The STIG is available on IASE at: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems,mac-os
U_Apple_OS_X_10-14_V1R2_STIG
Version: 1, Release: 2, 24 Jan 2020
This script will require additional configuration prior to deployment.
Sets organizational compliance for each listed item, which gets written to STIG_security_score.plist. Values default to "true".
To disregard a given item set the value to "false" by changing the associated comment: AOSX_14_00000X="true" or AOSX_14_00000X="false"
The script writes to /Library/Application Support/SecurityScoring/STIG_security_score.plist by default.
Run this before and after 3_STIG_10_14_Remediation to audit the remediation.
Reads the plist at /Library/Application Support/SecurityScoring/STIG_security_score.plist. For items prioritized (listed as "true,") the script queries against the current computer/user environment to determine compliance against each item.
Items that pass compliance do not require further remediation and are set to "false" in the STIG_security_score.plist.
Non-compliant items are recorded at /Library/Application\ Support/SecurityScoring/STIG_audit
Reads the plist at /Library/Application Support/SecurityScoring/org_security_score.plist.
For items still prioritized (listed as "true,") the script applies recommended remediation actions for the client/user.
- 1_STIG_10_14_Set_Priorities.sh – Script Priority: Before
- 2_STIG_10_14_Audit_Compliance.sh – Script Priority: Before
- 3_STIG_10_14_Remediation.sh – Script Priority: Before
- 2_STIG_10_14_Audit_Compliance.sh – Script Priority: After
- Recurring trigger to track compliance over time (Daily, weekly, or Monthly)
- Update Inventory
Set as Data Type "String." Reads contents of /Library/Application\ Support/SecurityScoring/STIG_audit file and records to Jamf Pro inventory record.
Set as Data Type "Integer." Reads contents of /Library/Application\ Support/SecurityScoring/STIG_audit file and records count of items to Jamf Pro inventory record. Usable with smart group logic (2.6_STIG_Audit_Count greater than 0) to immediately determine computers not in compliance.
The following Configuration profiles are available in mobileconfig and plist form. Mobileconfigs can be uploaded to Jamf Pro as Configuration Profiles.
- AOSX_14_002043 - Custom payload > com.apple.applicationaccess > allowCloudPhotoLibrary=false
- AOSX_14_003001 - Certificate payload
- AOSX_14_000007 - Custom payload > com.apple.dock > wvous-tl-corner=0, wvous-br-corner=0, wvous-bl-corner=0, wvous-tr-corner=0
- AOSX_14_002020 - Custom payload > com.apple.ironwood.support > Ironwood Allowed=false
- AOSX_14_002020 - Custom payload > com.apple.ironwood.support > Assistant Allowed=false
- AOSX_14_002062 - Custom payload > com.apple.MCXBluetooth > DisableBluetooth=true
- AOSX_14_000032 - Custom payload > com.apple.loginwindow > DisableFDEAutoLogin=true
- AOSX_14_002007 - Custom payload > com.apple.MCX > forceInternetSharingOff=true
- AOSX_14_002005 - Custom payload > com.apple.mDNSResponder > NoMulticastAdvertisements=true
- AOSX_14_000020 - Passcode payload > MAXIMUM NUMBER OF FAILED ATTEMPTS 3
- AOSX_14_000021 - Passcode payload > DELAY AFTER FAILED LOGIN ATTEMPTS
- AOSX_14_000022 - Passcode payload > MAXIMUM NUMBER OF FAILED ATTEMPTS 3
- AOSX_14_000022 - Passcode payload > DELAY AFTER FAILED LOGIN ATTEMPTS
- AOSX_14_003007 - Passcode payload > Require alphanumeric value (checked)
- AOSX_14_003008 - Passcode payload > MAXIMUM PASSCODE AGE 60
- AOSX_14_003009 - Passcode payload > PASSCODE HISTORY 5
- AOSX_14_003010 - Passcode payload > MINIMUM PASSCODE LENGTH 15
- AOSX_14_003011 - Passcode payload > MINIMUM NUMBER OF COMPLEX CHARACTERS 1
- AOSX_14_003011 - Passcode payload > Allow simple value (unchecked)
- AOSX_14_002009 - Restrictions payload > Media > Allow AirDrop (unchecked)
- AOSX_14_002010 - Restrictions payload > Applications > Disallow "/Applications/FaceTime.app"
- AOSX_14_002011 - Restrictions payload > Applications > Disallow "/Applications/Messages.app"
- AOSX_14_002012 - Restrictions payload > Functionality > Allow iCloud Calendar (unchecked)
- AOSX_14_002013 - Restrictions payload > Functionality > Allow iCloud Reminders (unchecked)
- AOSX_14_002014 - Restrictions payload > Functionality > Allow iCloud Contacts (unchecked)
- AOSX_14_002015 - Restrictions payload > Functionality > Allow iCloud Mail (unchecked)
- AOSX_14_002016 - Restrictions payload > Functionality > Allow iCloud Notes (unchecked)
- AOSX_14_002017 - Restrictions payload > Functionality > Allow use of Camera (unchecked)
- AOSX_14_002018 - Restrictions payload > Preferences > disable selected items "Internet Accounts"
- AOSX_14_002019 - Restrictions payload > Applications > Disallow "/Applications/Mail.app"
- AOSX_14_002023 - Restrictions payload > Applications > Disallow "/Applications/Calendar.app"
- AOSX_14_002031 - Restrictions payload > Preferences > disable selected items "iCloud"
- AOSX_14_002040 - Restrictions payload > Functionality > Allow iCloud Keychain (unchecked)
- AOSX_14_002041 - Restrictions payload > Functionality > Allow iCloud Drive (unchecked)
- AOSX_14_002042 - Restrictions payload > Functionality > Allow iCloud Bookmarks (unchecked)
- AOSX_14_002049 - Restrictions payload > Functionality > Allow iCloud Drive (unchecked)
- AOSX_14_002067 - Restrictions payload > Applications > Disallow "/Users"
- AOSX_14_000001 - Security & Privacy Payload > General > Allow user to unlock the Mac using an Apple Watch (un-checked)
- AOSX_14_000002 - Security & Privacy Payload > General > Require password * after sleep or screen saver begins (checked)
- AOSX_14_000003 - Security & Privacy Payload > General > Require password * after sleep or screen saver begins (select * time no more than five seconds)
- AOSX_14_000004 - Login Window payload > Options > Start screen saver after: (checked) > 15 Minutes of Inactivity (or less)
- AOSX_14_000006 - Login Window payload > Options > Start screen saver after: (checked) > USE SCREEN SAVER MODULE AT PATH: (path to screensaver)
- AOSX_14_002021 - Security & Privacy payload > Privacy > Allow sending diagnostic and usage data to Apple... (unchecked)
- AOSX_14_002034 - Login Window payload > Options > Disable Siri setup during login (checked)
- AOSX_14_002035 - Login Window payload > Options > Disable Apple ID setup during login (checked)
- AOSX_14_002060 - Security & Privacy payload > General > Mac App Store and identified developers (selected)
- AOSX_14_002061 - Security & Privacy payload > General > Do not allow user to override Gatekeeper setting (checked)
- AOSX_14_002063 - Login Window payload > Options > Allow Guest User (unchecked)
- AOSX_14_002066 - Login Window payload > Options > Disable automatic login (checked)
- AOSX_14_003012 - Login Window payload > Options > Show password hint when needed and available (checked)
- AOSX_14_002037 - Custom payload > com.apple.SetupAssistant.managed > SkipiCloudStorageSetup=true
- AOSX_14_002036 - Custom payload > com.apple.SetupAssistant.managed > SkipPrivacySetup=true
- AOSX_14_000005 - Smart Card payload > Enable Screen Saver on Smart Card removal (checked)
- AOSX_14_001060 - Smart Card Payload > VERIFY CERTIFICATE TRUST = Check Certificate
- AOSX_14_003002 - Smart Card Payload > VERIFY CERTIFICATE TRUST = Check Certificate
- AOSX_14_003005 - Smart Card payload > Enforce Smart Card use (checked)
- AOSX_14_003025 - Smart Card payload > Enforce Smart Card use (checked)
- AOSX_14_000008 – Keep Wi-Fi enabled if it is approved and needed. – The macOS system must be configured with Wi-Fi support software disabled.
- AOSX_14_004020 – Keep Wi-Fi enabled if it is approved and needed. – The macOS system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
- AOSX_14_000012 – Managed by a directory server (AD) – The macOS system must automatically remove or disable temporary user accounts after 72 hours.
- AOSX_14_000013 – Managed by a directory server (AD) – The macOS system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
- AOSX_14_000020 – This setting will cause unrecoverable account lockout (also see AOSX_14_000021) – The macOS system must enforce the limit of three consecutive invalid logon attempts by a user.
- AOSX_14_000021 – This setting will cause unrecoverable account lockout (also see AOSX_14_000020) NOT COMPATIBLE WITH MACOS V10.11 OR LATER
- AOSX_14_000022 – REDUNDANT to AOSX_14_000020 and AOSX_14_000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
- AOSX_14_002065 – REDUNDANT to AOSX_14_002068 – The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
- AOSX_14_000010 – DUPLICATE check to AOSX_14_004010 and AOSX_14_004011
- AOSX_14_000011 – DUPLICATE check to AOSX_14_000040
- AOSX_14_000040 – DUPLICATE check to AOSX_14_000011
- AOSX_14_001060 – DUPLICATE check to AOSX_14_003002
- AOSX_14_002034 – DUPLICATE check to AOSX_14_002039
- AOSX_14_002041 – DUPLICATE check to AOSX_14_002049
- AOSX_14_002049 – DUPLICATE check to AOSX_14_002041
- AOSX_14_003002 – DUPLICATE check to AOSX_14_001060
- AOSX_14_003005 – DUPLICATE check to AOSX_14_003025
- AOSX_14_003020 – DUPLICATE check to AOSX_14_003024
- AOSX_14_003024 – DUPLICATE check to AOSX_14_003020
- AOSX_14_003025 – DUPLICATE check to AOSX_14_003005
- AOSX_14_004010 – DUPLICATE check to AOSX_14_000010 and AOSX_14_004011
- AOSX_14_004011 – DUPLICATE check to AOSX_14_000010 and AOSX_14_004010
- AOSX_14_004020 – DUPLICATE check to AOSX_14_000008
-
AOSX_14_000005 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_001060 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003002 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003005 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003025 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003050 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003051 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_003052 – Smart Card - Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
-
AOSX_14_000020 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_000021 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_000022 - Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_003007 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_003008 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_003009 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_003010 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.
-
AOSX_14_003011 – Passcode – Use caution if passwords are managed by Active Directory, Enterprise Connect, or another similar tool. Having multiple password policy sources (I.E. AD and config profile) may lead to unexpected results.