# (C) 2016-2017 Tenable Network Security, Inc. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # # $Revision: 1.2 $ # $Date: 2017/01/12 $ # # description : This .audit file is written against the Center for Internet # Security benchmark for Apple MacOS 10.12 Sierra, version 1.0.0. # https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf # type : CMD_EXEC description : "MacOS 10.12 Sierra is installed" cmd : "/usr/bin/sw_vers | /usr/bin/grep 'ProductVersion'" expect : "^ProductVersion[\\s]*:[\\s]*10\.12" description : "Apple MacOS 10.12 Sierra Level 1, version 1.0.0" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" type : MACOSX_DEFAULTS_READ description : "1.2 Enable Auto Update" info : "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." reference : "800-53|SI-2,800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. 
Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" plist_name : "/Library/Preferences/com.apple.SoftwareUpdate" plist_item : "AutomaticCheckEnabled" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "1.3 Enable app update installs" info : "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" reference : "800-53|SI-2,800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." plist_name : "/Library/Preferences/com.apple.commerce" plist_item : "AutoUpdate" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "1.4 Enable system data files and security update installs - 'ConfigDataInstall'" info : "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" reference : "800-53|SI-2,800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. 
Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true" plist_name : "/Library/Preferences/com.apple.SoftwareUpdate" plist_item : "ConfigDataInstall" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "1.4 Enable system data files and security update installs - 'CriticalUpdateInstall'" info : "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" reference : "800-53|SI-2,800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" plist_name : "/Library/Preferences/com.apple.SoftwareUpdate" plist_item : "CriticalUpdateInstall" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "1.5 Enable OS X update installs" info : "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" reference : "800-53|SI-2,800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. 
Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" plist_name : "/Library/Preferences/com.apple.commerce" plist_item : "AutoUpdateRestartRequired" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "2.1.1 Disable Bluetooth, if no paired devices exist - Bluetooth is disabled" plist_name : "/Library/Preferences/com.apple.Bluetooth" plist_item : "ControllerPowerState" regex : "0" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "2.1.1 Disable Bluetooth, if no paired devices exist - Bluetooth is disabled" info : "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access." reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. In Terminal, run the following commands: sudo /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 sudo killall -HUP blued" plist_name : "/Library/Preferences/com.apple.Bluetooth" plist_item : "ControllerPowerState" regex : "0" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "2.1.1 Disable Bluetooth, if no paired devices exist - Bluetooth is paired" info : "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access." 
reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. In Terminal, run the following commands: sudo /usr/bin/defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 sudo killall -HUP blued" cmd : "/usr/sbin/system_profiler SPBluetoothDataType | /usr/bin/grep Connectable" expect : "Connectable: Yes" type : CMD_EXEC description : "2.1.2 Disable Bluetooth 'Discoverable' mode when not pairing devices" info : "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Bluetooth 3. Turn Bluetooth Off" cmd : "/usr/sbin/system_profiler SPBluetoothDataType | /usr/bin/grep -i discoverable" expect : "Discoverable:[\\s]*Off" type : CMD_EXEC description : "2.1.3 Show Bluetooth status in menu bar" info : "Enabling 'Show Bluetooth status in menu bar' is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, Discoverable, what paired devices exist and are currently active." reference : "800-53|CM-7,CSF|PR.IP-1,CSF|PR.PT-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Bluetooth, turn Show Bluetooth Status In Menu Bar on. 
Alternatively run the following in the command line: /usr/bin/defaults write com.apple.systemuiserver menuExtras -array-add '/System/Library/CoreServices/Menu Extras/Bluetooth.menu'" cmd : "/usr/bin/defaults read com.apple.systemuiserver menuExtras | /usr/bin/grep Bluetooth.menu" expect : "/System/Library/CoreServices/Menu Extras/Bluetooth\\.menu" type : CMD_EXEC description : "2.2.3 Restrict NTP server to loopback interface - restrict lo" info : "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." solution : "Perform the following to implement the prescribed state - 1. Run the following command in Terminal-sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the filerestrict lo interface ignore wildcard interface listen lo" reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" cmd : "/bin/cat /etc/ntp-restrict.conf | /usr/bin/grep 'restrict lo'" expect : "restrict[\\s]*lo" type : CMD_EXEC description : "2.2.3 Restrict NTP server to loopback interface - interface ignore wildcard" info : "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." solution : "Perform the following to implement the prescribed state - 1. Run the following command in Terminal-sudo vim /etc/ntp-restrict.conf 2. 
Add the following lines to the filerestrict lo interface ignore wildcard interface listen lo" reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" cmd : "/bin/cat /etc/ntp-restrict.conf | /usr/bin/grep 'interface ignore wildcard'" expect : "interface[\\s]*ignore[\\s]*wildcard" type : CMD_EXEC description : "2.2.3 Restrict NTP server to loopback interface - interface listen lo" info : "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." solution : "Perform the following to implement the prescribed state - 1. Run the following command in Terminal-sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the filerestrict lo interface ignore wildcard interface listen lo" reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" cmd : "/bin/cat /etc/ntp-restrict.conf | /usr/bin/grep 'interface listen lo'" expect : "interface[\\s]*listen[\\s]*lo" type : MACOSX_DEFAULTS_READ description : "2.3.1 Set an inactivity interval of 10 minutes or less for the screen saver" info : "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time." reference : "800-53|AC-11,CSCv6|16.5,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Open System Preferences Select Desktop & Screen Saver Select Screen Saver Set Start after to 10 minutes or less Alternatively: In Terminal, run one of the the following commands: /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 900 There are anomalies if the command line is used make the setting something other than what is available in the GUI Menu. 
Choose 15 minutes" plist_name : "com.apple.screensaver" plist_item : "idleTime" plist_user : "all" byhost : YES regex : ".* = ([1-9]|[1-8][0-9]|9[0-9]|[1-8][0-9]{2}|900)$" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver" info : "Users of the system can easily assume that the computer is protected when the display goes to sleep. The computer should be configured so that the screen is locked whenever the display turns off automatically. NOTE : CIS recommends this value be 'longer than the Screen Saver'. An assumed value of '10' is used here." reference : "800-53|AC-11,CSCv6|16.5,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1NS" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Energy Saver, drag the slider for 'Put the display(s) to sleep...' to a reasonable number, but longer than the screen saver setting. The Mac will display a warning if the number is too short. Alternatively, use the following command: sudo /usr/bin/pmset -c displaysleep 0 Note: The -c flag means 'wall power.' Different settings must be used for other power sources" cmd : "/usr/bin/pmset -g | /usr/bin/grep displaysleep" expect : "^[\\s]*displaysleep[\\s]+(0|[1-9]\\d{1,})[\\s]*$" type : CMD_EXEC description : "2.3.4 Set a screen corner to Start Screen Saver" info : "Ensuring the user has a quick method to lock their screen may reduce opportunity for individuals in close physical proximity of the device to see screen contents." reference : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Desktop & Screen Saver: Screen Saver: Hot Corners, make sure at least one Active Screen Corner is set to Start Screen Saver. Make sure the user knows about this feature. 
The screen corners can be set using the defaults command, but the permutations of combinations are many. The plist file to check is ~/Library/Preferences/com.apple.dock and the keys are: wvous-bl-corner wvous-br-corner wvous-tl-corner wvous-tr-corner There are also modifier keys to check and various values for each of these keys. A value of 5 means the corner will start the screen saver. The corresponding wvous-xx-modifier key should be set to 0." cmd : "/usr/bin/defaults read ~/Library/Preferences/com.apple.dock | /usr/bin/grep -i corner" expect : "\".*-corner\"[\\s]*=[\\s]*5;$" type : CMD_EXEC description : "2.4.1 Disable Remote Apple Events" info : "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal: sudo /usr/sbin/systemsetup -setremoteappleevents off" cmd : "/usr/sbin/systemsetup -getremoteappleevents" expect : "^Remote Apple Events:[\\s]*Off" type : CMD_EXEC description : "2.4.2 Disable Internet Sharing" info : "Disabling Internet Sharing reduces the remote attack surface of the system." 
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Open System Preferences Select Sharing Uncheck Internet Sharing" cmd : "/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.nat | /usr/bin/grep -i Enabled | /usr/bin/grep -v 0 | /usr/bin/awk '{print} END {if (NR == 0) print\"pass\"}'" expect : "pass" type : CMD_EXEC description : "2.4.3 Disable Screen Sharing" info : "Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer. NOTE : This check only reads the list of loaded launchd jobs. It deliberately does not run 'launchctl load' against the screen sharing plist, because an audit must not risk starting the very remote-access service it is testing for." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Open System Preferences Select Sharing Uncheck Screen Sharing" cmd : "/bin/launchctl list | /usr/bin/grep com.apple.screensharing | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "2.4.4 Disable Printer Sharing" info : "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." 
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Open System Preferences Select Sharing Uncheck Printer Sharing" cmd : "/usr/sbin/system_profiler SPPrintersDataType" expect : "(The[\\s]*printers[\\s]*list[\\s]*is[\\s]*empty|Shared:[\\s]+No)" type : CMD_EXEC description : "2.4.5 Disable Remote Login" info : "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers. OS X does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. OS X no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most OS X computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server." reference : "800-53|AC-17,CIP|005-5-R2,800-171|3.1.1,800-171|3.1.2,CSF|PR.AC-3,CSF|PR.PT-4,ITSG-33|AC-17,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal: sudo systemsetup -setremotelogin off" cmd : "/usr/sbin/systemsetup -getremotelogin" expect : "^Remote[\\s]*Login:[\\s]Off$" type : CMD_EXEC description : "2.4.6 Disable DVD or CD Sharing" info : "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data." 
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck DVD or CD Sharing" cmd : "/bin/launchctl list | /usr/bin/egrep ODSAgent | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "2.4.7 Disable Bluetooth Sharing" info : "Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system. NOTE : Nessus has not performed this query, and this check is only provided for informational purposes." reference : "LEVEL|1NS" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Open System Preferences Select Sharing Uncheck Bluetooth Sharing" cmd : "/usr/sbin/system_profiler SPBluetoothDataType | /usr/bin/grep State | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "(none|State:[\\s]*Disabled)" type : CMD_EXEC description : "2.4.8 Disable File Sharing - AppleFileServer" info : "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." 
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal to turn off AFP from the command line: sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist Run the following command in Terminal to turn off SMB sharing from the CLI: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" cmd : "/bin/launchctl list | /usr/bin/grep AppleFileServer | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "2.4.8 Disable File Sharing - SMB" info : "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." 
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal to turn off AFP from the command line: sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist Run the following command in Terminal to turn off SMB sharing from the CLI: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.smb.server EnabledServices sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" cmd : "/bin/launchctl list | /usr/bin/grep smbd | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "2.4.9 Disable Remote Management - 'ARDAgent is not running'" info : "Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Sharing, turn off Remote Management." 
cmd : "/bin/ps -ef | /usr/bin/egrep ARDAgent | /usr/bin/grep -v egrep | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : FILE_CHECK_NOT description : "2.4.9 Disable Remote Management - 'ARDAgent file does not exist'" info : "Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring. NOTE : The ARDAgent binary is part of the base macOS install and may be present even when Remote Management is turned off; if this item fails, confirm the result against the 'ARDAgent is not running' process check before treating it as a finding." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Sharing, turn off Remote Management." file : "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" type : CMD_EXEC description : "2.6.1 Enable FileVault - Encryption Status" info : "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." reference : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" cmd : "/usr/sbin/diskutil cs list | /usr/bin/grep -i encryption" expect : "Encryption Status:[\\s]*Unlocked" type : CMD_EXEC description : "2.6.1 Enable FileVault - Encryption Type" info : "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." 
reference : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" cmd : "/usr/sbin/diskutil cs list | /usr/bin/grep -i encryption" expect : "Encryption Type:[\\s]*AES-XTS" type : CMD_EXEC description : "2.6.2 Enable Gatekeeper" info : "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." reference : "800-53|CM-7,800-171|3.4.8,CSF|PR.IP-1,CSF|PR.PT-3,ISO/IEC-27001|A.12.6.2,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select General 4. Select Allow applications downloaded from: Mac App Store and identified developers Alternatively, perform the following to ensure the system is configured as prescribed: 1. Run the following command in Terminal: sudo spctl --master-enable" cmd : "/usr/sbin/spctl --status" expect : "assessments[\\s]*enabled" type : MACOSX_DEFAULTS_READ description : "2.6.3 Enable Firewall" info : "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." reference : "800-53|SC-7,CSCv6|9.2,800-171|3.13.1,ITSG-33|SC-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select Firewall 4. Select Turn On Firewall Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.alf globalstate -int VALUE 2. 
Where VALUE is: 1 = on for specific services 2 = on for essential services" plist_name : "/Library/Preferences/com.apple.alf" plist_item : "globalstate" regex : "[12]" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "2.6.4 Enable Firewall Stealth Mode" info : "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." reference : "800-53|SC-7,CSCv6|9.2,800-171|3.13.1,ITSG-33|SC-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select Firewall Options 4. Select Enable stealth mode Alternatively: 1. Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode" expect : "Stealth mode enabled" type : CMD_EXEC description : "2.6.5 Review Application Firewall Rules" info : "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet. Which applications are allowed access to accept incoming connections through the firewall is important to understand. NOTE : This check passes when 10 or fewer applications are allowed to accept incoming connections. The threshold is an assumed value, not a CIS requirement; the allowed-application list should still be reviewed manually." reference : "800-53|SC-7,CSCv6|9.2,800-171|3.13.1,ITSG-33|SC-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select Firewall Options 4. Select unneeded rules 5. Select the minus sign below to delete them Alternatively: 1. Edit and run the following command in Terminal to remove specific applications: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove APPLICATION_PATH 2. 
Where APPLICATION_PATH is the path of the application to be removed" cmd : "/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | /usr/bin/grep Allow | /usr/bin/wc -l" expect : "^[\\s]*([0-9]|10)[\\s]*$" type : MACOSX_DEFAULTS_READ description : "2.9 Pair the remote control infrared receiver if enabled" plist_name : "/Library/Preferences/com.apple.driver.AppleIRController" plist_item : "DeviceEnabled" regex : "0" plist_option : CANNOT_BE_NULL description : "2.9 Pair the remote control infrared receiver if enabled" info : "An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information." reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform one of the following to implement the prescribed state: Disable the remote control infrared receiver: 1. Open System Preferences 2. Select Security & Privacy 3. Select the General tab 4. Select Advanced 5. Check Disable remote control infrared receiver Pair a remote control infrared receiver 1. Holding the remote close to the computer, point the remote at the front of the computer. 2. Pair the Apple Remote. - If you have an Apple Remote with seven buttons, press and hold both the Right and Menu buttons on the remote until the paired-remote icon appears on your screen - If you have an Apple Remote with six buttons, press and hold both the Next and Menu buttons on the remote until the paired-remote icon appears on your screen" type : MACOSX_DEFAULTS_READ description : "2.9 Pair the remote control infrared receiver if enabled - 'DeviceEnabled = 1'" info : "An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information." 
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform one of the following to implement the prescribed state: Disable the remote control infrared receiver: 1. Open System Preferences 2. Select Security & Privacy 3. Select the General tab 4. Select Advanced 5. Check Disable remote control infrared receiver Pair a remote control infrared receiver 1. Holding the remote close to the computer, point the remote at the front of the computer. 2. Pair the Apple Remote. - If you have an Apple Remote with seven buttons, press and hold both the Right and Menu buttons on the remote until the paired-remote icon appears on your screen - If you have an Apple Remote with six buttons, press and hold both the Next and Menu buttons on the remote until the paired-remote icon appears on your screen" plist_name : "/Library/Preferences/com.apple.driver.AppleIRController" plist_item : "DeviceEnabled" regex : "1" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "2.9 Pair the remote control infrared receiver if enabled - 'UIDFilter != none'" info : "An infrared remote can be used from a distance to circumvent physical security controls. A remote could also be used to page through a document or presentation, thus revealing sensitive information." reference : "800-53|AC-19,800-171|3.1.18,CSF|PR.AC-3,ISO/IEC-27001|A.6.2.1,ITSG-33|AC-19,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform one of the following to implement the prescribed state: Disable the remote control infrared receiver: 1. Open System Preferences 2. Select Security & Privacy 3. Select the General tab 4. Select Advanced 5. Check Disable remote control infrared receiver Pair a remote control infrared receiver 1. 
Holding the remote close to the computer, point the remote at the front of the computer. 2. Pair the Apple Remote. - If you have an Apple Remote with seven buttons, press and hold both the Right and Menu buttons on the remote until the paired-remote icon appears on your screen - If you have an Apple Remote with six buttons, press and hold both the Next and Menu buttons on the remote until the paired-remote icon appears on your screen" cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController | /usr/bin/grep UIDFilter | /usr/bin/grep none | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "^[\\s]*none[\\s]*$" type : MACOSX_DEFAULTS_READ description : "2.10 Enable Secure Keyboard Entry in terminal.app" info : "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." reference : "800-53|CM-6,CSF|PR.IP-1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" plist_name : "com.apple.Terminal" plist_item : "SecureKeyboardEntry" plist_user : "all" regex : "1" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "3.2 Enable security auditing" info : "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." 
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,TBA-FIISB|45.1.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal: sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" cmd : "/bin/launchctl list | /usr/bin/grep -i auditd" expect : "com.apple.auditd" type : CMD_EXEC description : "4.2 Enable 'Show Wi-Fi status in menu bar'" info : "Enabling 'Show Wi-Fi status in menu bar' is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Network 3. Check Show Wi-Fi status in menu bar" cmd : "/usr/bin/defaults read com.apple.systemuiserver menuExtras | /usr/bin/grep AirPort\\.menu" expect : "/System/Library/CoreServices/Menu Extras/Airport.\\.menu" type : CMD_EXEC description : "4.4 Ensure http server is not running" info : "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." 
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true" cmd : "/bin/ps -ef | /usr/bin/grep -i httpd | /usr/bin/grep -v grep" expect : "" dont_echo_cmd : YES type : CMD_EXEC description : "4.5 Ensure ftp server is not running" info : "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Ensure that the FTP Server is not running and is not set to start at boot Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" cmd : "/bin/launchctl list | /usr/bin/egrep ftpd | /usr/bin/cut -d'.' -f3 | /usr/bin/egrep '^ftpd'" expect : "" type : CMD_EXEC description : "4.6 Ensure nfs server is not running" info : "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." 
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export" cmd : "/bin/ps -ef | /usr/bin/grep -i nfsd | /usr/bin/grep -v grep | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'" expect : "pass" type : CMD_EXEC description : "5.1.1 Secure Home Folders" info : "Allowing all users to view the top level of all networked users' home folders may not be desirable since it may lead to the revelation of sensitive information." reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run one of the following commands in Terminal: sudo chmod -R og-rwx /Users/<username> sudo chmod -R og-rw /Users/<username> Substitute user name in <username>. This command has to be run for each user account with a local home folder. Impact: If implemented, users will not be able to use the 'Public' folders in other users' home folders. 'Public' folders with appropriate permissions would need to be set up in the /Shared folder." cmd : "/usr/bin/find /Users -type d ! -perm -1000 -maxdepth 1 -a -perm +0066 | /usr/bin/egrep -v '^/Users$' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "5.1.2 Check System Wide Applications for appropriate permissions" info : "Unauthorized modifications of applications could lead to the execution of malicious code."
reference : "800-53|AC-6,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.5,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Change permissions so that 'Others' can only execute. (Example Below) sudo chmod -R o-w /Applications/Bad\ Permissions.app/" cmd : "/usr/bin/find /Applications -iname '*\.app' -type d -perm -2 -ls | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "5.1.3 Check System folder for world writable files" info : "Folders in /System should not be world writable. The audit check excludes the 'Drop Box' folder that is part of Apple's default user template." reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Change permissions so that 'Others' can only execute. (Example Below) sudo chmod -R o-w /Bad/Directory" cmd : "/usr/bin/find /System -type d -perm -2 -ls | /usr/bin/grep -v 'Public/Drop Box' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : CMD_EXEC description : "5.2.1 Configure account lockout threshold" info : "The account lockout feature mitigates brute-force password attacks on the system." reference : "800-53|AC-7,CSCv6|16.7,800-171|3.1.8,ITSG-33|AC-7,TBA-FIISB|45.1.2,TBA-FIISB|45.2.1,TBA-FIISB|45.2.2,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. 
Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/grep -A 1 'policyAttributeMaximumFailedAuthentications' | /usr/bin/tail -1 | /usr/bin/cut -d'>' -f2 | /usr/bin/cut -d '<' -f1" expect : "[1-3]" type : CMD_EXEC description : "5.2.2 Set a minimum password length" info : "Information systems not protected with strong password schemes, including passwords of a minimum length, provide the opportunity for anyone to crack the password and gain access to the system, and can cause the device, information, or the local network to be compromised or subjected to a Denial of Service." reference : "800-53|IA-5,CSF|PR.AC-1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'Must be a minimum of'" expect : "must[\\s]+be[\\s]+a[\\s]+minimum[\\s]+of[\\s]+([8-9]|1[0-9]|2[0-9])[\\s]+characters" type : CMD_EXEC description : "5.2.3 Complex passwords must contain an Alphabetic Character - 'Policy Check'" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep Alpha" expect : "RequiresAlpha" type : CMD_EXEC description : "5.2.3 Complex passwords must contain an Alphabetic Character - 'RequiresAlpha'" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system."
reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,800-171|3.5.10,800-171|3.5.8,800-171|3.5.9,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep Alpha" expect : "RequiresAlpha" type : CMD_EXEC description : "5.2.3 Complex passwords must contain an Alphabetic Character - '1 letter'" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system." reference : "800-53|IA-5,CSF|PR.AC-1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'Must contain at least.*letter'" expect : ".*Must[\\s]+contain[\\s]+at[\\s]+least[\\s]+[1-9][\\s]+letter.*" type : CMD_EXEC description : "5.2.4 Complex passwords must contain a Numeric Character - 'Policy Check'" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep Numeric" expect : "RequiresNumeric" type : CMD_EXEC description : "5.2.4 Complex passwords must contain a Numeric Character - 'Numeric'" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system." 
reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,800-171|3.5.10,800-171|3.5.8,800-171|3.5.9,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep Numeric" expect : "RequiresNumeric" type : CMD_EXEC description : "5.2.4 Complex passwords must contain a Numeric Character - '1 number'" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system." reference : "800-53|IA-5,CSF|PR.AC-1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'number'" expect : ".*Must[\\s]+contain[\\s]+at[\\s]+least[\\s]+[1-9][\\s]+number.*" type : CMD_EXEC description : "5.2.5 Complex passwords must contain a Special Character" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system." reference : "800-53|IA-5,CSF|PR.AC-1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. 
Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'Must contain at least.*special'" expect : "Must[\\s]+contain[\\s]+at[\\s]+least[\\s]+[1-9][\\s]+special" type : CMD_EXEC description : "5.2.6 Complex passwords must contain uppercase and lowercase letters" info : "The more complex a password the more resistant it will be against persons seeking unauthorized access to a system." reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,800-171|3.5.10,800-171|3.5.8,800-171|3.5.9,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep com\\.apple\\.uppercaseAndLowercase | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "com\\.apple\\.uppercaseAndLowercase" type : CMD_EXEC description : "5.2.8 Password History" info : "Old passwords should not be reused" reference : "800-53|IA-5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.5,PCI-DSSv3.2|8.2.5,800-171|3.5.8,CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,TBA-FIISB|26.2.3,800-171|3.5.10,800-171|3.5.7,800-171|3.5.9,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state for all pwpolicy controls 1. 
Run the following command in Terminal: pwpolicy -setaccountpolicies Examples in pwpolicy man page and in the back of the Benchmark" cmd : "/usr/bin/pwpolicy -getaccountpolicies | /usr/bin/egrep 'differ from past'" expect : "differ[\\s]+from[\\s]+past[\\s]+(24|2[5-9]|[3-9][0-9])" type : CMD_EXEC description : "5.3 Reduce the sudo timeout period" info : "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since it would be able to make changes as the root user." reference : "800-53|AC-3,HIPAA|164.310(a)(2)(iii),800-171|3.1.1,CN-L3|7.1.2.2(g),CN-L3|7.1.3.2(c),CSF|PR.AC-4,CSF|PR.PT-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Run the following command in Terminal: sudo visudo 2. In the '# Defaults specification' section, add the line: Defaults timestamp_timeout=0" cmd : "/bin/cat /etc/sudoers | /usr/bin/grep -v '#[\\s]*Defaults' | /usr/bin/grep timestamp" expect : "Defaults[\\s]*timestamp_timeout[\\s]*=[\\s]*0" type : CMD_EXEC description : "5.7 Do not enable the 'root' account" info : "Enabling the root account puts the system at risk since any exploit would have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Open System Preferences, Users & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." cmd : "/usr/bin/dscl . -read /Users/root AuthenticationAuthority" expect : "(No such key: AuthenticationAuthority|Disabled)" type : CMD_EXEC description : "5.8 Disable automatic login" info : "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." reference : "800-53|AC-14,ITSG-33|AC-14,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" cmd : "/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow | /usr/bin/grep autoLoginUser | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : MACOSX_DEFAULTS_READ description : "5.9 Require a password to wake the computer from sleep or screen saver" info : "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence." reference : "800-53|AC-11,CSCv6|16.5,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: Run the following command in Terminal: The current user will need to log off and on for changes to take effect. 
defaults write com.apple.screensaver askForPassword -int 1 The current user will need to log off and on for changes to take effect." plist_user : "all" plist_name : "com.apple.screensaver" plist_item : "askForPassword" regex : "1" plist_option : CANNOT_BE_NULL type : CMD_EXEC description : "5.10 Require an administrator password to access system-wide preferences" info : "By requiring a password to unlock System-wide System Preferences the risk is mitigated of a user changing configurations that affect the entire system and requires an admin user to re-authenticate to make changes" reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "In System Preferences: Security, General tab under Advanced, check 'Require an administrator password to access system-wide preferences'" cmd : "/usr/bin/security authorizationdb read system.preferences | /usr/bin/grep 'shared' -A1" expect : "" type : CMD_EXEC description : "5.11 Disable ability to login to another user's active and locked session" info : "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information." 
reference : "800-53|AC-10,ITSG-33|AC-10,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: sudo vi /etc/pam.d/screensaver Locate 'account required pam_group.so no_warn group=admin,wheel fail_safe' Remove 'admin,' Save" cmd : "/usr/bin/grep -i 'group=admin,wheel fail_safe' /etc/pam.d/screensaver | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'" expect : "none" type : MACOSX_DEFAULTS_READ description : "5.14 Do not enter a password-related hint" info : "Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks." reference : "800-53|IA-6,800-171|3.5.11,ITSG-33|IA-6,LEVEL|1NS" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "1. Open System Preferences 2. Select Users & Groups 3. Highlight the user 4. Select Change Password 5. Verify that no text is entered in the Password hint box" plist_name : "/Library/Preferences/com.apple.loginwindow" plist_item : "RetriesUntilHint" regex : "0" plist_option : CAN_BE_NULL type : CMD_EXEC description : "5.18 System Integrity Protection status" info : "Running without System Integrity Protection on a production system runs the risk of modification of system binaries or code injection into system processes." reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3.
The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot. If a change to the status is attempted from the booted Operating System rather than the recovery partition, an error will be generated: csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS." cmd : "/usr/bin/csrutil status" expect : "System Integrity Protection status: enabled" type : MACOSX_DEFAULTS_READ description : "6.1.1 Display login window as name and password" info : "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes." reference : "800-53|AC-6,800-171|3.1.7,CSF|PR.AC-4,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users and Groups 3. Select Login Options 4. Select Name and Password Alternatively: 1. Run the following command in Terminal sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes" plist_name : "/Library/Preferences/com.apple.loginwindow" plist_item : "SHOWFULLNAME" regex : "1" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "6.1.2 Disable 'Show password hints'" info : "Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user." reference : "800-53|IA-6,800-171|3.5.11,ITSG-33|IA-6,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1.
Open System Preferences 2. Select Users & Groups 3. Select Login Options 4. Uncheck Show password hints Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0" plist_name : "/Library/Preferences/com.apple.loginwindow" plist_item : "RetriesUntilHint" regex : "0" plist_option : CAN_BE_NULL type : MACOSX_DEFAULTS_READ description : "6.1.3 Disable guest account login" info : "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Guest User 4. Uncheck Allow guests to log in to this computer Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO" plist_name : "/Library/Preferences/com.apple.loginwindow.plist" plist_item : "GuestEnabled" regex : "0" plist_option : CANNOT_BE_NULL type : MACOSX_DEFAULTS_READ description : "6.1.4 Disable 'Allow guests to connect to shared folders' - AFP Sharing" info : "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." reference : "800-53|AC-2,800-171|3.1.1,CN-L3|7.1.3.2(d),CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ITSG-33|AC-2,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3.
Select Guest User 4. Uncheck Allow guests to connect to shared folders Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no" plist_name : "/Library/Preferences/com.apple.AppleFileServer" plist_item : "guestAccess" regex : "0" plist_option : CAN_BE_NULL type : MACOSX_DEFAULTS_READ description : "6.1.4 Disable 'Allow guests to connect to shared folders' - SMB Sharing" info : "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." reference : "800-53|AC-2,800-171|3.1.1,CN-L3|7.1.3.2(d),CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,ITSG-33|AC-2,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Users & Groups 3. Select Guest User 4. Uncheck Allow guests to connect to shared folders Alternatively: 1. Run the following command in Terminal: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no" plist_name : "/Library/Preferences/SystemConfiguration/com.apple.smb.server" plist_item : "AllowGuestAccess" regex : "0" plist_option : CAN_BE_NULL type : CMD_EXEC description : "6.1.5 Remove Guest home folder" info : "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." reference : "LEVEL|1S" solution : "Perform the following to implement the prescribed state - 1. Run the following command in Terminal: rm -R /Users/Guest 2.
Make sure there is no output. Impact: The Guest account should not be necessary after it is disabled and it will be automatically re-created if the Guest account is re-enabled" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" cmd : "/bin/ls /Users/ | /usr/bin/grep Guest" expect : "" type : CMD_EXEC description : "6.2 Turn on filename extensions" info : "Visible filename extensions allow the user to identify the file type and the application it is associated with, which leads to quick identification of misrepresented malicious files." reference : "800-171|3.4.2,800-53|CM-6,CSCv6|3.1,CSF|PR.IP-1,LEVEL|1S,PCI-DSSv3.1|2.2.4" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" cmd : "/usr/bin/defaults read NSGlobalDomain AppleShowAllExtensions" expect : "^1$" type : MACOSX_DEFAULTS_READ description : "6.3 Disable the automatic run of safe files in Safari" info : "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. The attackers make sure that the malicious file type will fall within Safari's safe files policy and will download and run without user input." reference : "800-53|SC-18,800-171|3.13.13,CSF|DE.CM-5,ITSG-33|SC-18,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf" solution : "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5.
Uncheck Open 'safe' files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" plist_name : "com.apple.Safari" plist_item : "AutoOpenSafeDownloads" plist_user : "all" regex : "0" plist_option : CANNOT_BE_NULL description : "Mac OSX 10.12 Sierra is not installed" info : "The target system is not running OSX 10.12 Sierra" see_also : "https://benchmarks.cisecurity.org/tools2/osx/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.pdf"