snoopy82481 · snoopy82481 · Jan 10, 2025 · Dec 16, 2024
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -2,7 +2,41 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
-== [Sequoia, Revision 1.0] - 2024-XX-XX
+== [Sequoia, Revision 1.1] - 2024-12-16]
+* Rules
+** Added Rules
+*** os_iphone_mirroring_disable
+*** os_mail_summary_disable
+*** os_photos_enhanced_search_disable
+*** system_settings_external_intelligence_disable
+*** system_settings_external_intelligence_sign_in_disable
+** Modified Rules
+*** os_sleep_and_display_sleep_apple_silicon_enable
+*** os_sudo_log_enforce
+*** os_world_writable_library_folder_configure
+*** os_password_autofill_disable
+*** pwpolicy_alpha_numeric_enforce
+*** pwpolicy_custom_regex_enforce
+*** pwpolicy_lower_case_character_enforce.yaml
+*** pwpolicy_max_lifetime_enforce
+*** pwpolicy_minimum_lifetime_enforce
+*** pwpolicy_history_enforce
+*** pwpolicy_account_lockout_timeout_enforce
+*** pwpolicy_account_lockout_enforce
+*** pwpolicy_prevent_dictionary_words
+*** pwpolicy_simple_sequence_disable
+*** pwpolicy_special_character_enforce
+*** pwpolicy_upper_case_character_enforce.yaml
+*** system_settings_improve_assistive_voice_disable
+** Removed Rules
+*** system_settings_cd_dvd_sharing_disable
+** Bug Fixes
+* Baselines
+** Added DISA STIG v1r1
+** Added CIS Level (Draft -> Final)
+** Updated CNSSI-1253
+
+== [Sequoia, Revision 1.0] - 2024-09-12
 
 * Rules
 ** Added Rules
@@ -44,7 +78,7 @@ This document provides a high-level view of the changes to the macOS Security Co
 **** pwpolicy_minimum_length_enforce
 **** pwpolicy_simple_sequence_disable
 **** pwpolicy_special_character_enforce
-** Deleted Rules
+** Removed Rules
 *** os_firewall_log_enable
 *** os_gatekeeper_rearm
 *** os_safari_popups_disabled
@@ -59,4 +93,4 @@ This document provides a high-level view of the changes to the macOS Security Co
 ** generate_baseline
 ** generate_mappings
 ** generate_scap
-*** Added support for severity
+*** Added support for severity
diff --git a/README.adoc b/README.adoc
@@ -53,6 +53,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
 |Dan Brodjieski|NASA
 |John Mahlman IV|Leidos
 |Aaron Kegerreis|DISA
+|Henry Stamerjohann|Zentral Pro Services GmbH
 |Marco A Piñeryo II|State Department
 |Jason Blake|NIST
 |Blair Heiserman|NIST

diff --git a/VERSION.yaml b/VERSION.yaml
@@ -1,5 +1,5 @@
 os: "15.0"
 platform: macOS
-version: "Sequoia Guidance, Revision 1.0"
+version: "Sequoia Guidance, Revision 1.1"
 cpe: o:apple:macos:15.0
-date: "2024-09-12"
+date: "2024-12-16"
diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml
@@ -1,6 +1,6 @@
-title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 2"
+title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3"
 description: |
-  This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 2 security baseline.
+  This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -79,14 +79,16 @@ profile:
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_image_generation_disable
+      - os_iphone_mirroring_disable
       - os_ir_support_disable
       - os_loginwindow_adminhostinfo_undefined
+      - os_mail_summary_disable
       - os_mdm_require
       - os_nfsd_disable
       - os_on_device_dictation_enforce
-      - os_password_autofill_disable
       - os_password_proximity_disable
       - os_password_sharing_disable
+      - os_photos_enhanced_search_disable
       - os_policy_banner_loginwindow_enforce
       - os_policy_banner_ssh_configure
       - os_policy_banner_ssh_enforce
@@ -121,14 +123,9 @@ profile:
       - pwpolicy_account_inactivity_enforce
       - pwpolicy_account_lockout_enforce
       - pwpolicy_account_lockout_timeout_enforce
-      - pwpolicy_alpha_numeric_enforce
-      - pwpolicy_custom_regex_enforce
       - pwpolicy_history_enforce
-      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
-      - pwpolicy_minimum_lifetime_enforce
       - pwpolicy_simple_sequence_disable
-      - pwpolicy_special_character_enforce
   - section: "systemsettings"
     rules:
       - system_settings_apple_watch_unlock_disable
@@ -138,6 +135,8 @@ profile:
       - system_settings_bluetooth_sharing_disable
       - system_settings_content_caching_disable
       - system_settings_diagnostics_reports_disable
+      - system_settings_external_intelligence_disable
+      - system_settings_external_intelligence_sign_in_disable
       - system_settings_filevault_enforce
       - system_settings_find_my_disable
       - system_settings_firewall_enable

diff --git a/baselines/800-53r5_high.yaml b/baselines/800-53r5_high.yaml
@@ -86,16 +86,18 @@ profile:
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_image_generation_disable
+      - os_iphone_mirroring_disable
       - os_ir_support_disable
       - os_loginwindow_adminhostinfo_undefined
+      - os_mail_summary_disable
       - os_mdm_require
       - os_newsyslog_files_owner_group_configure
       - os_newsyslog_files_permissions_configure
       - os_nfsd_disable
       - os_on_device_dictation_enforce
-      - os_password_autofill_disable
       - os_password_proximity_disable
       - os_password_sharing_disable
+      - os_photos_enhanced_search_disable
       - os_policy_banner_loginwindow_enforce
       - os_policy_banner_ssh_configure
       - os_policy_banner_ssh_enforce
@@ -133,14 +135,9 @@ profile:
       - pwpolicy_account_inactivity_enforce
       - pwpolicy_account_lockout_enforce
       - pwpolicy_account_lockout_timeout_enforce
-      - pwpolicy_alpha_numeric_enforce
-      - pwpolicy_custom_regex_enforce
       - pwpolicy_history_enforce
-      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
-      - pwpolicy_minimum_lifetime_enforce
       - pwpolicy_simple_sequence_disable
-      - pwpolicy_special_character_enforce
       - pwpolicy_temporary_or_emergency_accounts_disable
   - section: "systemsettings"
     rules:
@@ -151,10 +148,11 @@ profile:
       - system_settings_bluetooth_disable
       - system_settings_bluetooth_settings_disable
       - system_settings_bluetooth_sharing_disable
-      - system_settings_cd_dvd_sharing_disable
       - system_settings_content_caching_disable
       - system_settings_critical_update_install_enforce
       - system_settings_diagnostics_reports_disable
+      - system_settings_external_intelligence_disable
+      - system_settings_external_intelligence_sign_in_disable
       - system_settings_filevault_enforce
       - system_settings_find_my_disable
       - system_settings_firewall_enable

diff --git a/baselines/800-53r5_low.yaml b/baselines/800-53r5_low.yaml
@@ -77,13 +77,15 @@ profile:
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_image_generation_disable
+      - os_iphone_mirroring_disable
       - os_ir_support_disable
+      - os_mail_summary_disable
       - os_mdm_require
       - os_nfsd_disable
       - os_on_device_dictation_enforce
-      - os_password_autofill_disable
       - os_password_proximity_disable
       - os_password_sharing_disable
+      - os_photos_enhanced_search_disable
       - os_policy_banner_loginwindow_enforce
       - os_policy_banner_ssh_configure
       - os_policy_banner_ssh_enforce
@@ -107,25 +109,21 @@ profile:
     rules:
       - pwpolicy_account_lockout_enforce
       - pwpolicy_account_lockout_timeout_enforce
-      - pwpolicy_alpha_numeric_enforce
-      - pwpolicy_custom_regex_enforce
       - pwpolicy_history_enforce
-      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
-      - pwpolicy_minimum_lifetime_enforce
       - pwpolicy_simple_sequence_disable
-      - pwpolicy_special_character_enforce
   - section: "systemsettings"
     rules:
       - system_settings_airplay_receiver_disable
       - system_settings_automatic_login_disable
       - system_settings_bluetooth_disable
       - system_settings_bluetooth_settings_disable
       - system_settings_bluetooth_sharing_disable
-      - system_settings_cd_dvd_sharing_disable
       - system_settings_content_caching_disable
       - system_settings_critical_update_install_enforce
       - system_settings_diagnostics_reports_disable
+      - system_settings_external_intelligence_disable
+      - system_settings_external_intelligence_sign_in_disable
       - system_settings_find_my_disable
       - system_settings_firewall_enable
       - system_settings_firewall_stealth_mode_enable

diff --git a/baselines/800-53r5_moderate.yaml b/baselines/800-53r5_moderate.yaml
@@ -84,16 +84,18 @@ profile:
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_image_generation_disable
+      - os_iphone_mirroring_disable
       - os_ir_support_disable
       - os_loginwindow_adminhostinfo_undefined
+      - os_mail_summary_disable
       - os_mdm_require
       - os_newsyslog_files_owner_group_configure
       - os_newsyslog_files_permissions_configure
       - os_nfsd_disable
       - os_on_device_dictation_enforce
-      - os_password_autofill_disable
       - os_password_proximity_disable
       - os_password_sharing_disable
+      - os_photos_enhanced_search_disable
       - os_policy_banner_loginwindow_enforce
       - os_policy_banner_ssh_configure
       - os_policy_banner_ssh_enforce
@@ -130,14 +132,9 @@ profile:
       - pwpolicy_account_inactivity_enforce
       - pwpolicy_account_lockout_enforce
       - pwpolicy_account_lockout_timeout_enforce
-      - pwpolicy_alpha_numeric_enforce
-      - pwpolicy_custom_regex_enforce
       - pwpolicy_history_enforce
-      - pwpolicy_max_lifetime_enforce
       - pwpolicy_minimum_length_enforce
-      - pwpolicy_minimum_lifetime_enforce
       - pwpolicy_simple_sequence_disable
-      - pwpolicy_special_character_enforce
       - pwpolicy_temporary_or_emergency_accounts_disable
   - section: "systemsettings"
     rules:
@@ -148,10 +145,11 @@ profile:
       - system_settings_bluetooth_disable
       - system_settings_bluetooth_settings_disable
       - system_settings_bluetooth_sharing_disable
-      - system_settings_cd_dvd_sharing_disable
       - system_settings_content_caching_disable
       - system_settings_critical_update_install_enforce
       - system_settings_diagnostics_reports_disable
+      - system_settings_external_intelligence_disable
+      - system_settings_external_intelligence_sign_in_disable
       - system_settings_filevault_enforce
       - system_settings_find_my_disable
       - system_settings_firewall_enable