Merge branch 'sonoma'

CHANGELOG.adoc

@@ -2,193 +2,56 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
-== [Ventura, Revision 2.0] - 2023-06-26
+== [Sonoma, Revision 1.0] - 2023-09-21
 
 * Rules
 ** Added Rules
-*** os_home_folders_default
-*** supplemental_stig
+*** icloud_freeform_disable
+*** os_account_modification_disable
+*** os_on_device_dictation_enforce
+*** os_setup_assistant_filevault_enforce
+*** os_sshd_channel_timeout_configure
+*** os_sshd_unused_connection_timeout_configure
 ** Modified Rules
-*** audit_acls_files_configure
-*** audit_acls_folders_configure
-*** audit_auditd_enabled
-*** audit_control_mode_configure
-*** audit_files_group_configure
-*** audit_files_mode_configure
-*** audit_files_owner_configure
-*** audit_folder_group_configure
-*** audit_folder_group_configure
-*** audit_folders_mode_configure
 *** auth_ssh_password_authentication_disable
-*** icloud_appleid_preference_pane_disable
-*** icloud_appleid_system_settings_disable
-*** os_anti_virus_installed
-*** os_home_folders_secure
-*** os_policy_banner_loginwindow_enforce
-*** os_policy_banner_ssh_configure
 *** os_policy_banner_ssh_enforce
-*** os_screensaver_timeout_loginwindow_enforce
 *** os_sshd_client_alive_count_max_configure
 *** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
 *** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
 *** os_sshd_login_grace_time_configure
 *** os_sshd_permit_root_login_configure
-*** pwpolicy_account_lockout_timeout_enforce
-*** pwpolicy_minimum_length_enforce
-*** pwpolicy_special_character_enforce
-*** system_settings_assistant_disable
+*** system_settings_location_services_menu_enforce
+*** system_settings_siri_disable
+** Deleted Rules
+*** icloud_appleid_preference_pane_disable.yaml
+*** os_efi_integrity_validated
+*** os_sshd_key_exchange_algorithm_configure
+*** os_sshd_fips_140_ciphers
+*** os_sshd_fips_140_macs
 *** system_settings_bluetooth_prefpane_disable
-*** system_settings_firewall_enable
-*** system_settings_firewall_stealth_mode_enable
-*** system_settings_guest_account_disable
 *** system_settings_internet_accounts_preference_pane_disable
 *** system_settings_siri_prefpane_disable
 *** system_settings_touch_id_pane_disable
-*** system_settings_usb_restricted_mode
 *** system_settings_wallet_applepay_prefpane_disable
 *** system_settings_wallet_applepay_prefpane_hide
-
-* Baselines
-** Added Baselines
-*** cmmc_lvl1
-*** cmmc_lvl2
-*** cnssi-1253_high
-*** cnssi-1253_moderate
-*** cnssi-1253_low
-*** DISA-STIG
-** Modified Baselines
-*** all_rules
-*** Removed Baselines
-** cnssi-1253
-
-* Scripts
-** generate_guidance
-*** Added base64 support for documentation logo
-*** Added support for CMMC references
-*** Added ssh key generation to compliance script
-*** Added cfc argument to compliance script
-*** Bug Fixes
-** generate_baseline
-*** Bug Fixes
-** generate_scap
-*** Bug Fixes
-
-* Includes
-** mscp-data
-*** Added CMMC data
-*** Updated CNSSI-1253 data
-** supported_payloads
-*** Added com.apple.sharingd
-*** Removed com.apple.locationmenu
-
-== [Ventura, Revision 1.1] - 2022-12-08
-
-* Rules
-** Added Rules
-*** icloud_game_center_disable
-*** os_safari_advertising_privacy_protection_enable
-*** os_safari_prevent_cross-site_tracking_enable
-*** os_safari_show_full_website_address_enable
-*** os_safari_warn_fraudulent_website_enable
-** Modified Rules
-*** os_dvdram_disable
-*** os_hibernate_mode_enable
-*** os_rapid_security_response_removal_disable
-*** os_tftpd_disable
-*** system_settings_automatic_logout_enforce
-*** system_settings_internet_accounts_disable
-*** system_settings_ssh_enable
-*** system_settings_system_wide_preferences_configure
-*** system_settings_time_server_configure
-*** system_settings_time_server_enforce
-*** supplemental_cis_manual
-** Bug fixes
-
-* Baselines
-** Updated all baselines
-
-* Scripts
-** generate_guidance
-*** Added custom references to compliance check script
-*** Added debug option
-*** Bug Fixes
-** generate_baseline
-*** Added author function
-*** Bug Fixes
-** generate_mapping
-*** Bug Fixes
-
-== [Ventura, Revision 1] - 2022-10-20
-
-* Rules
-** Added ODV support
-** Added Rules
-*** icloud_appleid_system_settings_disable
-*** os_config_profile_ui_install_disable
-*** os_firewall_ui_disable
-*** os_power_nap_enable
-*** os_rapid_security_response_allow
-*** os_rapid_security_response_removal_disable
-*** os_software_update_deferral
-*** system_settings_USB_restricted_mode
-*** system_settings_internet_accounts_disable
-** Modified Rules
-*** os_power_nap_disable
-*** os_ssh_fips_compliant
-*** os_ssh_server_alive_count_max_configure
-*** os_ssh_server_alive_interval_configure
-*** os_sshd_client_alive_count_max_configure
-*** os_sshd_client_alive_interval_configure
-*** os_sshd_fips_140_ciphers
-*** os_sshd_fips_140_macs
-*** os_sshd_fips_compliant
-*** os_sshd_key_exchange_algorithm_configure
-*** os_sshd_login_grace_time_configure
-*** os_sshd_permit_root_login_configure
-*** os_sudo_timeout_configure
-*** os_sudoers_timestamp_type_configure
-*** pwpolicy_account_inactivity_enforce.yaml
-*** pwpolicy_account_lockout_enforce.yaml
-*** pwpolicy_account_lockout_timeout_enforce.yaml
-*** pwpolicy_alpha_numeric_enforce.yaml
-*** pwpolicy_history_enforce.yaml
-*** pwpolicy_lower_case_character_enforce.yaml
-*** pwpolicy_max_lifetime_enforce.yaml
-*** pwpolicy_minimum_length_enforce.yaml
-*** pwpolicy_minimum_lifetime_enforce.yaml
-*** pwpolicy_simple_sequence_disable.yaml
-*** pwpolicy_special_character_enforce.yaml
-*** pwpolicy_upper_case_character_enforce.yaml
-*** system_settings_system_wide_preferences_configure
-*** System Preferences -> System Settings
-** Deleted Rules
-*** os_sudoers_tty_configure
 ** Bug Fixes
 
 * Baselines
 ** Modified existing baselines
-** Added parent_values
 
 * Scripts
 ** generate_guidance
-*** Added ODV support
-*** Added Ruby gem generation
-*** Added support for fix/check in compliance script
-*** Added unified log support to compliance script
+*** Added iOS support
+*** Added support for pwpolicy regex
+*** Modified ssh_key_check
 *** Bug Fixes
 ** generate_baseline
-*** Added ODV support
-*** Added tailoring support
+*** Added iOS support
 *** Bug Fixes
 ** generate_mappings
+*** Added iOS support
 *** Bug Fixes
 ** generate_scap
-*** Added support for ODV
-*** Added support for new checks
-*** Generate scap, xccdf, or oval
-*** Bug Fixes
-
-
+*** Added iOS support
+*** Added support for pwpolicy regex
+*** Bug Fixes

CONTRIBUTING.adoc

@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the
 These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time.
 
 === Criteria for Contributions and Feedback
-This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file. 
+This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
 
-NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that: 
-* states or implies NIST endorsement of any entities, services, or products;  
-* is inaccurate;  
-* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;  
-* is clearly "off topic"; 
+NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
+* states or implies NIST endorsement of any entities, services, or products;
+* is inaccurate;
+* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
+* is clearly "off topic";
 * makes unsupported accusations;
-* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or, 
+* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
 * contains .exe or .jar file types.
 
 _These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
 * responding to NIST representatives in a timely manner;
 * keeping contributions and contributor GitHub username up to date
 
-*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page]. 
+*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].

LICENSE.md

@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo
 5.	_Downstream recipients._
 
     **A.** _Offer from the Licensor_ – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
-    
+
     **B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
-    
+
 6.	_No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
 
 ## b.	Other rights.
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following
    **i.**	 	identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
 
    **ii.**		a copyright notice;
-      
+
    **iii.**	 	a notice that refers to this Public License;
-     
+
    **iv.**	 	a notice that refers to the disclaimer of warranties;
-      
+
    **v.**	 	a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
-      
+
    **B.**	indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
-    
+
    **C.**	indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
-    
+
 **2.**	You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
 
 **3.**	If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your
 **a.**	This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
 
 **b.**	Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
-         
+
    **1.**	automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
-         
+
    **2.**	upon express reinstatement by the Licensor.
-         
+
 For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
 
 **c.**	For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

README.adoc

@@ -1,7 +1,7 @@
 image::templates/images/mscp_banner_outline.png[]
 // settings:
 :idprefix:
-:idseparator: - 
+:idseparator: -
 ifndef::env-github[:icons: font]
 ifdef::env-github[]
 :status:
@@ -18,7 +18,7 @@ endif::[]
 
 ifdef::status[]
 image:https://badgen.net/badge/icon/apple?icon=apple&label[link="https://www.apple.com/"]
-image:https://badgen.net/badge/icon/13.0?icon=apple&label[link="https://www.apple.com/macos"]
+image:https://badgen.net/badge/icon/14.0?icon=apple&label[link="https://www.apple.com/macos"]
 endif::[]
 
 IMPORTANT: We recommend working off of one of the OS branches, rather than the `main` branch.
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21
 
 Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.
 
-This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.  
+This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
 
 To learn more about the project, please see the {uri-repo}/wiki[wiki].
 
@@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta
 
 == Changelog
 
-Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes. 
+Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
 
 == NIST Disclaimer
 

VERSION.yaml

@@ -1,4 +1,5 @@
-os: "13.0"
-version: "Ventura Guidance, Revision 2.0"
-cpe: o:apple:macos:13.0
-date: "2023-06-26"
+os: "14.0"
+platform: macOS
+version: "Sonoma Guidance, Revision 1.0"
+cpe: o:apple:macos:14.0
+date: "2023-09-21"