New NIST macOS Security Compliance Project Audit Files
Summary
Tenable, in collaboration with NIST, has released a series of audit files based on the content of the NIST macOS Security Compliance project from https://github.com/usnistgov/macos_security. Customers now have the option to choose NIST, CIS, and DISA STIG macOS content for their environment.
The audit files cover all current content for Catalina, Monterey, and Big Sur. The audit files are further refined by profiles that relate to ‘tags’ from the source content. These profiles cover 800-171, 800-53, and CNSSI 1253. Profiles 800-53 r4 and 800-53 r5 have additional audits covering low, moderate, and high baselines from the NIST 800-53B publication.
The NIST and Tenable content covers many areas, including least functionality, access control, least privilege, system preferences, authorization control, and much more.
Tenable Audit Example
The following check is from the Big Sur rules for FIPS 140 ciphers, converted to audit format:
<custom_item>
system : "Darwin"
type : CMD_EXEC
description : "Big Sur - Limit SSHD to FIPS 140 Validated Ciphers"
info : "If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system."
solution : "[source,bash]
----
/usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----"
reference : "CCE|CCE-85454-7,CCI|CCI-000803,CCI|CCI-000068,CCI|CCI-000087,CCI|CCI-003123,CCI|CCI-002890,STIG-ID|APPL-11-000054,800-171|3.1.13,800-171|3.13.8,800-171|3.13.11,800-53|SC-13,800-53|AC-17(2),800-53|MA-4(6),800-53|IA-7,800-53|SC-8(1)"
see_also : "https://github.com/usnistgov/macos_security"
cmd : "/usr/bin/grep -c \"^Ciphers aes256-ctr,aes192-ctr,aes128-ctr\" /etc/ssh/sshd_config"
expect : "1"
</custom_item>
Target Release Date
December 13, 2021
Additional Notes
Please see https://github.com/usnistgov/macos_security for additional information about the source content.
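
As an added example (not part of the original post, and not Tenable's or NIST's code), the shell script below runs the audit item's `grep -c` check beside a stricter parse of the first `Ciphers` directive, on constructed sample configs. The function names and sample files are assumptions, and it reads a single file without following `Include` directives.

```shell
#!/bin/sh
# Added example, not Tenable or NIST code. All sample configs are constructed.
ALLOWED="aes256-ctr,aes192-ctr,aes128-ctr"   # cipher list from the audit item

# The audit item's check: count lines that begin with the approved list.
audit_grep_count() {
    grep -c "^Ciphers $ALLOWED" "$1"
}

# Stricter check: evaluate the first Ciphers directive the way sshd reads it.
# Prints PASS or FAIL lines; exit status is 0 only on PASS.
check_fips_ciphers() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ { next }                    # ignore comment lines
    tolower($1) == "ciphers" {             # keywords are case-insensitive
        found = 1
        m = split($2, c, ",")
        if (m == 0) { print "FAIL: empty Ciphers value"; bad = 1 }
        for (i = 1; i <= m; i++)
            if (!(c[i] in ok)) { print "FAIL: non-approved cipher " c[i]; bad = 1 }
        exit                               # the first obtained value is the one used
    }
    END {
        if (!found) { print "FAIL: no Ciphers directive"; exit 1 }
        if (bad) exit 1
        print "PASS"
    }' "$1"
}

# Constructed samples: compliant, approved list with another cipher appended,
# and a non-approved directive placed ahead of the compliant one.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Ciphers %s\n' "$ALLOWED" > "$d/good"
    printf 'Ciphers %s,3des-cbc\n' "$ALLOWED" > "$d/appended"
    printf 'ciphers 3des-cbc\nCiphers %s\n' "$ALLOWED" > "$d/shadowed"
    for f in good appended shadowed; do
        printf '%s: grep=%s strict=%s\n' "$f" \
            "$(audit_grep_count "$d/$f")" "$(check_fips_ciphers "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

The `appended` and `shadowed` samples both return a count of 1 from the grep check, while the stricter parse reports a non-approved cipher for each.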