PayloadUUID": uuid,
+ "PayloadType": "com.apple.ManagedClient.preferences",
+ "PayloadIdentifier": f"alacarte.macOS.{baseline_name}.{uuid}",
+ "PayloadContent": {}
+ }
- identifier: str
- uuid: Optional[str] = None
- description: str = ''
- organization: str = ''
- displayname: str = ''
- PayloadVersion: int = 1
- PayloadType: str = 'Configuration'
- PayloadScope: str = 'System'
- data: Dict[str, Union[str, int, Dict[str, str], List[Dict[str, Union[str, int]]]]] = field(init=False)
-
- def __post_init__(self):
- self.data = {
- "PayloadVersion": self.PayloadVersion,
+ # Add the MCX settings directly to the payload
+ payload.get("PayloadContent", {}).update({domain: {"Forced": [{"mcx_preference_settings": plist_dict}]}})
+ self.payload_content.append(payload)
+
+
+ def save_to_plist(self, output_path: Path) -> None:
+ """Save the profile to a plist file."""
+ data = {
+ "PayloadVersion": self.payload_version,
"PayloadOrganization": self.organization,
- "PayloadUUID": self.uuid or makeNewUUID(),
- "PayloadType": self.PayloadType,
- "PayloadScope": self.PayloadScope,
+ "PayloadUUID": self.uuid,
+ "PayloadType": self.payload_type,
+ "PayloadScope": self.payload_scope,
"PayloadDescription": self.description,
"PayloadDisplayName": self.displayname,
"PayloadIdentifier": self.identifier,
- "PayloadContent": []
+ "ConsentText": self.consent_text,
+ "PayloadContent": self.payload_content
}
+
+ with output_path.open("wb") as plist_file:
+ plistlib.dump(data, plist_file)
+ print(f"Configuration profile written to {output_path}")
+
+ def finalize_and_save_plist(self, output_path: Path) -> None:
+ """Save a final plist with additional processing for MCX settings."""
+ for payload in self.payload_content:
+ if payload.get("PayloadType") == "com.apple.ManagedClient.preferences":
+ for domain, value in payload["PayloadContent"].items():
+ preferences_file = output_path.parent / f"{domain}.plist"
+ preferences_file.touch(exist_ok=True)
+ with preferences_file.open("rb") as f:
+ try:
+ settings_dict = plistlib.load(f)
+ except Exception:
+ settings_dict = {}
+ with preferences_file.open("wb") as f:
+ for forced_setting in value["Forced"]:
+ settings_dict.update(forced_setting["mcx_preference_settings"])
+ plistlib.dump(settings_dict, f)
+ print(f"Settings plist written to {preferences_file}")
+
+ self.save_to_plist(output_path)
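Review bot: In `add_payload` the identifier line `"PayloadIdentifier": f"alacarte.macOS.{baseline_name}.{make_new_uuid()}"` draws a second, unrelated UUID, whereas the removed `addNewPayload` reused the value stored in `PayloadUUID` and the new `add_mcx_payload` does the same through its local `uuid`; generate it once with `uuid = make_new_uuid()` and use `"PayloadUUID": uuid` and `f"alacarte.macOS.{baseline_name}.{uuid}"` so the two fields stay correlated as before. In `finalize_and_save_plist` the `except Exception:` around `plistlib.load(f)` turns any unreadable existing preferences file into an empty dict that is then overwritten with only the new keys, so a corrupt or unexpectedly formatted file is silently replaced; adding `logger.warning(f"Could not parse existing {preferences_file}; it will be overwritten")` in that branch makes the data loss visible (the empty just-touched file still takes this path and is the expected case). Both `save_to_plist` and `finalize_and_save_plist` report through `print` although the module defines `logger` at the top of the hunk; `logger.info(...)` keeps output consistent with the rest of the package.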
diff --git a/src/mscp/common_utils/file_handling.py b/src/mscp/common_utils/file_handling.py
index a723fc625..703846d62 100644
--- a/src/mscp/common_utils/file_handling.py
+++ b/src/mscp/common_utils/file_handling.py
@@ -68,7 +68,7 @@ def make_dir(folder_path: Path) -> None:
logger.info(f"Created folder: {folder_path}")
except OSError as e:
logger.error(f"Creation of {folder_path} failed.")
- logging.debug(f"Error message: {str(e)}")
+ logger.debug(f"Error message: {str(e)}")
def append_text(path: Path, text: str, encoding: str = "UTF-8", errors=None, newline=None) -> None:
@@ -87,7 +87,7 @@ def append_text(path: Path, text: str, encoding: str = "UTF-8", errors=None, new
"""
try:
with path.open(mode='a', encoding=encoding, errors=errors, newline=newline) as f:
- logging.info(f"Appending to file: {path}")
+ logger.info(f"Appending to file: {path}")
f.write(f"{text}\n")
except Exception as e:
@@ -108,4 +108,14 @@ def remove_dir(folder_path: Path) -> None:
except OSError as e:
logger.error(f"Removal of {folder_path} failed.")
- logging.debug(f"Error message: {str(e)}")
+ logger.debug(f"Error message: {str(e)}")
+
+def remove_file(file_path: Path) -> None:
+ if file_path.exists():
+ try:
+ file_path.unlink()
+ logger.info(f"Removed file: {file_path}")
+
+ except (OSError, FileNotFoundError) as e:
+ logger.error(f"An error occurred while removing the file: {file_path}. Error: {e}")
+ logger.debug(f"Error message: {str(e)}")
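Review bot: `remove_file` has no docstring, unlike the helpers around it, and its `except (OSError, FileNotFoundError)` tuple lists a subclass of `OSError`, so `except OSError as e:` is the same check. The `exists()` test followed by `unlink()` also leaves a window in which the file can vanish between the two calls; the tree already appears to rely on Python 3.12 syntax (nested-quote f-strings in guidance.py), so `file_path.unlink(missing_ok=True)` inside the `try` can replace the pre-check. A one-line docstring such as `"""Delete file_path if it exists, logging the OSError if removal fails."""` would match the module's existing style, and the `error` and `debug` calls currently emit the same exception text twice.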
diff --git a/src/mscp/common_utils/mobile_config_fix.py b/src/mscp/common_utils/mobile_config_fix.py
index 05abcfac6..4b4f23660 100644
--- a/src/mscp/common_utils/mobile_config_fix.py
+++ b/src/mscp/common_utils/mobile_config_fix.py
@@ -2,9 +2,13 @@
import logging
+from typing import List
+
+from src.mscp.classes.macsecurityrule import Mobileconfigpayload
+
logger = logging.getLogger(__name__)
-def format_mobileconfig_fix(mobileconfig: dict) -> str:
+def format_mobileconfig_fix(mobileconfig: List) -> str:
"""
Generate a formatted string representing a configuration profile in XML format
based on the provided mobileconfig dictionary.
@@ -16,7 +20,7 @@ def format_mobileconfig_fix(mobileconfig: dict) -> str:
which requires sub-payloads within its payload type.
Args:
- mobileconfig (dict): A dictionary representing the configuration settings.
+ mobileconfig (List[Mobileconfigprofile]): A list of Mobileconfigprofile instances.
Keys are domains or payload types, and values are configuration settings,
which can include nested dictionaries, lists, or scalar values.
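Review bot: The updated Args entry names the element type `Mobileconfigprofile`, but the class imported and constructed in this module is `Mobileconfigpayload`, so the docstring points readers at a name that does not exist here; change it to `mobileconfig (List[Mobileconfigpayload]): A list of Mobileconfigpayload instances.` The next sentence, "Keys are domains or payload types, and values are configuration settings", was written for the old dict parameter and now describes each element's `payload_type` and `payload_content`; it should say so. The enclosing docstring starts and ends outside this hunk.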
@@ -60,61 +64,59 @@ def format_mobileconfig_fix(mobileconfig: dict) -> str:
"""
rulefix = ""
- for domain, settings in mobileconfig.items():
- if domain == "com.apple.ManagedClient.preferences":
- rulefix = rulefix + (
- f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their defined payload types.\n\n"
+
+ for profile in mobileconfig:
+ payload_type = profile.payload_type
+ payload_content = profile.payload_content
+
+ if payload_type == "com.apple.ManagedClient.preferences":
+ rulefix += (
+ f"NOTE: The following settings are in the ({payload_type}) payload. "
+ "This payload requires the additional settings to be sub-payloads within, "
+ "containing their defined payload types.\n\n"
)
- rulefix = rulefix + format_mobileconfig_fix(settings)
+ # Recursively handle nested payloads if needed
+ nested_fix = format_mobileconfig_fix(
+ [Mobileconfigpayload(k, v) for k, v in payload_content.items()]
+ )
+ rulefix += nested_fix
else:
- rulefix = rulefix + (
- f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n"
+ rulefix += (
+ f"Create a configuration profile containing the following keys in the ({payload_type}) payload type:\n\n"
)
- rulefix = rulefix + "[source,xml]\n----\n"
- for item in settings.items():
- rulefix = rulefix + (f"{item[0]}\n")
-
- if type(item[1]) == bool:
- rulefix = rulefix + (f"<{str(item[1]).lower()}/>\n")
- elif type(item[1]) == list:
- rulefix = rulefix + "\n"
- for setting in item[1]:
- rulefix = rulefix + (f" {setting}\n")
- rulefix = rulefix + "\n"
- elif type(item[1]) == int:
- rulefix = rulefix + (f"{item[1]}\n")
- elif type(item[1]) == str:
- rulefix = rulefix + (f"{item[1]}\n")
- elif type(item[1]) == dict:
- rulefix = rulefix + "\n"
- for k,v in item[1].items():
- if type(v) == dict:
- rulefix = rulefix + \
- (f" {k}\n")
- rulefix = rulefix + \
- (f" \n")
- for x,y in v.items():
- rulefix = rulefix + \
- (f" {x}\n")
- rulefix = rulefix + \
- (f" {y}\n")
- rulefix = rulefix + \
- (f" \n")
- break
- if isinstance(v, list):
- rulefix = rulefix + " \n"
- for setting in v:
- rulefix = rulefix + \
- (f" {setting}\n")
- rulefix = rulefix + " \n"
- else:
- rulefix = rulefix + \
- (f" {k}\n")
- rulefix = rulefix + \
- (f" {v}\n")
- rulefix = rulefix + "\n"
-
-
- rulefix = rulefix + "----\n\n"
+ rulefix += "[source,xml]\n----\n"
+
+ for key, value in payload_content.items():
+ rulefix += f"{key}\n"
+
+ if isinstance(value, bool):
+ rulefix += f"<{str(value).lower()}/>\n"
+ elif isinstance(value, list):
+ rulefix += "\n"
+ for item in value:
+ rulefix += f" {item}\n"
+ rulefix += "\n"
+ elif isinstance(value, int):
+ rulefix += f"{value}\n"
+ elif isinstance(value, str):
+ rulefix += f"{value}\n"
+ elif isinstance(value, dict):
+ rulefix += "\n"
+ for sub_key, sub_value in value.items():
+ rulefix += f" {sub_key}\n"
+ if isinstance(sub_value, str):
+ rulefix += f" {sub_value}\n"
+ elif isinstance(sub_value, bool):
+ rulefix += f" <{str(sub_value).lower()}/>\n"
+ elif isinstance(sub_value, list):
+ rulefix += " \n"
+ for sub_item in sub_value:
+ rulefix += f" {sub_item}\n"
+ rulefix += " \n"
+ elif isinstance(sub_value, int):
+ rulefix += f" {sub_value}\n"
+ rulefix += "\n"
+
+ rulefix += "----\n\n"
return rulefix
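Review bot: Inside the `isinstance(value, dict)` branch, the `sub_value` chain handles `str`, `bool`, `list` and `int` but has no `dict` case, while the removed code (`if type(v) == dict:` followed by the `for x,y in v.items()` loop) rendered one level of nested mapping; a nested dict now emits its `sub_key` line and then nothing, leaving a dangling key in the generated fix text. At minimum add a trailing `else: logger.warning(f"Unsupported value type {type(sub_value).__name__} for key {sub_key}")` so the omission is not silent, and restore the nested-dict rendering if rules still carry that shape. The ordering of the inner checks differs from the outer chain (`str` before `bool` vs `bool` first); both are correct since `bool` precedes `int` in each, but matching the order would read more clearly.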
diff --git a/src/mscp/generate/ddm.py b/src/mscp/generate/ddm.py
index c412f88c1..e26de5d9a 100644
--- a/src/mscp/generate/ddm.py
+++ b/src/mscp/generate/ddm.py
@@ -8,6 +8,7 @@
from pathlib import Path
from typing import List
+from collections import defaultdict
# Local python modules
from src.mscp.classes.baseline import Baseline
@@ -33,13 +34,53 @@ def generate_ddm_activation(output_path: Path, identifier: str) -> None:
def generate_ddm(build_path: Path, baseline: Baseline, baseline_name: str) -> None:
-
- mscp_data: dict = open_yaml(Path(config["global"]["mspc_data"]))
+ """
+ Generate Declarative Device Management (DDM) profiles for a given baseline.
+
+ This function creates and organizes DDM files such as configurations, assets, and activations
+ based on the rules in the provided baseline. It processes `ddm_info` from the rules to generate
+ JSON files and zip archives required for DDM operations.
+
+ Args:
+ build_path (Path): The base directory where DDM output files will be stored.
+ baseline (Baseline): The Baseline object containing profiles and rules to process.
+ baseline_name (str): The name of the baseline for identifying the output files.
+
+ Returns:
+ None
+
+ Raises:
+ Various exceptions for file handling, such as IOError for archive creation errors.
+
+ Key Steps:
+ 1. Parse `ddm_info` from rules in the baseline to identify supported declaration types.
+ 2. Create required output directories if they don't exist.
+ 3. Process configuration files (`com.apple.configuration.services.configuration-files`):
+ - Generate configuration directories and files.
+ - Append configuration settings based on `ddm_info`.
+ 4. Generate and zip configuration files for supported services.
+ 5. Create JSON assets, configurations, and activations for each DDM declaration type.
+
+ Notes:
+ - The `assets`, `activations`, and `configurations` folders are created in the `declarative`
+ directory under the `build_path`.
+ - Services not found in `mscp_data` are skipped with a logged error message.
+ - Unsupported DDM types are logged as errors and skipped.
+
+ Example:
+ generate_ddm(
+ build_path=Path("/path/to/build"),
+ baseline=my_baseline_object,
+ baseline_name="example_baseline"
+ )
+ """
+
+ mscp_data: dict = open_yaml(Path(config.get("mspc_data", "")))
ddm_output_path: Path = Path(build_path, "declarative")
activations_output_path: Path = Path(ddm_output_path, "activations")
assets_output_path: Path = Path(ddm_output_path, "assets")
configurations_output_path: Path = Path(ddm_output_path, "configurations")
- ddm_dict: dict = {}
+ ddm_dict:dict = defaultdict(dict)
logging.debug(f"Output Directory name: {ddm_output_path}")
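Review bot: `Path(config.get("mspc_data", ""))` replaces the `KeyError` a missing config key used to raise with `Path("")`, i.e. the current directory, so a misconfigured build now fails inside `open_yaml` with an error about "." instead of naming the missing key; `config["mspc_data"]`, or an explicit check that raises with the key name, keeps the failure readable. `ddm_dict:dict = defaultdict(dict)` is also missing the space after the colon that every other annotation in this hunk uses. The context line `logging.debug(f"Output Directory name: ...")` still calls the root logger while the following hunk moves the sibling calls to `logger.debug`; it looks like a missed spot in the same cleanup.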
@@ -56,37 +97,46 @@ def generate_ddm(build_path: Path, baseline: Baseline, baseline_name: str) -> No
]
for ddm_rule in ddm_rules:
- if ddm_rule.get("ddm_info", {}).get("declarationtype", "") == "com.apple.configuration.services.configuration-files":
- if not mscp_data.get("ddm", {}).get("services", {}).get(ddm_rule.get("ddm_info", {}).get("service")):
- logger.error(f"{ddm_rule.get("ddm_info", {}).get("service", "")} service NOT found")
+ ddm_info = ddm_rule.get("ddm_info", {})
+ declaration_type = ddm_info.get("declarationtype", "")
+
+ if declaration_type == "com.apple.configuration.services.configuration-files":
+ service_name = ddm_info.get("service", "")
+ if not mscp_data.get("ddm", {}).get("services", {}).get(service_name):
+ logger.error(f"{service_name} service NOT found")
continue
- service_name = ddm_rule.get("ddm_info", {}).get("service", "")
logger.debug(f"Service name: {service_name}")
-
service_path = mscp_data.get("ddm", {}).get("services", {}).get(service_name, "")
logger.debug(f"Service path: {service_path}")
- # ! Need to strip the trailing "/" so that pathlib does not treat it as an absolute path.
- service_config_dir: Path = Path(ddm_output_path, ddm_rule.get("ddm_info", {}).get("service", ""), str(mscp_data["ddm"]["services"][ddm_rule.get("ddm_info", {}).get("service")]).lstrip("/"))
- service_config_file: Path = service_config_dir / ddm_rule.get("ddm_info", {}).get("config_file")
+ # Handle the configuration directory and file
+ service_config_dir: Path = Path(
+ ddm_output_path,
+ service_name,
+ str(mscp_data["ddm"]["services"][service_name]).lstrip("/")
+ )
+ service_config_file: Path = service_config_dir / ddm_info.get("config_file", "")
- logging.debug(f"Configuration Directory name: {service_config_dir}")
- logging.debug(f"Configuration File name: {service_config_file}")
+ logger.debug(f"Configuration Directory: {service_config_dir}")
+ logger.debug(f"Configuration File: {service_config_file}")
if not service_config_dir.exists():
make_dir(service_config_dir)
- if ddm_rule.get("ddm_info", {}).get("configuration_key", "") == "file":
- append_text(service_config_file, ddm_rule.get("ddm_info", {}).get("configuration_value", ""), encoding='UTF-8', newline='\n')
+ config_key = ddm_info.get("configuration_key", "")
+ config_value = ddm_info.get("configuration_value", "")
+
+ if config_key == "file":
+ append_text(service_config_file, config_value, encoding="UTF-8", newline="\n")
else:
- append_text(service_config_file, f"{ddm_rule.get("ddm_info", {}).get("configuration_key", "")} {ddm_rule.get("ddm_info", {}).get("configuration_value", "")}", encoding='UTF-8', newline='\n')
+ append_text(service_config_file, f"{config_key} {config_value}", encoding="UTF-8", newline="\n")
- ddm_dict.setdefault(ddm_rule.get("ddm_info", {}).get("declarationtype", ""), {}).update({})
+ ddm_dict[declaration_type].update({})
else:
- ddm_dict.setdefault(ddm_rule.get("ddm_info", {}).get("declarationtype", ""), {}).update(
- {ddm_rule.get("ddm_info", {}).get("ddm_key", ""): ddm_rule.get("ddm_info", {}).get("ddm_value", "")}
- )
+ ddm_key = ddm_info.get("ddm_key", "")
+ ddm_value = ddm_info.get("ddm_value", "")
+ ddm_dict[declaration_type][ddm_key] = ddm_value
for ddm_type in mscp_data.get("ddm", {}).get("supported_types", []):
if ddm_type not in ddm_dict.keys():
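Review bot: The rewrite drops the only comment explaining why `str(mscp_data["ddm"]["services"][service_name]).lstrip("/")` is needed, and the expression recomputes a value already held in `service_path` two lines earlier; use `str(service_path).lstrip("/")` and put back a why-comment such as `# strip the leading "/" so Path() does not treat the service path as absolute and discard ddm_output_path` (the removed comment said "trailing", but `lstrip` removes the leading slash, and it is a leading slash in a later component that makes `Path` discard the earlier ones). `ddm_dict[declaration_type].update({})` is a no-op whose only effect is creating the key through the `defaultdict`; `ddm_dict.setdefault(declaration_type, {})` or a comment stating that intent would make it explicit. `service_config_dir / ddm_info.get("config_file", "")` also yields the directory itself when `config_file` is absent, so `append_text` would then fail on a directory; the function continues past this hunk.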
diff --git a/src/mscp/generate/excel.py b/src/mscp/generate/excel.py
index 965cb3205..19d0c7315 100644
--- a/src/mscp/generate/excel.py
+++ b/src/mscp/generate/excel.py
@@ -12,13 +12,13 @@
from openpyxl.styles import Alignment, Font
from openpyxl.utils import get_column_letter
-# Local python modules
-from src.mscp.common_utils.mobile_config_fix import format_mobileconfig_fix
+from src.mscp.classes.baseline import Baseline
# Initialize local logger
logger = logging.getLogger(__name__)
-def generate_excel(file_out: Path, dataframe: pd.DataFrame) -> None:
+
+def generate_excel(file_out: Path, baseline: Baseline) -> None:
"""
Generate a formatted Excel file from a given DataFrame.
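Review bot: The signature now takes `baseline: Baseline`, but the docstring's first line still says "from a given DataFrame"; update it to `Generate a formatted Excel file from a Baseline's rule DataFrame.` and, if the Args section further down (outside this hunk) still documents `dataframe`, replace that entry with one describing `baseline`. The docstring continues outside this hunk.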
@@ -67,18 +67,6 @@ def generate_excel(file_out: Path, dataframe: pd.DataFrame) -> None:
Returns:
None: The function saves the output directly to the specified `file_out` path.
"""
-
- def __replace_fix(row):
- if row["mobileconfig_info"]:
- try:
- return format_mobileconfig_fix(row["mobileconfig_info"])
- except Exception as e:
- logger.error(f"Error formatting mobileconfig_info: {e}")
- return row["fix"]
-
- else:
- return row["fix"]
-
rename_mapping = {
"title": "Title",
"rule_id": "Rule ID",
@@ -144,6 +132,7 @@ def __replace_fix(row):
"Modified Rule"
]
+ dataframe = baseline.to_dataframe()
# Make a copy of the dataframe so as not to modify the original dataset
df_copy: pd.DataFrame = dataframe.copy()
@@ -153,7 +142,6 @@ def __replace_fix(row):
df_details= df_copy['cis'].apply(lambda x: {} if pd.isna(x) else x).apply(pd.Series)[["benchmark","controls_v8"]]
df_copy = pd.concat([df_copy, df_details], axis=1)
df_copy["check"] = df_copy["check"].apply(lambda x: {} if pd.isna(x) else x).apply(pd.Series)
- df_copy["fix"] = df_copy.apply(__replace_fix, axis=1)
df_copy.columns = (
df_copy.columns.str.strip()
diff --git a/src/mscp/generate/guidance.py b/src/mscp/generate/guidance.py
index b3a38ae70..c5f0d8b10 100644
--- a/src/mscp/generate/guidance.py
+++ b/src/mscp/generate/guidance.py
@@ -5,28 +5,19 @@
import tempfile
import argparse
import sys
-import json
-import re
from pathlib import Path
from icecream import ic
from base64 import b64encode
-from typing import Optional, Dict, List
-from dataclasses import asdict
# Additional python modules
import pandas as pd
-from openpyxl import Workbook
-from openpyxl.styles import Alignment, Font
-from openpyxl.utils import get_column_letter
-
# Local python modules
from src.mscp.classes.baseline import Baseline
from src.mscp.common_utils.run_command import run_command
from src.mscp.common_utils.config import config
-from src.mscp.common_utils.file_handling import open_file, open_yaml, make_dir
-from src.mscp.common_utils.mobile_config_fix import format_mobileconfig_fix
+from src.mscp.common_utils.file_handling import open_yaml, make_dir
from src.mscp.generate.documents import generate_documents
from src.mscp.generate.script import generate_script
from src.mscp.generate.ddm import generate_ddm
@@ -67,24 +58,6 @@ def verify_signing_hash(cert_hash: str) -> bool:
return True
-def sign_config_profile(in_file: Path, out_file: Path, cert_hash: str) -> None:
- """
- Signs the configuration profile using the identity associated with the provided hash
-
- Args:
- in_file (Path): The file being signed.
- out_file (Path): The file being written to.
- hash (str): The hash string to use for signing.
- """
-
- cmd = f"security cms -SZ {cert_hash} -i {in_file} -o {out_file}"
- output, error = run_command(cmd)
-
- if output:
- logger.info(f"Signed Configuration profile written to {out_file}")
-
-
-# Entry point for the script to call
def guidance(args: argparse.Namespace) -> None:
logo_path: str = f"{config["defaults"]["images_dir"]}/mscp_banner.png"
signing: bool = False
@@ -163,9 +136,10 @@ def guidance(args: argparse.Namespace) -> None:
if args.xlsx:
logger.info("Generating Excel document")
- generate_excel(spreadsheet_output_file, df)
+ generate_excel(spreadsheet_output_file, baseline)
if args.gary:
show_all_tags = True
+ # df.to_excel(spreadsheet_output_file)
# generate_documents(adoc_output_file, baseline, b64logo, pdf_theme, logo_path, args.os_name, current_version_data, show_all_tags, custom)
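Review bot: The added line `# df.to_excel(spreadsheet_output_file)` is commented-out code placed beside an already commented-out `generate_documents` call; if it is a debugging leftover it should be removed before merge, and if it records an intended alternative a short explanation should say so. With the DataFrame now built inside `generate_excel` via `baseline.to_dataframe()`, it is worth confirming whether `df` is still used anywhere in `guidance`; the function body continues outside this hunk.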
diff --git a/src/mscp/generate/profiles.py b/src/mscp/generate/profiles.py
index 0ad08cee6..096468b78 100644
--- a/src/mscp/generate/profiles.py
+++ b/src/mscp/generate/profiles.py
@@ -4,16 +4,165 @@
import logging
from pathlib import Path
+from typing import List, Dict, Any
+from collections import defaultdict
+from datetime import date
from icecream import ic
+
# Local python modules
from src.mscp.common_utils.config import config
from src.mscp.classes.baseline import Baseline
+from src.mscp.classes.macsecurityrule import MacSecurityRule
+from src.mscp.classes.payload import Payload
from src.mscp.common_utils.file_handling import open_file, open_yaml, make_dir
+from src.mscp.common_utils.run_command import run_command
+
# Initialize local logger
logger = logging.getLogger(__name__)
+
+def get_payload_content_by_type(rules: List[MacSecurityRule]) -> Dict[str, List[Dict[str, Any]]]:
+ """
+ Group the payload_content of Mobileconfigpayloads by their payload_type across a list of MacSecurityRule objects.
+
+ Args:
+ rules (List[MacSecurityRule]): A list of MacSecurityRule objects.
+
+ Returns:
+ Dict[str, List[Dict[str, Any]]]: A dictionary where the keys are payload_types and the values
+ are lists of payload_content dictionaries.
+ """
+ grouped_content = defaultdict(list)
+
+ for rule in rules:
+ if rule.mobileconfig:
+ for payload in rule.mobileconfig_info:
+ payload_type = payload.payload_type
+ payload_content = payload.payload_content
+
+ # Merge settings for the same payload_type if needed
+ existing_content = next((item for item in grouped_content[payload_type] if item == payload_content), None)
+ if not existing_content:
+ grouped_content[payload_type].append(payload_content)
+ else:
+ # Merge list values for the same key
+ for key, value in payload_content.items():
+ if isinstance(value, list):
+ existing_content.setdefault(key, []).extend(value)
+ else:
+ existing_content[key] = value
+
+ return dict(grouped_content)
+
+
+def sign_config_profile(in_file: Path, out_file: Path, cert_hash: str) -> None:
+ """
+ Signs the configuration profile using the identity associated with the provided hash
+
+ Args:
+ in_file (Path): The file being signed.
+ out_file (Path): The file being written to.
+ hash (str): The hash string to use for signing.
+ """
+
+ cmd = f"security cms -SZ {cert_hash} -i {in_file} -o {out_file}"
+ output, error = run_command(cmd)
+
+ if output:
+ logger.info(f"Signed Configuration profile written to {out_file}")
+
+
def generate_profiles(build_path: Path, baseline_name: str, baseline: Baseline, hash: str = "", signing: bool = False) -> None:
+ unsigned_mobileconfig_output_path: Path = Path(build_path, "mobileconfigs", "unsigned")
+ signed_mobileconfig_output_path: Path = Path(build_path, "mobileconfigs", "signed")
+ settings_plist_output_path: Path = Path(build_path, "mobileconfigs", "preferences")
+ create_date: date = date.today()
+
manifests_file: dict = open_yaml(Path(config.get("includes_dir", ""), "supported_payloads.yaml"))
- ic(manifests_file)
+
+ make_dir(unsigned_mobileconfig_output_path)
+ make_dir(settings_plist_output_path)
+
+ if signing:
+ make_dir(signed_mobileconfig_output_path)
+
+ profile_errors: List = [
+ rule for profile in baseline.profile
+ for rule in profile.rules
+ if rule.mobileconfig and any(
+ payload.payload_type not in manifests_file.get("payloads_types", [])
+ for payload in rule.mobileconfig_info
+ )
+ ]
+
+ valid_rules: List = [
+ rule for profile in baseline.profile
+ for rule in profile.rules
+ if rule.mobileconfig and any(
+ payload.payload_type in manifests_file.get("payloads_types", [])
+ for payload in rule.mobileconfig_info
+ )
+ ]
+
+ grouped_payloads: dict = get_payload_content_by_type(valid_rules)
+
+ if len(profile_errors) != 0:
+ logger.info(f"There were errors found in {len(profile_errors)} rules")
+ for error in profile_errors:
+ logger.info(f"Correct the following rule: {error.rule_id}")
+
+ for payload_type, settings_list in grouped_payloads.items():
+ logger.debug(f"Payload Type: {payload_type}")
+ logger.debug(f"Settings List: {settings_list}")
+ payload_base_name = f"com.apple{payload_type}" if payload_type.startswith(".") else payload_type
+ unsigned_mobileconfig_file_path = unsigned_mobileconfig_output_path / f"{payload_base_name}.mobileconfig"
+ settings_plist_file_path = settings_plist_output_path / f"{payload_base_name}.plist"
+
+ if signing:
+ signed_mobileconfig_file_path = signed_mobileconfig_output_path / f"{payload_base_name}.mobileconfig"
+
+ identifier = f"{payload_type}.{baseline_name}"
+ description = (
+ f"Created: {create_date}\n"
+ f"Configuration settings for the {payload_type} preference domain."
+ )
+ organization = "macOS Security Compliance Project"
+ displayname = f"[{baseline_name}] {payload_type} settings"
+
+ new_profile = Payload(
+ identifier=identifier,
+ organization=organization,
+ description=description,
+ displayname=displayname,
+ )
+
+ if payload_type == "com.apple.ManagedClient.preferences":
+ for settings in settings_list:
+ for domain, payload_content in settings.items():
+ new_profile.add_mcx_payload([domain, "Forced", payload_content], baseline_name)
+ ic(new_profile)
+ else:
+ settings: dict = {k: v for d in settings_list for k, v in d.items()}
+ new_profile.add_payload(payload_type, settings, baseline_name)
+
+ new_profile.save_to_plist(unsigned_mobileconfig_file_path)
+
+ if signing:
+ sign_config_profile(unsigned_mobileconfig_file_path, signed_mobileconfig_file_path, hash)
+
+ new_profile.finalize_and_save_plist(settings_plist_file_path)
+
+ # Final message
+ print(
+ f"""
+ CAUTION: These configuration profiles are intended for evaluation in a TEST
+ environment. Certain configuration profiles (Smartcards), when applied could
+ leave a system in a state where a user can no longer login with a password.
+ Please use caution when applying configuration settings to a system.
+
+ NOTE: If an MDM is already being leveraged, many of these profile settings may
+ be available through the vendor.
+ """
+ )