MacOS Hardening
MacOS Hardening
2 Revision 1
16
17
18 C O M P U T E R S E C U R I T Y
19
20
21 DRAFT NIST Special Publication 800-179
22 Revision 1
23
47
48
49 U.S. Department of Commerce
50 Wilbur L. Ross, Jr., Secretary
51
52 National Institute of Standards and Technology
53 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
54 Authority
55 This publication has been developed by NIST in accordance with its statutory responsibilities under the
56 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
57 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
58 including minimum requirements for federal information systems, but such standards and guidelines shall
59 not apply to national security systems without the express approval of appropriate federal officials
60 exercising policy authority over such systems. This guideline is consistent with the requirements of the
61 Office of Management and Budget (OMB) Circular A-130.
62 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory
63 and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should
64 these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of
65 Commerce, Director of the OMB, or any other federal official. This publication may be used by
66 nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
67 Attribution would, however, be appreciated by NIST.
71 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
72 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
73 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
74 available for the purpose.
75 There may be references in this publication to other publications currently under development by NIST in
76 accordance with its assigned statutory responsibilities. The information in this publication, including concepts and
77 methodologies, may be used by federal agencies even before the completion of such companion publications. Thus,
78 until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain
79 operative. For planning and transition purposes, federal agencies may wish to closely follow the development of
80 these new publications by NIST.
81 Organizations are encouraged to review all draft publications during public comment periods and provide feedback
82 to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
83 https://csrc.nist.gov/publications.
84
85 Public comment period: October 19, 2018 through November 16, 2018
86 National Institute of Standards and Technology
87 Attn: Computer Security Division, Information Technology Laboratory
88 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
89 Email: [email protected]
90 All comments are subject to release under the Freedom of Information Act (FOIA).
91
i
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
93 The Information Technology Laboratory (ITL) at the National Institute of Standards and
94 Technology (NIST) promotes the U.S. economy and public welfare by providing technical
95 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
96 methods, reference data, proof of concept implementations, and technical analyses to advance
97 the development and productive use of information technology. ITL’s responsibilities include the
98 development of management, administrative, technical, and physical standards and guidelines for
99 the cost-effective security and privacy of other than national security-related information in
100 federal information systems. The Special Publication 800-series reports on ITL’s research,
101 guidelines, and outreach efforts in information system security, and its collaborative activities
102 with industry, government, and academic organizations.
103
104 Abstract
105 This publication assists IT professionals in securing Apple macOS 10.12 desktop and laptop
106 systems within various environments. It provides detailed information about the security features
107 of macOS 10.12 and security configuration guidelines. The publication recommends and
108 explains tested, secure settings with the objective of simplifying the administrative burden of
109 improving the security of macOS 10.12 systems in three types of environments: Standalone,
110 Managed, and Specialized Security-Limited Functionality.
111
112 Keywords
113 Apple OS X; checklist; endpoint device security; hardening guide; host security; macOS; mobile
114 device security; operating system security; secure configuration.
ii
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
115
119
iii
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
iv
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
v
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
vi
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
249
251 Figure 1: System Image Utility (after selecting the source "Install macOS Sierra.app") 25
252 Figure 2: Time Machine System Backup ....................................................................... 27
253 Figure 3: Software Update Options ............................................................................... 29
254 Figure 4: Advanced Finder Preferences ........................................................................ 36
255 Figure 5: FileVault Settings ........................................................................................... 37
256 Figure 6: Spotlight Search Results ................................................................................ 40
257 Figure 7: Login Options Pane........................................................................................ 42
258 Figure 8: Setting the NTP Servers ................................................................................ 50
259 Figure 9: Gatekeeper Options ....................................................................................... 51
260 Figure 10: Sharing Options ........................................................................................... 55
261 Figure 11: Privacy Options ............................................................................................ 60
262 Figure 12: Administrator Access for System-wide Preferences..................................... 63
263 Figure 13: Siri Privacy Message .................................................................................... 64
264 Figure 14: Distribution of Security Controls ................................................................... 69
265
vii
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
314 When an IT security configuration checklist (e.g., hardening or lockdown guide) is applied to a
315 system in combination with trained system administrators and a sound and effective security
316 program (which includes a robust patch management program), a substantial reduction in
317 vulnerability exposure can be achieved. Accordingly, the National Institute of Standards and
318 Technology (NIST) has produced the Guide to Securing Apple macOS 10.12 Systems for IT
319 Professionals: A NIST Security Configuration Checklist to assist personnel responsible for the
320 administration and security of macOS 10.12 1 systems. This guide contains information that can
321 be used by system administrators to secure local macOS 10.12 desktops and laptops more
322 effectively in a variety of environments, including Standalone and Managed environments. The
323 guidance should only be applied throughout an enterprise by trained and experienced system
324 administrators.
325 The guidance presented in this document is applicable only to macOS 10.12 systems. The
326 recommendations in this guide should not be applied to systems running anything other than
327 macOS 10.12.
328 This guide provides detailed information about the security of macOS 10.12 and security
329 configuration guidelines for the macOS 10.12 operating system. The guide documents the
330 methods that system administrators can use to implement each security setting recommended.
331 The principal goal of the document is to recommend and explain tested, secure settings for
332 macOS 10.12 systems with the objective of simplifying the administrative burden of improving
333 the security of macOS 10.12 systems in three types of environments: Standalone, Managed, and
334 one custom environment labeled Specialized Security-Limited Functionality (SSLF). 2
335 • Standalone. Standalone, sometimes called Small Office/Home Office (SOHO), describes
336 small, informal computer installations that are used for home or business purposes.
337 Standalone encompasses a variety of small-scale environments and devices, ranging from
338 laptops, mobile devices, and home computers, to telework systems located on broadband
339 networks, to small businesses and small branch offices of a company. Historically,
340 Standalone environments are the least secured and most trusting. Generally, the
341 individuals performing Standalone system administration are not knowledgeable about
342 security. This can result in environments that are less secure than they need to be because
343 the focus is generally on functionality and ease-of-use.
ix
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
351 posture to be maintained across the enterprise. Generally, Managed environments are
352 more restrictive than Standalone environments.
374 Although the guidance presented in this document has undergone considerable testing, every
375 system and environment is unique, so system administrators should perform their own testing.
376 The development of the NIST security baselines 3 was driven by the need to create more secure
377 macOS 10.12 system configurations. These NIST security baselines provide guidance on how to
378 define specific configurations with varying levels of security and make certain tradeoffs that
379 depend on the target environment. Because some settings in the baselines may reduce the
380 functionality or usability of the system, caution should be used when applying the security
381 baselines. Specific settings in the baselines should be modified as needed (with due consideration
382 of the security implications, including the possible need for compensating controls) so that the
383 settings conform to local policies and support the required system functionality. NIST
384 recommends that organizations fully test the baselines on representative systems before
385 widespread deployment. Some settings may inadvertently interfere with applications, particularly
386 legacy applications that may require a less restrictive security profile.
387 The security configuration guidance provided in this document was tested on clean macOS 10.12
388 installations. NIST recommends that system administrators build their systems from a clean
389 formatted state to begin the process of securing macOS 10.12 systems. NIST recommends that
390 the installation process be performed on a secure network segment or off the organization’s
3 Refer to Appendix D, Appendix I, and Appendix J for more information on the baselines and how to implement them.
x
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
391 network until the security configuration is completed, all patches are applied, and strong
392 passwords are set for all accounts.
393 After the macOS 10.12 operating system has been installed and securely configured, it should be
394 regularly monitored and patched when necessary to mitigate software vulnerabilities. Once
395 Apple releases an update, it should be tested thoroughly and applied to all systems within an
396 organization as soon as possible. Updates to third-party applications should receive similar
397 treatment.
398 This guidance document includes recommendations for configuring selected applications built
399 into macOS 10.12, such as web browsers and email clients. This list is not intended to be a
400 complete list of applications for macOS 10.12, nor does it imply NIST’s endorsement of
401 particular products. Many of the configuration recommendations for the applications focus on
402 preventing damage from malware, either to the applications themselves or to the macOS 10.12
403 system, while the applications are being used.
404 This document provides recommendations to assist organizations in making their macOS 10.12
405 systems more secure than out-of-the-box installations. The recommendations provide system
406 administrators with the information necessary to modify the settings and to comply with local
407 policy or special situations. The baseline recommendations and settings provide a high level of
408 security for macOS 10.12 systems when used in conjunction with a sound and comprehensive
409 local security policy and other relevant security controls. The guidelines are appropriate for
410 organizational environments that are configuring and deploying laptops for mobile users and
411 desktop computers for teleworkers.
xi
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
413 This document builds on the work and recommendations presented in SP 800-179. The guidance
414 originally offered for OS X 10.10 has been updated to be compatible with macOS 10.12 systems.
415 Settings no longer configurable or applicable have been removed from the guide. Likewise,
416 additional guidance is offered for the new functionality present in version 10.12. Some settings
417 have had their recommended values changed to better align with the usability and security
418 requirements of the different usage profiles.
419 This guide no longer discusses settings that are considered secure by default. However, they are
420 still listed in the companion spreadsheet.
422 • System Integrity Protection (SIP) is the biggest new security feature introduced since
423 10.10. It prevents modification of Apple-specified system files. It is discussed further in
424 Section 3.1.
425 • Siri, added in 10.12, is Apple’s personal assistant technology. It allows for voice control
426 of the system. More information on Siri and the security concerns it raises can be found
427 in Section 6.8.5.4.
428 • Spotlight is now enhanced with Internet search functionality. Although a convenience
429 feature, all search queries are now sent to Apple and select third parties by default. See
430 Section 6.2.6 for further information on Spotlight.
431 • The system process launchctl is responsible for starting and stopping system services. It
432 can be used to disable unused features such as file sharing, thus reducing the attack
433 surface of the system. The majority of launchctl related guidance is located in Appendix
434 J.16.
435 • An account lockout password policy item is now configured. It controls how many failed
436 login attempts are permitted before a user account is locked for a predetermined length of
437 time. It can be found with other password policies in Section 6.3.4.
438 • The secure erase feature has been removed from both the Graphical User Interface (GUI)
439 and command line environments. Secure erase is not necessarily effective when used for
440 newer systems with Solid State Drive (SSD) devices. As a compensating control, a crypto
441 erase (affecting an entire device) can be performed if Filevault is enabled on the system.
xii
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
442 1. Introduction
444 This publication is designed to assist IT professionals in securing Apple macOS 10.12 desktop
445 and laptop systems. Only trained and competent system administrators should apply these
446 guidelines. Configuration of other versions of macOS, as well as macOS Server, is outside the
447 scope of this publication. Other versions of macOS are only mentioned for informative purposes.
448 The guide provides detailed information about the security features of macOS 10.12 and security
449 configuration guidelines for the macOS 10.12 operating system (OS). The guide documents the
450 methods that IT professionals can use to implement each security setting recommended. The
451 principal goal of the document is to recommend and explain tested, secure settings for macOS
452 10.12 desktops and laptops with the objective of simplifying the administrative burden of
453 improving their security in three types of environments: Standalone, Managed, and Specialized
454 Security-Limited Functionality (SSLF). The proposed controls are consistent with the minimum
455 security controls for an IT system as represented in NIST Special Publication (SP) 800-53,
456 Recommended Security Controls for Federal Information Systems and Organizations [SP 800-
457 53r4].
459 This document has been created for IT professionals, particularly system administrators and
460 information security personnel (security managers, engineers, administrators, etc.) who are
461 responsible for securing or maintaining the security of macOS 10.12 systems. Auditors and
462 others who need to assess the security of systems may also find this publication useful. The
463 document assumes that the reader has experience installing and administering macOS-based
464 systems [NISTIR 7298r2]. The document discusses various macOS 10.12 security settings in
465 technical detail.
467 The remainder of this document is organized into the following sections and appendices:
468 • Section 2 provides insight into the threats and security controls that are relevant for
469 various environments, such as a large enterprise or a home office, and describes the need
470 to document, implement, and test controls, as well as monitor and maintain systems on an
471 ongoing basis.
472 • Section 3 presents an overview of the security components offered by macOS 10.12.
473 • Section 4 provides guidelines for installing, backing up, and patching macOS 10.12
474 systems.
475 • Section 5 discusses security policy configuration and how security baselines can best be
476 used.
1
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
477 • Section 6 provides an overview of the settings in the NIST security baselines and
478 explains how the settings can provide better security for systems.
479 • Section 7 provides guidelines for IT professionals on how to use the guide effectively to
480 secure macOS 10.12 systems.
482 • Appendix B maps the guide’s security controls and baseline settings to the controls in
483 NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal
484 Information Systems and Organizations.
485 • Appendix C lists built-in tools used to create the security configuration for macOS 10.12
486 systems.
487 • Appendix D lists resources that may be useful macOS 10.12 security references.
489 • Appendix F gives a description of variables used in many Terminal commands in this
490 document.
492 • Appendix H lists processes that must be restarted to successfully apply settings.
494 • Appendix J describes all the Terminal commands needed for system configuration.
497 IT professionals should read the entire publication, including the appendices, before using
498 the security baselines or implementing any of the other recommendations or suggestions in
499 the guide. Readers with limited macOS 10.12 administration and security experience are
500 cautioned not to apply the baselines or other recommendations to systems on their own. As
501 described in Section 7, the effective use of this publication involves extensive planning and
502 testing.
2
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
504 In today’s computing environment, the security of all computing resources, from network
505 infrastructure devices to users’ desktop and laptop computers, is essential. There are many
506 threats to users’ computers, ranging from remotely launched network service exploits to malware
507 spread through emails, websites, and file downloads. Increasing the security of individual
508 computers protects them from these threats and reduces the likelihood that a system will be
509 compromised or that data will be disclosed to unauthorized parties. Effective and well-tested
510 security configurations mean that less time and money are spent eradicating malware, restoring
511 systems from backups, and reinstalling operating systems and applications. In addition, having
512 stronger host security increases network security (e.g., home, business, government, the
513 Internet); for example, most distributed denial of service attacks against networks use large
514 numbers of compromised hosts.
515 The goal of this guide is to provide security configuration guidelines to the users and system
516 administrators of macOS 10.12 systems. This advice can be adapted to any environment, from
517 individual Standalone installations to large geographically diverse organizations. This guide
518 draws on a large body of vendor knowledge, as well as government and security community
519 experience gained over many years of securing computer systems.
520 This section of the guide is based largely on the steps proposed in NIST’s FISMA (Federal
521 Information Security Management/Modernization Act) Implementation Project for achieving
522 more secure information systems. 4 Sections 2.1 and 2.2 address the need to categorize
523 information and information systems. Each macOS 10.12 system can be classified as having one
524 of three roles; each system can also be classified according to the potential impact caused by
525 security breaches. Section 2.3 describes threats and provides examples of security controls that
526 can mitigate these threats. Section 2.4 outlines the primary types of environments for information
527 systems—Standalone, Managed, and Specialized Security-Limited Functionality—and ties each
528 environment to typical threat categories and security controls. Section 2.5 briefly describes the
529 security-related documentation that affects the configuration and usage of systems and
530 applications. Section 2.6 provides a brief overview of the implementation of the security controls
531 and the importance of performing functionality and security testing. Finally, Section 2.7
532 discusses the need to monitor the security controls and maintain the system.
534 macOS security should consider the role that the system plays. In the past, macOS systems were
535 divided into three roles: inward-facing, outward-facing, and mobile. An inward-facing macOS
536 system is typically a user workstation on the interior of a network that is not directly accessible
537 from the Internet. An outward-facing macOS system is one that is directly connected to the
538 Internet. A system with a mobile role typically moves between a variety of environments and
539 physical locations. Over time, the mobile role has become the predominant role for most macOS
540 systems. Therefore, this publication assumes the mobile role.
3
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
541 Systems in the mobile role might use both traditional wired methods (e.g., Ethernet) and wireless
542 methods (e.g., IEEE 802.11) for network connectivity. The mobility of the system makes it more
543 difficult to manage centrally. It also exposes the system to a wider variety of threat
544 environments; for example, in a single day the system might be in a home environment, an office
545 environment, a wireless network hotspot, and a hotel room. An additional threat is the loss or
546 theft of the system. This could lead to loss of productivity at a minimum, but could include the
547 disclosure of confidential information or the possible opening of a backdoor into the organization
548 if remote access is not properly secured.
549 Most macOS systems today are used for the same combination of tasks: accessing websites,
550 reading email, performing instant messaging, using social networks, and conducting other tasks
551 with both work-related and personal contexts. This range of activity, as well as the frequent lack
552 of perimeter defenses, exposes macOS systems to a wider variety of threats than they were
553 exposed to in the past.
555 The classic model for information security defines three objectives of security: maintaining
556 confidentiality, integrity, and availability. Confidentiality refers to protecting information from
557 being accessed by unauthorized parties. Integrity refers to ensuring the authenticity of
558 information—that the information is not altered, and that the source of the information is
559 genuine. Availability means that information is accessible by authorized users. Each objective
560 addresses a different aspect of providing protection for information.
561 Determining how strongly a system needs to be protected is based largely on the type of
562 information that the system processes and stores. For example, a system containing medical
563 records probably needs much stronger protection than a computer only used for viewing publicly
564 released documents. This is not to imply that the second system does not need protection; every
565 system needs to be protected, but the level of protection may vary based on the value of the
566 system and its data. To establish a standard for determining the security category of a system,
567 NIST created Federal Information Processing Standard (FIPS) 199, Standards for Security
568 Categorization of Federal Information and Information Systems [FIPS 199]. FIPS 199
569 establishes three security categories—low, moderate, and high—based on the potential impact of
570 a security breach involving a particular system. The FIPS 199 definitions for each category are as
571 follows:
4
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
600 Each system should be protected based on the potential impact to the system of a loss of
601 confidentiality, integrity, or availability. Protection measures (otherwise known as security
602 controls) tend to fall into two categories. First, security weaknesses in the system need to be
603 resolved. For example, if a system has a known vulnerability that attackers could exploit, the
604 system should be patched so that the vulnerability is removed or mitigated. Second, the system
605 should offer only the minimum required functionality to each authorized user. This principle is
606 known as least privilege. 5 Limiting functionality and resolving security weaknesses have a
607 common goal: give attackers as few opportunities as possible to breach a system.
608 Although each system should ideally be made as secure as possible, this is generally not feasible
609 because the system needs to meet the functional requirements of the system’s users. Another
610 common problem with security controls is that they often make systems less convenient or more
611 difficult to use. When usability is an issue, many users will attempt to circumvent security
612 controls; for example, if passwords must be long and complex, users may write them down.
613 Balancing security, functionality, and usability is often a challenge. This guide attempts to strike
614 a proper balance and make recommendations that provide a reasonably secure solution while
615 offering the functionality and usability that users require.
616 Another fundamental principle recommended by this guide is the use of multiple layers of
617 security. For example, a host may be protected from external attack by several controls,
618 including a network-based firewall, a host-based firewall, and OS patching. The motivation for
619 having multiple layers is that if one layer fails or otherwise cannot counteract a certain threat,
5 For more information on least privilege and other fundamental principles of computer security, see “The Protection of
Information in Computer Systems” by Jerome Saltzer and Michael Schroeder, April 17, 1975
(http://web.mit.edu/Saltzer/www/publications/protection/).
5
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
620 other layers might prevent the threat from successfully breaching the system. A combination of
621 network-based and host-based controls is generally most effective at providing consistent
622 protection for systems. Note that in many situations, such as Standalone environments, there may
623 not be any network-based controls present, thus creating a reliance on layers of host-based
624 controls.
625 NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and
626 Organizations, proposes minimum baseline management, operational, and technical security
627 controls for information systems. These controls are to be implemented based on the security
628 categorizations proposed by FIPS 199, as described earlier in this section [SP 800-37r1][SP 800-
629 39]. This guidance should assist agencies in meeting baseline requirements for macOS 10.12
630 systems deployed in their environments.
632 To secure a system, it is essential first to define the threats that need to be mitigated. This
633 knowledge of threats is key to understanding the reasons that the various configuration options
634 have been chosen in this guide. Most threats against data and resources are possible because of
635 mistakes—either bugs in operating system and application software that create exploitable
636 vulnerabilities, or errors made by users and administrators. Threats may involve intentional
637 actors (e.g., an attacker who wants to access credit cards on a system) or unintentional actors
638 (e.g., an administrator who forgets to disable the user accounts of a terminated employee).
639 Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another
640 country. The following sections describe each major threat category, list possible controls,
641 provide examples of threats, and summarize the potential impact of the threat. The list of threats
642 is not exhaustive; it simply represents the major threat categories that were considered during the
643 selection of the security controls as described in this guide. Organizations should conduct risk
644 assessments to identify the specific threats against their systems and determine the effectiveness
645 of existing security controls in counteracting those threats, then perform risk mitigation to decide
646 what additional measures (if any) should be implemented [SP 800-30r1].
648 Local threats require either physical access to the system or logical access to the system (e.g., an
649 authorized user account). Local threats are grouped into three categories: boot process,
650 unauthorized local access, and privilege escalation.
652 Threat: An unauthorized individual boots a computer from third-party media (e.g., removable
653 drives, Universal Serial Bus [USB] token storage devices). This could permit the attacker to
654 circumvent operating system (OS) security measures and gain unauthorized access to
655 information.
656 Examples:
657 • While traveling, an employee misplaces a laptop, and the party that acquires it tries to see
658 what sensitive data it contains.
6
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
659 • A disgruntled employee boots a computer off third-party media to circumvent other
660 security controls so the employee can access sensitive files (e.g., confidential data stored
661 locally, local password file).
663 Impact: Unauthorized parties could cause a loss of confidentiality, integrity, and availability.
665 • Implement physical security measures (e.g., locked doors, badge access) to restrict access
666 to equipment. 6
667 • Enable a strong and difficult-to-guess password for the Extensible Firmware Interface
668 (EFI), and configure the EFI to boot the system from the local hard drive only, assuming
669 that the case containing the OS and data is physically secure. This will help protect the
670 data unless the hard drive is removed from the computer.
671 • Secure local files via encryption to prevent access to data if the physical media is placed
672 in another computer.
674 Threat: An individual who is not permitted to access a system gains local access.
675 Examples:
676 • A visitor to a company sits down at an unattended computer and logs in by guessing a
677 weak password for a user account.
678 • A former employee gains physical access to facilities and uses old credentials to log in
679 and gain access to company resources.
680 Impact: Because the unauthorized person is masquerading as an authorized user, this could
681 cause a loss of confidentiality and integrity; if the user has administrative rights, this could also
682 cause a loss of availability.
684 • Require valid username and password authentication before allowing any access to
685 system resources, and enable a password-protected screen saver. These actions help to
686 prevent an attacker from walking up to a computer and immediately gaining access.
6 Organizations should have a physical and environmental protection policy that includes requirements for providing adequate
physical security for systems and networks. Most technical controls can be easily defeated without physical security.
7
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
687 • Enable a logon banner containing a warning of the possible legal consequences of
688 misuse.
689 • Implement a password policy to enforce stronger passwords, so that it is more difficult
690 for an attacker to guess passwords.
691 • Do not use or reuse a single password across multiple accounts; for example, the
692 password for a personal email account should not be the same as that used to gain access
693 to the macOS system.
694 • Establish and enforce a checkout policy for departing employees that includes the
695 immediate disabling of their user accounts.
696 • Physically secure removable storage devices and media, such as CDs and flash drives,
697 that contain valuable information. An individual who gains access to a workspace may
698 find it easier to take removable media than attempt to get user-level access on a system.
700 Threat: An authorized user with normal user-level rights escalates the account’s privileges to
701 gain administrator-level access.
702 Examples:
705 • A user guesses the password for an administrator-level account, gains full access to the
706 system, and disables several security controls.
707 Impact: Because the user is gaining full privileges on the system, this could cause a loss of
708 confidentiality, integrity, and availability.
710 • Restrict access to all administrator-level accounts and administrative tools, configuration
711 files, and settings. Use strong, difficult-to-guess passwords for all administrator-level
712 accounts [SP 800-63-3]. These actions will make it more difficult for users to escalate
713 their privileges.
714 • Disable unused local services. Vulnerabilities in these services may permit users to
715 escalate their privileges.
716 • Install application and OS updates. These updates will resolve system vulnerabilities,
717 reducing the number of attack vectors that can be used.
718 • Encrypt sensitive data. Even administrator-level access would not permit a user to access
719 data in encrypted files.
8
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
721 Unlike local threats, remote threats do not require physical or logical access to the system. The
722 categories of remote threats described in this section are network services, data disclosure, and
723 malicious payloads.
725 Threat: Remote attackers exploit vulnerable network services on a system. This includes gaining
726 unauthorized access to services and data, and causing a denial of service (DoS) condition.
727 Examples:
728 • An attacker gains access to a system through a service that did not require authentication.
729 • An attacker impersonates a user by taking advantage of a weak remote access protocol.
730 • A worm searches for systems with an unsecured service listening on a particular port, and
731 then uses the service to gain full control of the system.
732 Impact: Depending on the type of network service that is being exploited, this could cause a loss
733 of confidentiality, integrity, and availability.
735 • Disable unused services. This provides attackers with fewer chances to breach the
736 system.
737 • Install application and OS updates. These updates will resolve system software
738 vulnerabilities, reducing the number of attack vectors that can be used.
744 • Do not use weak remote access protocols and applications; instead, use only accepted,
745 industry standard strong protocols (e.g., Internet Protocol Security [IPsec], Secure Shell
746 [SSH], Transport Layer Security [TLS]) for accessing and maintaining systems remotely.
747 • Use firewalls or packet filters to restrict access to each service to the authorized hosts
748 only. This prevents unauthorized hosts from gaining access to the services and also
749 prevents worms from propagating from one host to other hosts on the network.
750 • Enable logon banners containing a warning of the possible legal consequences of misuse.
9
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
752 Threat: A third party intercepts sensitive data sent over a network.
753 Examples:
757 • An attacker intercepts usernames and passwords sent in plaintext over a local network
758 segment or a wireless network.
760 Impact: The interception of data could lead to a loss of confidentiality and/or data integrity. For
761 example, if authentication data (such as passwords) are intercepted, it could cause a loss of
762 confidentiality and integrity, and possibly a loss of availability.
764 • Use switched networks for wired networks, which make it more difficult to sniff
765 packets. 7
766 • Use a secure user identification and authentication system, preferably with multifactor
767 authentication.
768 • Encrypt network communications or application data with various protocols (e.g., TLS,
769 IPsec, SSH, WPA2) particularly when accessing the Internet from public Wi-Fi. This
770 protects the data from being accessed by a third party. Where possible, use signatures and
771 MACs (message authentication codes) to provide integrity.
772 • Use trusted and known Domain Name System (DNS) servers.
774 Threat: Malicious payloads such as viruses, worms, Trojan horses, and active content attack
775 systems through many vectors. End users of the system may accidentally trigger malicious
776 payloads.
777 Examples:
7 Switched networks cannot completely prevent packet sniffing. For example, techniques such as address resolution protocol
(ARP) spoofing can be used to convince a switch to direct traffic to an attacker’s machine instead of the intended
destination. The attacker’s machine can then forward the packets to the legitimate recipient.
10
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
778 • A user visits a web site and downloads a free game that includes a Trojan horse. When
779 the user installs the game on her computer, the Trojan horse is also installed, which
780 compromises the system.
781 • A user with administrative-level privileges surfs the web and accidentally visits a
782 malicious web site, which successfully infects the user’s system.
783 • A user opens and executes a payload that was attached to a spam or spoofed message.
786 Impact: Malware often gains full administrative-level privileges to the system, or inadvertently
787 crashes the system. Malware may cause a loss of confidentiality, integrity, and availability.
789 • Operate the system on a daily basis with a standard or managed user account. Only use
790 administrator-level accounts when needed for specific maintenance tasks. Many instances
791 of malware cannot successfully infect or remain persistent on a system unless the current
792 user has administrative privileges.
793 • Educate users on avoiding malware infections, and make them aware of local policy
794 regarding the use of potential transmission methods, such as instant messaging (IM)
795 software, social network services, and unknown or untrusted applications not downloaded
796 from Apple’s App Store. Users who are familiar with the techniques for spreading
797 malware should be less likely to infect their systems.
798 • Use antimalware software as an automated way of preventing most infections and
799 detecting the infections that were not prevented.
800 • Use application whitelisting technology to allow authorized applications to run and
801 communicate externally over the network.
802 • Use email clients that support spam filtering—automatically detecting and quarantining
803 messages that are known to be spam or have the same characteristics as typical spam.
804 • Use multiple web browsers. Although, browsers provide sandboxing technology to
805 isolate the sessions, dedicate one browser to casual Internet surfing and searching. Use a
806 second browser to interact with personal or work-related sensitive sites and services.
807 • Use multifactor authentication mechanisms, particularly when accessing sensitive remote
808 services and data.
809 • Do not install or use non-approved applications (e.g., P2P, IM) to connect to unknown
810 servers. Educate users regarding the potential danger caused by P2P, IM, social network
11
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
811 services, and unknown, untrusted, and unsigned software applications not downloaded
812 from the App Store.
813 • Configure server and client software, such as email servers and clients, web proxy servers
814 and clients, and productivity applications to reduce exposure to malware. For example,
815 email servers and clients could be configured to block email attachments with certain file
816 types. This should help to reduce the likelihood of infections.
820 This section has described various types of local and remote threats that can negatively affect
821 systems. The possible controls listed for the threats are primarily technical, as are the controls
822 discussed throughout this document. However, it is important to further reduce the risks of
823 operating a macOS system by also using management and operational controls. Examples of
824 important operational controls are restricting physical access to a system; performing
825 contingency planning [SP 800-34r1]; backing up the system, storing the backups in a safe and
826 secure location, and testing the backups regularly; and monitoring Apple mailing lists for
827 relevant security bulletins. Management controls could include developing policies regarding
828 macOS system security and creating plans for maintaining macOS systems. By selecting and
829 implementing management, operational, and technical controls for macOS, organizations can
830 better mitigate the threats that macOS systems may face.
831 Another reason to use multiple types of controls is to provide better security in situations where
832 one or more controls are circumvented or otherwise violated. This may be done not only by
833 attackers, but also by authorized users with no malicious intent. For example, taping a list of
834 passwords to a monitor for convenience may nullify controls designed to prevent unauthorized
835 local access to that system. Establishing a policy against writing down passwords (management
836 control), educating users on the dangers of password exposure (operational control), and
837 performing periodic physical audits to identify posted passwords (operational control) may all be
838 helpful in reducing the risks posed by writing down passwords. On macOS, the keychain
839 application is available to manage passwords. See Section 6.3.6 for more information. Technical
840 controls may be helpful as well, such as using Personal Identity Verification (PIV) smart cards
841 [CSD16], derived PIV [SP 800-157] credentials, or another method other than (or in addition to)
842 passwords for system authentication (preferably multifactor authentication).
844 This section describes the types of environments in which a macOS host may be deployed—
845 Standalone, Managed, and custom—as described in the NIST National Checklist Program (NCP)
846 [SP 800-70r4]. The typical custom environment for macOS is Specialized Security-Limited
847 Functionality, which is for systems at high risk of attack or data exposure, with security taking
848 precedence over functionality. Each environment description summarizes the primary threats and
849 controls that are typically part of the environment.
12
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
851 Standalone, sometimes called Small Office/Home Office (SOHO), describes small, informal
852 computer installations that are used for home or business purposes. Standalone encompasses a
853 variety of small-scale environments and devices, ranging from laptops, mobile devices, and
854 home computers, to telework systems located on broadband networks, to small businesses and
855 small branch offices of a company. Historically, Standalone environments are the least secured
856 and most trusting. Generally, the individuals performing Standalone system administration are
857 less knowledgeable about security. This often results in environments that are less secure than
858 they need to be because the focus is usually on functionality and ease-of-use. A Standalone
859 system might not use any security software (e.g., antimalware software, host-based firewall). In
860 some instances, there are no network-based controls such as firewalls, so Standalone systems
861 may be directly exposed to external attacks. Therefore, Standalone environments are frequently
862 targeted for exploitation.
863 Because the primary threats in Standalone environments are external, and Standalone computers
864 generally have less restrictive security policies than Managed or Specialized Security-Limited
865 Functionality computers, they tend to be most vulnerable to attacks from remote threat
866 categories. (Although remote threats are the primary concern for Standalone environments, it is
867 still important to protect against other threats.) Standalone systems are typically threatened by
868 attacks against network services and by malicious payloads (e.g., viruses, worms). These attacks
869 are most likely to affect availability (e.g., crashing the system, consuming all network
870 bandwidth, breaking functionality) but may also affect integrity (e.g., infecting data files) and
871 confidentiality (e.g., providing remote access to sensitive data, emailing data files to others).
872 Standalone security has improved with the proliferation of small, inexpensive, hardware-based
873 firewall routers that protect, to some degree, the Standalone machines behind them. The adoption
874 of host-based firewalls is helping to better secure Standalone environments. Another key to
875 Standalone security is strengthening the hosts on the Standalone network by patching
876 vulnerabilities and altering settings to restrict unneeded functionality. The simplicity of a
877 Standalone environment allows updates and patches to be applied quickly after they are released,
878 because the updates are being delivered directly from the vendor, with no delays for local
879 review.
881 The Managed environment, also known as an Enterprise environment, is typically comprised of
882 large organizational systems with defined, organized suites of hardware and software
883 configurations, usually consisting of centrally-managed workstations and servers protected from
884 threats on the Internet with firewalls and other network security devices. Managed environments
885 generally have a group dedicated to supporting users and providing security. The combination of
886 structure and skilled staff allows better security practices to be implemented during initial system
887 deployment and in ongoing support and maintenance. Managed installations typically use a
888 domain model to effectively manage a variety of settings and allow the sharing of resources (e.g.,
889 file servers, printers). The enterprise can enable only the services needed for normal business
890 operations, with other possible avenues of exploit removed or disabled. Authentication, account,
13
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
891 and policy management can be administered centrally to maintain a consistent security posture
892 across an organization.
893 The Managed environment is more restrictive and provides less functionality than the Standalone
894 environment. Managed environments typically have better control on the flow of various types of
895 traffic, such as filtering traffic based on protocols and ports at the enterprise’s connections with
896 external networks. Because of the supported and largely homogeneous nature of the Managed
897 environment, it is typically easier to use more functionally-restrictive settings than it is in
898 Standalone environments. Managed environments also tend to implement several layers of
899 defense (e.g., firewalls, antimalware servers, intrusion detection systems, patch management
900 systems, email filtering), which provide greater protection for systems. In many Managed
901 environments, interoperability with legacy systems may not be a major requirement, further
902 facilitating the use of more restrictive settings. In a Managed environment, this guide should be
903 used by advanced users and system administrators. The Managed environment settings
904 correspond to an enterprise security posture that will protect the information in a moderate risk
905 environment.
906 In the Managed environment, systems are typically susceptible to local and remote threats. In
907 fact, threats often encompass all the categories of threats defined in Section 2.3. Local attacks,
908 such as unauthorized usage of another user’s workstation, most often lead to a loss of
909 confidentiality (i.e., unauthorized access to data) but may lead to a loss of integrity (i.e., data
910 modification) or availability (i.e., theft of a system). Remote threats may be posed not only by
911 attackers outside the organization but also by internal users who are attacking other internal
912 systems across the organization’s network. Most security breaches caused by remote threats
913 involve malicious payloads sent by external parties, such as malware acquired via email or
914 infected websites. Threats against network services tend to affect a smaller number of systems
915 and may be caused by internal or external parties. Both malicious payloads and network service
916 attacks are most likely to affect availability (e.g., crashing the system, consuming all network
917 bandwidth, breaking functionality) but may affect integrity (i.e., infecting data files) and
918 confidentiality (i.e., providing remote access to sensitive data). Data disclosure threats tend to
919 come from internal parties who are monitoring traffic on local networks, and they primarily
920 affect confidentiality.
14
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
933 payroll processing, air traffic control). These computers might be targeted by third parties for
934 exploitation, but also might be targeted by trusted parties inside the organization.
935 An SSLF environment could be a subset of a Standalone or Managed environment. For example,
936 three desktops in a Managed environment that hold confidential employee data could be thought
937 of as an SSLF environment within a Managed environment. In addition, a laptop used by a
938 mobile worker might be an SSLF environment within a Standalone environment. An SSLF
939 environment might also be a self-contained environment outside any other environment—for
940 instance, a government security installation dealing in sensitive data.
941 Systems in SSLF environments face the same threats as systems in Managed environments.
942 Threats from both insiders and external parties are a concern. Because of the risks and possible
943 consequences of a compromise in an SSLF environment, it usually has the most functionally
944 restrictive and secure configuration. The suggested configuration is complex and provides the
945 greatest protection at the expense of ease-of-use, functionality, and remote system management.
946 In an SSLF environment, this guide is targeted at experienced security specialists and seasoned
947 system administrators who understand the impact of implementing these strict requirements.
949 An organization typically has many documents related to the security of macOS systems.
950 Foremost among the documents is a macOS security configuration guide that specifies how
951 macOS systems should be configured and secured. 8 As mentioned in Section 2.2, NIST SP 800-
952 53 proposes management, operational, and technical security controls for systems, each of which
953 should have associated documentation. In addition to documenting procedures for implementing
954 and maintaining various controls, every environment should also have other security-related
955 policies and documentation that affect the configuration, maintenance, and usage of systems and
956 applications. Examples of such documents are as follows:
962 • Security awareness and training for end users and administrators.
8 Organizations should verify that their macOS security configuration guides are consistent with this publication.
Organizations without macOS security configuration guides should modify this document to create a configuration guide
tailored for their environments.
15
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
964 Implementing security controls can be a daunting task. As described in Section 2.2, many
965 security controls have a negative impact on system functionality and usability. In some cases, a
966 security control can even have a negative impact on other security controls. For example,
967 installing a patch could inadvertently break another patch, or enabling a firewall could
968 inadvertently block antimalware software from automatically updating its supporting content or
969 disrupt patch management software, remote management software, and other security and
970 maintenance-related utilities. Therefore, it is important to perform testing for all security controls
971 to determine what impact they have on system security, functionality, and usability, and to take
972 appropriate steps to address any significant issues.
973 As described in Section 5, NIST has compiled a set of security baselines as well as additional
974 recommendations for security-related configuration changes. The controls proposed in this guide
975 and the NIST macOS security baselines are consistent with the FISMA controls, as discussed in
976 Section 2.2. See Section 5 for more information on the composition and use of these baselines.
977 Although the guidelines presented in this document have undergone considerable testing, every
978 system is unique, so it is possible for specific settings to cause unexpected problems. System
979 administrators should perform their own testing, especially for the applications used by their
980 organizations, to identify any functionality or usability problems before the guidance is deployed
981 throughout organizations. 9 It is important to confirm that the desired security settings have been
982 implemented properly and are working as expected.
984 Every system needs to be monitored (ideally, continuously) and maintained on a regular basis so
985 that security issues can be identified and mitigated promptly, reducing the likelihood of a
986 security breach. However, no matter how carefully systems are monitored and maintained,
987 incidents may still occur, so organizations should be prepared to respond to them [SP 800-
988 61r2]. 10 Depending on the environment, some preventative actions may be partially or fully
989 automated. Guidance on performing various monitoring and maintenance activities is provided in
990 subsequent sections of this document or other NIST publications. Recommended actions include
991 the following:
993 • Acquiring and installing software updates (e.g., OS and application patches, antimalware
994 supporting content).
9 Any changes made to the baselines or settings should be documented as part of the overall documentation of macOS
systems’ security configuration.
10 Organizations should have an incident response policy and a formal incident response capability. For guidance on incident
handling preparation and execution, see NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, available
at https://doi.org/10.6028/NIST.SP.800-61r2.
16
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
995 • Monitoring event logs to identify problems and suspicious activity such as installation of
996 unsanctioned software applications.
998 • Monitoring changes to OS and software settings, as configuration drifts may occur over
999 time.
1002 • Assessing the security posture of a system through vulnerability assessments [SP 800-
1003 115].
1004 • Disabling unneeded user accounts and deleting accounts that have been disabled for some
1005 time.
1006 • Maintaining system, peripheral, and accessory hardware (periodically and as needed),
1007 and logging all hardware maintenance activities.
1009 • Protect each system based on the potential impact to the system of a loss of
1010 confidentiality, integrity, or availability.
1011 • Reduce the opportunities that attackers have to breach a system by resolving security
1012 weaknesses and limiting functionality according to the principle of least privilege.
1013 • Select security controls that provide a reasonably secure solution while supporting the
1014 functionality and usability that users require.
1015 • Use multiple layers of security so that if one layer fails or otherwise cannot counteract a
1016 certain threat, other layers might prevent the threat from successfully breaching the
1017 system.
1018 • Conduct risk assessments to identify threats against systems and determine the
1019 effectiveness of existing security controls in counteracting the threats. Perform risk
1020 mitigation to decide what additional measures (if any) should be implemented.
1021 • Document procedures for implementing and maintaining security controls. Maintain
1022 other security-related policies and documentation that affect the configuration,
1023 maintenance, and usage of systems and applications, such as an acceptable use policy, a
1024 configuration management policy, and IT contingency plans.
1025 • Test all security controls, including the settings in the NIST security baselines, to
1026 determine what impact they have on system security, functionality, and usability. Take
17
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1027 appropriate steps to address any significant issues before applying the controls to
1028 production systems.
1029 • Monitor and maintain systems on a regular basis so that security issues can be identified
1030 and mitigated promptly. Actions include acquiring and installing software updates,
1031 monitoring event logs, providing remote system administration and assistance,
1032 monitoring changes to OS and software settings, protecting and sanitizing media,
1033 responding promptly to suspected incidents, performing vulnerability assessments,
1034 disabling and deleting unused user accounts, and maintaining hardware.
1035
18
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1037 This section presents an overview of selected security features offered by the macOS operating
1038 system (OS). This section highlights the security features and security-supporting features in
1039 macOS 10.12, such as privacy protection, anti-malware, and firewall capabilities.
1041 A new feature called System Integrity Protection (SIP) was added in OS X 10.11. 11 SIP prevents
1042 modification of many system files and directories by all users including root. These files can
1043 only be modified by specific Apple-signed processes, such as Apple software updates and
1044 installers. As a result, such files can no longer be customized for a secure configuration and
1045 many file permission settings have been removed from this guide. Protected files and directories
1046 include: /System, /usr, /bin, /sbin, and built-in applications. All protected files and directories
1047 are listed in the file /System/Library/Sandbox/rootless.conf. This list is shown in Appendix I.1.
1049 Gatekeeper was a new feature in OS X 10.8 that essentially enforces high-level application
1050 whitelisting for installing applications. Already-installed applications are unaffected by
1051 Gatekeeper settings. There are two configuration options for Gatekeeper: to allow only
1052 applications from the App Store and to allow only applications from the App Store and
1053 “identified developers.” 12 These settings can be overridden by right-clicking a restricted
1054 application in Finder, selecting “Open” and then providing administrator-level credentials, if
1055 requested. These actions only need to be performed once for each application.
1057 In macOS 10.12, software updates are obtained from the App Store. The system can be
1058 configured to automatically download and install updates. See Section 4.3 for more information
1059 on macOS updates.
1061 macOS provides several privacy settings to allow users control over the actions performed with
1062 their information. Examples include the following:
1063 • Activating or deactivating Location Services, and restricting which applications can use
1064 Location Services;
1065 • Controlling which applications can access the user’s Calendar and Contacts;
19
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1069 A keychain is a mechanism for securely storing user passwords for applications and other small
1070 pieces of sensitive information, such as cryptographic keys, digital certificates, and account
1071 numbers. Using a keychain can greatly reduce the number of passwords that have to be
1072 remembered. The keychain itself has a password that must be entered to gain access to the
1073 passwords stored in the keychain; this protects the keychain contents from being accessed by
1074 unauthorized users. Because only a single password has to be remembered, more complex,
1075 harder-to-guess passwords can be chosen for applications.
1076 By default, keychains are stored locally. Keychains can also be saved to removable media, such
1077 as a USB flash drive. 13 This allows passwords to be securely transported between Mac
1078 computers. A user can have multiple keychains, such as a portable keychain with only those
1079 passwords that need to be used on multiple computers, and a regular keychain (stored on the
1080 local computer) with the other passwords.
1082 macOS offers two host-based firewalls—an application-based one that can be configured
1083 through the GUI, and a protocol-based one that can be configured through the command line.
1084 The application-based firewall filters incoming network traffic only, by application, based on the
1085 digital signature of each application. For example, it can be configured to prohibit the use of
1086 email services (e.g., SMTP, POP3, etc.) when they are employed by applications other than the
1087 designated email client application, and it can prohibit the use of all email services when the
1088 designated email client application is not running. If an organization wants to prohibit the use of
1089 chat services, it can configure the application-based firewall to block all incoming chat service
1090 attempts.
1091 The protocol-based firewall, pf 14, is a stateful inspection firewall that can restrict both incoming
1092 and outgoing network traffic based on the TCP and UDP port numbers that the traffic uses. pf is
1093 intended to be used by administrators and advanced users who want stronger protection and more
1094 control over network traffic than the application-based firewall can provide. Rules for the
1095 application-based firewall and the pf firewall may conflict with each other, but if either firewall
1096 denies access, the traffic is blocked. If “Enable stealth mode” or “Block all incoming
1097 connections” is enabled through the application firewall, pf is activated with a set of predefined
1098 rules. Creating custom rules for the application firewall, however, does not make rules for or
1099 enable pf. Additional information about pf is located in Section 6.6.1.
13 Consult your organization’s removable media policies to determine if this is acceptable in your environment.
14 Before OS X 10.8, the protocol-based firewall was called ipfw. The pf firewall provides similar functionality to ipfw.
20
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1101 macOS 10.12 is FIPS approved and supports three forms of storage encryption: FileVault 15,
1102 FileVault 2, and Disk Utility. These encryption methods possess varying functionality and
1103 strengths. However, NIST recommends the full disk encryption capability provided by FileVault
1104 2 or equivalent third-party validated solution.
1105 FileVault 2 provides full disk encryption [SP 800-111] via the XTS-AES 128-bit encryption
1106 algorithm. Full disk encryption offers more coverage than just encrypting the home folder
1107 portions of the disk. FileVault 2 requires that the Recovery Partition (which typically is hidden
1108 from user view) be installed on the startup volume.
1109 FileVault 2 cannot be used to encrypt data stored on removable media, network drives, and other
1110 non-local locations. For those cases, macOS provides Disk Utility, which performs many
1111 functions, including the encryption of disk images. A disk image is a file that contains encoded
1112 files and folders. Disk Utility can encrypt disk images, which allows encrypted files to be sent to
1113 others via email, file transfers, etc., and to be stored securely on removable media, network
1114 shares, and other locations. Disk Utility supports the FIPS 140 approved algorithms 128-bit and
1115 256-bit AES encryption. In addition to encrypting disk images, macOS offers a method for
1116 producing encrypted backups on external media using Time Machine, which is explained in
1117 Section 4.2.
1119 The following are examples of macOS 10.12’s code execution protection features:
1120 • Address space layout randomization (ASLR) is a security technique that is supported by
1121 many operating systems, including macOS 10.12. When ASLR is used, executables and
1122 their related components (e.g., libraries, etc.) are placed into memory at random
1123 locations, so that an attacker (or malware) cannot predict or readily guess where one
1124 component is located based on the location of another component. ASLR is built into
1125 macOS 10.12, and the OS provides no option for disabling or otherwise configuring it.
1126 • Execute disable (XD) is a feature built into the CPUs of macOS 10.12 systems that
1127 separates data and executables in memory. This helps to deter an attacker from injecting
1128 malicious “data” and then executing that data. There is no option for disabling XD.
1129 • Several macOS features rely on application signing to identify particular applications and
1130 verify their integrity—examples include the application-based firewall and the keychains.
1131 Apple signs applications included with macOS, and third-party applications may be
1132 signed by their developers as well. The operating system may sign applications for use
1133 with certain OS features.
15 macOS 10.12 does not support new instantiations of legacy FileVault. For more information on legacy FileVault, consult the
previous version of this guide, SP 800-179.
21
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1134 • macOS offers application sandboxing. This separates an application from the rest of the
1135 host in designated ways, dictating which resources it is allowed to utilize. One benefit of
1136 sandboxing is that it prevents one application from accessing another application’s data.
1137 Other benefits include restricting an application’s network and file access. However,
1138 sandbox support must be built into the application, and the user cannot force an
1139 application to run in a sandbox. Sandboxing is used for all new applications on the App
1140 Store.
1141 • macOS has a quarantine feature for downloaded files. When a file is downloaded from an
1142 external source, such as a web server or an email attachment, the application that
1143 downloaded it (i.e., Safari, Mail, or Messages) tags it as quarantined. When a user
1144 attempts the execution of a quarantined file, the user is presented with the download
1145 metadata (timestamp and location) and asked whether he or she still wants to execute the
1146 file or not. If the user agrees to execute it, the quarantine tagging is removed. The
1147 purpose of quarantining is to reduce the likelihood that a user will run a malicious
1148 executable that he or she has downloaded.
1150 macOS secures its virtual memory by encrypting it, thwarting attempts to extract sensitive data
1151 from it. This feature has been enabled by default since version 10.6. Disabling virtual memory
1152 encryption is not possible after version 10.8.
1154 macOS provides application whitelisting capabilities through its Parental Controls feature. This
1155 feature, if enabled, restricts which installed applications may be executed by a particular user.
1156 See Section 6.5.2 for additional information.
22
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1158 This section provides guidance on installing, backing up, and patching macOS systems, as well
1159 as migrating data between macOS systems and identifying security issues in macOS systems.
1161 This section discusses the basic methods for performing a macOS 10.12 installation, both for
1162 new installations and for upgrades. This section breaks down the installation process into three
1163 phases: media sanitization, old patches, and OS installation, migration, and upgrades. NIST
1164 recommends performing clean installations, when possible.
1166 Appropriate methods for media sanitization are determined by the operating environment. For
1167 Standalone systems where FileVault is enabled, it is sufficient to erase the encryption keys. For
1168 SSLF and Managed systems, please defer to the organization’s policy on media sanitization.
1169 More information on NIST’s media sanitation guidance is located in [SP 800-88r1].
1171 NIST recommends performing a clean install. However, when a clean install is not possible, old
1172 patches should be installed prior to an OS upgrade. 16 If a system is being upgraded from a
1173 previous version of macOS, it is recommended that all existing patches be installed for the OS
1174 before doing the upgrade. Also, if a new installation is being performed, but data is being
1175 migrated from an old system, it is recommended that the old system’s OS be fully patched first.
1177 For macOS, new installations, upgrades, and reinstallations use the same software. A new
1178 installation can be performed as “clean” or as a reinstall over an existing macOS 10.12
1179 installation. Apple recommends doing a clean install if macOS 10.12 is already installed. This
1180 section will only provide instructions for clean installations and upgrades, not reinstallations.
1181 New installations and upgrades follow the same basic process, except that new installations will
1182 ask more questions than an upgrade. For example, when a new installation occurs, the Setup
1183 Assistant performs operations such as configuring networking and creating an initial
1184 administrator account that are not necessary for an upgrade. The Installer presents the user with
1185 the option to run the Migration Assistant, which can transfer a user’s configuration settings,
1186 accounts, data, etc. from another macOS system. See Section 4.1.4 for more on the Migration
1187 Assistant.
1188 As of September 2017, it is no longer possible to obtain a new copy of macOS 10.12 from Apple
1189 via the App Store. However, 10.12 can be downloaded using an Apple account that has
23
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1190 previously downloaded the OS. It can be obtained through the Purchased tab in the App Store.
1191 Organizations should retain a copy of the version of macOS that comes with new systems so that
1192 they can restore to that version later if necessary. 17
1193 There are several methods of performing an installation or upgrade. These tend to fall into two
1194 categories:
1195 • A dynamic installation process, involving performing a full installation of macOS 10.12
1196 from installation media, then completing the configuration of the installed system (e.g.,
1197 configuring security settings).
1198 • The monolithic imaging process, which refers to setting up and configuring one system
1199 completely, then cloning it (creating an image of it) and copying that image to other
1200 systems. After the image is put in place, minor configuration changes may be needed,
1201 such as setting a unique system name and adding accounts for local users.
1202 Administrators should be aware that, by default, the macOS installer creates a recovery partition
1203 that is used in the event of a system failure. The recovery partition is also required to enable
1204 FileVault. This is a good recovery mechanism, but it may present another attack vector.
1205 The subsections below provide more detail on the available installation methods.
1207 System Image Utility is an Apple-provided utility that is available on macOS 10.12. System
1208 Image Utility is used to create a network disk image, which refers to a disk image that is
1209 accessible over a network. As part of the disk image creation process, the images can be
1210 preloaded with configuration profiles provided by Profile Manager. When the disk images are
1211 accessed over a network, a Mac with macOS Server software is required to host them.
1212 Depending on the source media available, the utility supports up to three image creation options,
1213 described below in Figure 1. 18 All image creation options are available if the OS installer app file
1214 is located in the Applications directory and selected in System Image Utility.
17 If macOS 10.12 was never downloaded, it will not be available for download, even if the computer is already running
macOS 10.12.
18 For more information on image creation see https://support.apple.com/en-us/HT202061.
24
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1215
1216 Figure 1: System Image Utility (after selecting the source "Install macOS Sierra.app")
1217
1218 • NetBoot: Boot a macOS 10.12 system from a remote network disk image (i.e., stored on
1219 a macOS Server). This image type is not appropriate for deploying images to systems,
1220 only for running systems remotely from an image.
1221 • NetInstall: Install macOS 10.12 from a remote network disk image. This is similar to
1222 using the standard macOS 10.12 installer. It allows an administrator to select which
1223 macOS 10.12 packages are installed on a local system. The administrator will be
1224 responsible for configuring the system properly after the installation completes. In 10.12,
1225 it is now possible to create a NetInstall image with configuration profiles, scripts or other
1226 packages. This can be created separately from OS installation media.
1227 • NetRestore: Restore a macOS 10.12 volume from a remote Apple Software Restore disk
1228 image. This type of system image is a clone of a configured macOS 10.12 system, and
1229 using this image will restore the cloned image onto a local system. There are no
1230 configuration options available for a NetRestore installation; the entire cloned image will
1231 be restored onto the system.
1232 NetRestore images are used with Apple Software Restore (program name asr), which is a
1233 command-line utility included in macOS 10.12 systems that can restore a system based on a
1234 NetRestore image.
25
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1235 Note that there must be a DHCP server on the local network at boot time for the client to connect
1236 to the image storing machine. macOS Server can provide a DHCP server. To enable a DHCP
1237 server in the macOS Server application, expand the Advanced section on the left pane, select
1238 DHCP, and then toggle the On/Off switch.
1240 There is a variety of third-party utilities that can perform custom installations of macOS 10.12.
1241 These utilities perform “imaging,” but this is more complicated than simply copying an image to
1242 a host. Instead, these utilities perform modular installations of macOS 10.12 components that
1243 include extensive configuration of the system. The utilities can also execute scripts to perform
1244 customizations that are not directly supported by the utilities.
1245 The advantage of using third-party utilities for installing macOS 10.12 is that they can handle
1246 both installation and configuration in an integrated and automated way, and administrators
1247 therefore do not have to do installation and configuration as separate steps. Configuration in
1248 particular can be a tedious manual process, although automated tools are increasingly available
1249 for implementing configurations. It is entirely feasible to do a standard macOS installation and
1250 then use a third-party utility to configure that installation.
1252 Migration Assistant is a utility built into macOS 10.12 that can “transfer user accounts,
1253 applications, and computer settings” and data to a macOS 10.12 system from another Mac, a
1254 Windows PC, a disk from a Mac or PC, or a Time Machine backup. Although Migration
1255 Assistant can be very helpful at transferring user data (e.g., files) and profiles (i.e., accounts), it
1256 can inadvertently cause problems by migrating compromised, vulnerable, or outdated
1257 applications, as well as migrating security misconfigurations from one system to another.
1258 It is recommended that Migration Assistant only be used to transfer user data and local profiles 19,
1259 preferably through Time Machine backups. Applications should not be migrated using Migration
1260 Assistant. Data and profiles should not be migrated until after macOS 10.12 and all applications
1261 have been installed and fully patched.
1263 NIST recommends that data are backed up regularly and protected with a strong password. To
1264 increase the availability of data in the case of a system failure or data corruption caused by a
1265 power failure or other event, macOS has built-in capabilities to back up and restore data and
1266 systems. Time Machine is the built-in backup and restore utility. It does not provide all of the
1267 advanced backup and security features that third-party backup and restore utilities may offer, but
1268 it can encrypt its backups, and recover an entire disk in case of failure. It does backup updates
1269 once an hour, as long as the backup media is available, so it provides very granular backups.
19 If a macOS system uses a domain account (non-local account), the account itself should not be migrated using Migration
Assistant. Only local accounts should be migrated.
26
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1270 By default, Time Machine is disabled. To enable it, go to System Preferences / Time Machine,
1271 and set it to “ON”. To configure it, click the “Select Disk…” button, select the disk that will hold
1272 the backups, enable the “Encrypt backups” option, and then click the “Use Disk” button. The
1273 system may prompt the user to allow the backup media to be erased and reformatted for
1274 compatibility. The system will also prompt the administrator to enter a backup password (to
1275 encrypt the backup) and a password hint. The administrator should enter a strong password to
1276 protect the backup and enter nothing useful for a password hint, to better protect the password.
1277 This password will be required every time the Time Machine backup media is connected to the
1278 macOS system, and to recover from a previously encrypted backup. However, the password can
1279 be saved in a keychain for automatic unlocking of the disk when it is connected. See Figure 2 for
1280 a sample Time Machine configuration.
1281
1282 Figure 2: Time Machine System Backup
1283 When using an encrypted Time Machine disk, it is important to understand that a different
1284 (perhaps newer) version of macOS may not be able to restore from the encrypted Time Machine
1285 disk or may restore an invalid configuration. When using encrypted Time Machine backups, it is
1286 therefore important to have access to a macOS system running the same version (e.g., macOS
1287 10.12) that was used to create the backups in order to guarantee the ability to recover backed-up
1288 data.
1289 Another backup option built into macOS is iCloud. iCloud is available for limited backup
1290 capabilities, such as duplicating contacts in the cloud. Organizations should disable iCloud
1291 unless there is a specific reason to be using it for backup purposes or other reasons. Note that
1292 disabling iCloud also prevents use of the Find My Mac utility, which itself can pose security and
27
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1293 privacy risks. Location services must be running in order to use Find My Mac; 20 the use of
1294 location services is not recommended, however. To disable iCloud, go to System Preferences /
1295 iCloud, and deselect all of the services listed in the pane (Mail, Contacts, Calendars &
1296 Reminders, etc.) Note that users can re-enable iCloud without administrative privileges.
1297 Besides the backup methods provided by Apple, there are also various third-party local and
1298 enterprise utilities for backing up and restoring files and systems. These can be used instead of or
1299 in addition to the Apple backup methods. Regardless of the backup method chosen, it is very
1300 important to verify periodically that backups and restores can be performed successfully; backing
1301 up a system regularly will not be beneficial if the backups are corrupted or the wrong files are
1302 being backed up, for example.
1303 Organizations should have policies and procedures that address the entire backup and recovery
1304 process, as well as the protection and storage of backup and recovery media. Because backups
1305 may contain sensitive user data as well as system configuration and security information (e.g.,
1306 passwords and KeyChain database), backup media should be properly protected to prevent
1307 unauthorized access. For additional guidance on backups and backup security, see [SP 800-
1308 34r1].
1310 It is essential to keep a system’s operating system and applications up to current patch levels to
1311 eliminate known vulnerabilities and weaknesses. Apple provides two mechanisms for
1312 distributing security updates for Apple-provided software: the App Store and manual package
1313 updates. These are discussed below. There are also third-party applications that can be used to
1314 manage both Apple and non-Apple patches, and some non-Apple applications can update
1315 themselves automatically as well. Organizations should use one or more of these update
1316 mechanisms to ensure that the operating system and major applications are kept fully patched.
1317 For more information on enterprise patch management and general recommendations for
1318 patching, see [SP 800-40r3].
1320 Through the App Store preferences pane, a macOS system can be configured to check the App
1321 Store automatically every day for new updates, download them, and install them. Using the App
1322 Store is the preferred update mechanism for Standalone systems. If using this technique to keep a
1323 macOS system up-to-date, organizations should configure it to do the checks, downloads, and
1324 installations automatically. Figure 3 shows these options enabled. Note that because
1325 administrator-level credentials are needed for installation, update installation cannot be fully
1326 automated for typical users (who should not be running as administrator on a daily basis).
20 https://support.apple.com/kb/PH25730?locale=en_US
28
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1327
1328 Figure 3: Software Update Options
1329 Some organizations do not want the latest updates applied immediately to their macOS systems.
1330 For example, in a Managed environment, it may be undesirable for updates to be deployed to
1331 production systems until macOS administrators and security administrators have tested them. In
1332 addition, in large environments, many systems may need to download the same update
1333 simultaneously. This could cause a serious impact on network bandwidth. Organizations with
1334 such concerns often establish a local update server (using macOS Server) that contains approved
1335 updates and restrict the locations from which macOS systems can retrieve updates. 21 Managed
1336 and SSLF systems should follow their organizational update policies [SP 800-40r3]. See
1337 Appendix J.17 for a list of commands that can be used to configure system update settings
1338 through the command line.
1340 As discussed on Apple’s server help page, 22 each update can be downloaded and installed
1341 through the command line. This allows scripting of the update process.
29
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1342 Additionally, macOS system updates are available in packages known as combo updates. These
1343 updates can be downloaded to removable media and can be used to update new systems before
1344 they are connected to the Internet.
1346 • Regardless of how an organization chooses to install macOS software and updates, the
1347 choices should be clearly described in a configuration management policies and
1348 procedures document, and both administrators and regular users should be instructed to
1349 follow the guidance contained therein.
1350 • Media sanitization guidelines are determined by the operating environment. For
1351 Standalone systems with FileVault, encryption keys should be erased. For other systems,
1352 refer to the organizational policy.
1355 • Until a new system has been fully installed and patched, either keep it disconnected from
1356 all networks, or connect it to an isolated, strongly protected network. System updates can
1357 be downloaded from Apple’s website using a patched system, copied to external media
1358 and installed offline. 23
1359 • iCloud should be disabled unless there is specific reason to use it.
1360 • Organizations should have policies addressing the entire backup and recovery process.
1361 Verify periodically that backups and restores can be performed successfully and that
1362 backups are protected.
1363 • Keep systems up to current patch levels to eliminate known vulnerabilities and
1364 weaknesses.
30
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1366 This section discusses options for managing the security configuration of macOS desktops and
1367 laptops in a Managed environment.
1369 A directory service is responsible for managing computing resources, such as computers,
1370 printers, and networks. It handles user authentication and ensures that connected resources
1371 follow organizational policies. This eases system administration because the systems are
1372 managed from a central location. Furthermore, user accounts are independent of the individual
1373 machines, which allows users to log in to any directory-bound computer. macOS systems are
1374 compatible with both the Open Directory and the Active Directory services.
1376 There are several methods available for installing applications, including the following:
1377 • Apple disk images (.dmg). These are mainly used when an application just needs to be
1378 copied into the correct location in order to install it.
1379 • Installer application. Installer is an application built into macOS that is used to install
1380 software from package (.pkg) and metapackage (.mpkg) files. It has a GUI version and a
1381 command line version (located at /usr/sbin/installer). The package and metapackage
1382 files can be used not only to install applications, but also to deploy application updates
1383 and application configuration settings.
1384 • App Store. The App Store can be used to download and install a variety of applications
1385 from Apple and third parties.
1388 • Third-party application management software. An organization may use a utility that
1389 handles application management or software distribution, such as regulating which
1390 versions of software are permitted to be installed on the organization’s systems and
1391 ensuring that this software is kept fully patched. These third-party utilities might also
1392 provide mechanisms for distributing application configuration settings.
1393 While all of these methods may alter security configuration settings as part of their installation
1394 processes, note that two of these methods—the Installer application and third-party application
1395 management software—can be used outside of the installation process to distribute security
1396 configuration settings to macOS systems. This is useful for maintaining settings for already-
1397 installed applications.
1398 In addition to the Installer application and third-party application management software, there
1399 are other means of altering settings for existing applications, as well as the operating system
1400 itself. For example, shell scripts can be run on a macOS system to alter OS configuration
31
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1401 settings. There is a variety of configuration management tools, some supporting the Security
1402 Content Automation Protocol (SCAP), which can also be used to alter OS and application
1403 settings.
1405 System security is largely dependent upon staying up to date with security patches, maintaining
1406 well-considered configuration settings, and identifying and remediating other security
1407 weaknesses as they are identified. Unfortunately, macOS does not provide built-in utilities for
1408 assessing its system security, other than basic auditing capabilities. Third-party utilities are
1409 needed to verify patch installation, identify security configuration setting weaknesses, and find
1410 other security issues on macOS systems.
1411 Configuration management tools are available that can be used to assess the security postures of
1412 macOS systems, either periodically or on a continuous basis (i.e., continuous monitoring). These
1413 tools have a variety of capabilities, such as comparing security settings with baseline settings and
1414 identifying missing patches. Some tools can also correct problems that they find by changing
1415 settings, installing patches, and performing other actions. Some tools can provide an independent
1416 verification that the security controls are implemented as intended and can document this
1417 verification for use in demonstrating compliance with laws, regulations, and other security
1418 requirements. NIST has been leading the development of SCAP [SP 800-117][SP 800-126r2],
1419 which is a set of specifications for expressing security information in standardized ways.
1420 Configuration management tools that support SCAP can use security baselines that are made
1421 publicly available by organizations such as NIST, and they can generate output in standardized
1422 forms that can be used by other tools.
32
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1424 This section provides an overview of the security configuration options for macOS 10.12
1425 systems and explains how they can provide better security than the default out-of-the-box
1426 parameters. These configuration options are grouped by the following categories:
1435 Throughout this section, there are instructions for changing security configuration settings. The
1436 instructions may provide multiple values for each setting, depending on the profile (Standalone,
1437 Managed, SSLF). If only one value is specified, then it should be assumed that all profiles use
1438 that value. Some settings are applied to a single user, and a ~ in the directory path represents the
1439 path to the current user’s home directory that will be modified. In order to modify another user’s
1440 settings, use ~$USER instead of ~. 24 Unless explicitly stated otherwise, it is assumed in each case
1441 that the person making the changes has access to an administrator-level account on the macOS
1442 system and uses that account to make the changes. Using an administrator-level account to
1443 modify user-level configuration settings in this way may change a file’s owner. See Appendix C
1444 for a list of tools that can be used to make configuration changes, along with short descriptions of
1445 their functionality.
1446 Since most power-management settings are not security relevant, they are not included in the
1447 configuration; however, a few commands are included in Appendix J.15.
1449 A system is not secured unless the hardware and firmware have been secured. This section
1450 describes techniques for restricting access to firmware and disabling unneeded hardware
1451 components.
33
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1453 Macs have moved away from Open Firmware and have adopted the Extensible Firmware
1454 Interface (EFI). Other systems have made the same transition away from the comparable BIOS.
1455 The EFI launches the OS and determines whether the OS should boot normally or in single-user
1456 mode, which automatically logs in the root account, providing full administrator-level access to
1457 the system. Unauthorized booting in single-user mode is a major security weakness, but it can be
1458 prevented by setting an EFI password. An EFI password also prevents unauthorized personnel
1459 from booting the system from another media. Organizations should not rely on EFI passwords to
1460 provide security unless the physical security of the system is ensured. Be sure to consult the
1461 organization’s policy on firmware security.
1463 macOS systems contain many hardware interfaces for purposes such as wireless networking,
1464 data transfer, and multimedia. Each interface creates a potential point of attack on the system.
1465 Accordingly, an organization may determine that one or more of these interfaces are unnecessary
1466 and should be disabled, particularly in SSLF environments. An example is an organization that
1467 prohibits the use of cameras on desktop and laptop systems. Another example is a policy that
1468 Bluetooth should be disabled if not paired with the system’s keyboard, mouse, or trackpad.
1469 Organizations should determine which interfaces may be needed and disable all other interfaces.
1470 Organizations should be mindful of accessibility features made available through various
1471 hardware interfaces that might otherwise be unused. For example, accessibility features such as
1472 Dictation and VoiceOver make extensive use of the microphone (or line in) and speakers.
1473 In previous versions of macOS it was possible to disable some hardware interfaces by moving
1474 the associated kernel extensions (files that end with a .kext extension) out of the
1475 /System/Library/Extensions directory, effectively disabling operating system support for the
1476 chosen interface. However, this action can no longer be performed due to System Integrity
1477 Protection (SIP). 25 In macOS 10.12, configuration settings must be changed to disable the
1478 interfaces. Note that with this method, in most cases users are able to override the configuration
1479 settings without any administrative privileges, so organizations should not rely on these
1480 configuration settings to provide security, since users can alter them at will. For any macOS host
1481 where disabling hardware interfaces is a security prerogative, the host’s interfaces should be
1482 continuously monitored to detect any restoration of disabled interface functionality.
1483 Note that disabling some hardware interfaces may impact the ability to use accessibility features.
1484 These settings are designed to improve ease-of-use and may be required for some users. These
1485 settings include text-to-speech, auditory alerts and the ability to control the system through voice
1486 commands. Accessibility settings may negatively affect security by causing information leakage,
1487 but this effect can be partially mitigated with modifications to the operating environment. The
1488 majority of these settings rely on the audio hardware interface. Accessibility features are disabled
1489 by default and NIST recommends that they remain off unless needed.
34
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1490 The methods for disabling hardware components can be implemented by running the commands
1491 found in Appendix J.1.
1493 This section covers filesystem security for both internal and removable media. Its information is
1494 presented in the following categories: hard drive formatting and mounting, Finder, storage
1495 encryption, secure erase, file and folder permissions, and Spotlight.
1497 The system’s main hard drive partition should be formatted as HFS+. This filesystem supports
1498 all the filesystem security features provided by macOS 10.12.
1499 Disk arbitration should not be disabled. Disk arbitration determines if new drives should be
1500 mounted automatically. Although disabling this prevents the inadvertent mounting of drives that
1501 may contain malicious content, this also prevents internal disks from being mounted upon system
1502 restart. macOS is unable to boot if disk arbitration is disabled.
1503 Network filesystems can be automatically mounted with the automount tool. While convenient,
1504 access to remote files can pose a risk, especially if they are accessible by others. Remote files
1505 with setid bits enabled could run with elevated privileges. For this reason, automount should
1506 remain configured with the nosuid mount option. This is the default configuration, and NIST
1507 recommends that it should not be changed. See Appendix J.11 for the necessary commands.
1509 Finder should be configured to show file extensions, to show a warning before changing a file
1510 extension and to search this system when performing a search. By default, Finder does not show
1511 hidden files and folders, which is beneficial to normal users unaware of the system’s structure.
1512 However, administrators with intimate knowledge of the macOS system could notice unusual
1513 hidden files and would benefit from their visibility. Consequently, hidden files should be
1514 displayed in an SSLF environment. These options can improve defenses against malware. To
1515 configure these options, go to Finder / Preferences / Advanced; then enable the corresponding
1516 options as shown in Figure 4. To configure Finder settings through the command line, see
1517 Appendix J.2.
35
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1518
1519 Figure 4: Advanced Finder Preferences
1521 As discussed in Section 3.7, macOS 10.12 provides two mechanisms for storage encryption:
1522 FileVault 2 and encrypted disk images. NIST recommends the use of full disk encryption
1523 (FileVault 2).
1525 It is recommended when enabling FileVault 2 26 to log out of the system and log in with an
1526 administrator account. After doing so, go to System Preferences / Security & Privacy /
1527 FileVault. Select the button marked “Turn On FileVault…” to begin enabling FileVault.
1528 Designate which users should be allowed to unlock the FileVault encryption (i.e., log onto the
1529 system after it has been encrypted) and have each user authenticate him or herself. 27 macOS will
1530 then generate a recovery key 28 and present it on the screen so that it can be transferred to a secure
1531 location (not on the system) for use in case all the passwords on the system are forgotten or
1532 otherwise lost. macOS will provide an option to store the recovery key with Apple through the
1533 iCloud service; this key is only protected through recovery questions, so this option is not
26 The macOS 10.12 user interface refers to FileVault 2 as FileVault. This section continues that convention.
27 If a user is not available to authenticate him or herself at this time, the authentication step can be skipped. However, the user
will need to authenticate within an administrator’s session (System Preferences / Security & Privacy / FileVault tab,
“Enable Users...” button).
28 In version 10.6 and earlier, there was no recovery key; instead, there was a “master password”. The recovery key has
replaced the master password in terms of functionality.
36
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1534 recommended because of the possibility of the recovery key being retrieved by unauthorized
1535 personnel.
1536 After rebooting the macOS system, the encryption process will begin for FileVault. This may
1537 take several hours, depending on the hardware characteristics of the system and the amount of
1538 data that needs to be encrypted. However, this encryption process can take place in the
1539 background while other work occurs. When finished, the FileVault settings page should look
1540 similar to that of Figure 5.
1541
1542 Figure 5: FileVault Settings
1543
37
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1544 For more information on FileVault, see the Apple technical white paper titled “Best Practices for
1545 Deploying FileVault 2”. 29 Of particular interest is that this paper describes additional enterprise
1546 tools for FileVault key management and recovery.
1548 As explained in Section 3.7, an encrypted disk image can be used to safeguard a single file or a
1549 group of files, in addition to (or instead of) using FileVault. The encrypted disk image can reside
1550 on the macOS system or on removable media. NIST recommends using encrypted disk images
1551 on drives where FileVault is not available. Users and administrators can follow these steps to
1552 create an encrypted disk image:
1553 1. Run the Disk Utility and select File / New / Blank Disk Image.
1554 2. Enter a name and location for the encrypted image to be stored. Set the size to the
1555 maximum that you may need (the size can’t be changed after the image is created). Set
1556 the encryption to either 128-bit AES or 256-bit AES. After adjusting all the necessary
1557 settings, click the Create button.
1558 3. Enter a password that will be used for decrypting the disk image. The dialog box provides
1559 an option to store the password in the user’s keychain. When done with the dialog box,
1560 click the OK button. The encrypted disk image will be created using the designated name
1561 and location.
1562 This technique can be very effective at securing individual files containing sensitive information,
1563 such as sensitive personally identifiable information (PII). A discussion of securing files in the
1564 form of email attachments is outside of the scope of this publication, but more information (e.g.,
1565 on S/MIME) is available from [SP 800-45v2].
1567 By default, macOS 10.12 runs in FIPS mode (i.e., uses FIPS-validated 30 cryptographic modules).
1569 The Secure Erase feature existed in prior versions of macOS, but has since been removed from
1570 Finder 31 and Disk Utility. 32 Recommendations for secure file deletion can be found in [SP 800-
1571 88r1].
29 https://web.archive.org/web/20170822164742/https://training.apple.com/pdf/WP_FileVault2.pdf
30
https://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT207497/APPLEFIPS_GUIDE_CO_macOS10.12.pdf
31 Note the section on Finder: https://support.apple.com/en-us/HT205267.
32 https://support.apple.com/kb/PH22241?locale=en_US
38
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1573 macOS’s file and folder permissions have their roots in BSD Unix; although macOS has
1574 significant changes from BSD Unix, file and folder permissions should look familiar to Unix-
1575 savvy administrators. Examples include requiring certain critical system files (such as
1576 /usr/bin/sudo) to be owned by root and group-owned by wheel, setting modes (e.g., 644, 755) on
1577 particular files and folders, and removing the setuid bit from selected system executables. 33
1578 In previous versions of macOS, administrators were responsible for configuring file system
1579 access control mechanisms (e.g. setuid, rwx bits) to protect system files. However, most of the
1580 system files are now protected by SIP, and thus can no longer be modified. The NIST baselines
1581 include permission settings only for the user home directories. These settings exist to prevent
1582 users from accessing other users’ files on the same system. See Appendix I.2 for more
1583 information on user home directory permissions.
1585 Spotlight is a system-wide search capability. It indexes files to facilitate fast searches. However,
1586 this indexing can inadvertently capture sensitive information, potentially exposing it to
1587 unauthorized access. Organizations should evaluate these risks and determine if particular files
1588 or groups of files should be omitted from Spotlight indexing and searching, such as files
1589 containing sensitive PII. To specify folders to be excluded, go to System Preferences /
1590 Spotlight / Privacy. In this pane, add the folders or disks that should not be searched by
1591 Spotlight. Note that users can alter these settings without administrative privileges.
1592 Spotlight searches are not limited to the local system. Queries, including any potentially sensitive
1593 information they contain, are sent to third-party Internet search providers. In order to protect user
1594 privacy, this functionality should be disabled. To disable these features, open System
1595 Preferences / Spotlight / Search Results and uncheck “Spotlight Suggestions” in the scroll area
1596 and “Allow Spotlight Suggestions in Look up” at the bottom of the window as shown in Figure
1597 6. “Allow Spotlight Suggestions in Look up” can be disabled with the terminal command
1598 available in Appendix J.13.
39
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1599
1600 Figure 6: Spotlight Search Results
1602 This section discusses the configuration settings related to user accounts and groups. The
1603 discussion is divided into the following categories: user account types, login options, parental
1604 controls, password policies, session locking, credential storage, alternate credentials, and sudo.
1606 There are three general types of accounts for users: administrator, standard, and managed.
1607 Administrator accounts can do everything. Administrator accounts should only be used for
1608 system administration tasks. At least one non-administrator (standard) account should be created
1609 for daily operation of the system. A standard account can do things, including installing
1610 software, that affect the account owner but not other users. A managed account is just like a
40
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1611 standard account, except that there are some additional restrictions available (System
1612 Preferences / Parental Controls), including application limitations.
1613 Each user should be utilizing a unique standard or managed account for his or her daily use of a
1614 macOS system. User account settings are accessible under System Preferences / Users &
1615 Groups.
1616 NIST recommends that administrators periodically review user accounts and disable those that
1617 have been inactive for 90 days, as well as disabling temporary accounts after 30 days.
1618 Organizations should follow procedures to disable accounts as soon as they are no longer needed
1619 (e.g., the user leaves the organization or the user’s responsibilities change). Disabled accounts
1620 should be deleted after a specific period to release resources and prevent unneeded accounts from
1621 accidentally being re-enabled.
1623 • Guest. The Guest account, a special managed account, is considered a security
1624 vulnerability in most situations because it has no password associated with it. Once an
1625 attacker has gained guest-level access, the attacker can try to elevate privileges to further
1626 exploit a system. NIST recommends that the Guest account be disabled on all macOS
1627 systems unless there is a clearly demonstrated need to use a Guest account. The Guest
1628 account is not allowed to log in to a computer by default. However, guest users can
1629 access shared folders remotely by default. This setting is called “Allow guest users to
1630 connect to shared folders” and should be disabled. Both of these settings are available
1631 under System Preferences / Users & Groups / Guest User and are disabled by default.
1632 Note that when a guest logs out of a macOS system, the guest’s environment is destroyed
1633 and reinitialized.
1634 • Root. The root account is not to be confused with the administrator accounts; root is a
1635 separate account that is disabled by default. Root and administrator accounts have similar
1636 privileges, but the root account has considerably less overhead associated with it (for
1637 example, the person does not have to authenticate repeatedly to issue administrator-level
1638 commands when using the root account). The root account is intended for command line
1639 access. NIST recommends that the root account be disabled on all macOS systems and
1640 that a separate administrator account be established for each person who will be
1641 performing regular administrative tasks. The administrator accounts should then use the
1642 sudo command to perform actions with root-level privileges even if the root account is
1643 disabled. An administrator uses the sudo command to perform system-wide
1644 modifications. The root account should be the only account with User ID 0.
1645 Other types of users include local, network, and mobile, but these classifications only refer to the
1646 account’s physical location and not the associated privilege levels. It is recommended to have
1647 accounts of all types hidden from the login screen so that account names are not visible, but it is
1648 also useful to understand the available account types. Local user accounts are the default account
1649 type and exist solely on the system on which they are created. Network accounts allow a user to
1650 login from any system on the network, and the user’s files on one system are independent of all
1651 the others. Alternatively, network accounts can be configured to use a centralized home folder,
41
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1652 which allows access from any networked system. Mobile accounts are similar to network
1653 accounts, but the user’s home folder contents are synchronized between the different systems.
1654 However, even with all account types hidden, FileVault-enabled systems display usernames at
1655 the initial login screen. Additionally, the username is visible on the lock screen if a user has an
1656 active session. With FileVault enabled, usernames are only hidden after a user has authenticated
1657 with the system and then logged out.
1659 The Login Options pane within the System Preferences / Users & Groups screen contains
1660 several options related to user login, as shown in Figure 7. Sections 6.3.2.1 through 6.3.2.5
1661 provide additional information on several of these security- and privacy-related options.
1662
1663 Figure 7: Login Options Pane
1664 The user login options shown in the GUI can also be configured via the command line. The
1665 commands for these login-related options can be found in Appendix J.4. Some login window
1666 options are not available to be changed through the GUI. These command-line-only settings can
1667 be configured using the commands in Appendix J.4.
42
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1669 By default, macOS requires credentials to log into an administrator account and does not log in
1670 automatically. The corresponding configuration setting for this is shown at the top of Figure 7.
1672 The NIST baselines set the display login window option to “Name and password”, as shown in
1673 Figure 7. The “List of users” option displays a list of usernames on the login window. This
1674 option would only require an attacker to obtain the password in order to be authenticated. If
1675 name and password boxes are shown instead, an attacker would have to know not only a
1676 password, but also the username that corresponds with it. This makes an attack slightly harder,
1677 but it also makes login more inconvenient for users. Organizations should weigh the security
1678 benefits against the usability impact and decide which setting is best for the circumstances.
1680 One of the options shown in Figure 7 is “Show password hints”. If enabled, this will display
1681 password hints that users have created for their accounts to help them remember their passwords.
1682 Although this can improve usability, it can also significantly affect security in a negative way by
1683 helping attackers to recover user passwords. As with the Display Login Window option
1684 described in Section 6.3.2.2, organizations should consider both security and usability when
1685 determining how this option should be set. The NIST baselines disable this option. See Appendix
1686 J.4 for the password-hint configuration setting.
1688 NIST recommends disabling fast user switching for systems in Managed and SSLF environments
1689 that have policies against its use. The fast user switching feature permits two or more users to be
1690 logged into the same macOS system simultaneously. Only one user session is in the foreground
1691 at any given time. The employment of fast user switching is beneficial on low-security systems
1692 where someone may need brief access to a system that is in use, because it preserves security and
1693 privacy for both people while minimizing the impact on usability. This is a good alternative to
1694 having users share their accounts.
1695 However, on other systems, the risks associated with having multiple users logged in
1696 simultaneously may be considered too great. In such cases, the fast user switching capability
1697 should be disabled, requiring one user to log out before another user logs in. To disable fast user
1698 switching, disable the Figure 7 option involving fast user switching (“Show fast user switching
1699 menu”).
1701 NIST recommends following organizational policy on joining an Active Directory domain. The
1702 last configuration setting in Figure 7 is for the use of an Active Directory domain or an Open
1703 Directory server. By clicking on the “Join…” button, a computer can be associated with an
1704 organization’s directory server.
43
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1706 If the login window is displayed as “Name and password,” a user may attempt a console login.
1707 This is performed by typing exactly “>console” (without the quotes) into the username field on
1708 the login screen. Informal testing at NIST revealed that, in its default configuration, use of this
1709 feature may cause the system to become unresponsive. Console logins can be disabled by
1710 running the Terminal command listed in Appendix J.4.
1712 If Parental Controls are enabled for a user account, a wide variety of restrictions can be placed on
1713 what the user can do on the system. This includes restricting which applications may be
1714 executed, as described in Section 6.5.2. Other types of restrictions of potential interest for
1715 security include the following:
1717 • What hours of the day the system can be used, and
1720 In addition to educating users regarding the selection and use of passwords, it is also important to
1721 set password parameters so that passwords are sufficiently strong. This reduces the likelihood of
1722 an attacker guessing or cracking passwords to gain unauthorized access to the system. The
1723 following parameters are specified in the NIST baselines:
1724 • Maximum password age. This forces users to change their passwords after a password
1725 has reached the maximum age. The lower this value is set, the more likely users will be to
1726 choose poor passwords that are easier for them to remember (e.g., Mypasswd1,
1727 Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will
1728 be compromised and used by unauthorized parties.
1729 • Minimum password length. This specifies the minimum length of a password in
1730 characters. The rationale behind this setting is that longer passwords are more difficult to
1731 guess and crack than shorter passwords. The downside is that longer passwords are often
1732 more difficult for users to remember and to enter accurately. Organizations that want to
1733 set a relatively large minimum password length should encourage their users to use
1734 passphrases, which may be easier to remember than conventional passwords.
1735 • Password complexity requirements. macOS has several settings that can be used to
1736 require a mixture of character types, including uppercase and lowercase letters, digits,
1737 and special characters such as punctuation marks. Additionally, there is a setting to
1738 ensure that a password does not have a guessable pattern. These settings can make it
1739 more difficult to guess or crack passwords.
44
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1740 • Enforce password history. This setting determines how many old passwords the system
1741 will remember for each account. Users will be prevented from reusing any of the old
1742 passwords. For example, if this is set to 15, then the system will not allow users to reuse
1743 any of their last 15 passwords. Old passwords may have been compromised, or an
1744 attacker may have invested resources to crack encrypted passwords. Reusing an old
1745 password could inadvertently give attackers access to the system.
1746 • Account lockout. This policy item is designed to prevent brute force guessing of user
1747 passwords. It is a combination of two attributes and determines when a user account
1748 should be locked after failed login attempts. Two components influence this setting:
1749 failed attempts before lockout and lockout duration. For example, three failed password
1750 attempts could result in the account being locked for 15 minutes.
1751 • Guessable pattern. This policy dictates that a password cannot contain more than two
1752 sequential (ascending or descending, e.g., “321”) or consecutive (run of the same, e.g.,
1753 “aaa”) characters. This prevents users from creating easily guessable passwords.
1754 One of the main challenges in setting account policies is balancing security, functionality, and
1755 usability. For example, locking out user accounts after only a few failed logon attempts in a long
1756 time period may make it more difficult to gain unauthorized access to accounts by guessing
1757 passwords, but may also sharply increase the number of calls to the help desk to unlock accounts
1758 accidentally locked by failed attempts from legitimate users. This could cause more users to
1759 write down their passwords or choose easier-to-remember passwords. Organizations should
1760 carefully think out such issues before setting macOS account policies.
1761 Note that the macOS 10.12 GUI does not provide any mechanisms for setting password or
1762 account lockout policies. Instead, these settings can be accessed via a command prompt using the
1763 pwpolicy command.
1764 The pwpolicy configuration utility does not appear to apply all of the available password rules
1765 typically available in Managed environments. To deter password guessing attacks, macOS can be
1766 configured to lock out (i.e., disable) an account when too many failed login attempts occur. Note
1767 that if the accompanying failed login reset time policy is not set, a locked account remains
1768 inaccessible until an administrator intervenes.
1769 There are two ways to set password policy settings: apply them to specific users or set a global
1770 policy. User-specific policies override global policies, so the user policies must either be left
1771 unset or be set along with the global policies. Alternatively, on macOS 10.12, existing policies
1772 can be cleared on a per-user basis with the command pwpolicy –u $USER -clearaccountpolicies
1773 before applying global policies to ensure that they affect all users. Use the Terminal commands
1774 given in Appendix J.5 to change password policy settings.
1776 It is important to provide protection against unauthorized local access to macOS systems. One
1777 such control is to lock the current user’s session through automatic or manual means. A screen
1778 saver can lock a session automatically after the system has been idle for a certain number of
45
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1779 minutes, requiring the user to authenticate before unlocking the system. NIST recommends using
1780 an authentication-enabled screen saver on all macOS systems that need protection from
1781 unauthorized physical access. Settings for enabling a screen saver (which is accomplished by
1782 setting a “start after” time other than “Never”) are located in System Preferences / Desktop &
1783 Screen Saver / Screen Saver. NIST recommends that the screen saver be set to start after 20
1784 minutes of idle time. If values other than 1, 2, 5, 10, 20, 30, or 60 are used, the idle time value
1785 will be reset to 20 the next time the Screen Saver preferences pane is opened. Depending on the
1786 accessibility of the system and its environment, a different value may be more suitable.
1787 Other screen saver options for locking are located under System Preferences / Security &
1788 Privacy / General. To require locking, enable the option to “Require password after sleep or
1789 screen saver begins” and set it to “Immediately” or “5 seconds”. From a security perspective,
1790 these are roughly equivalent; from a system usability perspective, setting it to “5 seconds” may
1791 be much more convenient for users than setting it to “Immediately,” while not significantly
1792 impacting security. There is also an option for the login window screen saver that can be
1793 configured through the command line. Note that users can alter any of the screen saver options
1794 and that these options are set per user, not per system.
1795 Users can manually lock their sessions. A user can put the cursor over a designated “hot corner”
1796 of the screen to automatically lock the system, if this has been configured (located under System
1797 Preferences / Desktop & Screen Saver). Selecting either of the “Put Display to Sleep” or “Start
1798 Screen Saver” hot corners will allow the user to lock the session. In order to improve ease of
1799 access, the use of a modifier key in conjunction with the start-screen-saver hot corner is not
1800 recommended. Users are cautioned not to designate any of the hot corners as “Disable Screen
1801 Saver” because this could inadvertently reduce security.
1802 There is another option that only administrators can set related to session locking. Under System
1803 Preferences / Security & Privacy, click the “Advanced…” button and uncheck the option to
1804 “Log out after x minutes of inactivity”. If checked, this option could cause users’ work in
1805 progress to be lost. It is more user friendly to have a password-protected screen saver instead of
1806 the inactivity log out option.
1807 Session-locking settings can also be configured through the command prompt. See Appendix J.6
1808 for NIST recommendations on the Standalone, Managed, and SSLF profiles for session locking
1809 settings.
1811 Section 3.5 has already described the macOS feature known as keychains. Although password
1812 management as provided by keychains is a valuable security feature, by default it is not
1813 configured as securely as it should be.
1814 By default, the user account and primary keychain have the same password set. Additionally, the
1815 primary keychain is unlocked when the user logs in (since the passwords are the same). To set a
1816 different password for the primary keychain, run the Keychain Access utility, and choose the
1817 primary keychain from the list of keychains. Click on Edit / Change Password for Keychain,
1818 and change the keychain’s password. Note that this may impact some core services that use the
46
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1819 keychain, such as the caching of the encryption passphrases for wireless networks. NIST
1820 recommends separating daily-use passwords from those used for sensitive information access.
1821 Creating a separate keychain can be accomplished by clicking the “+” icon at the bottom of the
1822 Keychain Access window.
1823 NIST recommends that the keychain locks when the screen saver starts. By default, keychains do
1824 not automatically lock when a system sleeps. This increases the risk of unauthorized disclosure
1825 or modification of keychain data. To correct this, run the Keychain Access utility and choose the
1826 primary keychain from the list of keychains. From the menu, select Edit / Change Settings for
1827 Keychain, and select the “Lock when sleeping” option. A related setting found on the same
1828 menu, “Lock after x minutes of inactivity”, causes the keychain to lock after it has not been used
1829 for x minutes.
1831 macOS supports the use of alternate credentials for logical user authentication; examples include
1832 token-based authentication, biometric-based authentication, and Personal Identity Verification
1833 (PIV) cards. As shown at the bottom of Figure 7, there is a “Network Account Server” option in
1834 the Users & Groups window. Clicking on the “Join…” button opens a window for specifying
1835 the Open Directory or Active Directory server that should be used for alternate credentials. If the
1836 server name is not known, or additional options are needed, click on the “Open Directory
1837 Utility…” button to run the Directory Utility application.
1838 If alternate credentials are not being supported, and there is no other reason to enable directory
1839 services, then directory services should not be enabled to prevent their possible abuse and
1840 exploitation. A common example is Standalone systems, which often do not bind to any
1841 directories.
1843 The sudo program allows an account with administrator privileges to perform an action as the
1844 super user (root). This is very powerful functionality, and its use needs to be controlled. Options
1845 related to sudo are located in /private/etc/sudoers and can be modified using the visudo
1846 command.
1847 sudo restrictions should be applied to SSLF systems. NIST recommends requiring user
1848 authentication for each invocation of the sudo command. This setting can be found in Appendix
1849 J.3.
1851 This section discusses macOS 10.12’s configuration settings related to auditing and system
1852 logging. Systemwide security auditing is enabled by default.
1854 macOS 10.12’s auditing capabilities are based on auditd. macOS logs contain error messages,
1855 audit information, and other records of activity on the system that can be filtered with
47
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1856 auditreduce and viewed via the praudit command line utilities. These audit logs are independent
1857 of messages recorded by the syslogd system logging utility. Only administrators can read audit
1858 log files, and they do not show up in the Console utility.
1859 The audit control file, /etc/security/audit_control, contains the policies for system auditing.
1860 Audit logs must be maintained for a sufficient amount of time—30 days—and must record all
1861 security-relevant events. The NIST configuration allows for a minimum of 5 GB of log storage.
1862 Logs older than 30 days will only be deleted if more than 5 GB of space is used by the auditing
1863 subsystem. Additionally, the maximum recommended size per audit file is 80 MB. Table 1
1864 describes the NIST recommended audit event flags and Appendix J.14 explains how to configure
1865 audit settings.
1866 Table 1: audit_control Flags
ad Administrative events
1867
1868 Logging should be enabled and log retention time should be specified for various system logs for
1869 all environments. The logs on each system should be reviewed on a regular basis; the logs can be
1870 used not only to identify suspicious and malicious behavior and investigate security incidents,
1871 but also to assist in troubleshooting system and application problems. If the log retention time is
1872 very low, the system will not store as much information on system activity. Some organizations
1873 may have a logging policy and central log servers, so the baseline settings may need to be
1874 adjusted so they comply with the policy.
1875 Other files involved with system auditing are /etc/security/audit_warn and
1876 /etc/security/audit_user. The shell script audit_warn is responsible for handling warning
1877 messages generated by auditd. audit_warn can be customized to perform actions depending on
1878 the type of warning messages received. The audit_user file contains the auditing events to
1879 record on a per-user basis. This file can specify that additional events not included by the
1880 /etc/security/audit_control file also be recorded.
1881 It is recommended that auditing remain enabled; however, if auditing must be disabled, use the
1882 following commands, in the specified order. First, use audit –t to disable auditing for the
48
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1883 current session. Then, in order to prevent the auditd process from restarting at the next boot, use
1884 launchctl disable system/com.apple.auditd. The auditd process can be reenabled with
1885 launchctl enable system/com.apple.auditd and then restarting the system.
1887 It is important to configure macOS systems to synchronize their clocks on a regular basis with
1888 accurate time sources. If audit logs contain evidence of an attack, and the system’s clock is
1889 inaccurate, the analysis of the attack is more difficult and the evidentiary value of the logs may
1890 be weakened. Time synchronization is convenient because users do not need to manually adjust
1891 the clock to compensate for inaccuracies in the system’s timekeeping. macOS uses the Network
1892 Time Protocol (NTP) for time synchronization.
1893 To configure a macOS host to use NTP, choose System Preferences / Date & Time. Enable the
1894 “Set date & time automatically” option and enter the name of the organization’s designated NTP
1895 server (or select one of the Apple-provided default time servers). If there is more than one
1896 designated NTP server, their names can be entered as a list, separating each entry from the others
1897 with a space. Figure 8 below shows the Date & Time settings panel.
49
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1898
1899 Figure 8: Setting the NTP Servers
1900
1901 To set a time server and to enable automatic updating of time, use the commands in Appendix
1902 J.11.
1904 Crash and kernel panic reports should be monitored to prevent potentially sensitive data from
1905 being written to unencrypted files. These reports are meant to provide diagnostic information
1906 regarding system crashes and panics. The reports are located in
1907 /Library/Logs/DiagnosticReports. If an organization does not plan to use the files for diagnostic
1908 purposes, the files should be manually deleted periodically to conserve disk space and limit the
1909 possibility of exposing sensitive information. Testing did not reveal a way to disable report
1910 generation.
50
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1912 macOS offers multiple ways of restricting the execution of software; see Section 3.1 for
1913 additional information. This section briefly looks at two methods of limiting software execution:
1914 Gatekeeper and Parental Controls. Gatekeeper restricts the applications that may be installed
1915 onto a system, while Parental Controls restricts the applications already installed on a system that
1916 may be run by a user.
1918 It is recommended to configure Gatekeeper to “App Store” for all systems. Gatekeeper’s
1919 configuration options are not marked as pertaining to Gatekeeper, but rather are all bundled into
1920 the System Preferences / Security & Privacy / General. This pane has two options related to
1921 “Allow applications downloaded from”, as described in Section 3.1. By default, the option to
1922 limit downloads to “App Store and identified developers” is enabled. To use the strictest
1923 Gatekeeper controls, select the “App Store” option. These options are shown in Figure 9 below.
1924 Some Gatekeeper settings can be configured using the commands found in Appendix J.17.
1925
1926 Figure 9: Gatekeeper Options
51
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1928 Parental Controls can be used to specify which installed applications may be executed through
1929 the “Limit Applications” option in the System Preferences / Parental Controls window. If the
1930 Limit Applications option is enabled, a user will be unable to run an application unless an
1931 administrator has added it to the list of permitted applications for that user. The administrator can
1932 also configure each user account so that it can or cannot use apps from the App Store, either
1933 altogether or based on age ratings.
1935 This section discusses security issues related to network services. The information is organized
1936 into the following categories: firewalls, sharing, IPv6, the SSH daemon, wireless networking,
1937 Bonjour, and network daemons. For network service configuration commands, see Appendix
1938 J.11.
1940 Both built-in firewalls, the application firewall and the stateful inspection firewall, are disabled
1941 by default. To enable the application firewall, go to System Preferences / Security & Privacy /
1942 Firewall. Click the “Turn On Firewall” button. There are five additional options under the
1943 “Firewall Options...” button:
1944 • Block all incoming connections. NIST recommends that this option is enabled for SSLF
1945 systems. This blocks all incoming traffic except for a few protocols, such as DHCP, that
1946 may be needed for basic system services to function. This setting provides a high level of
1947 network security while possibly negatively impacting functionality. Before using this
1948 setting in a production environment, perform testing to determine how this setting affects
1949 all major applications on the system.
1950 • Enable selected applications. Once the user has authenticated as an administrator (by
1951 clicking the lock and providing the username and password), specific applications can be
1952 authorized to accept incoming connections (subject to being allowed by the pf firewall
1953 described below).
1962 • Enable stealth mode. This option is only available if “Block all incoming connections”
1963 is disabled. This option prevents the system from responding to pings, traceroutes, and
1964 other similar diagnostic tools.
52
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1965 Enabling the stateful inspection firewall (pf; see the pfctl man page) is ineffective unless its
1966 ruleset has been configured, because by default, the pf ruleset does not block any network traffic.
1967 A detailed explanation of how to configure a pf ruleset is outside the scope of this publication.
1968 Table 2 presents a recommended pf ruleset. This ruleset should be altered depending on an
1969 organization’s networking service needs.
1970 Table 2: pf Firewall Services and Ports
SSH 22 22 Incoming
telnet 23 23 Incoming
TFTP 69 69 Both
finger 79 Both
HTTP 80 80 Incoming
SMTP 25 Incoming
53
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1971
1972 The various application firewall settings can be changed via the command line with the
1973 commands given in Appendix J.7.
1975 Sharing settings can be accessed via System Preferences / Sharing. By default, all sharing is
1976 disabled. There are several different types of sharing, as shown in Figure 10, including screen,
1977 file 34, printer, Internet, and Bluetooth. Other systems may have slightly different lists of sharing,
1978 based on their hardware characteristics (for example, systems with optical drives will have a
1979 “DVD or CD Sharing” option). For all the sharing services, there may be names or directories
1980 listed; however, this does not imply that the service is enabled. Note that this list includes three
1981 options for remote access to an macOS system:
1982 • Remote Login. The Remote Login feature allows Secure Shell (SSH) and Secure FTP
1983 (SFTP) connections to be made to the macOS system from other systems. By default,
1984 SSH and SFTP are disabled, and organizations should not enable them unless they are
1985 needed for system maintenance, access, etc. because they are additional attack vectors
1986 into a system.
1987 • Remote Management and Screen Sharing. Remote Management and Screen Sharing
1988 both allow remote operation of a computer. These services would be required for a
1989 technical support person to remotely see a macOS system’s screen from another system.
1990 Since both settings allow external control of a system, they should be disabled unless
1991 needed.
1992 • Remote Apple Events (logging of events from other macOS systems on this system).
1993 This feature is intended to be used when a system is acting as a server, not a desktop or
1994 laptop. In most cases, it should be disabled.
34 File sharing includes options for sharing files and folders using the Apple Filing Protocol (AFP), File Transfer Protocol
(FTP), or Server Message Block (SMB) protocol.
54
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
1995
1996 Figure 10: Sharing Options
1997 To reduce the number of attack vectors against a system, all sharing and remote access services
1998 should be disabled unless explicitly needed. To enable a needed service, go to System
1999 Preferences / Sharing, and turn on the appropriate service. Computer names are used for
2000 networking purposes and are helpful for users to differentiate between machines. Computer
2001 names should not have content that identifies any of its users. To configure computer name
2002 settings, see Appendix J.11.
2003 Sharing will only work if the firewall or firewalls are configured to permit it. For example, the
2004 built-in application firewall has an option called “Block all incoming connections”. If enabled,
2005 this will disable all sharing. To alter the setting for this option, go to System Preferences /
2006 Security & Privacy / Firewall. Click the “Firewall Options…” button and change the setting as
2007 appropriate for the “Block all incoming connections” option.
2008 macOS has individual configuration settings for sharing each local printer. If a system has local
2009 printers, these printers should not be shared remotely unless they need to provide printing
2010 services to other systems. To disable sharing for a printer, choose System Preferences / Printers
2011 & Scanners, and for each local printer, deselect the “Share this printer on the network” option.
2012 Note that when the “Share this printer on the network” option is enabled; this also enables the
2013 Printer Sharing option in System Preferences / Sharing.
55
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2014 There is another form of macOS sharing that is not included in the Figure 10 menu: AirDrop.
2015 AirDrop is a peer-to-peer file sharing service. AirDrop is only available on certain Apple
2016 hardware that supports it, and it requires the use of Wi-Fi. Some Apple devices additionally use
2017 Bluetooth to initiate the AirDrop transfer. 35 AirDrop is only enabled when the user specifically
2018 has it open (Finder / Go / Airdrop). When open, AirDrop automatically scans for other
2019 AirDrop-enabled systems within Wi-Fi range. However, files are not transferred unless a user
2020 specifically authorizes the transfer.
2021 NIST recommends that if any sharing services are enabled, they should be protected by another
2022 layer (such as a host-based firewall) that restricts access to the service. Allowing global access to
2023 any form of sharing is not recommended.
2024 To disable sharing services via the command line, use the commands provided in Appendix J.8.
2026 If IPv6 is not needed, it should be disabled. To disable IPv6, perform the following steps:
2027 1. In a Terminal window, enter networksetup -setv6off Wi-Fi (or other network name, if
2028 desired).
2031 4. Select Wi-Fi (or the other network name chosen in step 1).
2036 NIST recommends that the Secure Shell (SSH) daemon (sshd) be disabled in all environments
2037 unless specifically needed. The NIST baselines contain several settings to make sshd more
2038 secure; these settings should be applied whether or not sshd is enabled just in case it becomes
2039 enabled inadvertently or is needed in the future.
2040 The table in Appendix J.9 lists some of the possible settings that can be configured for the SSH
2041 daemon in order to mitigate significant vulnerabilities that can emerge; this is not, however, a
2042 comprehensive list of all changes that could be made to SSH. The settings exist in the
56
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2043 /etc/ssh/sshd_config file as key-value pairs in the format of “key value.” For additional
2044 information on SSH security, see [NISTIR 7966].
2046 Any wireless networking services (e.g., Wi-Fi, Bluetooth) that are not needed should be disabled.
2047 See Section 6.1.2 for more information on disabling hardware interfaces. For wireless
2048 networking services that are enabled, NIST recommends reviewing their configuration options
2049 and locking them down to the greatest extent possible. These services should also have their
2050 menu bar icons displayed so that users are aware of the operating states. Additional
2051 recommendations for these services can be found in Appendix J.10.
2052 The System Preferences menu presents the following Bluetooth settings:
2059 For example, the Bluetooth option “Allow Bluetooth devices to wake this computer” is
2060 beneficial if the system is using Bluetooth input devices (keyboard, mouse), but otherwise poses
2061 risk without providing benefit. The Bluetooth discoverability setting is not manually configured
2062 through the System Preferences or the command line. The setting automatically toggles to “on”
2063 and the computer becomes visible to other Bluetooth devices when the System Preferences /
2064 Bluetooth pane is opened.
2065 Wireless settings can also be configured, and these settings include: preferred networks, toggled
2066 state on menu bar, and AirDrop. One setting that can be configured through the System
2067 Preferences is “Require administrator authorization to: Create computer-to-computer networks”.
2068 Such an option should be enabled unless users specifically require this privilege and do not have
2069 administrator-level access. This setting is located under System Preferences / Network.
2070 For additional information on wireless networking security, see Guidelines for Securing Wireless
2071 Local Area Networks (WLANs) [SP 800-153] and Guide to Bluetooth Security [SP 800-121r2].
2073 Bonjour multicast advertisements should be disabled in all environments except Standalone.
2074 Bonjour advertises the system’s capabilities, which opens it to attack. It allows other systems
2075 running Bonjour to detect a system and any services that it provides. By disabling Bonjour
57
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2076 multicast advertisements, only the service announcements are being disabled and not the services
2077 themselves. For information on disabling Bonjour advertisements, go to Appendix J.11.
2079 NIST recommends that systems be configured to use at least two DNS servers. This provides
2080 redundancy in the event of a failure. A failure in name resolution could lead to the failure of
2081 security functions requiring name resolution, which may include time synchronization,
2082 centralized authentication, and remote system logging. Command line configuration for DNS
2083 servers is available in Appendix J.11.
2085 Disabling network services reduces potential attack vectors into a system. If a service is unused it
2086 should be disabled. It is possible to disable Bluetooth, Wi-Fi, NFS, and Apple File Server at the
2087 daemon level. See Appendix J.16 for daemon disabling commands.
2089 This section provides basic information on securing commonly used built-in macOS
2090 applications, namely Mail, Safari, and Terminal.
2092 Email has become a popular means for malware propagation. The careful configuration of email
2093 clients is important not only to protect a given system, but also to prevent the propagation of
2094 malware from the system to other systems.
2095 Examples of security-related settings for the built-in Mail client are listed below. Note that the
2096 validity of these settings will vary from organization to organization, depending on the email
2097 server infrastructure and the security needs versus the functionality needs.
2098 • Under Mail / Preferences / Accounts / Server Settings, uncheck the checkbox for
2099 “Automatically manage connection settings for both incoming and outgoing servers.
2100 Then make sure the “Use TLS/SSL” option is enabled in both places.
2101 • Under Mail / Preferences / Junk Mail, enable the “Enable junk mail filtering” option.
2102 There are other options available that support junk mail filtering, such as defining what
2103 actions should be performed when junk mail is received and determining which
2104 categories of messages should not be flagged as being junk mail (e.g., from certain
2105 senders).
2106 • Under Mail / Preferences / Viewing, there are security-related options including “Use
2107 Smart Addresses”, which if disabled will show email addresses instead of names.
2108 Additionally, there is the “Load remote content in messages” option, which if disabled
2109 will prevent possibly objectionable or malicious images from being displayed.
58
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2111 Web browsing is a common way for malware to infect systems and otherwise take advantage of
2112 systems. It is important to configure web browsers with security in mind, particularly in higher-
2113 security environments (e.g., SSLF), otherwise the web browser may provide an easy way for
2114 malware to infiltrate a system.
2115 Examples of security-related settings for the built-in Safari web browser are listed below. Note
2116 that the validity of these settings will vary from organization to organization depending on
2117 security needs versus functionality needs.
2118 • Under Safari / Preferences / General, there is an option titled “Open “safe” files after
2119 downloading”, which is enabled by default. The intention of this option is to allow
2120 automatic opening of file types that are unlikely to include malicious content; however,
2121 the list of file formats includes PDFs, which have been known to contain malicious
2122 content. This option should be disabled unless all downloads are being inspected by
2123 antimalware software.
2124 • Under Safari / Preferences / AutoFill, some of the options are for autofilling “User
2125 names and passwords” and “Credit cards”. AutoFill should be disabled for all options.
2126 • Under Safari / Preferences / Security, there are several security-related options under
2127 this pane, including the following:
2128 • “Warn when visiting a fraudulent website” will do as the name implies, so it should
2129 typically be enabled.
2130 • The option to “Block pop-up windows” should generally be enabled because of the
2131 frequency with which pop-up windows have been used to transmit malicious content.
2132 In some cases, however, a mission-critical web application will use popup windows;
2133 in this case, pop-up windows should be temporarily allowed only while the critical
2134 web application is being used.
2135 • There are options to “Allow Plug-ins” and “Enable JavaScript”. Under the Plug-in
2136 Settings menu, there is a checkbox to enable Java. Organizations should consider
2137 disabling some or all of these options for high-security needs (e.g., systems in SSLF
2138 environments). NIST recommends disabling the Java plugin for all environments.
2139 • Under Safari / Preferences / Privacy, there are several privacy-related options, as shown
2140 in Figure 11. Cookies are stored on a system from visiting websites and can be used to
2141 track user browsing behavior. Websites may require cookies in order to function
2142 properly, so organizations should weigh the benefits of added functionality against the
2143 risks to privacy that cookies embody. In order to mitigate these privacy risks,
2144 organizations can periodically delete cookies, but this may temporarily reduce
2145 functionality.
59
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2146
2147 Figure 11: Privacy Options
2151 Safari can be configured to show its status bar, and the command-line option is located in
2152 Appendix J.17. This is useful for confirming the underlying web address for a hyperlink.
2154 Many software update settings can be configured using a command prompt. Available system
2155 updates can be displayed and applied using the softwareupdate tool in a similar manner to the
2156 App Store GUI. An example of using the softwareupdate tool is provided in Appendix J.17.
2158 The Terminal application has a configuration item labeled “Secure Keyboard Entry” available in
2159 the Terminal top menu bar. This prevents other applications from intercepting and modifying
2160 keyboard input. It is recommended to enable this setting. The configuration command is
2161 available in Appendix J.17.
2163 This section discusses security management options not covered in the other parts of Section 6,
2164 such as configuring CD and DVD preferences, login banners, privacy settings, and virtualization.
2166 There can be security risks in automatically performing actions when a CD or DVD is placed
2167 into an macOS system. CDs or DVDs could contain malicious content that could be
2168 automatically opened and exploit a vulnerability in the default application on the system.
2169 Automatic actions can be disabled through System Preferences / CDs & DVDs by choosing the
2170 “Ignore” option for each type of media. Note that the settings are not visible if there is no optical
60
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2171 drive, but will appear if a supported external drive is attached. These settings can also be
2172 configured through the command line using the commands described in Appendix J.12.
2174 Login banners are often used to warn people of the permitted actions and possible legal
2175 consequences of misuse of a system. There are two ways to set up login banners for macOS:
2176 • Set the text for the login window access warning. This option is best suited for short login
2177 banners (three lines or less). 36
2178 • Create a policy banner file that contains the text of the banner. The file must be located at
2179 /Library/Security, and it must be named PolicyBanner with a file extension of .txt,
37
2180 .rtf, or .rtfd.
2181 Depending on organizational rules, there may be a need to set up a warning banner for command
2182 line access (both remote and local). 38
2184 General privacy settings are available through System Preferences / Security & Privacy /
2185 Privacy. These settings are divided into three categories:
2186 • Location Services. The “Enable Location Services” option will enable or disable the use
2187 of location services. To preserve privacy, disabling location services is recommended
2188 unless there is a specific reason to have them enabled. If location services are enabled,
2189 only the necessary applications should have access to location information. This can be
2190 configured through the same menu.
2191 • Contacts. This setting is comprised of a list of applications that have requested access to
2192 the Contacts information. Contacts access can be revoked by unchecking the permission
2193 box for a specific application. Only the necessary applications should have access to
2194 contact information in order to protect it from unintended disclosure.
2195 • Diagnostics & Usage. This category holds two configuration settings: “Send diagnostic
2196 & usage data to Apple” and “Share crash data with app developers”. According to the
2197 descriptions presented to the user, all data is anonymized before being sent to Apple and
2198 the app developers. The NIST baselines disable these settings. These settings require
2199 administrator-level credentials to enable.
61
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2200 Privacy settings can be configured through the command line as described in Appendix J.13.
2202 A macOS system can be run as a virtual machine instance (a guest operating system) on an
2203 Apple host system. 39 This can provide additional isolation for activities occurring within the
2204 virtual macOS system. For more information on the use of full virtualization, see [SP 800-125].
2206 This section discusses additional settings, including administrator access for preferences, dock
2207 auto-hide, Dashboard and Siri.
2209 Not all system preferences require an administrator password to be changed. In particular, all
2210 systemwide settings should require administrator authentication. This setting is found in the
2211 System Preferences / Security & Privacy pane, after clicking the “Advanced…” button at the
2212 bottom of the window. This is shown in Figure 12 below. The configuration commands are
2213 available in Appendix J.17.
62
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2214
2215 Figure 12: Administrator Access for System-wide Preferences
2217 To change Dock preferences, go to System Preferences / Dock. NIST recommends that the
2218 Dock auto-hide setting be enabled for SSLF systems. The terminal command to configure Dock
2219 auto-hide is available in Appendix J.17.
2221 The Dashboard is disabled by default on macOS 10.12. Updates to Dashboard widgets may pose
2222 a security risk, so NIST recommends that the Dashboard remains disabled for SSLF systems.
2223 However, enabling it does not require administrator permission. The terminal commands for the
2224 Dashboard are available in Appendix J.17.
2226 Siri is a new feature in macOS 10.12. It allows for spoken commands to perform actions on the
2227 system, such as opening programs and performing searches. However, Siri collects voice, contact
2228 and location information and sends it to Apple. Therefore, NIST recommends that Siri be
2229 disabled using the command in Appendix J.13.
63
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2230
2231 Figure 13: Siri Privacy Message
2233 • Each hardware interface creates a potential point of attack, so an organization may
2234 determine that one or more of these interfaces are unnecessary and therefore should be
2235 disabled. However, the available method of disabling hardware interfaces is not
2236 foolproof, so on such hosts the disabled interfaces should be continuously monitored to
2237 detect any restoration. SIP complicates this issue by preventing removal of kext files.
2238 • SIP should remain enabled to protect system files from modification.
2239 • Use EFI passwords, but understand that they can only be relied on to provide security if
2240 the physical security of the system is assured.
2241 • Use FileVault full disk encryption on system drives, and use Disk Utility to encrypt disk
2242 images on removable media.
2244 • Only use administrator accounts for system administration tasks. Each user should utilize
2245 a unique standard or managed account for daily use of macOS systems.
64
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2246 • Administrators should periodically review user accounts and disable those that have been
2247 inactive for 90 days, as well as disabling temporary accounts after 30 days. Organizations
2248 should follow procedures to disable accounts as soon as they are no longer needed.
2249 Disabled accounts should be deleted after a specific period of time to release resources
2250 and prevent unneeded accounts from accidentally being re-enabled.
2252 • The root account should be disabled on all macOS systems, and a separate administrator
2253 account should be established for each person who will be performing regular
2254 administrative tasks.
2257 • Implement and enforce a strong password policy in accordance with the organizational
2258 policy. 40 Password hints should be disabled.
2259 • Use an authentication-enabled screen saver on all macOS systems. A screensaver should
2260 activate after no more than 20 minutes. A hot corner should be configured to activate the
2261 screen saver without any modifier keys.
2262 • Carefully consider usability issues before setting macOS account policies.
2263 • Make sure Gatekeeper is enabled to prevent installation of software from unknown
2264 sources.
2266 • Configure macOS systems to synchronize their clocks on a regular basis with accurate
2267 time sources.
2269 • If IPv6 is not needed, disable it to reduce the possible attack vectors into the system.
2270 • Disable Spotlight Suggestions to prevent local search queries from being sent to third
2271 parties.
2272 • Disable any unneeded sharing and network services. Protect active sharing services with
2273 restrictive access measures, such as a host-based firewall.
40 See Appendix B Table 9 control IA-5: Authenticator management for guidance on implementing and enforcing a strong
password policy.
65
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2275 • Disable network interfaces such as Wi-Fi and Bluetooth if they are not used.
2278 • Configure CD & DVD preferences to disable auto-launching programs when a disk is
2279 inserted.
66
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2284 This publication covers many topics related to the security of macOS 10.12 systems. The
2285 purpose of this section is to put it all together by describing the basic process that IT
2286 professionals should follow to use this publication and the accompanying baselines. The primary
2287 steps are as follows:
2288 1. Read the entire publication, including the appendices. As needed, review the additional
2289 reference material listed throughout the publication and in Appendix D.
2290 2. As discussed in Section 4, install and patch the OS and applications on test systems.
2291 Ensure that there is a plan for system backups and restores, and be sure to test that they
2292 work as intended.
2293 3. Refer to Section 2 to review the system threats, then select the appropriate operating
2294 environment. Review the security baseline and the settings spreadsheet columns
2295 corresponding to that environment. Refer to Section 6 as needed for more information on
2296 the different regions and values within the baseline.
2297 4. Modify the baseline to reflect local policy and apply it to test systems using the
2298 appropriate deployment tool, as described in Section 5. Create multiple versions of the
2299 baseline if necessary to address multiple system roles or environments. Refer to
2300 Appendix C and Appendix D for other tools that may be useful for deployment.
2301 5. Augment the baseline with additional controls presented in Section 6, as well as any
2302 others that are required, based on the local environment. Apply application-specific
2303 security configuration changes.
2304 6. Verify that the controls have been deployed properly by testing system functions and
2305 security controls, as described in Sections 2.6 and 5.3. Modify and document any changes
2306 made to the baseline security controls (e.g., altering a setting so a particular application
2307 can function properly). Modify the baselines as necessary to incorporate changes that
2308 apply to all systems.
2309 7. Perform another round of testing in a test environment before deploying the baselines and
2310 other changes to production systems.
2311 8. Deploy the baselines and additional controls to production systems. Verify that the
2312 controls have been deployed properly by testing system functions and security controls.
2313 9. Maintain the systems, as described in Section 2.7 This includes keeping systems updated
2314 (Section 4.3), monitoring the system’s primary security controls (Section 5.3),
2315 performing periodic or continuous vulnerability assessments (Section 5.3), and
2316 monitoring the various logs described throughout the publication.
2317
67
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2319 Appendix A briefly discusses the NIST security baselines and settings spreadsheet.
2320 NIST produced a list of settings that are important for ensuring the security of a macOS system.
2321 These settings correspond to three different environments—Standalone, Managed, and SSLF. All
2322 of these settings are documented in a spreadsheet with the following columns:
2323 • Category. The category of the setting as seen in Figure 14. The script and the
2324 spreadsheet use this to group like settings together.
2325 • Setting Name. Combines with the CCE ID to produce the function name in the script.
2327 • CCE IDv5. The unique Common Configuration Enumeration (CCE) ID value assigned
2328 to each setting.
2329 • Security Baseline. The human-readable setting value for each environment profile.
2330 • Technical Mechanism. The in-depth explanation of how to apply the setting.
2331 • Read Setting State. A command-line statement used to read the current state of the
2332 setting.
2333 • Write Setting State. A command-line statement used to write the new value for the
2334 setting.
2335 • Standalone, Managed, and SSLF (Environment-Specific Value). Specifies the setting
2336 baseline value for Standalone, Managed, and SSLF.
2337 • STIG ID. The unique ID of the related setting in the 10.12 DISA STIG (Defense
2338 Information Systems Agency Security Technical Implementation Guide). 41
2340 • Reference. Any references providing more information for the setting.
2341 The spreadsheet and other associated materials can be found on the GitHub page listed in
2342 Appendix D. The NIST security baselines include many recommendations that are considered
2343 secure by default. These settings are omitted from this document, but are included in a separate
2344 tab of the settings spreadsheet.
41 https://iase.disa.mil/stigs/os/mac/Pages/index.aspx
68
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2345 Figure 14 gives an illustrative overview of the setting categories covered by this guide. The
2346 number of settings for a category does not imply increased importance of one category over
2347 another.
2348
2349 Figure 14: Distribution of Security Controls
2350
69
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2352 Appendix B maps many of the security controls and baseline settings referenced throughout this document to their corresponding
2353 controls in NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and
2354 Organizations. The list of controls and mappings is not intended to be fully comprehensive or authoritative, and it omits SP 800-53
2355 controls that are not directly related to individual macOS 10.12 systems. Note that a mapping does not imply full satisfaction of a
2356 given security control’s requirements. If an organization were to follow the guidance in Sections 6.3.1 and 6.3.2.4, additional steps
2357 might still be required to fully satisfy control AC-2 requirements. The mappings are listed according to the control family categories
2358 established in SP 800-53. Each category has a separate table, with three columns containing the following information for each
2359 mapping:
2361 • The sections of this publication that map to the SP 800-53 control, and a brief description of the content within those sections
2362 that corresponds to the SP 800-53 control.
2363 • The settings within this publication and their corresponding spreadsheet entries that map to the SP 800-53 control, if any.
2364 The tables include the requirements and control enhancements that apply to low, moderate, and high impact systems. (Section 2.2
2365 contains definitions for the impact categories.) After determining the impact level of a system, administrators can select the SP 800-53
2366 controls that correspond to that impact level, and then identify the sections of this document and baseline settings that match those SP
2367 800-53 controls. This would provide a starting point for identifying all of the security controls needed to secure the system.
2368
2369 Table 3: Access Control (AC) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Corresponding NIST Baseline Settings
Name Publication
70
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Corresponding NIST Baseline Settings
Name Publication
AC-4: Information flow enforcement • Section 2.3.2.1 (Using a firewall to limit CCE_79522_9_enable_firewall_logging
network access to a host) CCE_79445_3_enable_firewall_logging_detail_level
• Section 3.6 (Using a host-based firewall to CCE_79443_8_allow_signed_downloaded_sw_receive_connection
restrict network traffic) s
• Section 4.2 (Disabling iCloud) CCE_79444_6_allow_signed_sw_receive_connections
• Section 6.1.2 (Disabling unneeded CCE_79470_1_turn_on_firewall
hardware components, including network See Table 20 for pf rules
interfaces) CCE_79528_6_disable_remote_login
• Section 6.2.6 (Spotlight settings) CCE_79404_0_disable_bonjour_advertising
71
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Corresponding NIST Baseline Settings
Name Publication
AC-6: Least privilege • Section 2.2 (Assigning user rights based on CCE_79443_8_allow_signed_downloaded_sw_receive_connection
least privilege) s
• Section 6.3.1 (Assigning user rights based CCE_79444_6_allow_signed_sw_receive_connections
on least privilege)
AC-7: Unsuccessful logon attempts • Section 6.3.4 (Locking out accounts after CCE_79423_0_password_failed_login_lockout_policy
too many failed login attempts)
72
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Corresponding NIST Baseline Settings
Name Publication
2370
2371 Table 4: Awareness and Training (AT) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
AT-2: Security awareness training • Section 2.3.2.3 (Educating users on N/A
avoiding malware infections)
• Section 2.5 (Having security awareness and
training for end users and administrators)
AT-3: Role-based security training • Section 2.5 (Having security awareness and N/A
training for end users and administrators)
73
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2372
2373 Table 5: Audit and Accountability (AU) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
AU-2: Audit events • Section 6.4 (Configuring system auditing) CCE_79413_1_set_audit_control_flags
AU-4: Audit storage capacity • Section 6.4.1 (Enabling logging and CCE_79522_9_enable_firewall_logging
specifying log retention time) CCE_79445_3_enable_firewall_logging_detail_level
CCE_79411_5_audit_log_retention
CCE_79410_7_audit_log_max_file_size
AU-6: Audit review, analysis, and • Section 2.7 (Monitoring logs) CCE_79412_3_do_not_send_diagnostic_info_to_apple
reporting • Section 6.4.1 (Reviewing logs)
AU-8: Time stamps • Section 6.4.2 (Performing clock CCE_79433_9_use_network_time_protocol
synchronization)
2374
2375 Table 6: Security Assessment and Authorization (CA) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CA-7: Continuous monitoring • Section 2.7 (Monitoring security controls N/A
and configuration changes)
2376
2377 Table 7: Configuration Management (CM) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CM-1: Configuration management • Section 2.5 (Having a configuration N/A
policy and procedures management policy, plan, and procedures)
• Section 4 (Having a configuration
management policy and user guidance for
operating system and application
installation and changes)
• Section 5 (Managing security
configurations)
74
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CM-2, Baseline configuration • Section 2 (Having effective and well-tested All settings
security configurations)
75
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
• Section 2.3.2.1 (Disabling unused network CCE_79483_4_disable_bonjour_advertising
services) CCE_79526_0_disable_remote_apple_events
CCE_79525_2_disable_printer_sharing
CCE_79528_6_disable_remote_login
CCE_79488_3_restrict_screen_sharing_to_specified_users
CCE_79529_4_disable_remote_management
CCE_79546_8_bluetooth_disable_file_sharing
CCE_79507_0_disable_airdrop
CCE_79481_8_disable_apple_file_server
CCE_79482_6_disable_bluetooth_daemon
CCE_79484_2_disable_nfs
CCE_79485_9_disable_wifi_services
• Section 3.10 (Application whitelisting) N/A
• Section 6.1.2 (Disabling unneeded N/A
hardware components)
• Section 6.5 (Restricting the installation and N/A
execution of applications)
• Section 6.6.1 (Using firewalls to restrict CCE_79522_9_enable_firewall_logging
network traffic) CCE_79445_3_enable_firewall_logging_detail_level
CCE_79443_8_allow_signed_downloaded_sw_receive_connection
s
CCE_79444_6_allow_signed_sw_receive_connections
CCE_79470_1_turn_on_firewall
See
Table 20 for pf rules
• Section 6.6.2 (Disabling sharing and remote CCE_79546_8_bluetooth_disable_file_sharing
access utilities) CCE_79511_2_no_guest_access_to_shared_folders
CCE_79525_2_disable_printer_sharing
CCE_79488_3_restrict_screen_sharing_to_specified_users
CCE_79526_0_disable_remote_apple_events
CCE_79528_6_disable_remote_login
CCE_79529_4_disable_remote_management
CCE_79483_4_disable_bonjour_advertising
CCE_79507_0_disable_airdrop
76
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CCE_79481_8_disable_apple_file_server
• Section 6.6.3 (Disabling IPv6 support) N/A
• Section 6.6.4 (Disabling sshd support) CCE_79500_5_ssh_restrict_users
• Section 6.6.5 (Disabling wireless CCE_79528_6_disable_remote_login
networking) CCE_79494_1_ssh_disable_root_login
• Section 6.6.6 (Disabling Bonjour multicast CCE_79466_9_pf_rule_ssh
advertisements)
CCE_79506_2_bluetooth_turn_off_bluetooth
CCE_79546_8_bluetooth_disable_file_sharing
CCE_79547_6_remove_all_preferred_wireless_networks
CCE_79482_6_disable_bluetooth_daemon
CCE_79483_4_disable_bonjour_advertising
CM-11: User-installed software • Section 2.3.2.3 (Not installing or using non- CCE_79406_5_enable_gatekeeper
approved applications)
• Section 3.1 (Using Gatekeeper to limit
which applications can be installed on a
system)
• Section 6.5 (Using Gatekeeper and
Parental Controls to limit which applications
can be executed on a system)
2378
2379 Table 8: Contingency Planning (CP) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CP-2: Contingency plan • Section 2.3 (Performing contingency N/A
planning)
• Section 2.5 (Having IT contingency plans)
77
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CP-9: Information system backup • Section 2.3 (Performing backups, storing N/A
them in a safe and secure location, and
testing them regularly)
• Section 4.2 (Performing backups and
restores; testing backups)
2380
2381 Table 9: Identification and Authentication (IA) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
IA-1: Identification and • Section 2.3.1.2 (Having a password policy) CCE_79428_9_require_admin_password_for_system_prefs
authentication policy and • Section 2.3.2.1 (Having a password policy) CCE_79422_2_password_enforce_password_history_restriction
procedures CCE_79424_8_password_guessable_pattern
CCE_79419_8_password_complex_passwords_alphabetic_char
CCE_79420_6_password_complex_passwords_numeric_char
CCE_79421_4_password_complex_passwords_symbolic_char
CCE_79427_1_password_uppercase_and_lowercase
CCE_79426_3_password_minimum_length
CCE_79425_5_password_maximum_age
IA-2: Identification and • Section 2.3.1.2 (Requiring valid username CCE_79434_7_users_list_on_login
authentication (organizational and password authentication) CCE_79429_7_retries_until_hint
users) • Section 2.3.1.3 (Requiring strong CCE_79418_0_fast_user_switching
passwords for administrator accounts) CCE_79416_4_console_login
• Section 2.3.2.1 (Requiring strong CCE_79430_5_screensaver_grace_period
authentication for using network services) CCE_79519_5_require_password_after_screensaver
• Section 2.3.2.3 (Using a daily-use account CCE_79431_3_start_screen_saver_hot_corner
for normal system operations; using an
CCE_79517_9_no_modifier_keys_for_screen_saver_start
administrator-level account only when
needed for specific tasks) CCE_79518_7_no_prevent_screensaver_corner
• Section 6.3.1 (Having an individual user CCE_79417_2_desktop_idle_time
account for each person) CCE_79514_6_disable_guest_user
CCE_79428_9_require_admin_password_for_system_prefs
CCE_79496_6_ssh_login_grace_period
CCE_79492_5_ssh_challenge_response_authentication_disallowed
CCE_79539_3_ssh_enable_password_authentication
78
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
CCE_79493_3_ssh_disable_pub_key_authentication
CCE_79500_5_ssh_restrict_users
CCE_79501_3_ssh_set_client_timeout
CCE_79497_4_ssh_max_auth_tries_4_or_less
CCE_79494_1_ssh_disable_root_login
CCE_79537_7_ssh_disallow_empty_passwords
CCE_79540_1_ssh_turn_off_user_environment
CCE_79541_9_ssh_use_protocol_version_2
CCE_79538_5_ssh_disable_x11_forwarding
CCE_79495_8_ssh_keep_alive_messages
CCE_79433_9_use_network_time_protocol
CCE_79520_3_sudo_restrict_to_single_terminal
CCE_79432_1_sudo_timeout_period_set_to_0
CCE_79428_9_require_admin_password_for_system_prefs
CCE_79422_2_password_enforce_password_history_restriction
CCE_79424_8_password_guessable_pattern
CCE_79419_8_password_complex_passwords_alphabetic_char
CCE_79420_6_password_complex_passwords_numeric_char
CCE_79421_4_password_complex_passwords_symbolic_char
CCE_79427_1_password_uppercase_and_lowercase
CCE_79426_3_password_minimum_length
CCE_79425_5_password_maximum_age
79
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
IA-5: Authenticator management • Section 2.3.2.2 (Using a secure user N/A
identification and authentication system)
• Section 6.3.4 (Setting maximum password CCE_79422_2_password_enforce_password_history_restriction
age; ensuring password strength; CCE_79424_8_password_guessable_pattern
preventing password reuse through CCE_79425_5_password_maximum_age
password history)
CCE_79419_8_password_complex_passwords_alphabetic_char
CCE_79420_6_password_complex_passwords_numeric_char
CCE_79421_4_password_complex_passwords_symbolic_char
CCE_79427_1_password_uppercase_and_lowercase
CCE_79426_3_password_minimum_length
2382
2383 Table 10: Incident Response (IR) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
IR-1: Incident response policy and • Section 2.7 (Having an organization incident N/A
procedures response policy)
IR-4: Incident handling • Section 2.7 (Having a formal incident N/A
response capability)
2384
2385 Table 11: Maintenance (MA) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
MA-1: System maintenance policy • Section 2.3.2.3 (Creating a plan for N/A
and procedures maintaining macOS 10.12 systems)
MA-2: Controlled maintenance • Section 2.7 (Performs regular security N/A
maintenance)
MA-4: Nonlocal maintenance • Section 2.7 (Providing remote system N/A
administration and assistance)
2386
80
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
MP-4: Media storage • Section 2.3.1.2 (Physically securing N/A
removable media)
• Section 2.7 (Protecting media)
• Section 4.2 (Storing and protecting backup
media)
MP-6: Media sanitization • Section 2.7 (Sanitizing media) N/A
• Section 4.1.1 (Sanitizing media)
2388
2389 Table 13: Physical and Environmental Protection (PE) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
PE-1: Physical and environmental • Section 2.3.1.1 (Having a physical and N/A
protection policy and procedures environmental protection policy)
PE-3: Physical access control • Section 2.3.1.1 (Implementing physical N/A
securing measures to restrict access to
systems)
• Section 2.3.2.3 (Restricting physical access
to systems)
2390
2391 Table 14: Planning (PL) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
PL-2: System security plan • Section 2.5 (Having a security configuration N/A
guide and other security-related
documentation)
PL-4: Rules of behavior • Section 2.5 (Having a rules-of-behavior N/A
document)
2392
81
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
PS-4: Personnel termination • Section 2.3.1.2 (Disabling accounts as soon N/A
as employees leave the organization)
• Section 2.3.2.1 (Disabling accounts as soon
as employees leave the organization)
• Section 6.3.1 (Disabling accounts as soon
as they are no longer needed, such as an
employee leaving the organization)
PS-5: Personnel transfer • Section 6.3.1 (Disabling accounts as soon N/A
as they are no longer needed, such as an
employee whose responsibilities change)
2394
2395 Table 16: Risk Assessment (RA) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
RA-2: Security categorization • Section 2.2 (Describes the FIPS 199 N/A
security categories and their relationship to
SP 800-53 controls)
RA-3: Risk assessment • Section 2.3 (Defining threats, conducting N/A
risk assessments, performing risk
mitigation)
RA-5: Vulnerability scanning • Section 2.7 (Performing vulnerability N/A
assessments to assess the security posture
of the system)
• Section 5.3 (Using vulnerability scanners to
identify security issues)
2396
82
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2397 Table 17: System and Services Acquisition (SA) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
SA-5: Information system • Section 2.5 (Having a security configuration N/A
documentation guide and other security-related
documentation)
2398
2399 Table 18: System and Communications Protection (SC) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
SC-4: Information in shared • Section 3.9 (Encrypting virtual memory) N/A
resources
SC-8: Transmission confidentiality • Section 2.3.2.2 (Encrypting network CCE_79498_2_ssh_remove_non_fips_140_2_ciphers
and integrity communications) CCE_79499_0_ssh_remove_non_fips_140_2_macs
• Section 6.6.4 (SSH Daemon)
SC-13: Cryptographic protection • Section 6.2.3.3 (Using FIPS-approved CCE_79498_2_ssh_remove_non_fips_140_2_ciphers
encryption algorithms) CCE_79499_0_ssh_remove_non_fips_140_2_macs
SC-18: Mobile code • Section 2.3.2.3 (Configuring systems so N/A
that default file associations prevent
automatic execution of active content files)
SC-28, Protection of information at • Section 2.3.1.1 (Encrypting local files to N/A
rest prevent access)
• Section 2.3.1.3 (Encrypting sensitive data)
• Section 3.7 (Encrypting files to prevent
access)
• Section 3.9 (Encrypting virtual memory)
• Section 4.2 (Encrypting Time Machine
backups)
• Section 6.2.3 (Encrypting files to prevent
access)
2400
83
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2401 Table 19: System and Information Integrity (SI) Family Controls
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
SI-2: Flaw remediation • Section 2.3.1.3 (Installing application and CCE_79544_3_install_system_data_updates
OS updates) CCE_79543_5_install_security_updates
• Section 2.3.2.1 (Testing and installing CCE_79502_1_update_apple_software
application and OS updates) CCE_79545_0_updates_download_in_background
• Section 2.7 (Acquiring and installing
software updates)
• Section 4.3 (Acquiring and installing
security updates; configuring software
update features)
• Section 5.2 (Installing applications and
application updates)
• Section 5.3 (Checking the patch status of
computers)
SI-3: Malicious code protection • Section 2.3.2.3 (Protecting systems from CCE_79438_8_display_file_extensions
malicious payloads; using antivirus and CCE_79543_5_install_security_updates
antispyware software; configuring server CCE_79442_0_terminal_secure_keyboard
and client software to reduce exposure to
malware)
• Section 3.8 (Using code execution
protection features)
• Section 6.2.2 (Displaying full filenames to
identify suspicious extensions used by
malware)
• Section 6.5 (Restricting the execution of
software)
• Section 6.6.1 (Using host-based firewalls to
block unknown software communications)
• Section 6.7.4 (Using Terminal secure
keyboard)
SI-4: Information system monitoring • Section 2.7 (Monitoring event logs to N/A
identify problems and suspicious activity)
SI-5: Security alerts, advisories, and • Section 2.3.2.3 (Monitoring mailing lists for N/A
directives relevant security bulletins)
• Section 2.7 (Subscribing to and monitoring
vulnerability notification mailing lists)
84
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
SP 800-53 Control Number and Corresponding Sections in This Publication Corresponding NIST Baseline Settings
Name
SI-6: Security function verification • Section 5.3 (Performing central monitoring N/A
of security controls)
SI-7: Software, firmware, and • Section 2.7 (Monitoring changes to OS and N/A
information integrity software settings)
• Section 3.2 (Preventing unwanted
executables from being installed)
• Section 6.5.2 (Using Parental Controls to
prevent unwanted executables from
running)
SI-8: Spam protection • Section 2.3.2.3 (Protecting systems from N/A
malicious payloads; using e-mail clients that
support spam filtering)
• Section 6.7.1 (Configuring e-mail clients to
use anti-spam features; configuring e-mail
clients not to load remote images
automatically)
• Section 6.7.2 (Limiting Web browser
cookies, including tracking cookies)
SI-16, Memory protection • Section 3.8 (Code execution protection) N/A
2402
85
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2403 Firewall rules for the pf firewall are grouped together in Table 20.
2404 Table 20: pf Firewall Rules
CCE_79446_1_pf_enable_firewall CCE_79463_6_pf_rule_screen_sharing
CCE_79450_3_pf_rule_ftp CCE_79452_9_pf_rule_icmp
CCE_79466_9_pf_rule_ssh CCE_79465_1_pf_rule_smtp
CCE_79467_7_pf_rule_telnet CCE_79459_4_pf_rule_pop3
CCE_79468_5_pf_rule_tftp CCE_79460_2_pf_rule_pop3s
CCE_79449_5_pf_rule_finger CCE_79453_7_pf_rule_imap
CCE_79451_1_pf_rule_http CCE_79454_5_pf_rule_imaps
CCE_79457_8_pf_rule_nfs CCE_79461_0_pf_rule_printer_sharing
CCE_79462_8_pf_rule_remote_apple_events CCE_79448_7_pf_rule_bonjour
CCE_79464_4_pf_rule_smb CCE_79456_0_pf_rule_mDNSResponder
CCE_79447_9_pf_rule_apple_file_service CCE_79455_2_pf_rule_itunes_sharing
CCE_79469_3_pf_rule_uucp CCE_79458_6_pf_rule_optical_drive_sharing
2405
86
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2407 Appendix C lists tools that may be helpful in configuring, managing, and monitoring the security
2408 of macOS systems.
2409 The following table briefly describes a variety of commands that can be used to make
2410 configuration changes on macOS. This is not an exhaustive list of all tools available to make
2411 configuration changes. In order to fully automate some settings, other commands may be
2412 required in addition to those listed below. For more information on these commands, view the
2413 manual pages by using the man command in Terminal.
2414 Table 21: Built-in Commands Used to Write macOS Configuration Data
chmod This command is used to change a file’s permission bits. Modifications can be
made to read, write, and execute attributes of a file or directory.
chown This command is used to modify the owner and group owner on a file or
directory.
defaults The defaults command is used to modify or read macOS .plist configuration
files. Modifying configuration files with defaults has a side-effect of resetting
permissions and changing ownership metadata to the user who executed the
command.
dscl This command is used to modify and read Directory Service data. In this
guide, dscl is used to modify and read user properties.
kickstart This program is used for modifying remote management settings. This can be
used to turn remote management off entirely, or to limit access to specific
users.
87
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
PlistBuddy This utility provides an alternate method for reading and editing .plist files. It
allows for the modification of nested keys.
praudit This tool allows the reading of BSM formatted log files, such as the ones
located in $AUDIT_LOG_PATH.
pwpolicy This is used to change password policy requirements for a specific user or for
an entire system.
scutil This command is used to modify and read many system settings. In this guide,
the command is used to modify the system’s name.
socketfilterfw This command controls a variety of software firewall settings. It is used for
actions such as disabling the firewall or configuring what applications are
allowed through the firewall.
softwareupdate This is the command-line program for viewing available updates and choosing
which updates to install.
systemsetup The systemsetup command can be used to modify many of the settings found
in the System Preferences GUI application. This command is used to modify
network time settings in this guide.
visudo This program is used to edit the /etc/sudoers file while ensuring the file’s
proper format.
2415
88
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2417 Appendix D lists resources that may be useful macOS security references.
2418 Table 22: macOS Security Resources
2419
89
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2421 Selected acronyms and abbreviations used in the guide are defined below.
GB Gigabyte
IM Instant Messaging
IP Internet Protocol
IT Information Technology
90
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
OS Operating System
P2P Peer-to-Peer
PC Personal Computer
SP Special Publication
XD Execute Disable
2422
91
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2424 Many terminal commands explained in this document use variables, which are described below.
2425 They must be replaced with a value in order to have the desired effect.
2426 Table 23: Terminal Command Variable Descriptions
Variable Description
$AUDIT_LOG_PATH This value is the location of the path to audit logs specified in the
/etc/security/audit_control file. It is located on the line beginning with dir:
$DEVICE_NAME This variable is used for configuring wireless network settings and represents the Wi-
Fi adapter to be configured. It can be retrieved from the system by running this
command:
networksetup -listnetworkserviceorder
$HOST_ID This should be replaced with a non-identifying name that will be used for each type of
name for a single computer. The different name types are LocalHostName,
HostName, ComputerName, and NetBIOSName.
$HW_UUID This is the unique hardware-based identifier for the system. This value can be
obtained by using this command:
system_profiler SPHardwareDataType 2> /dev/null | grep
'Hardware UUID' | awk ' { print $3 }'
$PROFILE_VALUE Since not all security configurations use the same values, this variable is a
placeholder for the actual profile’s value. The values for the Standalone, Managed,
and SSLF profiles are given in the table along with the terminal command.
$SHELL_FILES_PATH The location of the shell files as specified in the /etc/shells file.
$USER For some settings that require a specific username to run, this variable is used.
Replace this variable with the desired username.
$USER_GROUP This variable should be replaced with the group name for which the user is a member.
2427
92
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2429 Below is a list of files that must be edited manually because there are no provided tools.
2430 Table 24: Files Requiring Manual Editing
/etc/sudoers This file needs to be modified in order to set restrictions on the sudo
command. For SSLF systems, NIST recommends that authentication
should be required for each sudo command, and sudo sessions should
not persist across Terminal windows.
Editing the /etc/sudoers file manually can lead to mistakes that may
make the file unreadable to the system. To make changes to this file, edit
it using the visudo command. An administrator can type sudo visudo
into Terminal to begin editing /etc/sudoers. When saving changes to
the file, visudo will validate that all additions are formatted properly.
See Appendix J.3 for enhancing sudo security.
/etc/ssh/sshd_config This file contains configuration information and security settings for the
SSH daemon (server).
/etc/security/audit_control This file contains the values for configuring audit logs, which includes log
retention, log size, and the type of information that is recorded.
/etc/autofs.conf This file holds the configuration information for the automount service.
2431
93
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2433 Some settings may require certain processes to be restarted in order for the desired result to be
2434 achieved. In most cases, restarting processes causes the setting changes to take effect
2435 immediately, rather than after restarting the system. macOS 10.12 uses preference caching,
2436 which can prevent changed preferences from taking effect properly without restarting the
2437 cfprefsd process. The table below gives the names of processes and the settings related to those
2438 processes.
2439
2440 Table 25: Settings Requiring Process Restart
Disable AirDrop
Disable blank CD actions
Disable blank DVD actions
Disable music CD actions cfprefsd, SystemUIServer
Disable picture CD actions
Disable video DVD actions
Show Bluetooth status in menu bar
Disallow Bluetooth devices to wake the computer cfprefsd, UserEventAgent
2443 • cfprefsd
2444 • Dock
94
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2445 • Finder
2446 • Siri
2447 • SystemUIServer
2448 • UserEventAgent
95
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2451 NIST recommends that SIP remain enabled, which is the default state.
2452 SIP status can be queried with the Terminal command csrutil status. In specific
2453 circumstances, SIP may be temporarily disabled. The SIP state can only be modified when the
2454 system is operating in recovery mode. In a recovery mode Terminal, csrutil disable can be
2455 used to turn off SIP (enabled with csrutil enable). Disabling SIP allows an administrator full
2456 access to the file system and therefore to any protected system settings. Changes made to
2457 protected files while SIP is disabled will be enforced by SIP after SIP is re-enabled. Subsequent
2458 system updates, however, may overwrite such configuration changes.
96
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2536
97
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2538 System files need to be protected from unauthorized modification. On macOS 10.12, SIP only
2539 allows Apple-sanctioned programs to change these files. Normally, file properties can be
2540 modified using programs such as chmod, chown, and chgrp. System files and directories include,
2541 but are not limited to, those found in /etc, /bin, /usr/bin, /sbin, and /usr/sbin. Note that all
2542 files and folders must belong to a valid owner and group. Typically, a user or group becomes
2543 invalid when it is deleted from the system, and files they owned were not removed.
2544 New files created on a system have default file permissions applied. These default file
2545 permissions are controlled by the system’s umask value. The umask value specifies the
2546 permissions that new files will not have. For example, a umask of 022 will result in a file with
2547 mode 755. The umask configuration command is available in Appendix J.17.
2548 Table 26 lists the recommended permissions and ownership information for a variety of macOS
2549 files. A “-” represents no recommended change from the default value for that column. A “*” in
2550 the path means that all files in the directory should have the specified permissions and ownership
2551 values applied to them. See the man page for chmod for more details. Note that permissions can
2552 be reduced below the recommended values but may cause loss of functionality.
2553
2554 Table 26: Recommended File Permissions and Ownership
2555
98
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2557 This appendix provides the terminal commands needed to configure a system through an
2558 automated process. It is broken down into sections based on the categories of the settings. Some
2559 of the recommended baseline settings are already achieved by the default system configuration.
2560 These settings have been omitted from this appendix, but can be found in the companion
2561 spreadsheet.
2563 Note that moving kernel extension (kext) files is no longer possible on macOS 10.12 because
2564 SIP blocks access.
2565 Table 27: Disabling Hardware Components
2568 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
42 Run the command networksetup -listnetworkserviceorder to view the short device names.
99
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2571
2574
2575 Table 31: Login Window Terminal Settings
100
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2576
2578 The pwpolicy program uses a .plist file for policy configuration. The NIST-recommended
2579 password policy is available as a .plist file on the GitHub repository listed in the resources in
2580 Appendix D.
2581 The plist policy file is applied for all users with the following command:
2582 pwpolicy -setaccountpolicies /full/path/to/policyTempFile
2584 Alternatively, the pwpolicy .plist file can be generated and customized using the following
2585 process. First, the .plist file array needs to be created only once for each of the following policy
2586 categories. These commands do not need to be run on a per-setting basis.
2587 /usr/libexec/PlistBuddy –c “Add :policyCategoryPasswordContent array”
2588 /full/path/to/policyTempFile
2593 Each setting needs to have an array index different than the others, in increasing order, starting
2594 with index 0. These commands must be run for each setting, substituting the values from Table
2595 32.
2596 /usr/libexec/PlistBuddy –c “Add :$policy_category:$index:policyContent string
2597 $policy_content” /full/path/to/policyTempFile
101
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2605
2606 Table 32: Password Policy Settings
102
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
Password cannot This setting did not work as documented during informal testing.
contain username
2607
103
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
*No prevent screen For any corner that would prevent the screen saver, run the following command for that
saver hot corner corner:
defaults write ~/Library/Preferences/com.apple.dock.plist wvous-
$CORNER-corner -int 1
2610 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
2611
43 Use one of the codes “bl,” “br,” “tl,” or “tr” in place of $CORNER; where “bl” is bottom left, “tr” is top right, etc.
104
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2614
2615 The pf firewall is separate from the application firewall and offers finer-grained controls. Before
2616 making changes to pf settings, be sure to back up the /etc/pf.conf file. The pf firewall must be
2617 configured to run automatically on system startup in order to maintain persistence. The pf
2618 firewall needs to be directed to a configuration file with the desired anchor points. An anchor
2619 point allows a set of firewall rules to be loaded from another file. An anchor is first defined and
2620 then loaded from a specified file.
2621 Firewall rules must be constructed and placed in a custom anchor file specified in /etc/pf.conf.
2622 For example, incoming SSH connections can be blocked with the following rule: block in proto
2623 { tcp udp } to any port 22. This instructs pf to block incoming traffic using the TCP or UDP
2624 protocols destined for any IP address on port 22. The full set of recommendations for pf firewall
2625 rules is available in Table 2. The Terminal configuration commands are available below in Table
2626 35.
2627 Table 35: pf Firewall Settings
Define and add custom anchor echo 'anchor "sam_pf_anchors"' >> /etc/pf.conf
to config file echo 'load anchor "sam_pf_anchors" from
"/etc/pf.anchors/sam_pf_anchors"' >> /etc/pf.conf
2628
105
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
defaults delete
/private/var/db/dslocal/nodes/Default/groups/com.apple.access_remote
_ae.plist nestedgroups
2631 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
LoginGraceTime 30
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-
cbc,aes192-cbc,aes256-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
ChallengeResponseAuthentication no
PubkeyAuthentication no
DenyUsers *
ClientAliveInterval 900
maxAuthTries 4
106
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
PermitRootLogin no
ClientAliveCountMax 0
2635
2638 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
2639
107
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
defaults delete
/private/var/db/dslocal/nodes/Default/groups/com.apple.access_scr
eensharing.plist groupmembers
defaults delete
/private/var/db/dslocal/nodes/Default/groups/com.apple.access_scr
eensharing.plist nestedgroups
2642 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
44 [network service] is one of the services listed from running the command `networksetup –
listallnetworkservices`.
108
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2643
2646 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
2647
109
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2650 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
2653
2655 Although most power management settings do not directly affect security, they are still important
2656 for effective system use. The one important setting to note is “Display sleep idle time,” which
2657 must have a value greater than or equal to the “Desktop idle time” setting in Appendix J.6. If the
2658 screen goes to sleep before the session locks, it creates a false sense of security.
2659 Table 43: Power Management Settings
110
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2660
This setting is only recommended for SSLF systems and systems where
Bluetooth is not used.
This setting is only recommended for SSLF systems and systems where Wi-Fi
is not used.
111
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2663
spctl --enable
rm sam_temp.plist
2666 * This setting requires a process restart to take effect. See Appendix H for a list of the specific processes that must be restarted.
112
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2668 For other terms not defined here, please see NISTIR 7298, Glossary of Key Information Security
2669 Terms [NISTIR 7298r2].
Application Firewall A firewall that uses stateful protocol analysis to analyze network traffic for
[SP 800-41r1] one or more applications.
Kernel Panic A system error that cannot be recovered from, and requires the system to be
restarted.
Kext File A Kernel extension file that allows the operating system to make use of
hardware components. Files of this type typically have a .kext file extension.
Principle of Least Privilege 45 The principle that users and programs should only have the necessary
privileges to complete their tasks.
Privilege Escalation The exploitation of a bug or flaw that allows for a higher privilege level than
what would normally be permitted.
Production Environment An environment where functionality and availability must be ensured for the
completion of day-to-day activities.
Property List (.plist) File An XML file that is used to store system settings.
Shell The command line environment made available to macOS users through the
Terminal application.
Stateful Inspection Packet filtering that also tracks the state of connections and blocks packets
[SP 800-41r1] that deviate from the expected state.
Whitelist A list of discrete entities, such as hosts or applications, that are known to be
[NISTIR 7298r2] benign and are approved for use within an organization and/or information
system.
2670
45 J. Saltzer and M. Shroeder, “The Protection of Information in Computer Systems,” Proceedings of the IEEE vol. 63, issue 9,
p. 1278-1308, Sep. 1975, https://doi.org/10.1109/PROC.1975.9939.
113
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2672 [CSD16] Computer Security Division, Applied Cybersecurity Division (2016) Best
2673 Practices for Privileged User PIV Authentication. (National Institute of
2674 Standard and Technology, Gaithersburg, MD).
2675 https://doi.org/10.6028/NIST.CSWP.04212016
2676 [FIPS 199] National Institute of Standards and Technology (2004) Standards for
2677 Security Categorization of Federal Information and Information Systems.
2678 (U.S. Department of Commerce, Washington, D.C.), Federal Information
2679 Processing Standards Publication (FIPS) 199, February 2004.
2680 https://doi.org/10.6028/NIST.FIPS.199
2681 [FIPS 200] National Institute of Standards and Technology (2006) Minimum Security
2682 Requirements for Federal Information and Information Systems. (U.S.
2683 Department of Commerce, Washington, D.C.), Federal Information
2684 Processing Standards Publication (FIPS) 200, March 2006.
2685 https://doi.org/10.6028/NIST.FIPS.200
2686 [NISTIR 7298r2] Kissel R (ed.) (2013) Glossary of Key Information Security Terms.
2687 (National Institute of Standards and Technology, Gaithersburg, MD),
2688 NIST Internal Report (NISTIR) 7298 Rev. 2, May 2013.
2689 https://doi.org/10.6028/NIST.IR.7298r2
2690 [NISTIR 7966] Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of
2691 Interactive and Automated Access Management Using Secure Shell (SSH).
2692 (National Institute of Standards and Technology, Gaithersburg, MD),
2693 NIST Internal Report (NISTIR) 7966, October 2015.
2694 https://doi.org/10.6028/NIST.IR.7966
2695 [SP 800-30r1] Joint Task Force Transformation Initiative (2012) Guide for Conducting
2696 Risk Assessments. (National Institute of Standards and Technology,
2697 Gaithersburg, MD), NIST Special Publication (SP) 800-30 Rev. 1,
2698 September 2012. https://doi.org/10.6028/NIST.SP.800-30r1
2699 [SP 800-34r1] Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010)
2700 Contingency Planning Guide for Federal Information Systems. (National
2701 Institute of Standards and Technology, Gaithersburg, MD), NIST Special
2702 Publication (SP) 800-34 Rev. 1, May 2010 (Updated 11/11/2010).
2703 https://doi.org/10.6028/NIST.SP.800-34r1
2704 [SP 800-37r1] Joint Task Force Transformation Initiative (2014) Guide for Applying the
2705 Risk Management Framework to Federal Information Systems: a Security
2706 Life Cycle Approach. (National Institute of Standards and Technology,
2707 Gaithersburg, MD), NIST Special Publication (SP) 800-37 Rev. 1,
2708 February 2010 (Updated 6/5/2014). https://doi.org/10.6028/NIST.SP.800-
2709 37r1
114
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2710 [SP 800-39] Joint Task Force Transformation Initiative (2011) Managing Information
2711 Security Risk: Organization, Mission, and Information System View.
2712 (National Institute of Standards and Technology, Gaithersburg, MD),
2713 NIST Special Publication (SP) 800-39, March 2011.
2714 https://doi.org/10.6028/NIST.SP.800-39
2715 [SP 800-40r3] Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch
2716 Management Technologies. (National Institute of Standards and
2717 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40
2718 Rev. 3, July 2013. https://doi.org/10.6028/NIST.SP.800-40r3
2719 [SP 800-41r1] Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall
2720 Policy. (National Institute of Standards and Technology, Gaithersburg,
2721 MD), NIST Special Publication (SP) 800-41 Rev. 1, September 2009.
2722 https://doi.org/10.6028/NIST.SP.800-41r1
2723 [SP 800-45v2] Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on
2724 Electronic Mail Security. (National Institute of Standards and Technology,
2725 Gaithersburg, MD), NIST Special Publication (SP) 800-45 Version 2,
2726 February 2007. https://doi.org/10.6028/NIST.SP.800-45ver2
2727 [SP 800-53r4] Joint Task Force Transformation Initiative (2015) Security and Privacy
2728 Controls for Federal Information Systems and Organizations. (National
2729 Institute of Standards and Technology, Gaithersburg, MD), NIST Special
2730 Publication (SP) 800-53 Rev. 4, April 2013 (Updated 1/22/2015).
2731 https://doi.org/10.6028/NIST.SP.800-53r4
2732 [SP 800-61r2] Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer
2733 Security Incident Handling Guide. (National Institute of Standards and
2734 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61
2735 Rev. 2, August 2012. https://doi.org/10.6028/NIST.SP.800-61r2
2736 [SP 800-63-3] Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines.
2737 (National Institute of Standards and Technology, Gaithersburg, MD),
2738 NIST Special Publication (SP) 800-63-3, June 2017 (Updated 12/1/2017).
2739 https://doi.org/10.6028/NIST.SP.800-63-3
2740 [SP 800-70r4] Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National
2741 Checklist Program for IT Products: Guidelines for Checklist Users and
2742 Developers. (National Institute of Standards and Technology,
2743 Gaithersburg, MD), NIST Special Publication (SP) 800-70 Rev. 4,
2744 February 2018. https://doi.org/10.6028/NIST.SP.800-70r4
2745 [SP 800-88r1] Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for
2746 Media Sanitization. (National Institute of Standards and Technology,
2747 Gaithersburg, MD), NIST Special Publication (SP) 800-88 Rev. 1,
2748 December 2014. https://doi.org/10.6028/NIST.SP.800-88r1
115
NIST SP 800-179 REV. 1 (DRAFT) SECURING MACOS 10.12 SYSTEMS:
NIST SECURITY CONFIGURATION CHECKLIST
2749 [SP 800-111] Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage
2750 Encryption Technologies for End User Devices. (National Institute of
2751 Standards and Technology, Gaithersburg, MD), NIST Special Publication
2752 (SP) 800-111, November 2007. https://doi.org/10.6028/NIST.SP.800-111
2753 [SP 800-115] Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical
2754 Guide to Information Security Testing and Assessment. (National Institute
2755 of Standards and Technology, Gaithersburg, MD), NIST Special
2756 Publication (SP) 800-115, September 2008.
2757 https://doi.org/10.6028/NIST.SP.800-115
2758 [SP 800-117] Quinn SD, Scarfone KA, Barrett MP, Johnson CS (2010) Guide to
2759 Adopting and Using the Security Content Automation Protocol (SCAP)
2760 Version 1.0. (National Institute of Standards and Technology,
2761 Gaithersburg, MD), NIST Special Publication (SP) 800-117, July 2010.
2762 https://doi.org/10.6028/NIST.SP.800-117
2763 [SP 800-121r2] Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone
2764 KA (2017) Guide to Bluetooth Security. (National Institute of Standards
2765 and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-
2766 121 Rev. 2, May 2017. https://doi.org/10.6028/NIST.SP.800-121r2
2767 [SP 800-125] Scarfone KA, Souppaya MP, Hoffman P (2011) Guide to Security for Full
2768 Virtualization Technologies. (National Institute of Standards and
2769 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125,
2770 January 2011. https://doi.org/10.6028/NIST.SP.800-125
2771 [SP 800-126r2] Waltermire DA, Quinn SD, Scarfone KA, Halbardier AM (2012) The
2772 Technical Specification for the Security Content Automation Protocol
2773 (SCAP): SCAP Version 1.2. (National Institute of Standards and
2774 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126
2775 Rev. 2, September 2011 (Updated 3/19/2012).
2776 https://doi.org/10.6028/NIST.SP.800-126r2
2777 [SP 800-153] Souppaya MP, Scarfone KA (2012) Guidelines for Securing Wireless
2778 Local Area Networks (WLANs). (National Institute of Standards and
2779 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-153,
2780 February 2012. https://doi.org/10.6028/NIST.SP.800-153
2781 [SP 800-157] Ferraiolo H, Cooper DA, Francomacaro S, Regenscheid AR, Burr WE,
2782 Mohler J, Gupta S (2014) Guidelines for Derived Personal Identity
2783 Verification (PIV) Credentials. (National Institute of Standards and
2784 Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-157,
2785 December 2014. https://doi.org/10.6028/NIST.SP.800-157
2786
116