macos_security's Introduction

We recommend working off of one of the OS branches, rather than the main branch.

The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL).

This project is the technical implementation of NIST Special Publication 800-219 (Rev. 1), Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). NIST SP 800-219 is the official guidance for automated secure configuration of macOS.

Apple acknowledges the macOS Security Compliance Project with information on their Platform Certifications page.

This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.

To learn more about the project, please see the wiki.

If you are interested in supporting the development of the project, refer to the contributor guidance for more information.

Usage

Civilian agencies are to use the National Checklist Program as required by NIST 800-70.

Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”

Authors

Bob Gendler, NIST
Allen Golbig, Jamf
Dan Brodjieski, NASA
John Mahlman IV, Leidos
Aaron Kegerreis, DISA
Marco A Piñeryo II, State Department
Jason Blake, NIST
Blair Heiserman, NIST
Joshua Glemza, NASA
Elyse Anderson, NASA
Gary Gapinski, NASA

Changelog

Refer to the CHANGELOG for a complete list of changes.

NIST Disclaimer

Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.

macos_security's Issues

Setting for TimeServer

Summary

https://developer.apple.com/documentation/devicemanagement/timeserver
The domain com.apple.MCX with the key timeServer can be overruled by the systemsetup binary.

Steps to reproduce

sudo systemsetup -setnetworktimeserver "example.com"

Operating System version

macOS 10.15.5

What is the expected correct behavior?

The expected behavior is that a configuration sets the setting permanently.

Possible fixes

Setting the time server using
systemsetup -setnetworktimeserver "time-a.nist.gov,time-b.nist.gov"

Checking the time server using
systemsetup -getnetworktimeserver

Baselines path incorrect in Wiki documentation

Summary

On the Scripts page of the Wiki, each example uses the path baseline.
python3 create_guide.py ../baseline/moderate.yaml -o ../build/MyBaselineGuide.adoc

However, the currently committed code has the folder named baselines not baseline.

Example lines

python3 create_guide.py ../baseline/moderate.yaml -o ../build/MyBaselineGuide.adoc
python3 script_generator.py ../baseline/moderate.yaml
python3 profile_generator.py ../baseline/moderate.yaml

Filename tweak

In the docs, baseline_identify.py has _ (underscore) as the word separator in the file name shown in the topic heading and example usage. This is consistent with the convention used in the file names of the other ./scripts files. In the repo, a "-" (dash) is used.

Suggestion: Leave the wiki doc as-is and change the filename from baseline-identify.py to baseline_identify.py

sysprefs_find_my_disable

The rule is labeled CM-8(8) which is "The organization employs automated mechanisms to support tracking of information system components by geographic location."

The rule file does the opposite of that.

audit_flags_fm_configure

We should change fm to -fm as no 800-53 rule actually requires auditing of all file modifications (successful or not).

This will also make audit far less busy.

add (sub)subtitles for the documentation.

Feature Proposal

Add a deeper layer for the documentation in the baseline.yaml.

Feature details

Add to the baseline.yaml for a deeper layer that will result in a 5.1.1 index?

Example:

- section: "authentication"
  rules:
    - auth_pam_login_smartcard_enforce
    - subsection: "deeper level authentication"
      subrules:
        - auth_smartcard_allow
- section: "auditing"
  rules:
    - audit_folder_group_configure
    - audit_failure_halt

Result will be

5. Authentication
5.1. Enforce Multifactor Authentication for Login
5.1.1 Allow Smartcard Authentication
6. Auditing
6.1. Configure Audit Log Folders Group to Wheel
6.2. Configure System to Shut Down Upon Audit Failure

Creation of the Excel doc with Custom references, adds extra rows while the name is the same

Summary

Created custom rules with custom references.
Creating documentation in HTML and PDF works fine,
but if you add -x for an Excel sheet, custom references with the same name are repeated as an extra row in the Excel sheet, even though the custom reference has the same name.

Steps to reproduce

Create multiple custom rules, and within the rules add custom references.
Generate guidance with -x.
Look at the Excel document; you will see duplicated rows of the custom references.

Operating System version

Big Sur branch - Big Sur Guidance Revision 2

What is the current bug behaviour?

In the Excel sheet, custom references with the same name are repeated as an extra row.

What is the expected correct behaviour?

If the custom reference name is the same, add one row; only add extra rows if the custom reference name is different.

Add a default value / Arg to generate_script

Problem to solve

I would like to make this easier to deploy and make it transparent to a user, but maintain the choice of an admin to choose whether to deploy with or without human interaction.

Intended users

Further details

def generate_script(baseline_name, build_path, baseline_yaml) is the base of the culprit. Give this the ability to bypass by giving it known commands.

metadata subsection to track changes in customized rules

Problem to solve

Make it easier to track SPECIFIC changes to yaml files in the custom folder. Custom tags are a needed feature, but they introduce the issue that it becomes difficult to track changes to fixes, changes in results, changes in checks, changes in discussions, or changes in tags in the custom folder, when every file is tagged. By including some metadata of whether a file is changed, it is easy to track what has actually been changed in the yaml files

I'm proposing a set of metadata tags inside the yaml file:

customDiscussion
customCheck
customResult
customFix
customTags

These are binary settings, true or false

By default, all the tags in the project would have these set to false. When edited, the metadata could be set to true, to allow for quick queries of different customizations in an MDM or security tool. The SOP would be to copy a file and edit it in the Custom folder, where the tags would then be set.

additional tags could be

requiresCustomization ( for yaml rules like timeserver or any other item needing organizational personalization)

and

requiresAdminReview (for yaml rules like mandatory smartcard enforcement, which can impact system usability if not properly understood)

Intended users

This should make it easier for MDM vendors to present files that require changes or have been changed. It should also make it easier for admins who have changed files to track which files have which type of changes, to accelerate yearly organizational customizations.

Further details

While this could be done with tags in macOS's Finder easily, placing the metadata in the yaml files keeps each rule truly portable, and gives a means for the tool builder or admin to track changes by adjusting a set of defined metadata tags.

Proposal

Simply add a metadata section to the yaml files used to track changes of specific sections

Documentation

none

Testing

Customize yaml files and edit the metadata tags. query on the types of changes.

What does success look like, and how can we measure that?

Adding some additional metadata is a lightweight way to keep track of customized yaml files, and specifically which section has been customized; this is very useful for visualizing needed changes during yearly OS updates.
An MDM vendor has the ability to allow customizations in the GUI, and then has the ability to organize and track changes, so an admin can review customizations by type. If a sysadmin can query files by types of changes, we can accelerate yearly change management.

Links / references

none

os_camera_disable

SC-15 is on the low, moderate, and high baselines but is inherently met, as applications require user approval to use the camera, on macOS systems (and specifically T2) the camera is not able to be enabled remotely, and the light indicates when the camera is in use.

Control Description
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and

b. Provides an explicit indication of use to users physically present at the devices.

The rule file is labeled, SC-15(3), which is not required on any baseline.

Remove os_camera_disable from low, moderate, and high, as it may only be something an organization defines as an additional rule.

os_guest_access_smb_disable

os_guest_access_smb_disable should be moved to sysprefs

Also the configuration profile key does not appear to work and does not restrict SMB guest access on Catalina or Big Sur

Check

/usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess

Result: 0

Fix

/usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no

Check for Library Validation

Library Validation. This protection checks if an app's libraries are signed by Apple or the creator. Until very recently, macOS apps could load code freely from foreign sources called code libraries. With macOS 10.15, apps are no longer allowed to load libraries that weren't originally packaged with it, unless they explicitly allow it.

defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool false

profile_generator.py doesn't work unless you change directory to the "scripts" directory first

Summary

If you attempt to run profile_generator.py from any directory other than scripts, it doesn't work.

Steps to reproduce

  • Check out project
  • Install requirements
  • From the base of the project run: ./scripts/profile_generator.py baselines/800-53_low.yaml

What is the current bug behavior?

Script looks like it's running (warning prints), but no mobileconfigs are generated.

What is the expected correct behavior?

mobileconfigs are generated in build folder.

Cleanup references

Note to group:

As part of #48, we cleaned up the references table. Bring changes from 34352cc to big_sur and catalina branches.

Baseline names should be more descriptive.

Summary

Under the baseline listing, I see High, Medium, and Low. As this project matures and additional baselines are added, it is possible that there will be a namespace collision. I recommend prefixing or postfixing the regulatory scheme to the name of each of the baselines.

Rule - os_filevault_user_account - Change needed for Apple silicon

Summary

Rule - os_filevault_user_account.yaml - Create a new user account that will be used to unlock the disk on startup.
Apple Silicon systems do not like: sudo dscl . append /Users/<FileVault_User> AuthenticationAuthority DisabledUser
Once you use DisableUser on M1 that user can no longer unlock FV.

Change the user shell to “/usr/bin/false”
This will work for Intel and Apple silicon.

Steps to reproduce

(How one can reproduce the issue - this is very important)

Operating System version

macOS 11.4 (20F71)

What is the current bug behavior?

Once you use DisableUser on M1 that user can no longer unlock FV.

What is the expected correct behavior?

User should be disabled for login, but should still be able to unlock FileVault.

Possible fixes

Change the user shell to “/usr/bin/false”
This will work for Intel and Apple silicon.

Updated check: # sudo dscl . -read /Users/<FileVault_User> UserShell | grep "/usr/bin/false"

Updated Fix: # sudo dscl . -create /Users/<FileVault_User> UserShell "/usr/bin/false"

sysprefs_diagnostics_reports_disable

sysprefs_diagnostics_reports_disable is labeled SI-4, it does not meet the SI-4 description.

SI-4 may need a rule yaml as it is required in low, moderate, and high

os_sshd_key_exchange_algorithm_configure.yaml does not have a fallback to adding the relevant line

Summary

os_sshd_key_exchange_algorithm_configure.yaml fails because there is no KexAlgorithms in sshd_config, and unlike the other sshd_config rules it does not fall back to appending such a line

Steps to reproduce

run build/PROFILE/PROFILE_compliance.sh, tell it to fix os_sshd_key_exchange_algorithm_configure, then run it again and see that it hasn't actually fixed it because there's no line to change with sed.

Operating System version

11.3.0

What is the current bug behavior?

When no KexAlgorithms entry is present in /etc/ssh/sshd_config, a correct one is not added.

What is the expected correct behavior?

When no KexAlgorithms entry is present in /etc/ssh/sshd_config, a correct one is added.

Possible fixes

/usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd

needs grep ... || echo ... >> ... type behavior, e.g.
/usr/bin/grep -q '^Ciphers' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/ssh_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/ssh_config
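
As an added example (not code from the mSCP rule files), the set-or-append fallback requested above, written as a POSIX sh function that can be exercised on a scratch copy of sshd_config. The names ensure_sshd_directive, check_sshd_directive and demo_sshd_fallback are mine; the file path is a parameter, so nothing here touches the live /etc/ssh/sshd_config.

```shell
# ensure_sshd_directive FILE KEY VALUE
# Rewrite every active or commented-out KEY line in FILE to "KEY VALUE"; if
# no such line exists, append one. sshd honours the first occurrence of a
# directive, so rewriting all matches (instead of appending below an existing
# active line) is what makes the new value actually take effect.
ensure_sshd_directive() {
    file=$1 key=$2 value=$3
    # Matches "KexAlgorithms ...", "#KexAlgorithms ..." and "  # KexAlgorithms ...".
    # Like the rule's own ".*KexAlgorithms.*" pattern, a comment that merely
    # mentions the directive followed by whitespace is rewritten as well.
    pattern="^[#[:space:]]*${key}[[:space:]]"
    if grep -q "$pattern" "$file"; then
        # '|' is the sed delimiter (as in the project's fixtexts), so KEY and
        # VALUE must not contain it. Writing through a temp file and cat keeps
        # the ownership and mode of the original file.
        tmp=$(mktemp) || return 1
        sed "s|${pattern}.*|${key} ${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rc=$?
        rm -f "$tmp"
        return $rc
    else
        # Guard against a file whose last line lacks a trailing newline.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            printf '\n' >> "$file"
        fi
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# check_sshd_directive FILE KEY VALUE
# Check in the style of the project's rules: passes only when exactly one
# active KEY line exists and it carries VALUE (a second active line would be
# ambiguous, since sshd would use whichever comes first).
check_sshd_directive() {
    file=$1 key=$2 value=$3
    [ "$(grep -c "^${key}[[:space:]]" "$file")" -eq 1 ] &&
        grep -q "^${key}[[:space:]][[:space:]]*${value}[[:space:]]*$" "$file"
}

# demo_sshd_fallback: exercise the helper on a constructed sshd_config copy
# (sample content, not a real system file). Returns 0 when every case passes.
demo_sshd_fallback() {
    f=$(mktemp) || return 1
    kex=diffie-hellman-group-exchange-sha256
    # Case 1: no KexAlgorithms line at all, the situation from the issue.
    printf '%s\n' '# constructed sample' 'Ciphers aes256-ctr' > "$f"
    ensure_sshd_directive "$f" KexAlgorithms "$kex"
    check_sshd_directive "$f" KexAlgorithms "$kex" || { rm -f "$f"; return 1; }
    # Case 2: only a commented-out line with a different value.
    printf '%s\n' '#KexAlgorithms curve25519-sha256' > "$f"
    ensure_sshd_directive "$f" KexAlgorithms "$kex"
    check_sshd_directive "$f" KexAlgorithms "$kex" || { rm -f "$f"; return 1; }
    # Case 3: a second run must not add a second line (idempotence).
    ensure_sshd_directive "$f" KexAlgorithms "$kex"
    n=$(grep -c '^KexAlgorithms' "$f")
    rm -f "$f"
    [ "$n" -eq 1 ]
}
```

On a Mac the rule's fix would call ensure_sshd_directive /etc/ssh/sshd_config KexAlgorithms diffie-hellman-group-exchange-sha256 and then kickstart sshd, exactly as the existing fix does after its sed.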

sysprefs_ad_tracking_disable check

Summary

The check for sysprefs_ad_tracking_disable is incorrect.

Steps to reproduce

Apply the configuration profile for disabling ad tracking.

Run the check in the Terminal
sudo /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"forceLimitAdTracking" = 1'

What is the current bug behavior?

0 found due to the quotes

Possible fixes

/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'forceLimitAdTracking = 1;'
No quotes around forceLimitAdTracking

Definition of exemption

I followed the instruction outlined at https://github.com/usnistgov/macos_security/wiki/Compliance-Script:

sudo /usr/libexec/PlistBuddy -c "Delete os_firmware_password_require" /Library/Preferences/org.800-53_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :os_firmware_password_require:exempt bool true" /Library/Preferences/org.800-53_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :os_firmware_password_require:finding bool false" /Library/Preferences/org.800-53_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :os_firmware_password_require:exempt_reason string 'Not supported for VM'" /Library/Preferences/org.800-53_moderate.audit.plist

But when I run sudo ./build/800-53_moderate/800-53_moderate_compliance.sh this rule is still failing:

ERROR | SetupTRBSettings | The firmware on this machine is not supported.
ERROR | main | Exiting with error: 5
Thu Mar 11 13:35:07 UTC 2021 os_firmware_password_require failed (Result: 0, Expected: {integer: 1})

How can I disable os_firmware_password_require?

os_airdrop_disable check and remediation are inconsistent

Summary

The profile entries that os_airdrop_disable tests and sets are not consistent

Steps to reproduce

Apply the mobileconfig from a baseline that requires os_airdrop_disable, and run the check.

Operating System version

11.3.0

What is the current bug behavior?

The remediation action for os_airdrop_disable is to set a mobileconfig with "allowAirDrop: false". However, the test is for "DisableAirDrop = 1"

What is the expected correct behavior?

It appears that "allowAirDrop: false" does disable airdrop, I think the check needs to look for "allowAirDrop = 0"

Possible fixes

Change

/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'DisableAirDrop = 1'
to look for "allowAirDrop = 0"

audit_events Sandbox violations

Audit is overly busy and talkative

Editing the audit_event file and changing
43127:AUE_MAC_SYSCALL:mac_syscall(2):ad
to
43127:AUE_MAC_SYSCALL:mac_syscall(2):zz
Will stop sandbox violations from being in the audit logs but make them still auditable if desired using the zz flag.

Possibly adding an audit supplemental or rule.

profile_generator.py - All baselines use the same 'mobileconfigs' directory

Summary

When running profile_generator.py, no matter which baseline you are targeting, the output .mobileconfig files are put into a folder named mobileconfigs. This means that, when running the script against multiple baselines, the .mobileconfig files are combined into a single directory.

When running

Steps to reproduce

  1. Run python3 profile_generator.py ../baselines/high.yaml
  2. Run python3 profile_generator.py ../baselines/low.yaml

Operating System version

10.15.5 (19F101)

What is the current bug behavior?

The mobileconfigs directory contains .mobileconfig files from both of steps 1 and 2

What is the expected correct behavior?

In line with the behaviour of the other scripts, I believe that output directory should contain the name of the targeted baseline, e.g.:

  • high_mobileconfigs
  • moderate_mobileconfigs
  • low_mobileconfigs

Possible fixes

I think that something along the lines of the following, should fix:

# Output folder
mobileconfig_output_path = os.path.join(parent_dir, 'build', ''+profile_name+'_mobileconfigs')

I would open a PR myself, but not hugely Python-y and so wouldn't wish to define/duplicate profile_name in the wrong place/way.

Many thanks!

Peter

os_siri_prompt_disable

os_siri_prompt_disable.yaml

800-53 tag incorrect. It has the tag of CM-5(5)(b) which is

Reviews and reevaluates privileges [Assignment: organization-defined frequency].

Possibly should be changed to CM-5(5)(a)

Limits privileges to change information system components and system-related information within a production or operational environment; and

Additional rule Disable Improve Siri & Dictation

id: sysprefs_improve_siri_dictation_disable
title: "Disable sending Siri and Dictation information to Apple"
discussion: |
  The ability to submit diagnostic data to Apple must be disabled.
check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c '"Siri Data Sharing Opt-In Status" = 2;'
result:
  integer: 1
fix: |
  This is implemented by a Configuration Profile.
references:
  800-53r4: 
    - CM-7(b)
    - SC-7(10)
    - SI-4
 
macOS:
  - "10.15"
tags:
  - cnssi-1253
  - fisma-low
  - fisma-moderate
  - fisma-high
mobileconfig: true
mobileconfig_info:
  com.apple.assistant.support:
      "Siri Data Sharing Opt-In Status": 2

Re-Map os_guest_account_disable

Currently this rule is mapped to CM-5(1) and IA-2. This should probably be AC-2, specifically AC-2(9). Also, this is only tagged to 800-53r4_high, but should be Mod and Low.

Missing full paths

The check reads

/usr/bin/csrutil status | grep -c 'System Integrity Protection status: enabled.'

Should be for consistency
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'

Also the file is listed as os_SIP_enable.yaml, and should be os_sip_enable.yaml

The check reads for os_system_wide_preferences_configure
/usr/bin/security authorizationdb read system.preferences 2> /dev/null | grep -A 1 "<key>shared</key>" | grep -c "<false/>"
Should be for consistency
/usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "<key>shared</key>" | grep -c "<false/>"

Same with os_unlock_active_user_session_disable

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | grep -c 'use-login-window-ui'

Should be for consistency
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui'

os_secure_boot_verify
/usr/sbin/nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy | grep -c '%02'

Should be for consistency

/usr/sbin/nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy | /usr/bin/grep -c '%02'

os_firmware_password_require
/usr/sbin/firmwarepasswd -check | grep -c "Password Enabled: Yes"

Should be
/usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes"

Use domain-specific naming in 'PayloadDisplayName' key of configuration profiles

Problem to solve

When uploading configuration profiles to Jamf Pro the PayloadDisplayName key is used as the display name for the configuration profile object. Currently this is set to 'macOS Baseline settings' across every single profile created, and when uploading signed profiles we're unable to change this value, meaning each profile is named the same and most have no visible payload to differentiate one from another.

Currently we're required to build each profile as unsigned, edit the key then sign manually before upload.

Intended users

Jamf Pro customers.

Further details

Ease of administration and maintenance.

Proposal

Use a similar naming convention but include the preference domain for which the profile is being used to manage.

Fix audit_files_(group/mode/owner)_configure

The following rules need to be fixed as they are setting permissions on the folder and not the files within.

audit_files_group_configure
audit_files_mode_configure
audit_files_owner_configure

$(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') needs a trailing /*

Fixes needed in big_sur and catalina, will be merged into main in next revision.

os_mdm_require.yaml needs to be updated for macOS 11

/usr/bin/profiles status -type enrollment | /usr/bin/awk -F': ' 'END{print $2}' | /usr/bin/grep -c "Yes" will not work in macOS 11.

The output of /usr/bin/profiles status -type enrollment is:
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://MDMSERVER:8443/mdm/ServerURL

The check should be updated to:
/usr/bin/profiles status -type enrollment | /usr/bin/awk -F: '/MDM enrollment/ {print $2}' | /usr/bin/grep -c "Yes (User Approved)"

This could also be used for Catalina if we want to go back.
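
An added example (not from the mSCP rule files) that runs the existing check and the proposed replacement over a constructed copy of the macOS 11 output quoted above, so the difference is visible without an enrolled Mac. The sample strings follow the format in the issue (MDMSERVER is the placeholder already used there); old_check, new_check, compare_checks and mdm_user_approved are my names.

```shell
# Constructed sample of `profiles status -type enrollment` on macOS 11, in the
# format quoted in the issue (MDMSERVER is a placeholder, not a real host).
SAMPLE_USER_APPROVED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://MDMSERVER:8443/mdm/ServerURL'

# Constructed sample of a device that is enrolled but not user-approved.
SAMPLE_NOT_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://MDMSERVER:8443/mdm/ServerURL'

# old_check: the existing rule logic. END{print $2} only looks at the LAST
# line of the output, which on macOS 11 is the "MDM server" URL, so "Yes" is
# never found. Reads the profiles output on stdin and prints the match count.
old_check() {
    awk -F': ' 'END{print $2}' | grep -c "Yes"
}

# new_check: the replacement proposed in the issue. It selects the
# "MDM enrollment" line by content rather than by position and requires the
# "(User Approved)" qualifier, so a non-approved enrollment still fails.
new_check() {
    awk -F: '/MDM enrollment/ {print $2}' | grep -c "Yes (User Approved)"
}

# compare_checks OUTPUT -> prints "old=<n> new=<n>" for one sample.
compare_checks() {
    printf 'old=%s new=%s\n' \
        "$(printf '%s\n' "$1" | old_check)" \
        "$(printf '%s\n' "$1" | new_check)"
}

# mdm_user_approved OUTPUT
# Pass/fail wrapper in the style of the project's checks: the rule passes only
# when the count is exactly 1.
mdm_user_approved() {
    [ "$(printf '%s\n' "$1" | new_check)" -eq 1 ]
}
```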

Overwriting baseline files

Summary

Running one of the scripts with the wrong option and without pointing at a baseline file can result in the baseline being overwritten with a 0 byte file.

Steps to reproduce

python3 yaml-to-xls.py -o ../baselines/all_rules.yaml
usage: yaml-to-xls.py [-h] [-o OUTPUT] baseline
yaml-to-xls.py: error: the following arguments are required: baseline

What is the expected correct behavior?

The all_rules or any other baseline is not overwritten, and since no baseline was defined, the script should quit without writing any data.

Option to sign generated profiles please!

Your tools generate unsigned profiles. Consider adding a flag that accepts the name of a signing identity in my keychain which will then be used to sign the profiles.

I expect that anyone who manually generates baselines would like to have this feature.

mobileconfig creation ignores exempt preferences settings

Summary

settings applied by mobileconfig ignore exempt preferences settings

Steps to reproduce

Set the defaults plist in /Library/Preferences/org.PROFILE.plist exempt entry to true (and exempt_reason) for a rule that is enforced by mobileconfig, e.g. os_camera_disable. Then generate the mobileconfigs with scripts/generate_guidance.py -p build/baselines/stig_6390.yaml. The resulting mobileconfig will contain the entry that disables the camera, even though it should be exempt. Only the [source,bash] fixes take exempt into account, from what I can tell.

Operating System version

11.3.0

What is the current bug behavior?

things are disabled by the generated mobileconfig files even if they should not be.

What is the expected correct behavior?

rules that are exempt should not produce entries in the generated mobileconfig files.

Possible fixes

modify generate_guidance.py -y, I suppose, to read the preferences before deciding if a rule's mobileconfig entry should be created.

rules listed in the wrong section in baselines

Summary

These rules are listed in the wrong sections in the following baselines.
sysprefs_wifi_disable - 800-53_high, 800-53_moderate, cnssi-1253, all_rules - should be inherent, not system preferences

os_peripherals_identify - 800-53_high, 800-53_moderate, cnssi-1253, all_rules - should be inherent, no OS

pwpolicy_emergency_accounts_disable - 800-53_high, 800-53_moderate, cnssi-1253, all_rules - should be inherent, not password policy

pwpolicy_temporary_accounts_disable - 800-53_high, 800-53_moderate, cnssi-1253, all_rules - should be inherent, not password policy

audit_auditd_enabled - 800-53_high, 800-53_moderate, 800-53_low, cnssi-1253, all_rules - should be audit, not inherent

pwpolicy_force_password_change - 800-53_high, 800-53_moderate, 800-53_low, cnssi-1253, all_rules - should be inherent, not permanent

Concurrent session limit for SSH is not working

Summary

Setting "os_ssh_max_sessions_configure" does not limit connections on my machine.

Steps to reproduce

Set "MaxSessions 10" in sshd.conf
from another machine, open multiple ssh connections to the ssh server.

Operating System version

20A5343i

What is the current bug behavior?

The number of sessions is not capped at 10.

What is the expected correct behavior?

After 10 connections, further connection attempts should fail.

fixtext commands are broken; have newline chars instead of spaces

Summary

(Summarize the bug encountered concisely)

fixtext commands are broken; have newline chars instead of spaces. for example, see the fix command below

/usr/bin/sed 
-i.bak_
$(date"+%Y-%m-%d_%H:%M")"s|#PasswordAuthentication
yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication
yes|ChallengeResponseAuthentication no|"
/etc/ssh/sshd_config
; /bin/launchctl kickstart 
-k system/com.openssh.sshd

Same issue is there for description fields of rules. See below:
<title>Enforce Smartcard
Authentication</title>

Smartcard authentication
MUST be enforced.

The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver.
To check the state of the system, run the following command(s):

/usr/bin/profiles
-P-o stdout | /usr/bin/grep
-c'enforceSmartCard = 1'

If the result is not
1, this is a finding.

Steps to reproduce

(How one can reproduce the issue - this is very important)

Open the XML file and see fixtext

Operating System version

(macOS Version and build)

What is the current bug behavior?

(What actually happens)

What is the expected correct behavior?

(What you should see instead)

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)

Output of checks

(Paste any output that occurs with the bug)

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)
